Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora Popups - [ Nail.exe ] [RESOLVED]


  • This topic is locked This topic is locked

#1
Gloss Bite

Gloss Bite

    New Member

  • Member
  • Pip
  • 4 posts
I randomly got an aurora popup two days ago. A friend helped me through it- this is what we did.

- Rebooted into Safe Mode
- Ran Ad-Aware SE
- Ran findit's.bat
- Put it into KillBox

But, it didn't get rid of it, so we tried again. The second time, we:

- Rebooted into Safe Mode
- Ran remove.bat
- Scanned with Ewido
- Rebooted into normal
- Ran findit's.bat
- Named a random notepad document as nail.exe. When I saved it in my WINDOWS folder in my local drive, it asked me if I wanted to replace the existing nail.exe file. I clicked on yes.
- Rebooted. A notice then popped up and said that nail.exe was trying to do something illegal and if I wanted to stop it. I clicked yes.
- Ran hijackthis. And this is the log that I got:

Logfile of HijackThis v1.99.1
Scan saved at 5:51:08 PM, on 27/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and

Settings\Galang\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://ynlfesazseibt...QJcRiLmrX9Z0T7M

kzDq8Hu6RyVBTtlt7KbyNimwSqFdIxViYE9wwW_2YsK

mGl.jsp
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://forums.rpgcha...splay.php?f=454
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://www.ozemail.com.au
R3 - URLSearchHook: (no name) -

_{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe

D:\WINDOWS\Nail.exe
O2 - BHO: (no name) -

{312FFB24-7C21-09EF-793F-9715E9B3ECAB} -

D:\PROGRA~1\NewLove\planhole.exe (file missing)
O2 - BHO: (no name) -

{BE5A0C41-E88A-5CF3-3A1B-CCD1AAD04EE3} -

D:\DOCUME~1\Galang\APPLIC~1\NewLove\planhole.ex

e
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program

Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search -

res://D:\Program Files\AIM

Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM -

{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

D:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program

Files\Messenger\msmsgs.exe
O14 - IERESET.INF:

START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C}

(Checkers Class) -

http://messenger.zon...sgrchkr.cab2857

8.cab
O16 - DPF:

{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

(MessengerStatsClient Class) -

http://messenger.zon...MessengerStatsC

lient.cab28578.cab
O16 - DPF:

{B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn...MsnMessengerSet

upDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems -

D:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido

networks - D:\Program Files\ewido\security

suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido

networks - D:\Program Files\ewido\security

suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software

(KodakCCS) - Eastman Kodak Company -

D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component

(PcCtlCom) - Trend Micro Incorporated. -

D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) -

Trend Micro Incorporated. -

D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) -

Trend Micro Inc. -

D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) -

Trend Micro Inc. -

D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Help pleeeease. I'm not sure if I'm clean yet. Thank you <3.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

I still see it there. Could you repost the HijackThis log and make sure that Word Wrap is turned OFF in Notepad? As you can see, the format it created is not easy to read.
  • 0

#3
Gloss Bite

Gloss Bite

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:51:08 PM, on 27/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Galang\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ynlfesazseibt...wwW_2YsKmGl.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.rpgcha...splay.php?f=454
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {312FFB24-7C21-09EF-793F-9715E9B3ECAB} - D:\PROGRA~1\NewLove\planhole.exe (file missing)
O2 - BHO: (no name) - {BE5A0C41-E88A-5CF3-3A1B-CCD1AAD04EE3} - D:\DOCUME~1\Galang\APPLIC~1\NewLove\planhole.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Sorry about that ^-^. Hope this helps.
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ynlfesazseibt...wwW_2YsKmGl.jsp
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {312FFB24-7C21-09EF-793F-9715E9B3ECAB} - D:\PROGRA~1\NewLove\planhole.exe (file missing)
O2 - BHO: (no name) - {BE5A0C41-E88A-5CF3-3A1B-CCD1AAD04EE3} - D:\DOCUME~1\Galang\APPLIC~1\NewLove\planhole.exe


Close all open windows except for HijackThis and click Fix Checked.

Delete this folder -> D:\DOCUME~1\Galang\APPLIC~1\NewLove\

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here.
  • 0

#5
Gloss Bite

Gloss Bite

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:15:35 PM, on 28/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Galang\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.rpgcha...splay.php?f=454
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {312FFB24-7C21-09EF-793F-9715E9B3ECAB} - D:\PROGRA~1\NewLove\planhole.exe (file missing)
O2 - BHO: (no name) - {BE5A0C41-E88A-5CF3-3A1B-CCD1AAD04EE3} - D:\DOCUME~1\Galang\APPLIC~1\NewLove\planhole.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Ewido Scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:14:44 PM, 28/05/2005
+ Report-Checksum: EBDBB47A

+ Date of database: 28/05/2005
+ Version of scan engine: v3.0

+ Duration: 51 min
+ Scanned Files: 86783
+ Speed: 27.88 Files/Second
+ Infected files: 14
+ Removed files: 14
+ Files put in quarantine: 14
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
D:\WINDOWS\fnbevvbzvvw.exe -> Spyware.BetterInternet -> Cleaned with backup
D:\Documents and Settings\All Users\Application Data\Pribi\Pribi.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
D:\Documents and Settings\Galang\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar -> Cleaned with backup
D:\Documents and Settings\Galang\Cookies\galang@lop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP29\A0015084.exe -> Spyware.WebRebates -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP29\A0015085.exe -> Spyware.WebRebates -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP31\A0016276.exe -> Spyware.WebRebates -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP31\A0016277.exe -> Spyware.WebRebates -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026811.exe -> Spyware.Bargainbuddy -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026812.exe -> Spyware.BetterInternet -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026813.EXE -> Trojan.Agent.cp -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026814.EXE -> Trojan.Stervis.c -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026815.EXE -> Spyware.BetterInternet -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026827.exe -> Trojan.Nail -> Cleaned with backup


::Report End


Findit's Log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 28/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive D has no label.
Volume Serial Number is 1513-12DD

Directory of D:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive D has no label.
Volume Serial Number is 1513-12DD

Directory of D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, I will ask you to get a newer version of that nailfix program. So delete the one you have now and get the new one below:

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://www.noidea.us...050515010747824 Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe c:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {312FFB24-7C21-09EF-793F-9715E9B3ECAB} - c:\PROGRA~1\NewLove\planhole.exe (file missing)
O2 - BHO: (no name) - {BE5A0C41-E88A-5CF3-3A1B-CCD1AAD04EE3} - c:\DOCUME~1\Galang\APPLIC~1\NewLove\planhole.exe


Close all open windows except for HijackThis and click Fix Checked.

Delete these if found:

c:\WINDOWS\Nail.exe
c:\PROGRA~1\NewLove\
c:\DOCUME~1\Galang\APPLIC~1\NewLove\


Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan. Also give me a new FindIt's log.
  • 0

#7
Gloss Bite

Gloss Bite

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Ewido Scan [ In Safe Mode ]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:30:17 PM, 29/05/2005
+ Report-Checksum: 7EAD57E2

+ Date of database: 29/05/2005
+ Version of scan engine: v3.0

+ Duration: 52 min
+ Scanned Files: 86909
+ Speed: 27.70 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026920.exe -> Spyware.BetterInternet -> Cleaned with backup
D:\System Volume Information\_restore{0A592502-5E32-46D4-B70E-C46345C21B18}\RP50\A0026921.dll -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End

Hijackthis Scan [ Safe mode ]

Logfile of HijackThis v1.99.1
Scan saved at 3:30:53 PM, on 29/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Galang\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.rpgcha...splay.php?f=454
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Hijackthis Scan [ Normal Mode ]

Logfile of HijackThis v1.99.1
Scan saved at 3:30:53 PM, on 29/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Galang\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.rpgcha...splay.php?f=454
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Findits Log [ Normal Mode ]


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 29/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive D has no label.
Volume Serial Number is 1513-12DD

Directory of D:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive D has no label.
Volume Serial Number is 1513-12DD

Directory of D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No need for both logs next time :tazz: Just the log in Normal Mode will do.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP