Aurora problem My Hijackthis log Please HELP! [CLOSED]


  • This topic is locked

#1
Christopherc321
New Member, 6 posts
I hate this Aurora thing. Please help me.
I have pinpointed a file in my win32 folder that keeps changing names after I end the process; maybe this is the trojan? How can I get rid of it?

Logfile of HijackThis v1.99.1
Scan saved at 7:09:50 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
c:\windows\system32\teqsceh.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christopher Cobian\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com/cobian
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsd20.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: free loud - {DDBF5BF8-7BD1-D09B-A631-1DA16F62210B} - C:\PROGRA~1\GREYHE~1\SIZEAMOK.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {99345E16-7F77-46F0-8D12-01802D3434D4} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: LESS SHIM - {B78B490A-768A-6036-D316-2D3564741E7F} - C:\PROGRA~1\GREYHE~1\SIZEAMOK.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [savenow] C:\WINDOWS\savenow.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gksgnvc] c:\windows\system32\teqsceh.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hbjydxgw.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c282.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - http://messenger.zon...ss.cab30149.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FFFF005A-0001-101A-A3C9-08002B2F49FB} - http://web.cheapnet....ms/90G26464.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Christopherc321, 24 July 2005 - 01:41 AM.

#2
Rawe
Visiting Staff, 4,746 posts
Hello and welcome!

Please print these instructions out, or write them down, as you can't read them during the fix. Be sure to ask any questions before proceeding with the fix.

First;

Please download Ewido Security Suite; it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!" Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
ewido manual updates

Download CCleaner and install it, but do not run it yet.

Please download this file: Revised Installer for the Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

To reboot into Safe Mode with Windows XP, you can follow these steps from Microsoft;

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click on Nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If Ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found, select none for now as the action.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now run HijackThis, click Scan, check the following objects for removal;

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [gksgnvc] c:\windows\system32\teqsceh.exe r

Close any other open windows and/or open browsers, making sure that only HiJackThis is running at that time. Make sure that the above mentioned objects are all checked, then hit "Fix Checked". Exit HJT.
NOTE: The O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, which will always end in a single letter r.

Using Windows Explorer, locate the following file and delete if present;
c:\windows\system32\teqsceh.exe (It must be named the same as the O4 entry fixed in HJT.)

Now run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
REBOOT!!

Boot up into normal mode, run a new scan with HiJackThis & post the fresh log here along with the log from Ewido using Add Reply.

- Rawe :tazz:

Edited by Rawe, 24 July 2005 - 02:42 AM.

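Rawe's walkthrough keys on two features of the log: the F2 Shell= line that has Nail.exe appended to Explorer.exe, and an HKLM Run value that launches a short random-named executable in system32 with a bare "r" argument and takes a new name after each reboot. The Python below is an added example, not code from the thread or from HijackThis: it parses HJT 1.99 finding lines, applies those checks plus two general ones (entries whose file is gone, and an O16 entry pointing at a local executable), and pairs the renamed O4 entry across two logs. The sample input is excerpted from the two logs posted in this thread; the 5 to 9 lowercase-letter name length in the regex is my assumption.

```python
"""Triage helpers for HijackThis 1.99 logs, built around the two logs in this thread."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str   # HJT section code: R0, R1, F2, O2, O4, O16, O23, ...
    text: str   # the rest of the line after "Oxx - "


# Every HJT finding line starts with its section code followed by " - ".
HJT_LINE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")


def parse_hjt(log: str) -> list[Entry]:
    """Return the finding lines of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


# Heuristics taken from what the thread points at (name-length bounds are an assumption):
#  * F2 Shell= holding anything beyond Explorer.exe (here Nail.exe is appended to the shell)
#  * a Run value launching a short random-named exe in system32 with a bare "r" argument
#  * BHO/toolbar/service entries whose file is gone (dead registrations, safe to clean)
#  * an O16 Download Program Files entry pointing at a local executable instead of a URL
RUN_RANDOM_R = re.compile(
    r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] "
    r"(?P<path>.*?\\system32\\(?P<exe>[a-z]{5,9})\.exe) r$", re.I)
SHELL_LINE = re.compile(r"^REG:system\.ini: Shell=(?P<shell>.+)$", re.I)
ORPHAN = re.compile(r"\((?:file missing|no file)\)$", re.I)
LOCAL_DPF = re.compile(r" - file://(?P<path>.+)$", re.I)


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Bucket suspicious entries by the heuristic that fired."""
    findings = {"shell_hijack": [], "random_run_r": [], "orphan": [], "local_dpf": []}
    for e in entries:
        if e.kind == "F2":
            m = SHELL_LINE.match(e.text)
            if m and m.group("shell").strip().lower() != "explorer.exe":
                findings["shell_hijack"].append(m.group("shell").strip())
        elif e.kind == "O4":
            m = RUN_RANDOM_R.match(e.text)
            if m:
                findings["random_run_r"].append(m.group("path").lower())
        elif e.kind == "O16":
            m = LOCAL_DPF.search(e.text)
            if m:
                findings["local_dpf"].append(m.group("path"))
        if ORPHAN.search(e.text):
            findings["orphan"].append(f"{e.kind} - {e.text}")
    return findings


def renamed_run_entries(before: list[Entry], after: list[Entry]) -> list[tuple[str, str]]:
    """Pair the random-named 'r' Run entries of two logs so a reboot-renamed file can be followed."""
    old = triage(before)["random_run_r"]
    new = triage(after)["random_run_r"]
    return [(o, n) for o, n in zip(old, new) if o != n]


# Sample input: lines excerpted from the first and second logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
c:\windows\system32\teqsceh.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gksgnvc] c:\windows\system32\teqsceh.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hbjydxgw.exe
"""
LOG_AFTER = r"""
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pvpacf] c:\windows\system32\sqfcpnv.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        for bucket, hits in triage(parse_hjt(log)).items():
            for hit in hits:
                print(f"{name}: {bucket}: {hit}")
    for old, new in renamed_run_entries(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)):
        print(f"renamed between logs: {old} -> {new}")
```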

#3
Christopherc321 (Topic Starter)
New Member, 6 posts
Here it is

Should I run Ewido to take off all the infections it found??? (It's a lot of infections)


Logfile of HijackThis v1.99.1
Scan saved at 12:54:45 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
c:\windows\system32\sqfcpnv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Christopher Cobian\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com/cobian
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: free loud - {DDBF5BF8-7BD1-D09B-A631-1DA16F62210B} - C:\PROGRA~1\GREYHE~1\SIZEAMOK.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {99345E16-7F77-46F0-8D12-01802D3434D4} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: LESS SHIM - {B78B490A-768A-6036-D316-2D3564741E7F} - C:\PROGRA~1\GREYHE~1\SIZEAMOK.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [savenow] C:\WINDOWS\savenow.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [pvpacf] c:\windows\system32\sqfcpnv.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hbjydxgw.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c282.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - http://messenger.zon...ss.cab30149.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FFFF005A-0001-101A-A3C9-08002B2F49FB} - http://web.cheapnet....ms/90G26464.exe
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:38:47 PM, 7/24/2005
+ Report-Checksum: F35D5C82

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\CLSID\{1D6711C8-7154-40BB-8380-3DEA45B69CBF} -> TrojanDownloader.WebP2P : Ignored
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Ignored
HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Ignored
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\Classes\CLSID\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Ignored
HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Ignored
HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Ignored
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Ignored
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Ignored
HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Ignored
HKLM\SOFTWARE\Classes\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498} -> Spyware.P2PNetworking : Ignored
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\IntexusDial -> Dialer.Generic : Ignored
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000} -> Spyware.ISTBar : Ignored
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D6711C8-7154-40BB-8380-3DEA45B69CBF} -> TrojanDownloader.WebP2P : Ignored
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Ignored
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5 -> Spyware.DesktopTraffic : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\eeennn -> Spyware.DesktopTraffic : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\kkws -> Spyware.DesktopTraffic : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\ppops -> Spyware.DesktopTraffic : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\reel -> Spyware.DesktopTraffic : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\ssites -> Spyware.DesktopTraffic : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\intexp -> Spyware.IEPlugin : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\intexp\Config -> Spyware.IEPlugin : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Ignored
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Ignored
:mozilla.14:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.15:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.19:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.30:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Linksynergy : Ignored
:mozilla.31:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Linksynergy : Ignored
:mozilla.67:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.68:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.70:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Findwhat : Ignored
:mozilla.71:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.72:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.73:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.74:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.77:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.100:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Addynamix : Ignored
:mozilla.105:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored
:mozilla.108:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adtrak : Ignored
:mozilla.120:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.121:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.122:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.123:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.124:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.125:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.126:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.128:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Overture : Ignored
:mozilla.129:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Overture : Ignored
:mozilla.146:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.147:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.148:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.169:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Linksynergy : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@2o7[1].txt -> Spyware.Cookie.2o7 : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@adtrak[1].txt -> Spyware.Cookie.Adtrak : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@advertising[1].txt -> Spyware.Cookie.Advertising : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@atdmt[1].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@ehg-stampsdotcom.hitbox[1].txt -> Spyware.Cookie.Hitbox : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@findwhat[1].txt -> Spyware.Cookie.Findwhat : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@hitbox[2].txt -> Spyware.Cookie.Hitbox : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@overture[1].txt -> Spyware.Cookie.Overture : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Ignored
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Ignored
C:\Documents and Settings\Christopher Cobian\My Documents\Madness Interactive\madness.exe -> TrojanDropper.Decept.30.a : Ignored
C:\Documents and Settings\Christopher Cobian\My Documents\My Received Files\Messenger Plus! - Setup.exe/sponsor.exe -> TrojanDownloader.Swizzor.ag : Ignored
C:\Documents and Settings\Christopher Cobian\My Documents\worms 3d\Worms3D.exe -> Heuristic.Win32.Backdoor.IrcBot : Ignored
C:\Program Files\GDiVX Player\SuperBarInstall.exe -> Spyware.SuperBar : Ignored
C:\RECYCLER\NPROTECT\00909486.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00909491.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00909569.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00909574.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00909816.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910357.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910360.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910387.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910391.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910394.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910396.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910399.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910436.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910712.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910757.EXE -> Adware.BetterInternet : Ignored
C:\RECYCLER\NPROTECT\00910773.exe -> Adware.BetterInternet : Ignored
C:\RECYCLER\S-1-5-21-1343024091-1202660629-725345543-1004\Dc4.exe -> Adware.BetterInternet : Ignored
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Dialer.Generic : Ignored
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Ignored
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Ignored
C:\WINDOWS\system32\nsb15.dll -> Spyware.Beginto : Ignored
C:\WINDOWS\system32\nsd20.dll -> Spyware.Beginto : Ignored
C:\WINDOWS\system32\nsk1B.dll -> Spyware.Beginto : Ignored
C:\WINDOWS\system32\oeqbyfw.exe -> Adware.BetterInternet : Ignored
C:\WINDOWS\system32\thin-94-1-x-x.exe -> Adware.BetterInternet : Ignored
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Ignored
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Ignored


::Report End
  • 0

#4
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Hi again!

Please print these instructions out, or write them down, as you can't read them during the fix.

Download & install;
CleanUp

Don't run it yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Update Ewido to its latest definitions but don't run it yet!

Please run a scan with HiJackThis, and check the following objects for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com/cobian
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O2 - BHO: free loud - {DDBF5BF8-7BD1-D09B-A631-1DA16F62210B} - C:\PROGRA~1\GREYHE~1\SIZEAMOK.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: (no name) - {99345E16-7F77-46F0-8D12-01802D3434D4} - (no file)
O3 - Toolbar: LESS SHIM - {B78B490A-768A-6036-D316-2D3564741E7F} - C:\PROGRA~1\GREYHE~1\SIZEAMOK.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [savenow] C:\WINDOWS\savenow.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [pvpacf] c:\windows\system32\sqfcpnv.exe r
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hbjydxgw.exe


Make sure only HJT is running, and the above mentioned objects are checked, then hit "Fix Checked".

Exit it.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, using Windows Explorer, locate the following files/folders and delete if present;

C:\Program Files\Media Gateway\ <= Entire Folder
C:\WINDOWS\savenow.exe
C:\WINDOWS\wupdt.exe
c:\windows\system32\sqfcpnv.exe
C:\WINDOWS\system32\richup.exe
C:\PROGRA~1\GREYHE~1\ <= Entire Folder
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\richedtr.dll


Launch Ad-aware and do a full scan. Remove all it finds.

Now do a full scan in Ewido Security Suite, save the log it produces & let it fix anything it finds!

Run CleanUp! making sure to reboot.

Run a new scan with HiJackThis and post the fresh log here along with the Ewido log.

- Rawe :tazz:
  • 0
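The entries Rawe picks out above fall into a few recognisable patterns: IE start/search pages rewritten in the registry (R0/R1), BHOs, toolbars and services whose file is already gone ("(no file)", "(file missing)"), autoruns launched from a Temp directory, and a system.ini Shell= line that starts something besides Explorer.exe. The script below is an added example, not part of the thread and not HijackThis' own logic: it parses HJT v1.99-style log lines and applies those heuristics so a helper can get a first-pass review list instead of reading 150 lines by eye. The sample lines are copied from the logs quoted in this thread; the classification rules and the `Finding` type are this example's own assumptions.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread).

Heuristics are the example author's, chosen to mirror the entry types Rawe
listed for removal above; they produce a review list, not a verdict.
"""
import re
from dataclasses import dataclass

# Sample input: a constructed subset of the log lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com/cobian
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: LESS SHIM - {B78B490A-768A-6036-D316-2D3564741E7F} - C:\PROGRA~1\GREYHE~1\SIZEAMOK.dll (file missing)
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4" or "O23"
    reason: str    # why the line deserves a human look
    line: str      # the original log line


# Every HJT entry starts with a section code, a dash, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# Path fragments (lower-cased) from which a legitimate autorun rarely starts.
SUSPICIOUS_PATH_PARTS = ("\\temp\\", "\\recycler\\", "\\local settings\\", "\\locals~1\\")


def classify(line: str):
    """Return a Finding for a log line that matches one of the heuristics, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, process list, blank line
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()

    if sec.startswith("R"):
        # R0/R1: IE start and search URLs set in the registry; HJT lists them
        # precisely so the reader can confirm the user chose that URL.
        return Finding(sec, "IE start/search setting from registry; confirm the URL is one the user chose", line)

    if sec == "F2" and "shell=" in low:
        # system.ini Shell= should be exactly Explorer.exe; anything appended runs at logon.
        shell_value = body.split("Shell=", 1)[1].strip()
        if shell_value.lower() != "explorer.exe":
            return Finding(sec, "Shell= launches something besides Explorer.exe", line)
        return None

    if "(file missing)" in low or "(no file)" in low:
        # Registry still points at a component whose file is gone: a leftover to clean.
        return Finding(sec, "registration points at a file that no longer exists", line)

    if sec == "O4" and any(part in low for part in SUSPICIOUS_PATH_PARTS):
        return Finding(sec, "autorun launched from a temporary or recycler directory", line)

    if sec == "O23" and "unknown owner" in low:
        return Finding(sec, "service with no publisher; check the binary's path and signature", line)

    return None


def triage(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample prints seven review items (the two R lines, the Shell= line, the two missing-file BHO/toolbar entries, the Temp autorun and the SvcProc service) and stays silent on the Norton and ccApp lines. The allowlist-free design is deliberate: on a log like the one above the reader, not the script, decides whether an entry is wanted, so the heuristics only surface candidates.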

#5
Christopherc321

    New Member

  • Topic Starter
  • Member
  • 6 posts
Here it is.... They just keep coming back...*sigh*

Wupdsnff.exe <----- Do I need this file??? ;)
Found in C:\Windows
Cache32drelkge789aef5 <---- Do I need this file??? ;)
Found in C:\Windows\System32

:help: PLEASE!!! Or I might :tazz: and delete everything on my computer and I don't want to.


Logfile of HijackThis v1.99.1
Scan saved at 11:04:53 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Christopher Cobian\My Documents\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c282.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - http://messenger.zon...ss.cab30149.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FFFF005A-0001-101A-A3C9-08002B2F49FB} - http://web.cheapnet....ms/90G26464.exe
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:26:51 PM, 7/24/2005
+ Report-Checksum: B378F87B

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1D6711C8-7154-40BB-8380-3DEA45B69CBF} -> TrojanDownloader.WebP2P : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\IntexusDial -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D6711C8-7154-40BB-8380-3DEA45B69CBF} -> TrojanDownloader.WebP2P : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5 -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\eeennn -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\kkws -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\ppops -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\reel -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\drelkge789AEF5\ssites -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1343024091-1202660629-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adtrak : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Christopher Cobian\Application Data\Mozilla\Firefox\Profiles\gxc8pxy2.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@adtrak[1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\Cookies\christopher cobian@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\My Documents\backups\backup-20050724-183644-834.dll -> Spyware.ImiBar : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\My Documents\Madness Interactive\madness.exe -> TrojanDropper.Decept.30.a : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\My Documents\My Received Files\Messenger Plus! - Setup.exe/sponsor.exe -> TrojanDownloader.Swizzor.ag : Cleaned with backup
C:\Documents and Settings\Christopher Cobian\My Documents\worms 3d\Worms3D.exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup
C:\Program Files\GDiVX Player\SuperBarInstall.exe -> Spyware.SuperBar : Cleaned with backup
C:\RECYCLER\NPROTECT\00909486.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00909491.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00909569.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00909574.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00909816.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910357.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910360.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910387.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910391.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910394.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910396.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910399.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910436.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910712.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910757.EXE -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910773.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00910776.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00911020.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00911089.dll -> Spyware.ImiBar : Cleaned with backup
C:\RECYCLER\NPROTECT\00911091.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00911095.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00911115.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00911116.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00911138.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1343024091-1202660629-725345543-1004\Dc2.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\RECYCLER\S-1-5-21-1343024091-1202660629-725345543-1004\Dc3.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\ezlxxzzferj.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\nsb15.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\system32\nsd20.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\system32\nsk1B.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\system32\thin-94-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\tovpgp.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup


::Report End

Edited by Christopherc321, 25 July 2005 - 01:49 AM.


#6
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
- Rawe :tazz:

#7
Christopherc321

Christopherc321

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
********
12:20 PM: |··· Start of Session, Monday, July 25, 2005 ···|
12:20 PM: Spy Sweeper started
12:20 PM: Sweep initiated using definitions version 505
12:20 PM: Starting Memory Sweep
12:21 PM: Found Adware: abetterinternet
12:21 PM: Detected running threat: C:\WINDOWS\system32\DrPMon.dll (ID = 4127918)
12:22 PM: Memory Sweep Complete, Elapsed Time: 00:02:15
12:22 PM: Starting Registry Sweep
12:22 PM: Found Adware: begin2search
12:22 PM: HKCR\trfdsk.amo.1\ (3 subtraces) (ID = 4365071)
12:22 PM: HKCR\trfdsk.iiittt.1\ (3 subtraces) (ID = 4365072)
12:22 PM: HKCR\trfdsk.momo.1\ (3 subtraces) (ID = 4365073)
12:22 PM: HKCR\trfdsk.ohb.1\ (3 subtraces) (ID = 4365074)
12:22 PM: Found Adware: cas
12:22 PM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 4366244)
12:22 PM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 4366246)
12:22 PM: Found Adware: ieplugin
12:22 PM: HKCR\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\ (11 subtraces) (ID = 4389175)
12:22 PM: HKCR\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\ (11 subtraces) (ID = 4389183)
12:22 PM: HKCR\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\ (13 subtraces) (ID = 4389184)
12:22 PM: HKCR\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\ (13 subtraces) (ID = 4389185)
12:22 PM: HKCR\imitoolbar.bottomframe.1\ (3 subtraces) (ID = 4389186)
12:22 PM: HKCR\imitoolbar.leftframe.1\ (3 subtraces) (ID = 4389190)
12:22 PM: HKCR\imitoolbar.popupbrowser.1\ (3 subtraces) (ID = 4389192)
12:22 PM: HKCR\imitoolbar.popupwindow.1\ (3 subtraces) (ID = 4389194)
12:22 PM: HKCR\interface\{3e589169-86ad-44fe-b426-f0bf105d5582}\ (8 subtraces) (ID = 4389196)
12:22 PM: HKCR\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\ (8 subtraces) (ID = 4389197)
12:22 PM: HKCR\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\ (8 subtraces) (ID = 4389198)
12:22 PM: HKCR\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\ (8 subtraces) (ID = 4389199)
12:22 PM: HKCR\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\ (8 subtraces) (ID = 4389200)
12:22 PM: HKCR\interface\{e4458b4a-6149-4450-84f2-864adb7e8c52}\ (8 subtraces) (ID = 4389201)
12:22 PM: HKLM\software\classes\interface\{3e589169-86ad-44fe-b426-f0bf105d5582}\ (8 subtraces) (ID = 4389215)
12:22 PM: HKLM\software\classes\typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}\ (9 subtraces) (ID = 4389217)
12:22 PM: HKCR\typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}\ (9 subtraces) (ID = 4389249)
12:22 PM: HKCR\wbho.band.1\ (3 subtraces) (ID = 4389251)
12:22 PM: Found Adware: drsnsrch.com hijacker
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 4389253)
12:22 PM: Found Adware: internexus dialer
12:22 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/starinstall.ocx\ (2 subtraces) (ID = 4390027)
12:22 PM: Found Adware: privacyscan
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\in3rd\ (3 subtraces) (ID = 4398210)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || au3n5a7tionscode (ID = 4407471)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aub3d5om (ID = 4407472)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || auc1o3d5eofsfinalad (ID = 4407473)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || auc3n5tfyl (ID = 4407474)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || auc3n5trmsgsdisp (ID = 4407475)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || auc3u5rrentsmode (ID = 4407476)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aud3s5tssend (ID = 4407477)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aue3v5nt (ID = 4407478)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aui3d5ofsinst (ID = 4407479)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aui3g5nores (ID = 4407480)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aui3n5progscab (ID = 4407481)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aui3n5progsex (ID = 4407482)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aui3n5progslstest (ID = 4407483)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aul3n5title (ID = 4407484)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aum3o5dessync (ID = 4407485)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aup3d5om (ID = 4407486)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aus3t5atusofsinst (ID = 4407487)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aus3t5icky1s (ID = 4407488)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aus3t5icky2s (ID = 4407489)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aus3t5icky3s (ID = 4407490)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aus3t5icky4s (ID = 4407491)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aut3h5rshsbath (ID = 4407492)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aut3h5rshschecksin (ID = 4407493)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aut3h5rshsmots (ID = 4407494)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aut3h5rshsyssinf (ID = 4407495)
12:22 PM: HKU\S-1-5-21-1343024091-1202660629-725345543-1004\software\aurora\ || aut3i5m7eofsfinalad (ID = 4407496)
12:22 PM: HKLM\software\microsoft\windows\currentversion\uninstall\abi-1\ (6 subtraces) (ID = 4407772)
12:22 PM: HKLM\system\currentcontrolset\control\print\monitors\zepmon\ (1 subtraces) (ID = 4407796)
12:22 PM: HKLM\system\currentcontrolset\services\svcproc\ (12 subtraces) (ID = 4407797)
12:22 PM: Found Adware: winad
12:22 PM: HKCR\appid\mediagateway.exe\ (1 subtraces) (ID = 4408841)
12:22 PM: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 4408842)
12:22 PM: HKCR\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 4408844)
12:22 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 4408846)
12:22 PM: HKCR\mediagateway.installer\ (5 subtraces) (ID = 4408850)
12:22 PM: HKLM\software\classes\appid\mediagateway.exe\ (1 subtraces) (ID = 4408858)
12:22 PM: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 4408859)
12:23 PM: HKLM\software\classes\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 4408861)
12:23 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 4408863)
12:23 PM: HKLM\software\classes\mediagateway.installer\ (5 subtraces) (ID = 4408867)
12:23 PM: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 4408871)
12:23 PM: HKLM\software\media gateway\ (5 subtraces) (ID = 4408878)
12:23 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 4408881)
12:23 PM: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 4408944)
12:23 PM: Registry Sweep Complete, Elapsed Time:00:00:09
12:23 PM: Starting Cookie Sweep
12:23 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:23 PM: Starting File Sweep
12:23 PM: Found Adware: sexdownloader
12:23 PM: c:\windows\bdibv4 (1 subtraces) (ID = 4119151)
12:23 PM: Found Adware: internetoptimizer
12:23 PM: c:\windows\stwsi (ID = 4106249)
12:23 PM: 00912009.exe (ID = 4128372)
12:23 PM: svcproc.exe (ID = 4128208)
12:27 PM: drpmon.dll (ID = 4127918)
12:33 PM: 00912008.exe (ID = 4105477)
12:35 PM: 00912007.exe (ID = 4128208)
12:36 PM: abiuninst.htm (ID = 4127732)
12:39 PM: Found Adware: visfx
12:39 PM: vfx8.0-1.exe (ID = 4127681)
12:39 PM: File Sweep Complete, Elapsed Time: 00:16:12
12:39 PM: Full Sweep has completed. Elapsed time 00:18:39
12:39 PM: Traces Found: 359
12:59 PM: Removal process initiated
12:59 PM: Quarantining All Traces: abetterinternet
12:59 PM: Quarantining All Traces: begin2search
12:59 PM: Quarantining All Traces: cas
12:59 PM: Quarantining All Traces: ieplugin
12:59 PM: Quarantining All Traces: drsnsrch.com hijacker
12:59 PM: Quarantining All Traces: internexus dialer
12:59 PM: Quarantining All Traces: privacyscan
12:59 PM: Quarantining All Traces: winad
12:59 PM: Quarantining All Traces: sexdownloader
12:59 PM: Quarantining All Traces: internetoptimizer
12:59 PM: Quarantining All Traces: visfx
12:59 PM: Preparing to restart your computer. Please wait...
12:59 PM: Removal process completed. Elapsed time 00:00:28
1:01 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000058
1:01 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
1:01 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
********
12:15 PM: |··· Start of Session, Monday, July 25, 2005 ···|
12:15 PM: Spy Sweeper started
12:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000058
12:20 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
12:20 PM: |··· End of Session, Monday, July 25, 2005 ···|

#8
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, can you please run CleanUp!, making sure to reboot.
Run a scan with Trend Micro.
It's a free online A/V scan - use the "Auto-clean" option, save the log it produces and post it along with a fresh HiJackThis log.

- Rawe :tazz:

#9
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.