Hi

I'm new. I've just been slogging my way through the removal processes for Aurora/Nail (and there's me thinking I just had a 'small' problem with Trojan.Cachecachekit...). I've followed the instructions in the "Fixes for Specific Infections", and here are the two logs.

First Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           19:48:16, 01/08/2005
+ Report-Checksum:      E63087F1


+ Scan result:


HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\VGroup -> Spyware.SAHA : Cleaned with backup
HKLM\SOFTWARE\VGroup\SAHAgent -> Spyware.SAHA : Cleaned with backup
HKU\.DEFAULT\Software\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-18\Software\salm -> Spyware.180Solutions : Cleaned with backup
[776] c:\windows\system32\iddiey.exe -> Adware.BetterInternet : Cleaned with backup
C:\clearlogs.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M5LO5ROM\clearlogs[1].rar -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M5LO5ROM\ftplog[1].rar -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RE0R38JU\clearlogs[1].rar -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RE0R38JU\optimize314[1].exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\Documents and Settings\User\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-285662fe.class -> TrojanDownloader.Small.wv : Cleaned with backup
C:\Documents and Settings\User\.jpi_cache\jar\1.0\ar3.jar-1d22a678-2d32ace6.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\User\.jpi_cache\jar\1.0\ar3.jar-1f8b980f-7be2d10e.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\User\.jpi_cache\jar\1.0\ar3.jar-7429efec-2e10985d.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
:mozilla.11:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.17:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.18:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.21:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.23:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.24:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.25:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.38:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.39:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.41:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.42:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.58:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.74:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.75:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.80:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.86:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.87:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.98:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.99:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.100:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.104:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.105:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.106:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.107:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.108:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.110:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.113:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.120:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.124:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.126:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.127:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.128:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.130:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.131:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.132:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.133:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.134:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.135:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.138:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Oewabox : Cleaned with backup
:mozilla.141:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.142:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.149:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.150:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.151:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.152:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.153:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.154:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.155:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.159:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.160:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.170:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.171:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.174:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.177:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.181:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.186:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.189:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.190:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.197:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.198:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\temp.fr583D\MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\temp.fr583D\MediaAccK.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\3KYQHI05\AuroraHandler[1].dll -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\3KYQHI05\aurora[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\GH6FGL67\abiuninst[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\GH6FGL67\MediaAccK[1].exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\Q30X3BHN\DrPMon[1].dll -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ZC8V0Z0T\Nail[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ZC8V0Z0T\Poller[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\ftplog.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\Program Files\180searchassistant\salm.exe -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\180searchassistant\salmhook.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\cdmdownld\mqcsmdkmvs.dll -> Spyware.SmartPops : Cleaned with backup
C:\Program Files\cdmdownld\mqcsmdkmvs.exe -> Spyware.SmartPops : Cleaned with backup
C:\Program Files\Media Access\MediaAccC.dll -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\MediaAccK.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Netscape\Netscape\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\Temp\bundle_cdt1006.exe -> Adware.Saha : Cleaned with backup
C:\Temp\EDowST3.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\Temp\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\WINDOWS\cxid.exe -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\ihuyeb.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\eraseme_14172.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\iddiey.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\WINDOWS\Temp\180sainstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Temp\bundle_cdt1006.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\Temp\nst17.EXE -> Spyware.SmartPops : Cleaned with backup
C:\WINDOWS\tsecure.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup



::Report End


And then HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 19:58:30, on 01/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\arwdscm.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HijackThis\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.brinkster.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\prefs.js)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6988740F-2990-3160-7ED2-B86380211C8C} - C:\Program Files\cdmdownld\mqcsmdkmvs.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [cxid] C:\WINDOWS\cxid.exe
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [lklzes] c:\windows\system32\arwdscm.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: tsecure - Unknown owner - C:\WINDOWS\tsecure.exe (file missing)

Have I got rid of Aurora? Nail? Or do I have another problem lurking?

Many, many, many thank-yous and genuflections to the folks who've created the instructions I've followed so far.

Ath


Well, I don't see any signs of Aurora/Nail in your log :).

Did you look through that Ewido log? It looks like you had a lot more going on than you thought! (Probably from using file sharing programs.)

Before continuing, you should also follow the recommendations in the Protection and Cleaning threads (links below).

Then, go to Add/Remove Programs in your Control Panel and remove (if present):

Media Access
180searchassistant
BetterInternet
SAH
Cdmdownld

I would also recommend removing BearShare.

Download the removal tool for BetterInternet from here:
http://securityresponse.symantec.com/avcenter/FixBinet.exe

Open FixBinet.exe and click Start to begin the removal process.

Next, download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html
CCleaner -- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)

After that, scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {6988740F-2990-3160-7ED2-B86380211C8C} - C:\Program Files\cdmdownld\mqcsmdkmvs.dll (file missing)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [lklzes] c:\windows\system32\arwdscm.exe r
O23 - Service: tsecure - Unknown owner - C:\WINDOWS\tsecure.exe (file missing)

Remember to close any open windows, other than HJT, before hitting Fix checked.

Go to the following locations and delete the highlighted files and folders (if present):

C:\WINDOWS\AuroraHandler.dll
C:\WINDOWS\tsecure.exe
C:\WINDOWS\TEMP\bundle_cdt1006.exe
C:\windows\system32\arwdscm.exe

C:\Program Files\Media Access
C:\program files\180searchassistant
C:\Program Files\cdmdownld
C:\Program Files\BetterInternet
C:\Program Files\SAH
C:\Program Files\ABetterInternet

If any of these files could not be deleted, try booting into Safe Mode and deleting them from there.

Now you can run CCleaner.

Go to C:\WINDOWS and locate cxid.exe; right-click on it and select Properties. Give us whatever info you can on it (Company, version, etc.).

Matcli.exe is spyware from Blueyonder; if you remove it, some help menus in Help and Support will not be available. You decide whether or not you wish to keep it. If you wish to remove it, let us know and we'll tell you how.

Reboot, close any open browser windows, scan with HJT, and post a new log please.
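
Added example, not part of the original thread and not code from HijackThis: a Python check that compares the fix list in the reply above against a follow-up HijackThis log, reporting which entries survived the cleanup, which entries are new, and which are flagged "(file missing)". The function names are hypothetical, and `AFTER_LOG` is a constructed excerpt for illustration, not the poster's actual follow-up log.

```python
import re

# A HijackThis item line is "<section code> - <entry>", e.g. "O4 - HKLM\..\Run: [...]".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return [(code, body), ...] for every item line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, and forum
    # copy/paste can alter spacing, so compare on a normalised form.
    code, body = entry
    return code, " ".join(body.lower().split())


def verify_fix(fix_list_text, after_log_text):
    """Split the fix list into (still_present, gone) against a follow-up log."""
    after = {_key(e) for e in parse_entries(after_log_text)}
    still_present, gone = [], []
    for entry in parse_entries(fix_list_text):
        (still_present if _key(entry) in after else gone).append(entry)
    return still_present, gone


def new_entries(before_log_text, after_log_text):
    """Entries in the follow-up log that were absent from the first one."""
    before = {_key(e) for e in parse_entries(before_log_text)}
    return [e for e in parse_entries(after_log_text) if _key(e) not in before]


def missing_file_entries(log_text):
    """Entries flagged '(file missing)': a reference that outlived its file."""
    return [e for e in parse_entries(log_text) if e[1].endswith("(file missing)")]


# The eight entries the reply asks to fix, copied from the thread.
FIX_LIST = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {6988740F-2990-3160-7ED2-B86380211C8C} - C:\Program Files\cdmdownld\mqcsmdkmvs.dll (file missing)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [lklzes] c:\windows\system32\arwdscm.exe r
O23 - Service: tsecure - Unknown owner - C:\WINDOWS\tsecure.exe (file missing)
"""

# First-log excerpt: the fix list plus two entries the reply left alone.
BEFORE_LOG = FIX_LIST + r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# CONSTRUCTED follow-up excerpt: two fix-list entries are deliberately left in
# (one with different letter case) so the check has something to report.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [salm] C:\Program Files\180searchassistant\salm.exe
O23 - Service: tsecure - Unknown owner - C:\WINDOWS\tsecure.exe (file missing)
"""

if __name__ == "__main__":
    still_present, gone = verify_fix(FIX_LIST, AFTER_LOG)
    print(f"{len(gone)} fix-list entries gone, {len(still_present)} still present:")
    for code, body in still_present:
        print(f"  STILL PRESENT  {code} - {body}")
    for code, body in new_entries(BEFORE_LOG, AFTER_LOG):
        print(f"  NEW            {code} - {body}")
    for code, body in missing_file_entries(AFTER_LOG):
        print(f"  FILE MISSING   {code} - {body}")
```

An entry that is still present after "Fix checked" and a reboot usually means something is re-creating it, which is worth raising with the helper before moving on.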

Whew. I've done all that lot (barring the CClean, which I couldn't dl as the link 404'd) and come up with the following new log:

Logfile of HijackThis v1.99.1
Scan saved at 19:34:54, on 02/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\livenote.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.brinkster.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cxid] C:\WINDOWS\cxid.exe
O4 - HKLM\..\Run: [abricd] c:\windows\system32\atgnfv.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122923604640
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I'd actually uninstalled (allegedly!) Bearshare about six months ago. The Blueyonder thing's actually a diagnostic tool my ISP (Blueyonder) sent to me - so you'd have thought it wouldn't be too evil (or maybe not!) - which I've at least taken out of my startup.

I can't actually see cxid.exe in my Windows directory (as far as I can see, XP isn't hiding any file types, either - I have double checked that). What I *did* find, though, was awvfehluwxk.exe - which, when I mouse over, says it's Aurora. Should that be zapped or will that be nice and inert having got rid of everything else? Or is that completely unconnected to my problems?

Many, many thanks

Ath

Here's the link to the latest version of CCleaner -- http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html

Scan with HJT and have it fix the following:

O4 - HKLM\..\Run: [abricd] c:\windows\system32\atgnfv.exe r

Remember to close any open windows before hitting Fix checked.

Do a search for the following files and delete any instances found:

Atgnfv.exe
Awvfehluwxk.exe

If either of these could not be deleted (or located), open HijackThis and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Type (or copy & paste) the file into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

If you haven't done so already, go to C:\Program Files and delete the BearShare folder.

Run CCleaner.

Please go to http://virusscan.jotti.org/ and have this file scanned:
C:\WINDOWS\cxid.exe
Post the results back here.

Reboot, close any open browser windows, scan with HJT, and post a new log.

Thanks for that. Done and deleted the files and the HJT line and run CCleaner.

Couldn't scan the file as it really doesn't seem to actually be there in the directory. I googled the file name and it appears to be some part of either Bios or drivers - so I don't think it's entirely evil (just rather shy)...

(info [in English!] here: http://www.bios-drivers.com/drivers/51/51964.htm)

New HJT log as requested:
Logfile of HijackThis v1.99.1
Scan saved at 19:03:54, on 03/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.brinkster.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\cpjoyuwo.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cxid] C:\WINDOWS\cxid.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122923604640
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hopefully, I've now got a nice, clean and behaving PC...

Is it worth my while switching from Netscape (which I currently use) to Firefox, or should I be OK staying with Netscape? (As near as I can trace, my recent problems have come about courtesy of an idiot *cough*my brother*cough* using Internet Explorer incautiously, but I'm obviously keen NOT to go through this again and if Netscape isn't much of a defence, I'll switch!)

Many, many, many, many, MANY thanks

Ath

Couldn't scan the file as it really doesn't seem to actually be there in the directory. I googled the file name and it appears to be some part of either Bios or drivers - so I don't think it's entirely evil (just rather shy)...

(info [in English!] here: http://www.bios-drivers.com/drivers/51/51964.htm)

That's why I wanted you to have the file scanned (or get info via Properties)... it could be a legit file from Cyrix, but if it were, it seems more likely to me it should be in a 'drivers' folder, not running directly from the Windows folder. Also, the part in brackets in your log, [cxid] C:\WINDOWS\cxid.exe, should have the manufacturer's name, Cyrix.

Now, if that entry looked more like this -- [Cyrix] C:\WINDOWS\System32\Drivers\cxid.exe -- I would have no problem believing it is indeed a legit file.

It also strikes me as very odd that you can't see the file even with having your system set to 'Show hidden files and folders.'

I'll see if I can get someone else to have a look at this for a second opinion.

I know what you mean about it being suspicious; to be honest, I'm suspicious for the same reason. On the other hand, though, unless I've found some new and previously undocumented problem (with my history, this isn't as unlikely as you'd think!), if there WAS an evil nasty lurking in there, I'd have thought a google search would pull up some reference to it. As it is, the only hits are the one in English that I linked to and about five in French that are clearly the same thing...

If anyone else can shed light, though, I'd be delighted!

Ath *beginning to feel a little paranoid*

Hi Athersgeo,

dlh6213 asked for a "second opinion" on the cxid.exe file, so here it is:

The file is almost certainly bogus/malicious.

1) Look carefully at the info in the bios-drivers.com link you posted: it states that a cxid.exe file is indeed part of a Cyrix driver upgrade package, but one related to 386/486-era processors. First, your machine certainly isn't that old, considering that you're running Windows XP, and second, Cyrix was gobbled up by Via Technologies years ago. In other words, Cyrix hasn't been a player in the computer chip business for ages.

2) Have a look back over the original ewido log you posted; that log has this to say about cxid.exe:

C:\WINDOWS\cxid.exe -> Spyware.180Solutions : Cleaned with backup

180Solutions is a well-known and well-hated maker of spyware/adware; if ewido identified cxid.exe as a component of some piece of 180Solutions malware, I'd believe that.

As far as your inability to locate the file, that could quite possibly be due to the fact that ewido said it deleted the file; the reference to cxid.exe that you see in your HJT log could just be a loose end. If you haven't done so already, run HJT again and have it fix:

O4 - HKLM\..\Run: [cxid] C:\WINDOWS\cxid.exe

After doing that, reboot your computer, run HJT again, and let us know if the above entry returns.
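The cross-check made in the reply above (matching a scanner's file detections against autostart entries that still point at those files), as an added example that is not part of the original posts. The log lines are copied from the logs in this thread; the function names are made up for this sketch.

```python
import re

# Sample lines copied from the ewido and HijackThis logs posted in this thread.
EWIDO_LOG = r"""
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\cxid.exe -> Spyware.180Solutions : Cleaned with backup
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cxid] C:\WINDOWS\cxid.exe
O4 - HKLM\..\Run: [abricd] c:\windows\system32\atgnfv.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# "<object> -> <detection name> : <action>"
EWIDO_RE = re.compile(r"^(?P<obj>.+?) -> (?P<name>\S+) : (?P<action>.+)$")
# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$"
)


def executable_of(cmd):
    """Extract the image path from a Run value, with or without quotes/arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def ewido_file_detections(log):
    """Map lower-cased file path -> (detection name, action); registry hits are skipped."""
    hits = {}
    for line in log.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m and re.match(r"[A-Za-z]:\\", m["obj"]):
            hits[m["obj"].lower()] = (m["name"], m["action"])
    return hits


def leftover_run_entries(hjt_log, ewido_log):
    """Return O4 Run entries whose target file the scanner has already flagged."""
    flagged = ewido_file_detections(ewido_log)
    findings = []
    for line in hjt_log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m["cmd"])
        hit = flagged.get(exe.lower())
        if hit:
            findings.append({"line": line.strip(), "value": m["value"],
                             "exe": exe, "detection": hit[0], "action": hit[1]})
    return findings


if __name__ == "__main__":
    for f in leftover_run_entries(HJT_LOG, EWIDO_LOG):
        print(f'{f["line"]}\n    target flagged as {f["detection"]} ({f["action"]})')
```

An entry reported here points at a file the scanner has already dealt with, which is consistent with the file being absent on disk while the Run value remains.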

Thanks Dave! I totally missed that Ewido entry (C:\WINDOWS\cxid.exe -> Spyware.180Solutions : Cleaned with backup) :o .

I don't think Ath has tried to fix it with HJT yet because I wasn't sure it was bad. Hopefully this will finally clear things up so Ath is no longer paranoid :).

By the way Ath, you can reset your homepage from 'hsremove' to whatever you prefer.

You may also want to check your Add/Remove Programs for 180Solutions.

Thanks Dave!

You're welcome Danny; glad I could help. :)


Athersgeo,

In terms of your question about browsers, you're OK with Netscape if that's what you're comfortable with; switching to Firefox would be a matter of personal choice/preference.

Basically, both Netscape and Firefox are less susceptible than IE (at the present time, anyway) to the methods that most "spyware" infections use to get their hooks into your system, primarily for the following reasons:

1) The majority of spyware infections rely, at least in some way, on the ability to exploit particular components of Internet Explorer such as Browser Helper Objects (BHOs) and ActiveX controls. Netscape, Firefox, and other non-Microsoft browsers are not based on those technologies, and as such, they are immune to attacks which use such exploits.


2) Internet Explorer is an integral component of the modern Windows operating systems themselves. That being the case, infections which can "take control" of IE via known vulnerabilities in that browser have greater access to your operating system as a whole than do infections which hook into third-party browsers such as Netscape or Firefox.

However, it is worth mentioning that IE can be made more secure by changing some of its default settings. A good run-down of the recommended settings can be found here.
