
Trojan Horse Collected.6.BV

There's a file called Poller.exe infected with this virus and it keeps resurrecting every time I try deleting it. This virus is slowing my PC down and sometimes it opens a window named Aurora with nothing in it.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:41:56, on 23/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\program files\180search assistant\saap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Hgk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\ARQUIV~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\ARQUIV~1\FlashGet\jccatch.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Arquivos de programas\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
O4 - HKLM\..\Run: [unazsr] C:\WINDOWS\unazsr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O8 - Extra context menu item: Download All by FlashGet - C:\ARQUIV~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\ARQUIV~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{83C14148-8B7C-48A7-9597-677254212EF0}: NameServer = 192.168.254.254,200.149.55.140
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Help me please!!!

Comments

  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.


    Step 1
    Please download the trial version of Ewido Security Suite
    Install it, and download all updates. Then exit Ewido once all updates are installed.

    Step 2
    Please download and install Cleanup 4.0, but do not run it yet.

    Step 3
    Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)
    Unzip it to the desktop but do NOT run yet.

    Step 4
    Reboot your computer into Safe Mode

    Step 5
    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

    Step 6
    Please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Step 7
    Run CleanUp 4.0 that you installed earlier.

    Step 8
    Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.

    Step 9
    Now open up HijackThis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\ARQUIV~1\INSTAF~1\INSTAF~1.DLL
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
    O4 - HKLM\..\Run: [unazsr] C:\WINDOWS\unazsr.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Step 10
    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\unazsr.exe
    C:\WINDOWS\Nail.exe
    C:\Arquivos de programas\MyWay
    c:\program files\180search assistant



    Restart your computer and please post a new HijackThis log and the Ewido log.
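    The entries Buckeye_Sam singles out in Step 9 share a few recognisable patterns: a system.ini Shell= value with a second executable appended after Explorer.exe, an O23 service with no publisher ("Unknown owner") whose binary sits directly in C:\WINDOWS, O4 Run entries launching random-looking executables from the same place, and paths belonging to known adware bundles. The following Python triage script is an added example, not part of this thread and not HijackThis code; it parses HijackThis-style log lines and flags those four patterns. The sample log is a constructed subset of the first log posted above, and the rule names, the regular expressions and the `KNOWN_PUP_FRAGMENTS` list are my own choices.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample: a subset of the first HijackThis log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\ARQUIV~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
O4 - HKLM\..\Run: [unazsr] C:\WINDOWS\unazsr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# HijackThis entries look like "O4 - <body>": a section code, " - ", then the detail.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# An .exe placed directly in the Windows directory (no subfolder), e.g. C:\WINDOWS\unazsr.exe
WINDIR_ROOT_EXE_RE = re.compile(r'(?i)\b[a-z]:\\windows\\[^\\\s"]+\.exe\b')

# Path fragments of the adware the helper told the poster to remove (taken from the thread).
KNOWN_PUP_FRAGMENTS = ("180search assistant", r"MyWay\myBar", "INSTAF~1")

SHELL_PREFIX = "REG:system.ini: Shell="


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every HijackThis entry line; skip headers and process lists."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule_name, entry) pairs for every entry that matches a review heuristic."""
    findings: List[Tuple[str, str]] = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        # Rule 1: the system.ini Shell value should be exactly Explorer.exe;
        # anything appended is started by Winlogon at every logon.
        if section == "F2" and body.startswith(SHELL_PREFIX):
            value = body[len(SHELL_PREFIX):].strip()
            if value.lower() != "explorer.exe":
                findings.append(("shell_hijack", line))
        # Rule 2: a service whose binary carries no publisher information.
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(("unknown_owner_service", line))
        # Rule 3: an autostart or service binary dropped straight into the Windows directory.
        if section in ("O4", "O23") and WINDIR_ROOT_EXE_RE.search(body):
            findings.append(("windir_root_binary", line))
        # Rule 4: paths belonging to the adware bundles named in the thread.
        if any(frag.lower() in body.lower() for frag in KNOWN_PUP_FRAGMENTS):
            findings.append(("known_pup_path", line))
    return findings


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"[{rule}] {entry}")
```

    Rule 3 also surfaces `C:\WINDOWS\SiSUSBrg.exe`, a vendor utility that Buckeye_Sam left alone: legitimate installers occasionally drop binaries into the Windows directory, so the script produces review candidates, not verdicts, and a human still has to check publisher and purpose before adding an entry to the Fix Checked list.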
  • edited May 2005
    thanks man :)

    My new Hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 00:08:36, on 25/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Hgk\HijackThis.exe
    C:\Hgk\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O8 - Extra context menu item: Download All by FlashGet - C:\ARQUIV~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\ARQUIV~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{83C14148-8B7C-48A7-9597-677254212EF0}: NameServer = 192.168.254.254,200.149.55.140
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Your log looks clean. Are you having any more problems?
  • edited May 2005
    The PC is still slow... when I run, for example, music or a game, it runs slowly and sometimes freezes, and it was really fast before.
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Let's double check and make sure you're clean.

    Please run at least two of these online scans.
    Make sure they are set to clean automatically:

    Panda Virus Scan

    Bit Defender

    TrendMicro Housecall

    There will be files that these scans will not remove. Please include that information in your next post.


    Reboot and post a new HijackThis log and the info from your virus scans.
  • edited July 2005
    thanks a lot!!!

    ewido security suite - Scan report

    + Created on: 10:15:42 AM, 7/6/2005
    + Report-Checksum: 28B55192

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{00000000-59D4-4008-9058-080011001200} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542} -> Spyware.FastFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-F96DA086B434} -> Spyware.MyWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\instafin.INSTAFIN -> Spyware.InstaFinder : Cleaned with backup
    HKLM\SOFTWARE\Classes\instafin.INSTAFIN\Clsid -> Spyware.InstaFinder : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{3F74E0D4-2D45-4CA1-A361-A957B81D9FF0} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{5326B223-DC21-43A4-9B79-635E2D18DCB2} -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{63D0E78E-3E7A-4E1E-AF5C-3E051F314682} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468} -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{96B3B1B9-A510-4603-BD66-2BB2C9F21542} -> Spyware.AdRotator : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C08175C6-B2B2-47FC-AF1A-32F77A6CB673} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468} -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{230C3786-1C2C-45BD-9D2D-9D277FCE6289} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3} -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{69DB5061-FF0A-418B-ADA6-68AC77D69E44} -> Spyware.AdRotator : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{72892E8E-75DF-4CD2-BE11-E9A0077F44A8} -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{F090C7AC-6C57-4317-BDC1-63EE150CA7E8} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\UDConn.UDConnect -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\UDConn.UDConnect\CLSID -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\UDConn.UDConnect\CurVer -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{706F3805-27D7-478D-80E5-E25D2BB030B3} -> Spyware.RoingsSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E65A557-173C-4DE9-860B-28FC5CACA542} -> Spyware.FastFind : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-DCF7-F96DA086B434} -> Spyware.MyWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\INSTAFIN -> Spyware.InstaFinder : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Spyware.MoneyMaker : Cleaned with backup
    HKLM\SOFTWARE\msbb -> Spyware.180Solutions : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\btgrab -> Spyware.BetterInternet : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\DLMax -> Spyware.BetterInternet : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\INSTAFIN -> Spyware.InstaFinder : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\INSTAFIN\Reports -> Spyware.InstaFinder : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\INSTAFIN\Reports\38452 -> Spyware.InstaFinder : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\INSTAFIN\Reports\38452\Click -> Spyware.InstaFinder : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\INSTAFIN\Reports\38453 -> Spyware.InstaFinder : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\INSTAFIN\Reports\38453\Click -> Spyware.InstaFinder : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\Microsoft\Internet Explorer\MenuExt\Ebates -> Spyware.MoneyMaker : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-59D4-4008-9058-080011001200} -> Spyware.VX2 : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E65A557-173C-4DE9-860B-28FC5CACA542} -> Spyware.FastFind : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30CE93AE-4987-483C-9ABE-F2BD5301AB70} -> Spyware.KeenValue : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-DCF7-F96DA086B434} -> Spyware.MyWebSearch : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
    HKU\S-1-5-21-2678538677-3680156889-315008940-500\Software\msbb -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\Administrator\Desktop\DUBAI HARD DISCK\galal\ecommerce\dialer.exe -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\Administrator\Desktop\DUBAI HARD DISCK\galal\Foton Edutainment\Foton IOM\Filing\DirectAccess.exe -> Heuristic.Win32.Dialer : Cleaned with backup
    C:\Program Files\aaascreensavers\Bikini Heaven\VVSN_AAAS0741Inst.exe -> Adware.SaveNow : Cleaned with backup
    C:\Program Files\Common Files\crrleflf\cllhbdhplp\hdfrtpena.exe -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\crrleflf\epdhplcd\pbfttlla.exe -> Adware.Gator : Cleaned with backup
    C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe -> Spyware.WebRebates : Cleaned with backup
    C:\WINDOWS\2_0_1browserhelper2.dll_tobedeleted -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\internazionale_ver3.ocx -> Spyware.AdPowerZone : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\potwbar.dll -> Spyware.MegaSearch : Cleaned with backup
    C:\WINDOWS\iClearSearch\aaaP026.exe -> Backdoor.Ruledor.b : Cleaned with backup
    C:\WINDOWS\iNetPal\3ASavers_34yf28fg.exe -> TrojanDropper.Small.sc : Cleaned with backup
    C:\WINDOWS\iOneEighty\saap.exe -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\rkrnpiu.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\34yf28fg.exe -> Spyware.F1Organizer : Cleaned with backup
    C:\WINDOWS\system32\apuc.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\ATPartners.dll -> TrojanDownloader.Rameh.c : Cleaned with backup
    C:\WINDOWS\system32\bpkhk.dll -> TrojanSpy.PerfectKeyLogger.ac : Cleaned with backup
    C:\WINDOWS\system32\bpkr.exe -> TrojanDownloader.Agent.fz : Cleaned with backup
    C:\WINDOWS\system32\bpkwb.dll -> TrojanSpy.Perfectkeylogger.Ad : Cleaned with backup
    C:\WINDOWS\system32\btrujm.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\dmiebyd.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\dzzwpi.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\exdl.exe -> Adware.eXact : Cleaned with backup
    C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\hdumqoh.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\icjsqk.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\InstaFinder_inst.exe -> Spyware.InstaFinder.a : Cleaned with backup
    C:\WINDOWS\system32\johpbcy.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\kukvtaa.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\kxwodgc.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\mrunjy.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\mscb.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\nagnavs.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\nvms.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\odmdpgr.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\pruleu.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\qfyeaiz.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\stmtreco.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\swyfjad.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\TriacomUD.dll -> Dialer.Generic : Cleaned with backup
    C:\WINDOWS\system32\tt_reco.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\ugxnbs.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\xsustko.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\UnstSA2.exe -> TrojanDropper.Delf.z : Cleaned with backup
    C:\WINDOWS\ZServ.dll_tobedeleted -> Spyware.DlMax : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 10:19:57 AM, on 7/6/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\iisvers.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Administrator\Desktop\progs\HJT1991.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/uk/*http://www.yahoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/uk/*http://www.yahoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.11.191.11:8080
    R3 - URLSearchHook: UB Class - {00000000-15D9-4736-AB29-131578A45F2B} - C:\WINDOWS\system32\wsrchc3.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {37AB3726-B335-2FE8-D724-67550BAE7A3E} - C:\WINDOWS\System32\khguhge.dll
    O2 - BHO: (no name) - {4BDEF18D-DF78-45A8-A290-767902AC1511} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {54C18050-B0BE-454A-9156-1B6B09E3FC32} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {A017DF32-FCBF-4100-ADD2-C3C5021721A0} - C:\WINDOWS\System32\ldnj.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D361D39F-B879-4540-B380-7F8E1B58562A} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
    O4 - HKLM\..\Run: [wtyjmr] C:\WINDOWS\wtyjmr.exe
    O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
    O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
    O4 - HKLM\..\Run: [wmv] C:\WINDOWS\system32\winmonv.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [iisvers] C:\WINDOWS\iisvers.exe
    O4 - HKLM\..\Run: [wvqmezy] c:\windows\system32\nxzhsl.exe
    O4 - HKLM\..\Run: [cottci] c:\windows\system32\yeeprk.exe r
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Gryrw] C:\WINDOWS\System32\zxzmutr.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094644147840
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D62B5127-8D03-4175-BA71-E0041595DA4B} (UDConnect Class) - http://goto.tria-com.net/html/TriacomUD_1.0.0.3ie.cab?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DB5D9EA3-3F5B-4ADF-AAEA-BE86C950DAF3}: NameServer = 212.11.191.200,212.11.191.201
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    zigne - if you need help, please start your own thread and post your HijackThis log.