Author Topic: Need help with suspected aurora virus  (Read 4735 times)

kai
Need help with suspected aurora virus
« on: May 30, 2005, 05:25:59 AM »
Hey, new here :D. TBH I only signed up to get some help with this damned virus. I've downloaded and run all your suggested programs and fixed anything I found not quite right; I even manually tried to delete the TODO associated files that were running on my PC.

Another problem is recurring viruses; my AV program keeps detecting two different trojans:

TROJ_BUDDY affecting c:\windows\ddjsvheji.exe
TROJ_STERVIS.C affecting c:\windows\svcproc.exe

Anyway, here's the HJT logfile:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 7:02:22 PM, on 30/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
U:\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
K:\Trend Micro\Internet Security\PCClient.exe
K:\Trend Micro\Internet Security\TMOAgent.exe
c:\windows\system32\jmximbo.exe
K:\steam\steam.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
K:\Trend Micro\Internet Security\Tmntsrv.exe
K:\Trend Micro\Internet Security\tmproxy.exe
K:\Programs\Spybot\TeaTimer.exe
K:\Programs\SpywareGuard\sgmain.exe
K:\Programs\SpywareGuard\sgbhp.exe
K:\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
K:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - K:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Programs\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCClient.exe] "K:\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "K:\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [htzhlx] c:\windows\system32\jmximbo.exe
O4 - HKLM\..\Run: [mddwga] c:\windows\system32\irpesgb.exe
O4 - HKCU\..\Run: [Steam] "k:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Programs\Spybot\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = K:\Programs\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116923669207
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C9AC89-A9C2-4216-A253-955278B1CEF2}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{971ACAC0-A642-49FC-88FA-635D2A3DDD18}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - U:\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - K:\Programs\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - K:\Programs\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\tmproxy.exe

Any help would be appreciated <3
« Last Edit: May 30, 2005, 07:31:25 AM by kai »

guestolo (Administrator)
Need help with suspected aurora virus
« Reply #1 on: May 31, 2005, 01:19:32 AM »
Can you try the following please? I'm not sure what steps you've tried so far,
so let's see if we can figure this thing out.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.
Ensure you have it on your C: drive.

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Alternate Download link
We'll need this later

==Download and then Install
Ewido Trojan Scanner
If the first link isn't working, you can try from
HERE

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later.
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Once in safe mode
==Double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done.

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [htzhlx] c:\windows\system32\jmximbo.exe
O4 - HKLM\..\Run: [mddwga] c:\windows\system32\irpesgb.exe

O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

NOTE: You have Spybot's Tea Timer and SpywareGuard running
They are both great tools
But if prompted about a change>>ALLOW them so neither will interfere with any fixes we are trying

Run another scan with Hijackthis and post a fresh log
Could you also supply the report from Ewido?
« Last Edit: May 31, 2005, 01:24:36 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
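The entries guestolo singles out above (the Shell= line extended past Explorer.exe, the two Run values launching randomly named executables in system32, and the orphaned service whose binary is missing) can be picked out of a HijackThis log mechanically. The script below is an added example written for this page; it is not part of the thread and not HijackThis's own logic. The "5 to 8 lowercase letters" test for random-looking names and the split on `/` or `-` switches are assumptions of the example, and the sample log is a constructed excerpt of the log posted above.

```python
import re

# Patterns for the three HijackThis line types discussed in the thread.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Heuristic (an assumption of this example, not HijackThis logic): a value name or
# file stem made of 5-8 lowercase letters, like "htzhlx" / "jmximbo", looks generated.
RANDOM_NAME_RE = re.compile(r"[a-z]{5,8}")


def random_looking(name: str) -> bool:
    return RANDOM_NAME_RE.fullmatch(name) is not None


def exe_basename(command: str) -> str:
    """Strip quotes and trailing switches (/run, -silent) and return the file name.
    Assumes the path itself contains no ' /' or ' -' sequence."""
    path = re.split(r'"?\s+[/-]', command.strip(), maxsplit=1)[0].strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage_hjt(log_text: str) -> list[dict]:
    """Return one finding per suspicious line as {'kind', 'line', 'reason'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SHELL_RE.match(line)
        if m:
            # A clean system.ini Shell= holds only Explorer.exe; anything appended
            # is launched at every logon (the Nail.exe persistence in this thread).
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append({"kind": "F2", "line": line,
                                 "reason": "Shell= launches more than Explorer.exe at logon"})
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            exe = exe_basename(command)
            if random_looking(name) and random_looking(exe.rsplit(".", 1)[0]):
                findings.append({"kind": "O4", "line": line,
                                 "reason": f"Run value [{name}] starts randomly named {exe}"})
            continue
        m = SERVICE_RE.match(line)
        if m:
            service, owner, path = m.groups()
            # A service whose binary is gone is usually a leftover of an AV deletion
            # and still tries to start; remove the service entry too.
            if "(file missing)" in path:
                findings.append({"kind": "O23", "line": line,
                                 "reason": f"service {service.strip()} ({owner}) points at a missing binary"})
    return findings


# Constructed excerpt of the log posted above: the three malicious entries plus benign neighbours.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TM Outbreak Agent] "K:\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [htzhlx] c:\windows\system32\jmximbo.exe
O4 - HKLM\..\Run: [mddwga] c:\windows\system32\irpesgb.exe
O4 - HKCU\..\Run: [Steam] "k:\steam\steam.exe" -silent
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}\n    {f['line']}")
```

Run against the excerpt it reports exactly the four lines guestolo asked to have fixed and stays quiet on the vendor entries. The name heuristic is deliberately narrow: a legitimate lowercase file name such as iaanotif.exe is not flagged because its Run value name, IAAnotif, is not lowercase-only as well.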


kai
Need help with suspected aurora virus
« Reply #2 on: May 31, 2005, 05:53:43 AM »
Thanks for the help so far :), here are the logs.

HJT:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 8:49:58 PM, on 31/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
U:\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
K:\Trend Micro\Internet Security\PCClient.exe
K:\Trend Micro\Internet Security\TMOAgent.exe
K:\steam\steam.exe
K:\Programs\Spybot\TeaTimer.exe
K:\Programs\Ewido\Security Suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
K:\Programs\SpywareGuard\sgmain.exe
K:\Trend Micro\Internet Security\Tmntsrv.exe
K:\Trend Micro\Internet Security\tmproxy.exe
K:\Programs\SpywareGuard\sgbhp.exe
K:\Trend Micro\Internet Security\PccPfw.exe
K:\Programs\Mozilla\Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
K:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - K:\Programs\IDA\idaiehlp.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - K:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Programs\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCClient.exe] "K:\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "K:\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [Steam] "k:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Programs\Spybot\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = K:\Programs\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download ALL with IDA - K:\Programs\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - K:\Programs\IDA\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116923669207
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{971ACAC0-A642-49FC-88FA-635D2A3DDD18}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - K:\Programs\Ewido\Security Suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - U:\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\tmproxy.exe

EWIDO:
Code:
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:  8:40:21 PM, 31/05/2005
 + Report-Checksum:  7F8A499D

 + Date of database:  31/05/2005
 + Version of scan engine: v3.0

 + Duration:    105 min
 + Scanned Files:  153489
 + Speed:    24.28 Files/Second
 + Infected files:  7
 + Removed files:  7
 + Files put in quarantine:  7
 + Files that could not be opened: 0
 + Files that could not be cleaned: 0

 + Binder:  Yes
 + Crypter:  Yes
 + Archives:  Yes

 + Scanned items:
C:\
K:\
U:\

 + Scan result:
C:\WINDOWS\system32\jrjuqj.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\lmokay.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\qjqdsfd.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\ukhymvw.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\vrsttg.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\vuddgv.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\wuhpkuv.exe -> Trojan.Agent.cp -> Cleaned with backup


::Report End
C:\Windows\Nail.exe and C:\Windows\autoload.exe were infected as well, but the first time round I didn't run nailfix first and lost the log... D:

The .exe's you asked me to fix with HJT weren't found by the scan...
Maybe my system is clean already... Also, Windows gave me an error message about nail.exe missing; that's supposed to happen, right? :P

guestolo (Administrator)
Need help with suspected aurora virus
« Reply #3 on: May 31, 2005, 06:20:33 PM »
Do another scan with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer

Back in Windows, can you post one more fresh hijackthis log

Could you do the following also, you may have downloaded this already, but let me see the results
Download Find_It's.zip
UNZIP the contents
Open the FindIt's folder and double click on the FindIt's.bat
Wait for the log and post it back here



kai
Need help with suspected aurora virus
« Reply #4 on: June 01, 2005, 02:59:49 AM »
done

HJT
Code:
Logfile of HijackThis v1.99.1
Scan saved at 5:48:20 PM, on 1/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
U:\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
K:\Trend Micro\Internet Security\PCClient.exe
K:\Trend Micro\Internet Security\TMOAgent.exe
U:\Ahead\InCD\InCD.exe
K:\steam\steam.exe
K:\Programs\Spybot\TeaTimer.exe
K:\Programs\SpywareGuard\sgmain.exe
K:\Programs\Ewido\Security Suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
K:\Trend Micro\Internet Security\Tmntsrv.exe
K:\Trend Micro\Internet Security\tmproxy.exe
K:\Programs\SpywareGuard\sgbhp.exe
K:\Trend Micro\Internet Security\PccPfw.exe
K:\Programs\IDA\ida.exe
C:\WINDOWS\system32\wuauclt.exe
K:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - K:\Programs\IDA\idaiehlp.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - K:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Programs\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCClient.exe] "K:\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "K:\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] U:\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [Steam] "k:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Programs\Spybot\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = K:\Programs\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download ALL with IDA - K:\Programs\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - K:\Programs\IDA\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - K:\Programs\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116923669207
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{971ACAC0-A642-49FC-88FA-635D2A3DDD18}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4179C6-D066-4781-94E1-10037159CEC4}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - K:\Programs\Ewido\Security Suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - U:\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - K:\Trend Micro\Internet Security\tmproxy.exe

FindIt's
Code:
Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 01/06/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
 
* UPX!  C:\WINDOWS\System32\VGEWFK.EXE
 
»»»»» lagitamate file's can/will show in this section.
 
* UPX!  C:\WINDOWS\System32\XVID.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
 
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
 
 Volume in drive C has no label.
 Volume Serial Number is EC83-6516

 Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
 Volume in drive C has no label.
 Volume Serial Number is EC83-6516

 Directory of C:\WINDOWS\system32

08/02/2004  11:51 PM               318 ati_cube.ico
26/12/2003  11:43 AM            15,086 DNA_icon.ico
               2 File(s)         15,404 bytes
               0 Dir(s)   2,034,737,152 bytes free
 
»»»»»»»»»»»»»»»»»»»»»»»».

guestolo (Administrator)
Need help with suspected aurora virus
« Reply #5 on: June 01, 2005, 07:12:47 PM »
Can you do the following please?

This file is an unknown
Can you go to this link
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\System32\VGEWFK.EXE <-this file
Right click on it and choose Select.
Then use the Submit button
Let it finish scanning
If found bad please delete it
Could you also post the scanner results please, just the file name and scanner results box



kai
Need help with suspected aurora virus
« Reply #6 on: June 02, 2005, 02:36:23 AM »
Hmmm, unknown eh? D:

vgewfk.exe was infected, deleted... Well, here are the results.

Scan results
Code:
AntiVir  Found TR/Agent.CP
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Trojan.Agent.CP
ClamAV  Found nothing
Dr.Web  Found not a virus Adware.CallingHome
F-Prot Antivirus  Found W32/Agent.NA
Fortinet  Found W32/Agent.CP-tr
Kaspersky Anti-Virus  Found Trojan.Win32.Agent.cp
mks_vir  Found Trojan.Agent.Cp
NOD32  Found Win32/Agent.CP
Norman Virus Control  Found nothing
VBA32  Found Trojan.Win32.Agent.cp

And by file name I assume you mean:

Code:
File:    vgewfk.exe
Status:  
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5  0e3df308253dd58440de1a85800482d6
Packers detected:  
PE_PATCH, UPX
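FindIt's listed VGEWFK.EXE under "Suspect's" because it is UPX-packed, and Jotti then identified it by MD5 and reported the packers. The script below is an added example of the same triage written for this page; it is not FindIt's batch file nor Jotti's service. It walks the PE section table for UPX section names, looks for the `UPX!` marker, and records an MD5 for lookup at a multi-engine scanner. The `build_fake_pe` helper, the file names in `SAMPLE_FILES` and their contents are constructed for the example (minimal PE images, not the real binaries from this thread).

```python
import hashlib
import struct

UPX_MARKER = b"UPX!"                       # written into UPX-packed images
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by the UPX packer


def pe_section_names(data: bytes) -> list[bytes]:
    """Follow DOS header -> e_lfanew -> PE signature -> COFF header -> section table
    and return the section names. Returns [] for anything that is not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size  # IMAGE_SECTION_HEADER entries, 40 bytes each
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break  # truncated table: stop rather than read past the buffer
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """True if the section table carries UPX names or the UPX! marker is present
    (the marker test is what a string search like FindIt's relies on)."""
    return bool(UPX_SECTIONS & set(pe_section_names(data))) or UPX_MARKER in data


def triage(files: dict[str, bytes]) -> list[dict]:
    """For each path -> bytes, report the MD5 (the identifier Jotti reported above),
    the section names and whether the file is UPX-packed."""
    return [{"path": path,
             "md5": hashlib.md5(data).hexdigest(),
             "sections": pe_section_names(data),
             "upx": is_upx_packed(data)}
            for path, data in files.items()]


def build_fake_pe(section_names: list[bytes], tail: bytes = b"") -> bytes:
    """Constructed minimal PE image for this example: DOS stub, PE signature, COFF
    header with SizeOfOptionalHeader = 0, then one 40-byte section header per name."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + coff + table + tail


# Constructed sample set: two packed files mirroring the FindIt's output and one
# unpacked file. Contents are synthetic; only the first two names come from the thread.
SAMPLE_FILES = {
    r"C:\WINDOWS\System32\VGEWFK.EXE": build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0\0UPX!\x0d\x09"),
    r"C:\WINDOWS\System32\XVID.DLL": build_fake_pe([b"UPX0", b"UPX1"]),
    r"C:\WINDOWS\System32\legit_example.dll": build_fake_pe([b".text", b".data", b".rsrc"]),
}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES):
        flag = "UPX-packed" if row["upx"] else "not packed"
        print(f"{row['path']}  md5={row['md5']}  {flag}  sections={row['sections']}")
```

As the FindIt's output itself warns, packing alone proves nothing: XVID.DLL is a legitimate codec that happens to be UPX-compressed, which is why the hash goes to a multi-engine scanner for a verdict rather than the packer flag deciding anything.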

guestolo (Administrator)
Need help with suspected aurora virus
« Reply #7 on: June 02, 2005, 08:22:13 PM »
If everything is running better:

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 as well

Stay safe :)
« Last Edit: June 03, 2005, 01:07:44 AM by guestolo »



kai
Need help with suspected aurora virus
« Reply #8 on: June 03, 2005, 08:54:06 AM »
Everything seems to be running about the same, but Ad-Aware/Spybot aren't picking up anything new, so that must mean I'm all good ;).

Thanks for all the help guestolo, and good luck with whatever it is that you do aside from helping people :D

guestolo (Administrator)
Need help with suspected aurora virus
« Reply #9 on: June 05, 2005, 07:32:13 AM »
Thanks for posting back kai.
I'll lock this topic as your problems appear resolved.
If you need it reopened,
please PM myself or the site Admin and supply a link to this thread.

Take care :)
