New to all this, but got this pain in the proverbial aurora thing the other day, and its bugging the [bleep] out of me.
I've scanned a few of the forums, and followed some of the advice there, getting me to this point. I've downloaded and run nailfix, done a ewido scan, and a hijack this log.
Question is, am I now clean!
Ewido lo here
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 13:35:26, 18/05/2005
+ Report-Checksum: 80B3B520
+ Date of database: 18/05/2005
+ Version of scan engine: v3.0
+ Duration: 29 min
+ Scanned Files: 113634
+ Speed: 63.63 Files/Second
+ Infected files: 14
+ Removed files: 14
+ Files put in quarantine: 14
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
D:\
E:\
+ Scan result:
C:\Documents and Settings\fatboy\Local Settings\Temporary Internet Files\Content.IE5\4XURGH2Z\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\019F8EDC-1BD4-4AC9-9CF4-D0423F\083DE058-20F7-4B68-9966-1D1F8C -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F6F24D2-A0F5-44F0-A4F5-F0F728\E0E04A0B-948C-4F3C-8C3C-FAD5DA -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DB43A215-A4D5-4595-B02C-F46E55\264ED6A9-0DA1-4841-A49F-4279E6 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DB43A215-A4D5-4595-B02C-F46E55\577B8D2A-4A9C-4B86-B926-BBC7A8 -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DB43A215-A4D5-4595-B02C-F46E55\BDAD9432-4754-4B91-B3C4-B716DD -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DE98650B-9FA5-4978-B630-735200\E4955903-0D17-4908-95C1-2A5263 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E176A4C6-4263-4A9B-AD78-D18D40\10E24F4E-1E7B-47B3-BC27-712B11 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E176A4C6-4263-4A9B-AD78-D18D40\1D460E50-2663-4F53-B348-F0A4D3 -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\ravbogzgyy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\drivers\etc\HOSTS.bak -> Trojan.Qhost.av -> Cleaned with backup
E:\program files and downloads\WinXP CDKey Changer [sUprass]\xp_cd_key_changer\update_xp_cd_key.exe -> TrojanSpy.DakrOmen.13 -> Cleaned with backup
E:\program files and downloads\WinXP CDKey Changer [sUprass].zip/xp_cd_key_changer/update_xp_cd_key.exe -> TrojanSpy.DakrOmen.13 -> Cleaned with backup
E:\program files and downloads\xpkeykit.zip/changekey.exe -> TrojanSpy.DakrOmen.13 -> Cleaned with backup
::Report End
And my hijack this log is as follows
Logfile of HijackThis v1.99.1
Scan saved at 13:36:17, on 18/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\fatboy\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.cha...57&f=5796002921
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.cha...57&f=5796002921
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" M=150 T=4 P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [DeleteDAE] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\dae.dll"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe " -silent
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O4 - Startup: DigiGuide.lnk = C:\Program Files\DigiGuide\client.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Autorun Killer.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://H:\Resources\IntraLaunch.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48148DBB-6FA8-4794-A60D-659F0FDD21D7}: NameServer = 195.112.4.4,195.112.4.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B249D21-FAAD-42AF-B96C-1F3465AE56F0}: NameServer = 195.112.4.4,195.112.4.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D08737A7-B35B-439F-9D33-93201AE4317A}: NameServer = 195.112.4.4,195.112.4.7
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
Thanks in advance for your help, you guys rule!
Paul