Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Computer infected with Aurora&nail.exe [resolved]

Started by shatter , Jun 11 2005 08:52 AM

  • This topic is locked This topic is locked

#1
shatter
Posted 11 June 2005 - 08:52 AM

shatter

    New Member

  • Member
  • Pip
  • 4 posts
I've been trying to free my computer from spyware and trojans for the past week, but it just keeps coming back. I think I have aurora and I'm know I have nail.exe. I did everything in the 'before you post a hijackthis log' post, twice to make sure, but I'm still infected. A little help would be very much appreciated.

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:33 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\igfxpers.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
c:\winnt\system32\vmqbbc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\SETI@home\[email protected]
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Semagic\LiveJournalU.exe
C:\Documents and Settings\Administrator\Desktop\logs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.34.241.9:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 24.34.241.9;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINNT\System32\WinStat11.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [yswl] C:\WINNT\System32\yswl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\System32\igfxpers.exe
O4 - HKLM\..\Run: [mrgmtgu] c:\winnt\system32\vmqbbc.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107099074856
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
  • 0

Advertisements

#2
g2i2r4
Posted 15 June 2005 - 05:13 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome shatter to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

***

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

***

download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Next please run HijackThis, click Scan, and check:

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe

O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} -
C:\WINNT\System32\WinStat11.dll (file missing)

O4 - HKLM\..\Run: [yswl] C:\WINNT\System32\yswl.exe

O4 - HKLM\..\Run: [Persistence] C:\WINNT\System32\igfxpers.exe

O4 - HKLM\..\Run: [mrgmtgu] c:\winnt\system32\vmqbbc.exe

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab

Close all open windows except for HijackThis and click Fix Checked.

***

Please double-click Killbox.exe to run it.

Select "Delete on Reboot".

Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\WINNT\System32\igfxpers.exe
c:\winnt\system32\vmqbbc.exe
C:\WINNT\System32\yswl.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

***

Then please run Ewido, and run a full scan. Save the logfile from the scan.

***

Restart your computer in normal mode.

***

Please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here

***

And please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#3
shatter
Posted 15 June 2005 - 08:39 PM

shatter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank you very much. ^.^

The Panda scan is at the bottom, because I was typing this while it scanned.

Here's the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:08:47 PM, on 6/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\SETI@home\[email protected]
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Opera7\opera.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\logs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.34.241.9:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 24.34.241.9;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINNT\System32\WinStat11.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107099074856
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Avgrdsheuinic - GRISOFT, s.r.o. - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe


And the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:06:01 PM, 6/15/2005
+ Report-Checksum: F950A3EA

+ Date of database: 6/15/2005
+ Version of scan engine: v3.0

+ Duration: 90 min
+ Scanned Files: 120661
+ Speed: 22.29 Files/Second
+ Infected files: 47
+ Removed files: 47
+ Files put in quarantine: 47
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\SSK3_B5 Verticlick 8.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP1\A0000007.dll -> Spyware.SurfSide -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001280.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001281.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001282.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001284.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001285.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001286.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001296.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP21\A0001307.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001337.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001338.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001354.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001355.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001376.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001385.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001408.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001409.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001410.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001540.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001580.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001581.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001591.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001592.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP22\A0001628.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0001728.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0001766.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0001777.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0001787.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002798.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002804.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002813.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002852.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002870.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002892.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002909.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0002926.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0003107.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0003130.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0003163.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0003164.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{D7F59E68-F72A-418D-8724-BD50B2A19162}\RP24\A0003165.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINNT\system32\gpjjfw.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINNT\zzwkydsuh.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End


And finally the log from the virus scan:


Incident Status Location

Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Application Data\Sskcwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Application Data\Sskuknwrd.dll
Possible Virus. No disinfected C:\Program Files\Avi2Dvd\Programs\BeSweet\BeSweet.exe
Adware:Adware/Transponder No disinfected C:\WINNT\dgngkds.exe
  • 0

#4
g2i2r4
Posted 16 June 2005 - 02:19 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINNT\System32\WinStat11.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Grand permission to Spybot for the change we are making.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.
  • 0

#5
shatter
Posted 16 June 2005 - 09:07 AM

shatter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Alright, done.

Here's the uninstall-list log:

3ds max 7
3ds max 7 Additional Maps and Materials
3ds max 7 Architectural Materials
3ds max 7 Reference Files
ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS
Adobe Reader 6.0
Agere Systems AC'97 Modem
Ahead Nero BurnRights
AOL Instant Messenger
ArcSoft PhotoImpression
AVG Free Edition
Avi2Dvd 0.2.8 beta
AviSynth 2.5
BitTornado 0.3.7
BitTorrent 3.4.2
Booster Logic 1.0.3
Campaign Cartographer 2
Campaign Mapper
CC2-Pro Demo
CGoban 2.6.4
City Designer 2
Civilization III
CleanUp!
Community Expansion Pack version 1.50
Cortona® VRML Client
DAEMON Tools
Deep Space Nine The Fallen
Delete Virtual-Mate Launcher
DivX
DivX Player
DoMore
Dungeon Designer 2
DVD
DVD Profiler Version 2.3.1
EAX Unified
eMule
eMule Plus 1i
EPSON CardMonitor
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoStarter3.0
EPSON Print CD
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON SPR300 Reference Guide
ewido security suite
ezgm4
FastCAD
FastCAD Demo
FeedReader
GameSpy Arcade
Gateway Ink Monitor
Gateway Rhapsody
GENS
Gmask 1.70 English
GunBound
HijackThis 1.99.1
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InterActual Player
irock! Audio Manager
irock! Download Manager
Jardinains!
Java 2 Runtime Environment, SE v1.4.2
Jigs@w Puzzle
Jigs@w Puzzle Nature Edition
KingKanji
Logitech Gaming Software
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia FreeHand MXa
Macromedia Shockwave Player
MapleStory
MapX 0.5.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
mIRC
Mozilla Firefox (1.0.4)
MS Access 97 SP2
MSXML4 Parser
MUSH Formatter 2.53
Myst for Windows 95
Nero Digital
Nero OEM
Network Play System (Patching)
Neverwinter Nights
NoteWorthy Composer
openCanvas3.05E Plus
Opera
Outlook Express Update Q330994
PeerCast (remove only)
Planescape - Torment
PlayFKiSS
Presto! BizCard 4.1 Eng
Quicken 2004
QuickTime
RealPlayer Basic
ScanToWeb
SecondLife (remove only)
Semagic (remove only)
SETI@home
Shockwave
Sierra Utilities
SimpleMU MUD Client
SmartFTP
SpeechRedist
Spybot - Search & Destroy 1.3.1 TX
StepMania (remove only)
Synaptics Pointing Device Driver
Tcl
The ABI Network- A Division of Direct Revenue
Trillian
uliGo 0.3
WFEducator v7.0
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB282010
Windows XP Hotfix - KB821187
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q814696
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q816048
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817357
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819636
Windows XP Hotfix (SP2) Q819696
WinPhlash
WinRAR archiver
WinSCP 3.6.5 beta
WinZip
XviD MPEG-4 Codec
zbattle.net 1.09 SR-1 beta
  • 0

#6
g2i2r4
Posted 16 June 2005 - 10:07 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Nothing there at first glance.

How are things now?
  • 0

#7
shatter
Posted 16 June 2005 - 10:57 AM

shatter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Everything looks pretty good. ^.^ I no longer have pop-ups come up whenever I use Internet Explorer, which is nice, and AVG has stopped telling me there's a virus it can't get rid of.

The only thing that worries me is, on the uninstall list, is 'The ABI Network- A Division of Direct Revenue'. That's what the pop-ups had on them. Is it okay to uninstall that? I don't want to just do it in case uninstalling it causes the entire infection to come back.
  • 0

#8
g2i2r4
Posted 16 June 2005 - 11:56 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Thanks for reminding me to clean up. It's an orphan.

Open HijackThis.
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
The ABI Network- A Division of Direct Revenue
Press ‘delete this entry’.
Close HijackThis.
Reboot the system.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Edited by g2i2r4, 16 June 2005 - 11:59 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP