abi removal HELP PLEASE!
Join Date: Jul 2005
Posts: 4
Reputation:
Solved Threads: 0
Please help me remove aurora...
Logfile of HijackThis v1.99.1
Scan saved at 7:18:50 PM, on 7/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\isrvs\desktop.exe
c:\windows\system32\aqxdwce.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\lqlukfxjac.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TINA'S\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Var2Helper Class - {7412C042-43B8-4F63-AEF3-E786DFAD1484} - C:\WINDOWS\System32\imwire29.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\req.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [rmixpip] c:\windows\system32\aqxdwce.exe r
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: req - C:\WINDOWS\System32\req.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thank you!
Tina
Last edited by dlh6213; Jul 20th, 2005 at 11:44 am. Reason: Change font for easier reading
Join Date: Jul 2004
Posts: 2,964
Reputation:
Solved Threads: 210
Hi Tina, welcome to DaniWeb 
Please follow the suggestions in these threads (in sequence):
http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html
http://www.daniweb.com/techtalkforums/thread28196.html
When you scan with HijackThis, have it fix the following (in addition to what was in the previous thread):
All of the R1 and R0 entries except:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
And all of the O1 entries.
Then go to post #5 (of the Specific Fix thread) and follow those instructions.
Post a new HijackThis log when the suggested steps have been completed, along with the Ewido log (from the instructions in post #5).

Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
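The selection rule in the reply above (fix every R0 and R1 entry except the two Yahoo start-page lines, plus every O1 entry), as an added example that is not part of the original thread. It runs on an excerpt of the log posted here; the function names are illustrative, and the hosts summary goes slightly beyond the reply by collapsing the repeated O1 lines into unique redirects.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log posted at the top of this thread (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# The two entries the reply says to leave alone, copied from that reply.
KEEP = {
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")        # "R1 - ...", "O23 - ..."
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")    # "O1 - Hosts: <ip> <hostname>"


def parse_entries(log_text):
    """Return (section_code, full_line) for every HijackThis entry line.

    Header lines and the running-process paths do not match and are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def select_fixes(entries, keep=KEEP):
    """Apply the reply's rule: every R0/R1 line not in `keep`, plus every O1 line."""
    return [line for code, line in entries
            if (code in ("R0", "R1") and line not in keep) or code == "O1"]


def summarize_hosts(entries):
    """Collapse repeated O1 lines into unique (ip, hostname) redirects with counts."""
    counts = Counter()
    for code, line in entries:
        m = HOSTS_RE.match(line)
        if code == "O1" and m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("Entries to tick in HijackThis:")
    for line in select_fixes(entries):
        print("  " + line)
    print("Unique hosts-file redirects:")
    for (ip, host), n in sorted(summarize_hosts(entries).items()):
        print(f"  {host} -> {ip} (listed {n}x)")
```
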
Join Date: Jul 2005
Posts: 4
Reputation:
Solved Threads: 0
Hi,
I think I did something wrong. I followed your suggestions and had a problem with post #5 procedures. I downloaded nailfix, but not sure if I did it right, since I did not see "Nailfix.cmd" on the desktop when I rebooted in safe mode, nor did I see the Hijackthis.exe icon which I have already downloaded. The only icons in safe mode are IE, ewido, and mozilla. So I tried to download nailfix again from noidea website, and when I reboot in normal mode, an error message comes up "Windows cannot find C:\windows\nail.exe. Make sure typed name correctly, then try again"
Please help, or did I royally screw up?
Thanks, Tina
Originally Posted by dlh6213
Hi Tina, welcome to DaniWeb
Please follow the suggestions in these threads (in sequence):
http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html
http://www.daniweb.com/techtalkforums/thread28196.html
When you scan with HijackThis, have it fix the following (in addition to what was in the previous thread):
All of the R1 and R0 entries except:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
And all of the O1 entries.
Then go to post #5 (of the Specific Fix thread) and follow those instructions.
Post a new HijackThis log when the suggested steps have been completed, along with the Ewido log (from the instructions in post #5).
Join Date: Jul 2004
Posts: 2,964
Reputation:
Solved Threads: 210
When you booted into Safe Mode, did you log in as Administrator or Tina?
That error just means that nail has been successfully cleaned up (a good thing), but something else is still trying to find it; we just need to get the rest cleaned up. Were you able to eventually run nailfix?
Please post a new HijackThis log, and the Ewido log, so we can see where you are now.
Join Date: Jul 2005
Posts: 4
Reputation:
Solved Threads: 0
Hello,
Thanks for your reply. I have included a recent ewido and HJT log. I tried to follow the instructions on post #5, but could not find the entry to fix in HJT:
023 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
In safe mode, I logged in as administrator.
These logs were made in normal mode.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:24:00 AM, 7/22/2005
+ Report-Checksum: E1167BBC
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6DF5E318-6994-4A41-85BD-45CCADA616F8} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7412C042-43B8-4F63-AEF3-E786DFAD1484} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7412C042-43B8-4F63-AEF3-E786DFAD1484} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Spyware.MoneyMaker : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\delprot -> Spyware.iSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Security -> Spyware.iSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Enum -> Spyware.iSearch : Cleaned with backup
C:\1.exe -> TrojanDropper.Delf.jm : Cleaned with backup
:mozilla.20:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.28:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.29:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.32:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.40:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.42:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.49:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.50:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.51:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.52:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.53:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.68:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.85:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.86:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.93:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.127:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.128:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.149:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.150:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.151:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.152:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.153:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.154:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.155:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.156:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.157:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.158:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.159:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.160:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.161:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.162:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.163:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.174:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.180:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.216:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.217:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.218:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.219:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.220:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.226:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.227:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.228:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.236:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.242:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.246:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.253:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.267:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.268:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.310:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\cxtpls_loader.exe -> TrojanDownloader.Apropo.r : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\EWX\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\FPL\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\idcs50202.exe -> Spyware.iSearch : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.cy : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\SSF\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\temp.fr9F8F\EbatesMoeMoneyMaker0.exe -> Spyware.WebRebates : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\THI758.tmp\wupdt.exe -> TrojanDownloader.Intexp.b : Cleaned with backup
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar/content/isearch/isearch.js -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ceres.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\isrvs\desktop.exe -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\isrvs\edmond.exe -> Trojan.Isearch : Cleaned with backup
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a : Cleaned with backup
C:\WINDOWS\system32\in10b6s.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\kdlpvo.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\thinInstall12.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\winpack.exe -> TrojanDownloader.Agent.gg : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
::Report End
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:50:35 PM, 7/24/2005
+ Report-Checksum: 4E62A1FF
+ Scan result:
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
:mozilla.8:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.137:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.138:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\WINDOWS\lqlukfxjac.exe -> Adware.BetterInternet : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 2:54:27 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\TINA'S\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\req.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [poonek] c:\windows\system32\kdlpvo.exe r
O4 - HKLM\..\Run: [ydmf] C:\WINDOWS\ydmf.exe
O4 - HKLM\..\Run: [vareucvmaj] C:\WINDOWS\System32\bmrvpn.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMwire] C:\WINDOWS\System32\imwireup.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [winnls] C:\WINDOWS\System32\winnls.exe
O4 - HKCU\..\Run: [msrd3x40] C:\WINDOWS\System32\msrd3x40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: req - C:\WINDOWS\System32\req.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thank you,
Tina
Thanks for your reply. I have included a recent ewido and HJT log. I tried to follow the instructions on post #5, but could not find the entry to fix in HJT:
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
In safe mode, I logged in as administrator.
These logs were made in normal mode.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:24:00 AM, 7/22/2005
+ Report-Checksum: E1167BBC
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6DF5E318-6994-4A41-85BD-45CCADA616F8} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7412C042-43B8-4F63-AEF3-E786DFAD1484} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7412C042-43B8-4F63-AEF3-E786DFAD1484} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Spyware.MoneyMaker : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\delprot -> Spyware.iSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Security -> Spyware.iSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Enum -> Spyware.iSearch : Cleaned with backup
C:\1.exe -> TrojanDropper.Delf.jm : Cleaned with backup
:mozilla.20:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.28:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.29:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.32:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.40:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.42:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.49:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.50:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.51:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.52:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.53:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.68:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.85:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.86:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.93:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.127:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.128:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.149:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.150:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.151:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.152:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.153:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.154:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.155:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.156:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.157:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.158:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.159:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.160:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.161:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.162:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.163:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.174:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.180:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.216:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.217:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.218:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.219:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.220:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.226:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.227:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.228:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.236:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.242:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.246:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.253:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.267:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.268:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.310:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\TINA'S\Cookies\tina's@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\cxtpls_loader.exe -> TrojanDownloader.Apropo.r : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\EWX\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\FPL\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\idcs50202.exe -> Spyware.iSearch : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.cy : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\SSF\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\temp.fr9F8F\EbatesMoeMoneyMaker0.exe -> Spyware.WebRebates : Cleaned with backup
C:\Documents and Settings\TINA'S\Local Settings\Temp\THI758.tmp\wupdt.exe -> TrojanDownloader.Intexp.b : Cleaned with backup
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar/content/isearch/isearch.js -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ceres.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\isrvs\desktop.exe -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\isrvs\edmond.exe -> Trojan.Isearch : Cleaned with backup
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a : Cleaned with backup
C:\WINDOWS\system32\in10b6s.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\kdlpvo.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\thinInstall12.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\winpack.exe -> TrojanDownloader.Agent.gg : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
::Report End
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:50:35 PM, 7/24/2005
+ Report-Checksum: 4E62A1FF
+ Scan result:
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-4147624450-2210884689-3932758423-1007\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
:mozilla.8:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.137:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.138:C:\Documents and Settings\TINA'S\Application Data\Mozilla\Firefox\Profiles\bwsnnou9.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\WINDOWS\lqlukfxjac.exe -> Adware.BetterInternet : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 2:54:27 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\TINA'S\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\req.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [poonek] c:\windows\system32\kdlpvo.exe r
O4 - HKLM\..\Run: [ydmf] C:\WINDOWS\ydmf.exe
O4 - HKLM\..\Run: [vareucvmaj] C:\WINDOWS\System32\bmrvpn.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMwire] C:\WINDOWS\System32\imwireup.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [winnls] C:\WINDOWS\System32\winnls.exe
O4 - HKCU\..\Run: [msrd3x40] C:\WINDOWS\System32\msrd3x40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: req - C:\WINDOWS\System32\req.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thank you,
Tina
Originally Posted by dlh6213
When you booted into Safe Mode, did you log in as Administrator or Tina?
That error just means that nail has been successfully cleaned up (a good thing), but something else is still trying to find it; we just need to get the rest cleaned up. Were you able to eventually run nailfix?
Please post a new HijackThis log, and the Ewido log, so we can see where you are now.
Last edited by tinacolo1717; Jul 24th, 2005 at 6:08 pm. Reason: add to entry
Join Date: Jul 2004
Posts: 2,964
Reputation:
Solved Threads: 210
Download, install, update, and run CCleaner -- http://www.filehippo.com/download/Qi.../download.html
Open Firefox, go to Tools, Options, and then click on Privacy (padlock icon on the left); click on the Clear All button.
Go to Add/Remove Programs in your Control Panel and remove the following, if present.
180Solutions
BullsEye Network (or BullsEye)
Ezula
PartyPoker
Web Offer
Disconnect from the net and reboot into Safe Mode; this time try logging in under Tina.
Double-click on the Nailfix.cmd that is on your desktop (hopefully). Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido, allowing it to fix whatever it finds (yes, again; please post the new log with your next reply).
Still in Safe Mode, scan with HijackThis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\req.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [poonek] c:\windows\system32\kdlpvo.exe r
O4 - HKLM\..\Run: [ydmf] C:\WINDOWS\ydmf.exe
O4 - HKLM\..\Run: [vareucvmaj] C:\WINDOWS\System32\bmrvpn.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [IMwire] C:\WINDOWS\System32\imwireup.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [winnls] C:\WINDOWS\System32\winnls.exe
O4 - HKCU\..\Run: [msrd3x40] C:\WINDOWS\System32\msrd3x40.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...l_v1-0-3-12.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: req - C:\WINDOWS\System32\req.dll (file missing)
Close any open windows, other than HijackThis, and click on Fix checked.
Go to the following locations and delete the highlighted files and folders:
C:\WINDOWS\Nail.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\ydmf.exe
C:\WINDOWS\conscorr.exe
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\System32\req.dll
C:\windows\system32\kdlpvo.exe
C:\WINDOWS\System32\winpack.exe
C:\WINDOWS\System32\winnls.exe
C:\WINDOWS\System32\msrd3x40.exe
C:\WINDOWS\System32\bmrvpn.exe
C:\WINDOWS\System32\imwireup.exe
C:\WINDOWS\isrvs
C:\Program Files\Common files\updater
C:\Program Files\180solutions
C:\Program Files\BullsEye Network
C:\Program Files\Web Offer
C:\Program Files\ezula
C:\Program Files\PartyPoker
Empty your Recycle Bin and reboot normally.
Close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.
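A cross-check for the two lists above, as an added example that is not part of the original post: it pulls the file path out of each HijackThis entry being fixed and reports any path that the delete list does not cover. The regular expressions, function names and the PROGRA~1 mapping are assumptions of this example; the sample lines are a subset copied from the thread.

```python
import re

# Subset of the "fix" entries from this thread, embedded so the example runs offline.
FIX_ENTRIES = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\req.dll (file missing)
O4 - HKLM\..\Run: [poonek] c:\windows\system32\kdlpvo.exe r
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

# Subset of the files and folders the post says to delete.
DELETE_LIST = r"""
C:\WINDOWS\Nail.exe
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\System32\req.dll
C:\windows\system32\kdlpvo.exe
C:\WINDOWS\isrvs
C:\Program Files\180solutions
C:\Program Files\Web Offer
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the rest
PATH_RE = re.compile(r"[A-Za-z]:\\[^,]*?\.(?:exe|dll|cab)", re.IGNORECASE)

def normalize(path):
    """Lower-case a path; assumes PROGRA~1 is the short name of Program Files."""
    return path.strip().lower().replace("progra~1", "program files")

def parse_entries(log_text):
    """Return (section_code, normalized_path_or_None) for every log entry."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            pm = PATH_RE.search(m.group(2))
            entries.append((m.group(1), normalize(pm.group(0)) if pm else None))
    return entries

def uncovered(log_text, delete_text):
    """Entries whose file is neither listed nor inside a listed folder."""
    targets = [normalize(t) for t in delete_text.splitlines() if t.strip()]
    return [(code, path) for code, path in parse_entries(log_text)
            if path and not any(path == t or path.startswith(t + "\\")
                                for t in targets)]

if __name__ == "__main__":
    for code, path in uncovered(FIX_ENTRIES, DELETE_LIST):
        print(f"{code}: {path} is referenced by a fixed entry but not in the delete list")
```

On this sample the only path reported is the one referenced by the O16 entry, which the delete list does not name; every other entry resolves to a listed file or to a file inside a listed folder.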
Join Date: Jul 2005
Posts: 4
Solved Threads: 0
Hi,
I still can't get it to work! I have followed instructions until I reboot in Safe Mode; I can't log in as Tina, there is only the Administrator option. When I do log in, there is no Nailfix icon.
I tried uninstalling and downloading Nailfix again, but an error still comes up that states, "cannot find Windows/nailfix.exe." Do I need to use WinZip to unzip/extract the file?
I'm sorry if I'm a pain. :rolleyes:
Thanks,
Tina
Originally Posted by dlh6213
Download, install, update, and run CCleaner -- http://www.filehippo.com/download/Qi.../download.html
Open Firefox, go to Tools, Options, and then click on Privacy (padlock icon on the left); click on the Clear All button.
Go to Add/Remove Programs in your Control Panel and remove the following, if present.
180Solutions
BullsEye Network (or BullsEye)
Ezula
PartyPoker
Web Offer
Disconnect from the net and reboot into Safe Mode; this time try logging in under Tina.
Double-click on the Nailfix.cmd that is on your desktop (hopefully). Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido, allowing it to fix whatever it finds (yes, again; please post the new log with your next reply).
Still in Safe Mode, scan with HijackThis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\req.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [poonek] c:\windows\system32\kdlpvo.exe r
O4 - HKLM\..\Run: [ydmf] C:\WINDOWS\ydmf.exe
O4 - HKLM\..\Run: [vareucvmaj] C:\WINDOWS\System32\bmrvpn.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [IMwire] C:\WINDOWS\System32\imwireup.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [winnls] C:\WINDOWS\System32\winnls.exe
O4 - HKCU\..\Run: [msrd3x40] C:\WINDOWS\System32\msrd3x40.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...l_v1-0-3-12.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: req - C:\WINDOWS\System32\req.dll (file missing)
Close any open windows, other than HijackThis, and click on Fix checked.
Go to the following locations and delete the highlighted files and folders:
C:\WINDOWS\Nail.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\ydmf.exe
C:\WINDOWS\conscorr.exe
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\System32\req.dll
C:\windows\system32\kdlpvo.exe
C:\WINDOWS\System32\winpack.exe
C:\WINDOWS\System32\winnls.exe
C:\WINDOWS\System32\msrd3x40.exe
C:\WINDOWS\System32\bmrvpn.exe
C:\WINDOWS\System32\imwireup.exe
C:\WINDOWS\isrvs
C:\Program Files\Common files\updater
C:\Program Files\180solutions
C:\Program Files\BullsEye Network
C:\Program Files\Web Offer
C:\Program Files\ezula
C:\Program Files\PartyPoker
Empty your Recycle Bin and reboot normally.
Close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Hi Tina,
You're not being a pain. We'll try this first; if you still don't have it on the Administrator's desktop, we can try saving it somewhere else.
Open Internet Explorer and click on this link (for Nailfix):
http://www.noidea.us/easyfile/file.p...50515010747824
When the 'File Download' window comes up, click on Open; a new window should pop up named 'Nailfix.zip' and on the left side there should be an option to Extract all files. Click on that box and the Extraction Wizard should come up. Click Next, and in the next window select Browse. A 'Select a destination' window will come up; find Desktop and click on it to highlight it, click OK, and you will be brought back to the Wizard. Click Next, and then Finish.
Nailfix.cmd should now be on your desktop; try rebooting into Safe Mode and logging in as Administrator, and see if the file is now on the desktop. If it is, follow the Aurora removal instructions.
If it's still not there (or you can do this initially if you think it will be easier), reboot normally and follow the above instructions for downloading and extracting Nailfix, but this time when you select a destination, go to 'My Computer,' then your 'C' drive, 'Windows,' 'Temp;' click OK, then Next, and Finish.
Now when you boot into Safe Mode and log in as Administrator, go to C:\WINDOWS\Temp and Nailfix.cmd should be there. You should now move it to the desktop so it doesn't get deleted accidentally.
Now that the file is on the desktop, follow the Aurora removal instructions.
(Sorry if this seems long, just want to make sure you're able to get it)