TheTechGuide Forum
General Category => Tech Clinic => Topic started by: kai on May 30, 2005, 05:25:59 AM
-
hey, new here :D tbh I only signed up to get some help with this damned virus. I've downloaded and run all your suggested programs and fixed anything I found not quite right; I even manually tried to delete the TODO-associated files that were running on my pc.
Another problem is recurring viruses; my AV program keeps detecting two different trojans:
TROJ_BUDDY affecting c:\windows\ddjsvheji.exe
TROJ_STERVIS.C affecting c:\windows\svcproc.exe
Anyway, here's the HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 7:02:22 PM, on 30/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
U:\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
K:\Trend Micro\Internet Security\PCClient.exe
K:\Trend Micro\Internet Security\TMOAgent.exe
c:\windows\system32\jmximbo.exe
K:\steam\steam.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
K:\Trend Micro\Internet Security\Tmntsrv.exe
K:\Trend Micro\Internet Security\tmproxy.exe
K:\Programs\Spybot\TeaTimer.exe
K:\Programs\SpywareGuard\sgmain.exe
K:\Programs\SpywareGuard\sgbhp.exe
K:\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
K:\HJT\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - K:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Programs\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCClient.exe] "K:\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "K:\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [htzhlx] c:\windows\system32\jmximbo.exe
O4 - HKLM\..\Run: [mddwga] c:\windows\system32\irpesgb.exe
O4 - HKCU\..\Run: [Steam] "k:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Programs\Spybot\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = K:\Programs\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116923669207
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C9AC89-A9C2-4216-A253-955278B1CEF2}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{971ACAC0-A642-49FC-88FA-635D2A3DDD18}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - U:\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - K:\Programs\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - K:\Programs\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\tmproxy.exe
Any help would be appreciated <3
-
Can you try the following please, I'm not sure what steps you've tried so far
So let's see if we can figure this thing out
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet
Ensure you have it on your C: drive
==Download and install this small program to help clean your temp folders, cookies, etc...
Windows Cleanup: http://downloads.stevengould.org/cleanup/CleanUp40.exe
Give the link time to load or try it twice, it may be busy
Alternate download link: http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe
We'll need this later
==Download and then install
Ewido Trojan Scanner: http://download.ewido.net/ewido-setup.exe
If the first link isn't working, you can try from here:
http://www.google.ca/url?sa=U&start=3&q=http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html&e=10313
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4
Once in safe mode
==Double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done.
==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report
Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [htzhlx] c:\windows\system32\jmximbo.exe
O4 - HKLM\..\Run: [mddwga] c:\windows\system32\irpesgb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart back to Normal mode
NOTE: You have Spybot's Tea Timer and SpywareGuard running
They are both great tools
But if prompted about a change>>ALLOW them so neither will interfere with any fixes we are trying
Run another scan with Hijackthis and post a fresh log
Could you also supply the report from Ewido
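The helper's post above picks out three HijackThis entry types: an F2 Shell= value that starts something besides Explorer.exe, O4 Run keys with random-looking names pointing into the Windows directory, and an O23 service whose binary is missing. The script below is an added example, not the forum's or HijackThis's own code, that triages a log for those same patterns; the sample lines are constructed to match the shape of the posted log, and the key-name heuristic is an assumption (legitimate entries can match it, as the FindIt's output later in the thread warns).

```python
"""Triage a HijackThis v1.99 log for the entry types fixed in this thread."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Constructed sample in the HijackThis v1.99 layout; only names seen in the
# thread's posted log are used.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [TM Outbreak Agent] "K:\\Trend Micro\\Internet Security\\TMOAgent.exe" /run
O4 - HKLM\\..\\Run: [htzhlx] c:\\windows\\system32\\jmximbo.exe
O4 - HKLM\\..\\Run: [mddwga] c:\\windows\\system32\\irpesgb.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe (file missing)
"""

# [key name] followed by an optionally quoted path ending in .exe
O4_RE = re.compile(r'\[(?P<key>[^\]]+)\] "?(?P<exe>[^"]*?\.exe)"?', re.I)
# Executable sitting directly in the Windows or System32 directory
WINDIR_RE = re.compile(r'^[a-z]:\\windows(\\system32)?\\[^\\]+$', re.I)


def _norm(s: str) -> str:
    return re.sub(r'[^a-z0-9]', '', s.lower())


def _related(key: str, exe_base: str) -> bool:
    """Heuristic (assumption): a Run key name normally resembles its file name."""
    a, b = _norm(key), _norm(exe_base)
    return a[:4] == b[:4] or a in b or b in a


def check_line(line: str):
    """Return a Finding for one HJT line, or None if it looks ordinary."""
    line = line.strip()
    section = line.split(' - ', 1)[0]
    if section == 'F2' and 'Shell=' in line:
        # Only explorer.exe belongs here; anything else is loaded as a second shell
        extra = [t for t in line.split('Shell=', 1)[1].split()
                 if t.lower() != 'explorer.exe']
        if extra:
            return Finding('F2', 'extra shell: ' + ' '.join(extra), line)
    elif section == 'O4':
        m = O4_RE.search(line)
        if m and WINDIR_RE.match(m['exe']):
            base = m['exe'].replace('/', '\\').rsplit('\\', 1)[-1][:-4]
            if not _related(m['key'], base):
                return Finding('O4', f'windows-dir file under unrelated key [{m["key"]}]', line)
    elif section == 'O23' and line.endswith('(file missing)'):
        # Registered service whose binary is gone: leftover of a removed component
        return Finding('O23', 'service binary missing', line)
    return None


def triage(log_text: str):
    """Run check_line over a whole log and return the flagged entries in order."""
    return [f for f in (check_line(ln) for ln in log_text.splitlines() if ln.strip()) if f]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<3} {f.reason}\n    {f.line}')
```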
-
Thanks for the help so far :), here are the logs
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:49:58 PM, on 31/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
U:\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
K:\Trend Micro\Internet Security\PCClient.exe
K:\Trend Micro\Internet Security\TMOAgent.exe
K:\steam\steam.exe
K:\Programs\Spybot\TeaTimer.exe
K:\Programs\Ewido\Security Suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
K:\Programs\SpywareGuard\sgmain.exe
K:\Trend Micro\Internet Security\Tmntsrv.exe
K:\Trend Micro\Internet Security\tmproxy.exe
K:\Programs\SpywareGuard\sgbhp.exe
K:\Trend Micro\Internet Security\PccPfw.exe
K:\Programs\Mozilla\Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
K:\HJT\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - K:\Programs\IDA\idaiehlp.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - K:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Programs\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCClient.exe] "K:\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "K:\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [Steam] "k:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Programs\Spybot\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = K:\Programs\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download ALL with IDA - K:\Programs\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - K:\Programs\IDA\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116923669207
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{971ACAC0-A642-49FC-88FA-635D2A3DDD18}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - K:\Programs\Ewido\Security Suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - U:\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\tmproxy.exe
EWIDO:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 8:40:21 PM, 31/05/2005
+ Report-Checksum: 7F8A499D
+ Date of database: 31/05/2005
+ Version of scan engine: v3.0
+ Duration: 105 min
+ Scanned Files: 153489
+ Speed: 24.28 Files/Second
+ Infected files: 7
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
K:\
U:\
+ Scan result:
C:\WINDOWS\system32\jrjuqj.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\lmokay.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\qjqdsfd.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\ukhymvw.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\vrsttg.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\vuddgv.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\wuhpkuv.exe -> Trojan.Agent.cp -> Cleaned with backup
::Report End
C:\Windows\Nail.exe and C:\Windows\autoload.exe were infected as well, but first time round I didn't run nailfix first and lost the log... D:
The .exe's you asked me to fix with HJT weren't found by the scan...
Maybe my system is clean already... also, Windows gave me an error msg about nail.exe missing, that's supposed to happen right? :P
-
Do another scan with Hijackthis and put a check next to these entries:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart the computer
Back in Windows, can you post one more fresh hijackthis log
Could you do the following also, you may have downloaded this already, but let me see the results
Download Find_It's.zip: http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443
UNZIP the contents
Open the FindIt's folder and double click on the FindIt's.bat
Wait for the log and post it back here
-
done
HJT
Logfile of HijackThis v1.99.1
Scan saved at 5:48:20 PM, on 1/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
U:\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
K:\Trend Micro\Internet Security\PCClient.exe
K:\Trend Micro\Internet Security\TMOAgent.exe
U:\Ahead\InCD\InCD.exe
K:\steam\steam.exe
K:\Programs\Spybot\TeaTimer.exe
K:\Programs\SpywareGuard\sgmain.exe
K:\Programs\Ewido\Security Suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
K:\Trend Micro\Internet Security\Tmntsrv.exe
K:\Trend Micro\Internet Security\tmproxy.exe
K:\Programs\SpywareGuard\sgbhp.exe
K:\Trend Micro\Internet Security\PccPfw.exe
K:\Programs\IDA\ida.exe
C:\WINDOWS\system32\wuauclt.exe
K:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - K:\Programs\IDA\idaiehlp.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - K:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Programs\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCClient.exe] "K:\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "K:\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] U:\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [Steam] "k:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Programs\Spybot\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = K:\Programs\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download ALL with IDA - K:\Programs\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - K:\Programs\IDA\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116923669207
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{971ACAC0-A642-49FC-88FA-635D2A3DDD18}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - K:\Programs\Ewido\Security Suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - U:\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\tmproxy.exe
FindIt's
Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 01/06/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System32\VGEWFK.EXE
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System32\XVID.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is EC83-6516
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is EC83-6516
Directory of C:\WINDOWS\system32
08/02/2004 11:51 PM 318 ati_cube.ico
26/12/2003 11:43 AM 15,086 DNA_icon.ico
2 File(s) 15,404 bytes
0 Dir(s) 2,034,737,152 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
-
Can you do the following please
This file is an unknown
Can you go to this link
Give this site time to load
Jotti's Online Malware scan: http://virusscan.jotti.org/
Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\System32\VGEWFK.EXE <-this file
Right click on it and choose Select
Then use the Submit button
Let it finish scanning
If found bad please delete it
Could you also post the scanner results please, just the file name and scanner results box
-
hmmm, unknown eh? D:
vgewfk.exe was infected, deleted... well, here are the results
Scan results
AntiVir Found TR/Agent.CP
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Agent.CP
ClamAV Found nothing
Dr.Web Found not a virus Adware.CallingHome
F-Prot Antivirus Found W32/Agent.NA
Fortinet Found W32/Agent.CP-tr
Kaspersky Anti-Virus Found Trojan.Win32.Agent.cp
mks_vir Found Trojan.Agent.Cp
NOD32 Found Win32/Agent.CP
Norman Virus Control Found nothing
VBA32 Found Trojan.Win32.Agent.cp
and by filename I assume you mean
File: vgewfk.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 0e3df308253dd58440de1a85800482d6
Packers detected:
PE_PATCH, UPX
-
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 as well
Stay safe :)
-
Everything seems to be running about the same, but Ad-Aware/Spybot aren't picking up anything new, so that must mean I'm all good ;).
Thanks for all the help questolo, and good luck with whatever it is that you do aside from helping people :D
-
Thanks for posting back kai
I'll lock this topic as your problems appear resolved
If you need it reopened
Please PM myself or the site Admin and supply a link to this thread
Take care :)