
I have some problems with Aurora and Drpmon.dll, and I can't seem to remove it with ad-aware. Here is my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:37 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AIM\aim.exe
c:\windows\system32\ckosdl.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\en5orbf.dll (file missing)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [J5dNw] C:\WINDOWS\lujpwaa.exe
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rwkofy] c:\windows\system32\ckosdl.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [UWICKCD] F:\AUTORUN\UWICK.EXE F:\AUTORUN
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://download.35mb.com/images/dlapplet.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20CFFE22-5FF2-4C86-A1C3-6BD71C686420}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I really appreciate any help I get. Thanks in advance =)

3 Contributors, 13 Replies, 14 Views, 12 Years Discussion Span, Last Post by crunchie

The Aurora popups are popping up every time I touch the computer! I know that a lot of people have this problem and I've looked for the solution, but my HJT log is somewhat different from theirs. I truly beg for help!


Everyone's HJT logs will be different, because the contents and configurations of everyone's computers are different.

There is a standard Aurora fix though, which we can expand on to fit your particular system:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.

1) Open the Services utility in your Administrative Tools control panel.

In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

In the General tab of the Properties window that opens, click the Stop button.

Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

2) Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

3) Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

4) Next, reboot your computer in Safe Mode by doing the following:
   a) Restart your computer.
   b) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
   c) Instead of Windows loading as normal, a menu should appear.
   d) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

5) Once in Safe Mode:

Double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan,
and put a check in the box to the left of the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\en5orbf.dll (file missing)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [J5dNw] C:\WINDOWS\lujpwaa.exe
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [rwkofy] c:\windows\system32\ckosdl.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://download.35mb.com/images/dlapplet.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window.

In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK: svcproc

6) While still in Safe Mode:

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Locate and delete the following files (ewido may have deleted some of these already):

C:\WINDOWS\system32\en5orbf.dll 
C:\WINDOWS\lujpwaa.exe
p2pnetwork.exe
c:\windows\system32\ckosdl.exe
c:\counter.cab
C:\WINDOWS\svcproc.exe

For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1) Cookies
2) Local Settings\Temp
3) Local Settings\History
4) Local Settings\Temporary Internet Files

Delete the entire content of your C:\Windows\Temp folder.

Delete the entire content of your C:\Windows\Prefetch folder.

Note: If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

Empty your Recycle Bin.

7) Reboot normally and run HijackThis again. Post the new HJT log, as well as the scan log that ewido gave you.

Edited by mike_2000_17: Fixed formatting
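The reply above shows how a helper reads a HijackThis log: the entries it picks out are the ones whose referenced file is gone, RunServices autostarts, random-named executables dropped into the Windows directory, a file:// ActiveX source and a service with no publisher. As an added example that is not part of this thread and not HijackThis code, the Python script below parses HJT entry lines, applies heuristics of that kind, and diffs one log against a later one. The log excerpts are copied from the two logs posted in this thread; the `EXPECTED_HOSTS` allowlist, the `WINDOWS_ROOT` rule and the no-vowels check are my assumptions, and the output is a list of items to review, not a verdict.

```python
"""Triage HijackThis v1.99 log entries the way a forum helper reads them, and diff two logs."""
import ntpath
import re
from urllib.parse import urlparse

# Constructed excerpts copied from the two HijackThis logs posted in this thread
# (first log = before the fix, second log = after). Not the complete logs.
BEFORE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\en5orbf.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [J5dNw] C:\WINDOWS\lujpwaa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""
AFTER_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qmvpymw] c:\windows\system32\yjasshe.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
EXPECTED_HOSTS = {"ie.redirect.hp.com"}  # assumption: hosts this OEM build legitimately points IE at
WINDOWS_ROOT = r"c:\windows"             # assumption: executables dropped straight into %WINDIR% are unusual


def parse_log(text):
    """Return (section, body) for every entry line; header and process list do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _o4_target(body):
    """Executable launched by an O4 entry: the token after '[name] ', honouring quotes."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage(section, body):
    """Reasons an entry deserves a closer look (heuristics, not a verdict); empty if none."""
    reasons = []
    low = body.lower()
    if low.endswith("(no file)") or low.endswith("(file missing)"):
        reasons.append("references a file that no longer exists")
    if section == "O4":
        if "runservices" in low:
            reasons.append("RunServices key (Win9x-era autostart, rarely used by legitimate XP software)")
        name = re.search(r"\[([^\]]*)\]", body)
        if name and not re.search(r"[aeiou]", name.group(1), re.I):
            reasons.append("value name has no vowels (looks machine-generated)")
        target = _o4_target(body)
        if not ntpath.dirname(target):
            reasons.append("no directory given, so the name is resolved through the search path")
        elif ntpath.dirname(target).lower() == WINDOWS_ROOT:
            reasons.append("executable sits directly in the Windows directory")
    if section == "F2" and "shell=" in low:
        # Whitespace split is enough for the unquoted paths HijackThis prints in F2 lines.
        tokens = body[low.index("shell=") + len("shell="):].split()
        extras = [t for t in tokens if t.lower() != "explorer.exe"]
        if extras:
            reasons.append("extra shell executable besides Explorer.exe: " + " ".join(extras))
    if section == "O16" and "file://" in low:
        reasons.append("ActiveX download from a local file:// source")
    if section == "O23" and "unknown owner" in low:
        reasons.append("service with no publisher (Unknown owner)")
    if section in ("R0", "R1"):
        value = body.partition(" = ")[2]
        host = urlparse(value).hostname if value.startswith("http") else None
        if host and host not in EXPECTED_HOSTS:
            reasons.append("browser setting points at unexpected host " + host)
    return reasons


def triage_log(text):
    """Flagged entry line -> list of reasons, for one whole log."""
    found = [(f"{s} - {b}", triage(s, b)) for s, b in parse_log(text)]
    return {line: reasons for line, reasons in found if reasons}


def diff_logs(before, after):
    """(entries gone since the first log, entries new in the second log), both sorted."""
    old = {f"{s} - {b}" for s, b in parse_log(before)}
    new = {f"{s} - {b}" for s, b in parse_log(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for line, reasons in triage_log(BEFORE_LOG).items():
        print(line, "\n    ->", "; ".join(reasons))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries gone, {len(added)} new entries in the follow-up log:")
    for line in added:
        print("  NEW:", line, "->", "; ".join(triage(*line.split(" - ", 1))) or "nothing obvious")
```

Run against the two excerpts, the triage flags the same five first-log entries the reply told the poster to fix, and the diff shows what the first log did not have: the `F2 ... Shell=Explorer.exe C:\WINDOWS\Nail.exe` line, the `websearch.drsnsrch.com` search entries and two fresh O4 entries. A diff like this is the quick way to see whether a cleanup left the machine in a better state or whether something reinstalled itself between the two scans.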


Thanks for the help! The popups seem to be gone now! Thank you so much :)
New HJT log and ewido:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:50 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qmvpymw] c:\windows\system32\yjasshe.exe
O4 - HKCU\..\Run: [UWICKCD] F:\AUTORUN\UWICK.EXE F:\AUTORUN
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           9:04:36 PM, 7/6/2005
+ Report-Checksum:      37FD2E3


+ Scan result:


HKLM\SOFTWARE\Classes\ANSMTP.MassSender -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.MassSender\CLSID -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.MassSender\CurVer -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ\CLSID -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ\CurVer -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{771A1334-6B08-4a6b-AEDC-CF994BA2CEBE} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CurVer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-3093650616-4081877627-3238620564-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3093650616-4081877627-3238620564-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-3093650616-4081877627-3238620564-1003\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\OptClean.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Cookies\chih-pin@www.xxxtoolbar[1].txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temp\bb.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temp\ypf.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temp\zqzl7.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\03WZAHS7\sidefind13[1].dll -> Spyware.SideFind : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\0PIH6V2J\optimize[1].exe -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\2T8RWB6N\bb[1].exe -> Spyware.BargainBuddy.l : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\2T8RWB6N\bb[2].exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\2T8RWB6N\istsvc[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\nem220[1].dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\sidefind[1].exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\xxxzzz[1].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\xxxzzz[1].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\xxxzzz[1].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Chih-Pin\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\xxxzzz[1].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Chih-Pin\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Chih-Pin\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Chih-Pin\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Chih-Pin\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\4s97xyzv.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\4s97xyzv.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\4s97xyzv.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\4s97xyzv.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\4s97xyzv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Christine\Application Data\Mozilla\Firefox\Profiles\4s97xyzv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\50.tmp\thnall1ac.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\71blz.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\bb.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\crp.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\fWWY1vQ.exe -> TrojanDownloader.IstBar.jj : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\jfgudk.exe -> TrojanDownloader.IstBar.ju : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\liqp7c25q_.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\setup4021.cab/liqp7c25q_.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar.jd : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\uninstall.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\ypf.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temp\zqzl7.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\0YQ6VZ0Y\bb[1].exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\0YQ6VZ0Y\istsvc[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\0YQ6VZ0Y\power_remove[1].exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\0YQ6VZ0Y\vice[1].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\0YQ6VZ0Y\vice[1].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\3ABF1ERG\optimize[1].exe -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\3ABF1ERG\powerscan[1].exe -> Spyware.PowerScan : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[1].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[1].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[1].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[1].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[2].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[2].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[2].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\B6P5UYB9\xxxzzz[2].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\D8FMWOYT\istdownload[2].exe -> TrojanDownloader.IstBar.ju : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\D8FMWOYT\sidefind13[1].dll -> Spyware.SideFind : Cleaned with backup
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\D8FMWOYT\sidefind[1].exe -> TrojanDownloader.IstBar.jd : Cleaned with backup
C:\Documents and Settings\Christine\rebates.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\rebates.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Christine\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Christine\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Christine\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@sexlist[1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Cookies\mei-ling@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temp\jfgudk.exe -> TrojanDownloader.IstBar.ju : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temp\ypf.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temp\zqzl7.sys -> Trojan.Delf.cf : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\3F1BRX0W\ncase_new[1].exe -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\3F1BRX0W\tb3[1].cab/toolbar.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\3F1BRX0W\WinTS[1].cab/WToolsS.exe -> TrojanDownloader.Wintool.f : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\E9RCDO3Y\power_remove[1].exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\E9RCDO3Y\Toolbar3[1].cab/IExploreSkins.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\E9RCDO3Y\Toolbar3[1].cab/TBPS.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\E9RCDO3Y\Toolbar3[1].cab/common.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\E9RCDO3Y\Toolbar3[1].cab/radio.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\E9RCDO3Y\Toolbar3[1].cab/toolbar.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\istdownload[1].exe -> TrojanDownloader.IstBar.ju : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\istsvc[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\powerscan[1].exe -> Spyware.PowerScan : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\TBPSSvc[1].cab/TBPSSvc.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\xxxzzz[1].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\xxxzzz[1].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\xxxzzz[1].exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Mei-Ling\Local Settings\Temporary Internet Files\Content.IE5\GRV3YW9D\xxxzzz[1].exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Mei-Ling\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Mei-Ling\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Mei-Ling\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Mei-Ling\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.euniverseads[2].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@clickagents[2].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-comcast.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\iexplorer.exe -> Worm.Dod.a : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\AolCoach.cab/.\Data\player\aolnysev.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\atiupdate.exe -> TrojanDownloader.Delf.ep : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\bb.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\D2696\abiuninst.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\dealhelper.exe -> TrojanDownloader.Agent.hw : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\fWWY1vQ.exe -> TrojanDownloader.IstBar.ju : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\GKC\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\hvr.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\iinstall.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\jfgudk.exe -> TrojanDownloader.IstBar.ju : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\uninstall.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\whenu.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Owner\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Owner\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Documents and Settings\Owner\xxxzzz.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Owner\xxxzzz.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\C2Media\Setup.exe -> Spyware.Lop : Cleaned with backup
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Common Files\aolback\Comps\coach\aolcinst.exe/data\player\aolnysev.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\Common Files\aolshare\Coach\en_en\player\AOLNySEV.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\Common Files\rfmk\rfmka.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
C:\Program Files\Common Files\rfmk\rfmkl.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
C:\Program Files\Common Files\rfmk\rfmkm.exe -> TrojanDownloader.TSUpdate.k : Cleaned with backup
C:\Program Files\Common Files\rfmk\rfmkp.exe -> Spyware.Xupiter : Cleaned with backup
C:\Program Files\Online Services\AOL90US\comps\coach\aolcinst.exe/.\Data\player\aolnysev.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar.fy : Cleaned with backup
C:\WINDOWS\hvr.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\lzzarcy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\system32\1r77a97b.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\8b8kpqpd.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\bobby[1].exe -> TrojanDownloader.Small.sg : Cleaned with backup
C:\WINDOWS\system32\File.zip/Corrupt.scr -> Worm.Dod.a : Cleaned with backup
C:\WINDOWS\system32\fo0ky.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\Fzuqpa.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\hvr.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\iviresizepx.exe -> TrojanDownloader.Small.us : Cleaned with backup
C:\WINDOWS\system32\llaqb6sk.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\mirindaspf.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\msxct.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\rebates.exe/WEBREB~1.EXE -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\uqvnc2ga.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\webrebates.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\webrebates.exe/toolbar.exe -> Trojan.Crypt.e : Cleaned with backup
C:\WINDOWS\system32\yjasshe.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\tattldozhm.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup



::Report End


*grrr*

Something has retriggered pieces of Aurora and the "Win Server Updt" infection. Let's carefully and completely repeat the basic Aurora cleaning procedure, with the following adjustments:

* Reboot into Safe Mode again.

* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly (this is normal).


* Then run Ewido, and run a full scan. Save the logfile from the scan.


* Next run HijackThis, click Scan, and put a check in the box to the left of:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qmvpymw] c:\windows\system32\yjasshe.exe

Close all open windows except for HijackThis and click Fix Checked.

- Close HijackThis.


* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:
C:\WINDOWS\Nail.exe
C:\WINDOWS\wupdt.exe
c:\windows\system32\yjasshe.exe

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


* Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

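As an added example (not the helper's or the poster's code, and not part of HijackThis), the following Python script parses the HijackThis entry format and flags the indicators the helper listed above: the drsnsrch.com search hijack in the R0/R1 lines, the extra loader appended to the system.ini Shell= value, and the two O4 Run entries. The sample log is constructed from lines quoted in this thread, and the indicator lists are assumptions limited to those entries, not a general signature set.

```python
"""Triage a HijackThis v1.99.1 log for the indicators named in this thread.

Added example for this thread, not the helper's or HijackThis's own code.
The sample log below is constructed from lines quoted in the thread; the
indicator lists are assumptions built only from what the helper told the
poster to fix (the drsnsrch.com search hijack, the Nail.exe Shell entry and
the two O4 Run entries).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 body: '[name] path' or '[name] "path with spaces" args'.
O4_TARGET_RE = re.compile(r'\]\s*(?:"([^"]+)"|(\S+))')

# Indicators taken from the helper's fix list in this thread (assumption: the
# helper's list is the ground truth; these are not a general signature set).
HIJACK_HOSTS = {"websearch.drsnsrch.com"}
DROPPED_FILES = {
    r"c:\windows\nail.exe",
    r"c:\windows\wupdt.exe",
    r"c:\windows\system32\yjasshe.exe",
}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def check_entry(section: str, body: str, line: str):
    """Return a Finding for one parsed entry, or None if nothing is flagged."""
    if section in ("R0", "R1"):
        # Browser start/search settings: "HKLM\...\Main,Search Page = http://..."
        _, sep, value = body.partition(" = ")
        host = urlparse(value.strip()).hostname if sep else None
        if host and host.lower() in HIJACK_HOSTS:
            return Finding(section, f"search/start page points at hijack host {host}", line)
    elif section == "F2":
        # system.ini Shell= must be exactly Explorer.exe; the Nail loader is appended to it.
        m = re.search(r"Shell=(.+)$", body, re.IGNORECASE)
        if m and m.group(1).strip().lower() != "explorer.exe":
            return Finding(section, "Winlogon Shell is not plain Explorer.exe", line)
    elif section == "O4":
        m = O4_TARGET_RE.search(body)
        if m:
            target = (m.group(1) or m.group(2)).lower()
            if target in DROPPED_FILES:
                return Finding(section, f"Run key launches dropped file {target}", line)
    return None


def triage(log: str) -> list[Finding]:
    """Parse every entry line of a HijackThis log and collect the flagged ones."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        f = check_entry(m.group("section"), m.group("body"), line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: entries quoted in the helper's post plus benign ones
# taken from the poster's follow-up log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qmvpymw] c:\windows\system32\yjasshe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Running it against the sample flags the seven entries the helper told the poster to fix and leaves the QuickTime, ctfmon, proxy and service lines alone.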
Logfile of HijackThis v1.99.1
Scan saved at 1:36:35 PM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [UWICKCD] F:\AUTORUN\UWICK.EXE F:\AUTORUN
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           1:05:08 PM, 7/8/2005
+ Report-Checksum:      C70822E2


+ Scan result:


:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k8ecodrr.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -> Heuristic.Win32.Dialer : Cleaned with backup

::Report End

And, whenever I startup my computer, I get this error message:

http://img.photobucket.com/albums/v291/kenshikw/nailerror.jpg

I looked up in msconfig and disabled all the stuff, but this message still shows up...

Edited by pritaeas: Fixed formatting

0

OK- your log is clean now. :)

In terms of the error message, did you see and/or disable a reference to Nail.exe in the System.ini tab of msconfig? What else (if anything) did you disable with msconfig?

0

I didn't see any reference to Nail.exe at all, unless the name for that is totally different.
Here is what currently is enabled with msconfig in the startup section:
qttask
realsched
AOLDial
AUTORUN
aim
ctfmon

The only item that I don't recognize is ctfmon. It keeps on getting enabled after I disable it...maybe that's what's causing the error message?


I really appreciate your help, DMR. Thanks again:)

0

Here is what currently is enabled with msconfig in the startup section:

If you find no reference to Nail.exe in any of the msconfig tabs, then the entry is in the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini

Click on the "Run..." option in your Start menu, type the following in the resulting "Open:" dialog box, and then hit Enter:

regedit

In the left-hand pane of the Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini folder and click on it to display its contents in the right-hand pane.

In the right-hand pane, look for a "Shell" value (or any other value, for that matter) which refers to "Nail.exe". If you find such an entry, just write down exactly what's listed there, but DO NOT edit/change anything yet!

If you don't see a Nail.exe reference in the main "system.ini" key, also look in the "Boot" subkey.

The only item that I don't recognize is ctfmon. It keeps on getting enabled after I disable it...maybe that's what's causing the error message?

Here's the scoop on ctfmon.exe:

http://support.microsoft.com/?kbid=282599
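A read-only way to do the registry check described above, and at the same time list the Run-key startup entries the earlier post went through by hand in msconfig, as an added PowerShell example that is not from the thread or from any of its participants. It assumes only the stock registry paths named in the post plus the standard Run/RunOnce keys; the `nail.exe` pattern is the thread's own, and the script changes nothing. Because IniFileMapping values are redirections (a `SYS:` prefix means HKLM\SOFTWARE, `USR:` means HKCU), it also follows each mapping and audits the key it points to, which is where a value that msconfig's System.ini tab never shows would actually live.

```powershell
# Added example: read-only audit of startup entries and the IniFileMapping
# key for system.ini. It reports values that mention nail.exe but edits nothing.
$pattern = 'nail\.exe'   # taken from the thread; change to whatever you are hunting

# Startup locations msconfig's Startup tab is built from.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# The key named in the post, plus its Boot subkey.
$iniKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot'
)

function Get-RegistryValues {
    # Return every value under $Path as Key/Name/Data objects; nothing if the key is absent.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-Item -LiteralPath $Path
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key  = $Path
            Name = if ($name -eq '') { '(Default)' } else { $name }
            Data = [string]$item.GetValue($name)
        }
    }
}

function Resolve-IniMapping {
    # IniFileMapping data looks like "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon",
    # optionally prefixed with the flag characters ! # @.
    # SYS: maps to HKLM\SOFTWARE, USR: maps to HKCU. Returns $null for anything else.
    param([string]$Data)
    $m = [regex]::Match($Data, '^[!#@]*(SYS|USR):(.*)$')
    if (-not $m.Success) { return $null }
    $root = if ($m.Groups[1].Value -eq 'SYS') { 'HKLM:\SOFTWARE' } else { 'HKCU:' }
    return (Join-Path $root $m.Groups[2].Value)
}

# Collect the mapping values first, then the keys they redirect to.
$iniValues   = foreach ($k in $iniKeys) { Get-RegistryValues -Path $k }
$mappedKeys  = $iniValues | ForEach-Object { Resolve-IniMapping $_.Data } |
               Where-Object { $_ } | Sort-Object -Unique

$all = @()
$all += foreach ($k in $runKeys)    { Get-RegistryValues -Path $k }
$all += $iniValues
$all += foreach ($k in $mappedKeys) { Get-RegistryValues -Path $k }

Write-Host "== Startup, IniFileMapping and mapped-target values (read-only) =="
$all | Format-Table -AutoSize Key, Name, Data

$hits = $all | Where-Object { $_.Name -match $pattern -or $_.Data -match $pattern }
if ($hits) {
    Write-Host "== Values referencing '$pattern' (write these down; nothing has been changed) =="
    $hits | Format-List Key, Name, Data
} else {
    Write-Host "No value referencing '$pattern' found in the audited keys."
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; the output is the same information regedit shows, just gathered in one pass, so the "write it down, don't change anything yet" step in the post still applies to whatever it lists.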

0

I believe so. Computer's running just as fast as it was before, no popups, etc. I even got my laptop fixed! Laptop still has some stuff here and there but I think I can fix it :)
Thanks again! I'll be more careful while surfing the web now :)

0

Very good. We'll call this one solved then. :)


Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

0

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.
