Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

nail/aurora hijacked my computer! [RESOLVED]


  • This topic is locked This topic is locked

#1
princsstrish

princsstrish

    Member

  • Member
  • PipPip
  • 16 posts
I tried Spybot, Ad-Aware, CWShredder, HouseCall. It's still infected. Here is my HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 12:37:02 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NovaNET\NNWINSDR.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\ecxgvtq.exe
C:\PROGRA~1\NORTON~3\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\LOGITECH\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\lpmhpp.exe
C:\WINDOWS\system32\cipans32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cicop.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capecodonline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehln32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lpmhpp.exe reg_run
O4 - HKLM\..\Run: [qq7U3nU] cipans32.exe
O4 - HKLM\..\Run: [xcenxs] c:\windows\system32\ecxgvtq.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [b9o8RhY3P] cicop.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\quickbook2001pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097333204062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonr.../3_0_2/eonx.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NovaNET - Unknown owner - C:\Program Files\NovaNET\NNWINSDR.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any help will be appreciated!! This is my boss wife computer so I'll be a hero!!

Trish
  • 0

Advertisements


#2
P3-450

P3-450

    Visiting Staff

  • Member
  • PipPipPip
  • 242 posts
Hi princsstrish, welcome to G2G :tazz:

I will be looking at your log and will get be back as soon as I can ;)
  • 0

#3
P3-450

P3-450

    Visiting Staff

  • Member
  • PipPipPip
  • 242 posts
Hi

Download Ewido, install then from within the program check for updates BUT dont scan yet
ewido security suite: http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), Now close the program.
Do NOT run a scan yet.

Notes: If you already have the program please make sure its version 3.5 you have and updated.
If the program just exits before it finishes start it again and set it up to do a custom scan:
Start the program click the scan button over to the left click custom scan, click add drive/directory/file
and add c:\documents and settings\
add c:\windows\system32\ also, then click start scan, have it remove everything found. Do NOT run a scan yet.


Please download Nailfix from here:
http://www.noidea.us...050711214630636

Double click on nailfix.exe and click on Next. When asked, do not run Nailfix.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, Please double click on the nailfix folder that was created earlier and inside that double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan
  • 0

#4
princsstrish

princsstrish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I did as requested. Computer still has aurora popups. Here are the log files

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 6:18:18 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NovaNET\NNWINSDR.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\codpzl.exe
C:\PROGRA~1\NORTON~3\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cipans32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\LOGITECH\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\cicop.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capecodonline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehln32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lpmhpp.exe reg_run
O4 - HKLM\..\Run: [qq7U3nU] cipans32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [hxrkmt] c:\windows\system32\codpzl.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [b9o8RhY3P] cicop.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\quickbook2001pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097333204062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonr.../3_0_2/eonx.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NovaNET - Unknown owner - C:\Program Files\NovaNET\NNWINSDR.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

As you can see, nail.exe is still there.

Here is the ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:13:20 PM, 7/14/2005
+ Report-Checksum: 9D8937A5

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\qDoo1bJXUKcM -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\Tasks -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\LQ -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{63B78BC1-A711-4D46-AD2F-C581AC420D41} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\SYSTEM32\yeoburm.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\wintask.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsp283.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\exp.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\SYSTEM32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\yiuniio.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\WINDOWS\SYSTEM32\lpmhpp.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\SYSTEM32\xmodmmr.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\SYSTEM32\gsnis.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\SYSTEM32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\SYSTEM32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitehai32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitetbm32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitehln32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Cookies\anyuser@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\anyuser@specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/IExploreSkins.exe -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/TBPS.exe -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/common.dll -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/toolbar.dll -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\ZDCWGR7Z\newmajorse2[1].cab/newmajorse2.txt -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\8HM34XUJ\WinTS[1].cab/WToolsS.exe -> TrojanDownloader.Wintool.b : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\6NWF8A6O\TBPSSvc[1].cab/TBPSSvc.exe -> Spyware.IBIS : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\S1UB4XMF\AutoUpdaterInstaller[1].exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\WINDOWS\NDNuninstall4_50.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\adiiasgi.exe -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\RECYCLED\Dc1\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\RECYCLED\Dc1\bar\1.bin\S4BAR.DLL -> Spyware.MyWay : Cleaned with backup
C:\RECYCLED\NPROTECT\00671700.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\RECYCLED\NPROTECT\00671701.dll -> Spyware.ImiBar : Cleaned with backup
C:\RECYCLED\NPROTECT\00671790.EXE -> Spyware.AproposMedia : Cleaned with backup
C:\RECYCLED\NPROTECT\00672417.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00672667.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\RECYCLED\NPROTECT\00672668.dll -> Spyware.ImiBar : Cleaned with backup
C:\RECYCLED\NPROTECT\00672669.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\RECYCLED\NPROTECT\00672684.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00672756.DLL -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00672950.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00674833.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00662433.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\RECYCLED\NPROTECT\00662435.EXE -> Spyware.VirtualBouncer : Cleaned with backup
C:\RECYCLED\NPROTECT\00662469.EXE -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00662480.EXE -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00662482.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00662484.exe -> TrojanDropper.Agent.hh : Cleaned with backup
C:\RECYCLED\NPROTECT\00662488.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\RECYCLED\NPROTECT\00662491.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\RECYCLED\NPROTECT\00671358.EXE -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\RECYCLED\NPROTECT\00671359.EXE -> Spyware.VirtualBouncer : Cleaned with backup
C:\RECYCLED\NPROTECT\00671360.EXE -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\RECYCLED\NPROTECT\00671413.EXE -> Spyware.Hijacker.Generic : Cleaned with backup
C:\RECYCLED\NPROTECT\00671446.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00671687.EXE -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\RECYCLED\NPROTECT\00671688.DLL -> Spyware.EliteBar : Cleaned with backup
C:\RECYCLED\NPROTECT\00671792.DLL -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\RECYCLED\NPROTECT\00671793.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\RECYCLED\NPROTECT\00671794.DLL -> Spyware.VirtualBouncer : Cleaned with backup
C:\RECYCLED\NPROTECT\00671795.DLL -> Spyware.VirtualBouncer : Cleaned with backup
C:\RECYCLED\NPROTECT\00671796.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\RECYCLED\NPROTECT\00671797.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\RECYCLED\NPROTECT\00671798.EXE -> TrojanDropper.Agent.hl : Cleaned with backup
C:\RECYCLED\NPROTECT\00671997.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00672005.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00672405.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00672414.EXE -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00662495.EXE -> Spyware.Hijacker.Generic : Cleaned with backup
C:\FXITRBIN\AAKC0086 -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uitr.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/IExploreSkins.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/TBPS.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/common.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/toolbar.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@a.tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@specificpop[3].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@www2.enigmasoftwaregroup[1].txt -> Spyware.Cookie.Enigmasoftwaregroup : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@adopt.specificclick[3].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253676.exe -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253682.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253684.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253723.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253725.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253776.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253777.dll -> Spyware.ImiBar : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253778.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253784.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253809.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1623\A0253810.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253968.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1621\A0252467.exe -> TrojanDownloader.Qoologic.v : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1621\A0252468.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1621\A0252469.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1621\A0252474.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1622\A0253485.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1622\A0253486.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

Please help!!
  • 0

#5
P3-450

P3-450

    Visiting Staff

  • Member
  • PipPipPip
  • 242 posts
Hi lets try the same again.

Please start Ewido

From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, Please double click on the nailfix folder that was created earlier and inside that double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan
  • 0

#6
princsstrish

princsstrish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
same results when doing the scans again. once i reboot in regular mode, nail.exe comes back.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:15:13 PM, 7/15/2005
+ Report-Checksum: 8379DD59

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\qDoe1bJXUKcM -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\qDoo1bJXUKcM -> Spyware.AproposMedia : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\zsowct.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/IExploreSkins.exe -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/TBPS.exe -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/common.dll -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/toolbar.dll -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\ZDCWGR7Z\newmajorse2[1].cab/newmajorse2.txt -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\8HM34XUJ\WinTS[1].cab/WToolsS.exe -> TrojanDownloader.Wintool.b : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\6NWF8A6O\TBPSSvc[1].cab/TBPSSvc.exe -> Spyware.IBIS : Error during cleaning
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00675114.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/IExploreSkins.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/TBPS.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/common.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/toolbar.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Cookies\default@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253969.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253970.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253971.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253972.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253973.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253974.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253975.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253976.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253977.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253978.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253979.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253980.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253981.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253982.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253983.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253984.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253985.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253986.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253987.dll -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253988.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253989.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253990.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253991.exe -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253992.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253993.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253994.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253995.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253996.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253997.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253998.dll -> Spyware.ImiBar : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0253999.EXE -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254000.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254001.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254002.dll -> Spyware.ImiBar : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254003.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254004.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254005.DLL -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254006.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254007.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254008.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254009.EXE -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254010.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254011.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254012.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254013.exe -> TrojanDropper.Agent.hh : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254014.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254015.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254016.EXE -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254017.EXE -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254018.EXE -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254019.EXE -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254020.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254021.EXE -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254022.DLL -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254023.DLL -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254024.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254025.DLL -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254026.DLL -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254027.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254028.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254029.EXE -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254030.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254031.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254032.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254033.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254034.EXE -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254035.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254042.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1625\A0254047.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1626\A0254289.exe -> Adware.BetterInternet : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 5:18:41 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NovaNET\NNWINSDR.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~3\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
c:\windows\system32\ldifota.exe
C:\WINDOWS\system32\cipans32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cicop.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
C:\LOGITECH\MouseWare\system\em_exec.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\FSScrCtl.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capecodonline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehln32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lpmhpp.exe reg_run
O4 - HKLM\..\Run: [qq7U3nU] cipans32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [xjbbidi] c:\windows\system32\ldifota.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [b9o8RhY3P] cicop.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\quickbook2001pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097333204062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonr.../3_0_2/eonx.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NovaNET - Unknown owner - C:\Program Files\NovaNET\NNWINSDR.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

same stuff different day. I'm off for the weekend so won't be back til Monday. Thank you for any help you can provide. i guess nailfix isn't working.
  • 0

#7
P3-450

P3-450

    Visiting Staff

  • Member
  • PipPipPip
  • 242 posts
Hi

Let's try it this way.

Please load up Ewido and update it

Dont run it yet.


Download Process Explorer from http://www.sysintern...ssExplorer.html

Run Process Explorer and find the Process ldifota.exe in the list of Processes.

Select the process and click Process > Suspend.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file c:\windows\system32\ldifota.exe
When prompted if you want to reboot click YES

Please Leave Process explorer running with the process suspended.

After the reboot check the following items in HijackThis.

Close all windows except HijackThis and click Fix checked:


O4 - HKLM\..\Run: [xjbbidi] c:\windows\system32\ldifota.exe r




Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, Please double click on the nailfix folder that was created earlier and inside that double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan
  • 0

#8
princsstrish

princsstrish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK, let's try this again. I redownloaded nailfix and this time I think it downloaded correctly. For some reason I don't know why, but it wasn't doing exactly what you said was "normal" for nailfix. Now it is working i believe. Here are my scans after repeating what you told me originally.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:11:17 AM, 7/18/2005
+ Report-Checksum: A6CF72F7

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\qDoo1bJXUKcM -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\Tasks -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1177238915-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
C:\WINDOWS\SYSTEM32\dgjkgms.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/IExploreSkins.exe -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/TBPS.exe -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/common.dll -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\Toolbar3[1].cab/toolbar.dll -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\QBKFDAVQ\AutoUpdaterInstaller[1].exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\WINDOWS\Temporary Internet Files\Content.IE5\ZDCWGR7Z\newmajorse2[1].cab/newmajorse2.txt -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\8HM34XUJ\WinTS[1].cab/WToolsS.exe -> TrojanDownloader.Wintool.b : Error during cleaning
C:\WINDOWS\Temporary Internet Files\Content.IE5\6NWF8A6O\TBPSSvc[1].cab/TBPSSvc.exe -> Spyware.IBIS : Error during cleaning
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\RECYCLED\NPROTECT\00676898.EXE -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\RECYCLED\NPROTECT\00677118.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00676238.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00676518.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00675141.EXE -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLED\NPROTECT\00676901.EXE -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/IExploreSkins.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/TBPS.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/common.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\Toolbar3.cab/toolbar.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\default\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1626\A0254291.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1626\A0254292.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1626\A0254293.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1626\A0254294.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1626\A0254301.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1643\A0254900.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1649\A0255059.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1649\A0255060.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1649\A0255061.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{BD575D12-0D56-4112-8B00-F0D800D08113}\RP1649\A0255062.dll -> Adware.BetterInternet : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 11:15:17 AM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NovaNET\NNWINSDR.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~3\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\apclsapi.exe
C:\LOGITECH\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\xmjxpdo.exe
C:\WINDOWS\system32\algutil.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\FSScrCtl.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capecodonline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehln32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lpmhpp.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [qq7U3nU] apclsapi.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [fyukdcd] c:\windows\system32\xmjxpdo.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [b9o8RhY3P] algutil.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\quickbook2001pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097333204062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonr.../3_0_2/eonx.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NovaNET - Unknown owner - C:\Program Files\NovaNET\NNWINSDR.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I still have a couple of popups but they are not aurora. also, lots of shortcuts on the desktop. Do i have to delete those manually?
  • 0

#9
princsstrish

princsstrish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
ok, after deleting shortcuts on desktop manually, my boss' wife rebooted her computer. Guess what's back!!!!! yep, nail.exe

also geting a msg when booting up

Error loading C:\WINDOWS\cfgmgr52.dll the specified module could not be found.

You can click OK and the computer boots up fine though. :tazz:

What next??????
  • 0

#10
P3-450

P3-450

    Visiting Staff

  • Member
  • PipPipPip
  • 242 posts
Hi

Can you post back a fresh hjt log from when the computer was reboot please.
  • 0

Advertisements


#11
princsstrish

princsstrish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Here is the HJT log from after reboot.

Logfile of HijackThis v1.99.1
Scan saved at 11:57:22 AM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NovaNET\NNWINSDR.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~3\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
c:\windows\system32\hhhztl.exe
C:\WINDOWS\system32\apclsapi.exe
C:\LOGITECH\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\algutil.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\FSScrCtl.exe
C:\hjt\HijackThis.exe
C:\DOCUME~1\default\LOCALS~1\Temp\MVV\aurareco.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capecodonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehln32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lpmhpp.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [qq7U3nU] apclsapi.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [zpfsvdm] c:\windows\system32\hhhztl.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [b9o8RhY3P] algutil.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\quickbook2001pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097333204062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonr.../3_0_2/eonx.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NovaNET - Unknown owner - C:\Program Files\NovaNET\NNWINSDR.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#12
P3-450

P3-450

    Visiting Staff

  • Member
  • PipPipPip
  • 242 posts
Hi

We will come back to Aurora later.



Download: CCleaner
http://www.majorgeek...wnload4191.html
http://www.ccleaner.com/

Dont run it yet


===============

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

apclsapi.exe*
algutil.exe*
aurareco.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

c:\windows\system32\hhhztl.exe
C:\WINDOWS\system32\apclsapi.exe
C:\WINDOWS\system32\algutil.exe
C:\Program Files\Cas\Client\casclient.exe
C:\DOCUME~1\default\LOCALS~1\Temp\MVV\aurareco.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u systb.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehln32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lpmhpp.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [qq7U3nU] apclsapi.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [zpfsvdm] c:\windows\system32\hhhztl.exe r
O4 - HKCU\..\Run: [b9o8RhY3P] algutil.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

C:\Program Files\Cas
C:\Program Files\AutoUpdate

files...

c:\windows\system32\hhhztl.exe
C:\WINDOWS\system32\apclsapi.exe
C:\WINDOWS\system32\algutil.exe
C:\DOCUME~1\default\LOCALS~1\Temp\MVV\aurareco.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\cfgmgr52.dll
C:\windows\system32\elitehln32.exe
C:\WINDOWS\system32\lpmhpp.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\svcproc.exe

Search for...

apclsapi.exe
algutil.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============


Run CCleaner click the Windows tab

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit (reboot)



Reboot back into normal mode and post back a new log.
  • 0

#13
princsstrish

princsstrish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Done as requested. Here is the HJT log. I see some things that came back :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:39 AM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NovaNET\NNWINSDR.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\oaevxd.exe
C:\PROGRA~1\NORTON~3\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\LOGITECH\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\idltedit.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\icffg.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Aprps\CxtPls.exe
C:\DOCUME~1\default\LOCALS~1\Temp\MOS\aurareco.exe
C:\hjt\HijackThis.exe
C:\DOCUME~1\default\LOCALS~1\Temp\wupdt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\wupdsnff.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capecodonline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [qq7U3nU] idltedit.exe
O4 - HKLM\..\Run: [jvadtv] c:\windows\system32\oaevxd.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [b9o8RhY3P] icffg.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\quickbook2001pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097333204062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonr.../3_0_2/eonx.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NovaNET - Unknown owner - C:\Program Files\NovaNET\NNWINSDR.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#14
P3-450

P3-450

    Visiting Staff

  • Member
  • PipPipPip
  • 242 posts
Hi


===============

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

idltedit.exe*
icffg.exe*
aurareco.exe*
wupdt.exe*
wupdsnff.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

c:\windows\system32\oaevxd.exe
C:\WINDOWS\system32\idltedit.exe
C:\WINDOWS\system32\icffg.exe
C:\DOCUME~1\default\LOCALS~1\Temp\MOS\aurareco.exe
C:\DOCUME~1\default\LOCALS~1\Temp\wupdt.exe
C:\WINDOWS\wupdsnff.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u cxtpls.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll

O4 - HKLM\..\Run: [qq7U3nU] idltedit.exe
O4 - HKLM\..\Run: [jvadtv] c:\windows\system32\oaevxd.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [b9o8RhY3P] icffg.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

C:\Program Files\Aprps

files...

c:\windows\system32\oaevxd.exe
C:\WINDOWS\system32\idltedit.exe
C:\WINDOWS\system32\icffg.exe
C:\DOCUME~1\default\LOCALS~1\Temp\MOS\aurareco.exe
C:\DOCUME~1\default\LOCALS~1\Temp\wupdt.exe
C:\WINDOWS\wupdsnff.exe
C:\WINDOWS\wupdt.exe

Search for...

idltedit.exe
icffg.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============


Run CCleaner click the Windows tab

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit (reboot)



Reboot back into Normal Mode and post back a fresh Hijackthis log. :tazz:
  • 0

#15
princsstrish

princsstrish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
After following directions. Here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:23:32 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NovaNET\NNWINSDR.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~3\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\LOGITECH\MouseWare\system\em_exec.exe
c:\windows\system32\pvraftn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capecodonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ortimhk] c:\windows\system32\pvraftn.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\quickbook2002basic\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\quickbook2001pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097333204062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonr.../3_0_2/eonx.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NovaNET - Unknown owner - C:\Program Files\NovaNET\NNWINSDR.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP