Member Avatar for tsmai

Hi,
While yrying to solve the abi network virus, I did your suggestions, here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 17:05:26, on 02/07/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\ABI WAR\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.uzit.co.il/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\telwn.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\telwn.dll (file missing)
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Microsofts Updates] wuamgrd.exe
O4 - HKLM\..\Run: [WindowsRegKey%update] ethernet32m.exe
O4 - HKLM\..\Run: [Windows Guard] waumgrd.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamagrd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Microsofts Updates] wuamgrd.exe
O4 - HKLM\..\RunServices: [WindowsRegKey%update] ethernet32m.exe
O4 - HKLM\..\RunServices: [Windows Guard] waumgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsofts Updates] wuamgrd.exe
O4 - HKCU\..\Run: [Windows Guard] waumgrd.exe
O4 - HKCU\..\Run: [WindowsRegKey%update] ethernet32m.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamagrd.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O15 - Trusted Zone: [url]http://*.windupdates.com[/url]
O15 - Trusted Zone: [url]http://*.xxxtoolbar.com[/url]
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht![url]http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe[/url]
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab[/url]
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - [url]https://hb2.bankleumi.co.il/Premium/download/CfxIEAx.cab[/url]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [url]http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[/url]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - [url]http://www.bcn.es/vserver/AxisCamControl.ocx[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA8B489B-E656-49B4-BEFF-8354E03304F6}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          17:02:13, 02/07/2005
 + Report-Checksum:     EFB5F1C6

 + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} -> Spyware.JKSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{110FA82F-DB6C-3C24-8929-60961D10C56E} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\WildMedia -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\WildMedia\LicenseStores -> Spyware.MidAddle : Cleaned with backup
    HKU\S-1-5-21-861567501-1957994488-1708537768-1003\Software\IST -> Spyware.ISTBar : Cleaned with backup
    C:\Documents and Settings\maimon\Cookies\maimon@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\maimon\Cookies\maimon@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
    C:\Documents and Settings\maimon\Cookies\maimon@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\maimon\Cookies\maimon@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\maimon\Cookies\maimon@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\maimon\Cookies\maimon@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP330\A0112649.exe -> TrojanDropper.Delf.fd : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127108.exe -> Heuristic.Win32.Downloader : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127109.exe -> Heuristic.Win32.Downloader : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127110.exe -> Spyware.WinAD : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127111.exe -> Heuristic.Win32.Downloader : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127112.exe -> Heuristic.Win32.Downloader : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127113.exe -> Heuristic.Win32.Downloader : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127114.exe -> Heuristic.Win32.Downloader : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0127115.exe -> TrojanDropper.Agent.k : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128142.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128146.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128147.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128153.exe -> Spyware.Gator : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128156.dll -> Spyware.Gator : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128158.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128159.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128162.dll -> Spyware.Gator : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128184.exe -> Spyware.Gator : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128187.exe -> Spyware.Gator : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128188.exe -> Spyware.Gator : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128216.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128221.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128222.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128224.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128225.exe -> Trojan.Nail : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128226.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128227.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128228.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128236.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128240.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128241.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128242.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128245.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128247.exe -> Trojan.Nail : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP361\A0128248.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0129236.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0129241.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0129242.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0129244.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0129246.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0130236.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0130241.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0130242.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0130243.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP362\A0130245.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0131236.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0131241.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0131242.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0131244.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0131245.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0132236.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0132241.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0132242.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0132244.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133236.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133241.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133242.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133245.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133247.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133252.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133253.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP363\A0133256.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133266.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133271.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133272.exe -> Trojan.DNSChanger.r : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133275.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133276.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133280.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133285.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP364\A0133287.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP365\A0133291.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP365\A0133296.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP365\A0133298.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP365\A0133300.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0133306.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0133311.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0133313.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0133317.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0133318.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0133319.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0133320.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0134306.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0134311.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0135306.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0135311.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0136306.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0136311.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0136313.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP366\A0136314.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP368\A0136519.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP368\A0136524.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP368\A0136842.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP368\A0136843.exe -> Trojan.Nail : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP368\A0136844.exe -> Spyware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP368\A0136845.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP368\A0136846.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP369\A0136851.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP369\A0136855.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP369\A0136860.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP369\A0136861.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP369\A0136879.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0136887.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0136888.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0137879.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0137887.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0137893.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0138893.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0139893.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0139902.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0140900.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0140906.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0140911.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0140912.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0140916.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0140922.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0140925.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0141925.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP370\A0142925.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP371\A0142939.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP372\A0143939.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP372\A0143945.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP372\A0143952.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP372\A0144952.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP372\A0144958.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP372\A0144963.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP372\A0144964.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP373\A0144971.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0145971.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0145982.exe -> Heuristic.Win32.Downloader : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0145983.exe -> Trojan.Nail : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0145984.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0145985.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146055.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146062.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146066.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146080.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146081.exe -> Spyware.FindSpy : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146085.dll -> Spyware.SBSoft : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146089.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146121.exe -> TrojanDropper.Agent.nj : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146123.exe -> Trojan.Nail : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146124.exe -> Trojan.Stervis.c : Cleaned with backup
    C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP374\A0146125.dll -> TrojanSpy.Agent.am : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Spyware.Gator : Cleaned with backup
    C:\WINDOWS\ors-syms.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\SPhhPE.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\SPSP.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\64PE.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\nthhorhh.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\PEs-SP32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\sy64PEhh.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\waumgrd.exe -> Backdoor.Rbot : Cleaned with backup


::Report End
Edited by mike_2000_17 because: Fixed formatting
  • 2 Contributors
  • 9 Replies
  • 372 Views
  • 2 Weeks Discussion Span
  • Latest Post Latest Post by swatkat
Member Avatar for swatkat

Download the NailFix from NoIdea.us. Extract it to a folder on Desktop, and do not run it now.

Download CCleaner and install it. Click "Options" button and here go to "Settings" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options.Then exit from CCLeaner.

Download AboutBuster, and extract it to a folder. Download SpywareBlaster, and install it, dont run it now.


Reboot in Safe Mode, restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Double-click on the nailfix.cmd file, a DOS type window opens up and closes automatically, and the Desktop icons may disappear and appear back, this is normal.
Run Ewido, Click on the "Scanner" button in the left menu, then click on the "Start" button. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.


Go to Add/Remove Programs in Control Panel, and uninstall the entry WindUpdates, if you find it.


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzit.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\telwn.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\telwn.dll (file missing)
O4 - HKLM\..\Run: [Microsofts Updates] wuamgrd.exe
O4 - HKLM\..\Run: [WindowsRegKey%update] ethernet32m.exe
O4 - HKLM\..\Run: [Windows Guard] waumgrd.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamagrd.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Microsofts Updates] wuamgrd.exe
O4 - HKLM\..\RunServices: [WindowsRegKey%update] ethernet32m.exe
O4 - HKLM\..\RunServices: [Windows Guard] waumgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagrd.exe
O4 - HKCU\..\Run: [Microsofts Updates] wuamgrd.exe
O4 - HKCU\..\Run: [Windows Guard] waumgrd.exe
O4 - HKCU\..\Run: [WindowsRegKey%update] ethernet32m.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamagrd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O15 - Trusted Zone: http://*.windupdates.com
O15 - Trusted Zone: http://*.xxxtoolbar.com
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/Premium/download/CfxIEAx.cab

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Exit from HijackThis. Delete these files:-
C:\Program Files\Media Access\MediaAccK.exe
wuamgrd.exe
ethernet32m.exe
waumgrd.exe
wuamagrd.exe
Delete this folder:-
C:\Program Files\Media Access


Run CCleaner, click "Run Cleaner" and click "OK" to the warning message to start cleaning. Run About:Buster, click "Begin removal". After this, run SpywareBlaster, click "Enable All Protection" and exit from it.


Reboot to Normal Mode. Perform an online virus scan at Panda ActiveScan with the "Disinfection" option enalbed. After the scan, save the log file.
Run HijackThis again, click Do a System scan and save log, and post the fresh log, along with Ewido log and Panda log.

Member Avatar for tsmai

Here are the log you asked me to make (11.7.05)

and btw, what is the protection I should enable after that (for normal days)?
norton/ ewido/ or other
10x

Incident                      Status                        Location


Spyware:Spyware/ISTbar        No disinfected                Windows Registry
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/WUpd            No disinfected                C:\WINDOWS\System32\ide21201.vxd
Adware:Adware/SBSoft          No disinfected                Windows Registry
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\FUCK Real Girls.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Adware:Adware/WUpd            No disinfected                C:\WINDOWS\system32\ide21201.vxd
Adware:Adware/QuickWeb        No disinfected                C:\WINDOWS\system32\ntfsnlpa.exe
**********************************

.

Logfile of HijackThis v1.99.1
Scan saved at 22:43:42, on 11/07/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ABI WAR\hijackthis\HijackThis.exe


O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.bcn.es/vserver/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA8B489B-E656-49B4-BEFF-8354E03304F6}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           21:16:55, 11/07/2005
+ Report-Checksum:      183CEFDB


+ Scan result:


C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP380\A0150307.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP380\A0150312.exe -> TrojanDropper.Agent.nj : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP380\A0150321.exe -> TrojanDropper.Agent.nj : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP380\A0150325.exe -> TrojanDropper.Agent.nj : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP381\A0150334.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP381\A0150335.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP381\A0150341.exe -> TrojanDropper.Agent.nj : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP382\A0150365.exe -> TrojanDropper.Agent.nj : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP382\A0151365.exe -> TrojanDropper.Agent.nj : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP382\A0152365.exe -> TrojanDropper.Agent.nj : Cleaned with backup
C:\System Volume Information\_restore{9F829F0E-F1F6-41A3-9143-D7E8EF79C8CE}\RP383\A0152384.exe -> TrojanDropper.Agent.nj : Cleaned with backup



::Report End
Edited by Nick Evan because: Fixed formatting
Member Avatar for swatkat

Download CleanUp! and install it. Do not run it now.

Open NotePad, and copy the contents of the below "Code" box:-

cd %windir%
cd System32
attrib -s -r -h ide21201.vxd
attrib -s -r -h ntfsnlpa.exe  
del ide21201.vxd
del ntfsnlpa.exe

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.

Boot in SAFE mode.


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.


Run CleanUp!, click "Options" button, move the "Quick Setup" slider to "Thorough CleanUp!" and click "Yes" for the warning message and exit from Options. Click "CleanUp!" to start cleaning. After cleaning, click "Close", and choose "Yes" to restart the PC to Normal Mode.


Once in Normal Mode, run HijackThis again, and perform a scan, and post a fresh log.

And, for the protection from Spywares/Malwares/Viruses, you can use both Norton and Ewido together. Norton is an AntiVirus which specialises in detecting/removing viruses/trojans. And Ewido is an anti spyware, trojan, hijacker tool, which detects/removes browser hijackers, spywares, adwares etc.

Along with the above two softwares, you can use SpyBot SnD, AdAware and SpywareBlaster too.

For more security applications and descriptions, you can visit this thread.

Member Avatar for tsmai

OK,
first, thanks you very much for your time and help.

second, The abi network progra, still appears in the add/remove program list.

third, here are the hijackthis log that you told me to make.

:)

Logfile of HijackThis v1.99.1
Scan saved at 14:20:01, on 22/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ABI WAR\hijackthis\HijackThis.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.bcn.es/vserver/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA8B489B-E656-49B4-BEFF-8354E03304F6}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Member Avatar for swatkat

Hi,
Download the FixBinet, a removal tool from Symantec.

Download RegCleaner and install it.

Go to Add/Remove Programs in Control Panel, and select the "ABI Network" and click "Remove". If you receive any error message like "the specified program can not be uninstalled, click OK to remove the entry from the Add/Remove list", then click "OK".
Even after this, the ABI Network entry is present in the Add/Remove list, then run RegCleaner. Click "Uninstall Menu" tab. Then select the "ABI Network" entry from the list and click "Remove Selected" button.


Reboot to safe mode. Run FixBinet.exe and click "Start" to start the tool.


After this run HijackThis, and select this entry:-

O1 - Hosts: localhost 127.0.0.1

Close all other open programs, and click "Fix Checked" in HiajckThis.


Reboot back to normal mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log. Also post whether the FixBinet removal tool found anything or not.

Member Avatar for tsmai

Hi,

1. FibBinet: 1 deleted file reported.

2. Removing abi network from add/remove programs failed, and straight after trying, I got a norton warning: "Trojan.Dropper was found and deleted" and the computer was stuck for few seconds.
I removed it with RegCleaner (as you kindly suggested).

3. Hijackthis: The 01 entry appeared again on normal mode, so i deleted it again (in normal mode), here is the log after doing so:

Logfile of HijackThis v1.99.1
Scan saved at 16:51:59, on 22/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\ABI WAR\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.bcn.es/vserver/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA8B489B-E656-49B4-BEFF-8354E03304F6}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A01C959-3977-43C3-95D0-F018530DCDD7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Member Avatar for swatkat

Hi,
Log looks clean :D Do you still receive any popups or warnings from Norton? I suggest you to perform a full system scan using Norton to check whether it finds something or not.

Member Avatar for tsmai

I did the full system scan and it deleted a trojan, and one risk file.

anyway, it looks much better and I dont see any popups.

You are the best!
Thank you very much, and have a great day!
:) :) :)

Member Avatar for swatkat

Hi,
Thank you :) A very good tool you can use is SpywareBlaster, to prevent the installation of IE based malwares. Install SpywareBlaster, run and click "Enable All Protection" and close it.

Just to make sure that the system is clean, you can perform online virus scans at Panda ActiveScan, TrendMicro HouseCall.

For much more safer browsing, you can use alternate browsers like Opera and FireFox. These browsers are safer and more feature rich than IE.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.