- Rebooted into Safe Mode
- Ran Ad-Aware SE
- Ran findit's.bat
- Put it into KillBox
But it didn't get rid of it, so we tried again. The second time, we:
- Rebooted into Safe Mode
- Ran remove.bat
- Scanned with Ewido
- Rebooted into normal
- Ran findit's.bat
- Named a random notepad document as nail.exe. When I saved it in my WINDOWS folder in my local drive, it asked me if I wanted to replace the existing nail.exe file. I clicked on yes.
- Rebooted. A notice then popped up and said that nail.exe was trying to do something illegal and if I wanted to stop it. I clicked yes.
- Ran HijackThis. And this is the log that I got:
Logfile of HijackThis v1.99.1
Scan saved at 5:51:08 PM, on 27/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Galang\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ynlfesazseibt...QJcRiLmrX9Z0T7MkzDq8Hu6RyVBTtlt7KbyNimwSqFdIxViYE9wwW_2YsKmGl.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.rpgcha...splay.php?f=454
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {312FFB24-7C21-09EF-793F-9715E9B3ECAB} - D:\PROGRA~1\NewLove\planhole.exe (file missing)
O2 - BHO: (no name) - {BE5A0C41-E88A-5CF3-3A1B-CCD1AAD04EE3} - D:\DOCUME~1\Galang\APPLIC~1\NewLove\planhole.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...sgrchkr.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...MessengerStatsClient.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...MsnMessengerSetupDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Help pleeeease. I'm not sure if I'm clean yet. Thank you <3.
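An added triage helper for the log above (example code, not part of the post and not HijackThis's own tooling): it parses lines in the HijackThis v1.99.1 log format and flags the three entry kinds that stand out in this log, the F2 system.ini Shell value with a second program after Explorer.exe, an O2 BHO whose file is missing, and an R3 URLSearchHook with no file. The sample log is constructed from a few entries in the post; the entry regex and the reason strings are this example's own.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries from the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\Explorer.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {312FFB24-7C21-09EF-793F-9715E9B3ECAB} - D:\PROGRA~1\NewLove\planhole.exe (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Every HijackThis entry starts with a section code (R0, F2, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs for each entry line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Return (section, reason, body) findings for the entry kinds a reviewer should check first."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            # The stock value is just Explorer.exe; anything else on the line is an extra
            # program started together with the shell at every logon (Nail.exe in the post).
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((section, "Shell is not plain Explorer.exe: " + shell, body))
        elif section == "O2" and body.endswith("(file missing)"):
            # A BHO registration whose binary is gone: a leftover that should still be removed.
            findings.append((section, "BHO registered but its file is missing", body))
        elif section == "R3" and body.endswith("(no file)"):
            findings.append((section, "URLSearchHook points at no file", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Run it against a full saved log instead of SAMPLE_LOG to get the same three checks over every entry; lines that do not match the entry pattern (the header and process list) are ignored.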