Member Avatar for trosttc

I followed all of the instructions that were sent to italianpest, e.g. running nailfix, ewido, etc. Please check my hijackthis log to see if I've missed anything, because I'm not convinced that I've completely removed the aurora pest. I do a lot of Internet surfing and shopping, and I'm afraid that I've overloaded my registries with junk. If you see anything "useless", please let me know.

Thanks a million.
Cindy

Logfile of HijackThis v1.99.1
Scan saved at 3:23:49 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cindy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [szcoigp] c:\windows\system32\xgzfhmo.exe r
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: FlingIt - {83802292-824F-44b7-AD3F-75745CE7EE28} - C:\handheld computer\FlingIt\FlingIt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {779844B5-6D28-414C-ABF1-8397EBE7B048} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BAF775D7-142D-4EB3-B72D-38BC6B302274} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

There are still a couple of "nasties" indicated in your log, but the list of running processes in the log looks pretty short for a normal XP system. Did you run that HijackThis scan in Safe Mode? If so, please post a log generated while booted in Windows normally.

Member Avatar for trosttc

You could be right about Safe Mode. In any event, Aurora is back with a vengeance. Here is the HJ log in normal mode (and thanks for your help in advance).

Logfile of HijackThis v1.99.1
Scan saved at 8:58:15 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\windows\system32\hsgrhoj.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Cindy\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vhikjhv] c:\windows\system32\hsgrhoj.exe r
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: FlingIt - {83802292-824F-44b7-AD3F-75745CE7EE28} - C:\handheld computer\FlingIt\FlingIt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {779844B5-6D28-414C-ABF1-8397EBE7B048} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BAF775D7-142D-4EB3-B72D-38BC6B302274} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I don't know if these are the exact "nailfix" instructions you used before, but even if so, please do the following:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
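
As an added illustration of what the replies above are checking (this is not code from the thread, from HijackThis or from Ewido), the Python script below parses lines in HijackThis v1.99.1 format, flags the entry types singled out here (the Shell= hook to Nail.exe, a random-named Run entry in system32, orphaned toolbar and service registrations) and guesses from the process list whether a scan was taken in Safe Mode, as the first reply did. The sample log, the process-count threshold and the random-name pattern are constructed assumptions, not rules from any tool.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not from the thread).

The checks are heuristics, not signatures: they flag the kinds of entries the
replies above point at and guess from the process list whether the scan was
taken in Safe Mode.
"""
import re

# Constructed sample log: a cut-down mix of entries in the shape seen in this
# thread (short Safe-Mode-like process list, Nail.exe shell hook, random-named
# Run entry, orphaned toolbar and service). Not a real full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cindy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vhikjhv] c:\windows\system32\hsgrhoj.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# A HijackThis entry line starts with its section code, e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 body: "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# Assumed pattern for machine-generated names such as "vhikjhv" / "hsgrhoj".
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}$")


def _basename(path):
    """Last path component, lower-cased, with surrounding quotes dropped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Split a log into (running_processes, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def looks_like_safe_mode(processes, normal_minimum=12):
    """Heuristic: a Safe Mode boot starts very few processes and no print spooler.

    The first log in this thread lists 8 processes and no spoolsv.exe; the
    normal-mode one lists 36. The threshold is an assumption for this example.
    """
    names = {_basename(p) for p in processes}
    return len(processes) < normal_minimum and "spoolsv.exe" not in names


def flag_entries(entries):
    """Return [(section, reason, body)] for entries that merit a closer look."""
    flagged = []
    for section, body in entries:
        reason = None
        if section == "F2" and "Shell=" in body:
            # Only Explorer.exe belongs in the system.ini Shell= value.
            tokens = body.split("Shell=", 1)[1].split()
            extra = [t for t in tokens if _basename(t) != "explorer.exe"]
            if extra:
                reason = "Shell= loads more than Explorer.exe: " + " ".join(extra)
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                name, cmd = m.group(2), m.group(3)
                parts = cmd.split()
                exe = _basename(parts[0]) if parts else ""
                if (exe.endswith(".exe") and RANDOM_NAME_RE.match(name)
                        and RANDOM_NAME_RE.match(exe[:-4])
                        and "system32" in parts[0].lower()):
                    reason = "Run entry with random-looking name and executable"
        elif section == "O23" and "(file missing)" in body:
            reason = "service whose binary is missing" + (
                " (Unknown owner)" if "Unknown owner" in body else "")
        elif section in ("O2", "O3") and "(no file)" in body:
            reason = "orphaned BHO/toolbar registration with no file"
        if reason:
            flagged.append((section, reason, body))
    return flagged


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print("processes: %d, safe mode likely: %s" % (len(procs), looks_like_safe_mode(procs)))
    for section, reason, body in flag_entries(ents):
        print("%-4s %s\n     %s" % (section, reason, body))
```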

Member Avatar for trosttc

Thank you for your help. I followed all of your instructions with one exception:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe did not appear in HijackThis.

HijackThis Log (Normal mode, after fix)

Logfile of HijackThis v1.99.1
Scan saved at 5:42:55 PM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Cindy\Desktop\Hijack This\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: FlingIt - {83802292-824F-44b7-AD3F-75745CE7EE28} - C:\handheld computer\FlingIt\FlingIt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {779844B5-6D28-414C-ABF1-8397EBE7B048} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BAF775D7-142D-4EB3-B72D-38BC6B302274} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido log - in SAFE mode

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          5:38:59 PM, 6/22/2005
 + Report-Checksum:     5740DC4A

 + Scan result:

    :mozilla.16:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Tribalfusion
    :mozilla.17:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Tribalfusion
    :mozilla.18:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Tribalfusion
    :mozilla.19:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Tribalfusion
    :mozilla.20:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Tribalfusion
    :mozilla.25:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Adserver
    :mozilla.26:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Adserver
    :mozilla.27:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Doubleclick
    :mozilla.28:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Imrworldwide
    :mozilla.29:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Imrworldwide
    :mozilla.30:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Clickability
    :mozilla.31:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Atdmt
    :mozilla.32:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.33:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.34:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.35:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.40:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.41:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.42:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.43:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.44:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.45:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.46:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.47:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.48:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.49:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Advertising
    :mozilla.50:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Wwwcnn
    :mozilla.51:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Myway
    :mozilla.52:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Myway
    :mozilla.53:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Myway
    :mozilla.54:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Myway
    :mozilla.57:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Popuptraffic
    :mozilla.59:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Popuptraffic
    :mozilla.60:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Popuptraffic
    :mozilla.61:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Popuptraffic
    :mozilla.62:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Popuptraffic
    :mozilla.63:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Fastclick
    :mozilla.64:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Fastclick
    :mozilla.65:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Fastclick
    :mozilla.66:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Fastclick
    :mozilla.67:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Fastclick
    :mozilla.73:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Adjuggler
    :mozilla.108:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.2o7
    :mozilla.109:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.2o7
    :mozilla.110:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Mediaplex
    :mozilla.111:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Mediaplex
    :mozilla.117:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Zedo
    :mozilla.118:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Zedo
    :mozilla.119:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Zedo
    :mozilla.120:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Timeinc
    :mozilla.121:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Myaffiliateprogram
    :mozilla.122:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Specificclick
    :mozilla.123:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Specificclick
    :mozilla.124:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Specificclick
    :mozilla.125:C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\default.gcq\cookies.txt -> Spyware.Cookie.Specificclick
    C:\Program Files\Common Files\Intuit\Internet Client\msdun13.exe/iposr2.cab/wsock32.dll -> Worm.Mtx
    C:\Program Files\Common Files\Intuit\Internet Client\msdun13.exe/ipwin95.cab/wsock32.dll -> Worm.Happy
    C:\RECYCLER\NPROTECT\00000422.exe -> Trojan.Nail
    C:\RECYCLER\NPROTECT\00000423.EXE -> Spyware.BetterInternet
    C:\RECYCLER\NPROTECT\00000425.exe -> Trojan.Stervis.c
    C:\RECYCLER\NPROTECT\00000429.exe -> Spyware.BetterInternet
    C:\RECYCLER\NPROTECT\00000531.EXE -> Spyware.BetterInternet
    C:\RECYCLER\NPROTECT\00000622.EXE -> Spyware.BetterInternet
    C:\RECYCLER\NPROTECT\00000627.exe -> Spyware.BetterInternet
    C:\RECYCLER\NPROTECT\00000632.exe -> Trojan.Stervis.c
    C:\RECYCLER\NPROTECT\00000633.exe -> Trojan.Nail


::Report End

Good work- I see no signs of infections in your latest log. :)

There are a few (non-malicious) loose ends though:

1. Do you know what these entries reference? I'm not familiar with them:

O9 - Extra button: (no name) - {779844B5-6D28-414C-ABF1-8397EBE7B048} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BAF775D7-142D-4EB3-B72D-38BC6B302274} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)

If they relate to a program that you've uninstalled, have HijackThis fix the entries.


2. These are non-malicious entries, but they're also optional, non-critical processes which don't need to be automatically started every time you boot Windows. Disabling them can speed up Windows start-up and free up a bit of system resources. You can have HJT fix the entries if you want:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
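
The reply above applies two checks to the log: entries HijackThis itself marks as pointing at nothing ("(no file)" / "(file missing)"), which can be fixed outright, and O4 Run-key autostarts, which are reviewed one by one. The script below is an added example written for this page, not part of the thread or of HijackThis; it parses HJT 1.99-style lines into those two buckets and pulls the executable out of each Run-key command line so it can be checked against the disk. The sample lines are copied from the entries quoted in this thread; the `exists` parameter is an assumption of the example (injectable so the logic can be run on a machine other than the one the log came from).

```python
import os
import re
from typing import Any, Callable, Dict, List, Optional

# Constructed sample: the entry types discussed in this thread (O3 toolbar,
# O4 Run-key autostarts, O9 IE extra button); not a complete log.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O9 - Extra button: (no name) - {779844B5-6D28-414C-ABF1-8397EBE7B048} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
"""

# Matches "O4 - HKLM\..\Run: [Name] command line" (Run / RunOnce style keys).
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# Markers HijackThis prints when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def command_to_exe(command: str) -> str:
    """Pull the executable out of a Run-key command line.

    A quoted path keeps its embedded spaces ("C:\\Program Files\\..."); an
    unquoted command is split at the first space so arguments such as
    "/install" or "-osboot" are dropped.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_o4(line: str) -> Optional[Dict[str, Any]]:
    """Parse one O4 Run-key line into hive / key / name / command / exe."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    return {"hive": hive, "key": key, "name": name,
            "command": command, "exe": command_to_exe(command)}


def triage(log_text: str,
           exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[Any]]:
    """Split log lines into dead entries (safe to fix) and autostarts to review.

    `exists` is injectable (assumption of this example) so the same logic can
    be exercised away from the machine the log was taken on; the default
    checks the local filesystem.
    """
    orphans: List[str] = []
    autostarts: List[Dict[str, Any]] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if any(marker in raw for marker in ORPHAN_MARKERS):
            orphans.append(raw)
            continue
        entry = parse_o4(raw)
        if entry is None:
            continue  # other sections (O2, O3, R0, ...) are not handled here
        exe = entry["exe"]
        # A bare file name (no drive or directory) is resolved through PATH at
        # logon, so its presence cannot be checked without that search order.
        absolute = ":" in exe or exe.startswith("\\")
        entry["bare_name"] = not absolute
        entry["present"] = exists(exe) if absolute else None
        autostarts.append(entry)
    return {"orphans": orphans, "autostarts": autostarts}


if __name__ == "__main__":
    # Offline run: pretend every absolute path is present.
    report = triage(SAMPLE_LOG, exists=lambda p: True)
    print("Entries HijackThis already reports as missing (safe to fix):")
    for line in report["orphans"]:
        print("  ", line)
    print("Autostart entries to review:")
    for e in report["autostarts"]:
        flag = " [bare name, resolved via PATH]" if e["bare_name"] else ""
        print(f"   {e['hive']}\\{e['key']} [{e['name']}] -> {e['exe']}{flag}")
```

Run on the real machine with the default `exists`, an O4 entry whose `present` comes back `False` is one HijackThis has not flagged yet but that still points at nothing; an entry flagged `bare_name` (like `nwiz.exe /install`) is worth locating by hand, since whichever `nwiz.exe` is first on the PATH is what runs at logon.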

Member Avatar for trosttc

Thank you so very much! I really appreciate your help. I had HijackThis fix all of your suggested entries, and I'm up and running clean again.

Very good; glad we could help. :)

Could you please post one final HJT log so that we can review it and sign it off as "clean"? Thanks.
