[Tami]

Im new here, hi all.

I was wondering if anyone has it logged anywhere on here how to remove nail.exe and all the others that go with it.
Everytime it gets deleted it comes back and im clueless.

hope you can help.
thanks
Tami

----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:33:28 PM, on 4/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\gdrgflo.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tami\My Documents\important apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ventingoutgraphics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ventingoutgraphics.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [eswjwez] c:\windows\system32\gdrgflo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb02.pog...aploader_v6.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamloa...oad/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredim...p1/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Tami\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

===================================================

Edited by Tami, 20 April 2005 - 10:34 AM.

[Advertisements]

This is a fairly new critter. He comes in three parts: A random named file, a service named System Startup Service and your friend nail.exe. He usually brings up Aurora popups. Sometimes there is a fourth component with TODO in the name. Each part watches out for the others so it makes them hard to kill. The only time I've seen it killed they used Microsoft AntiSpy and the Recovery Console (that you get to by booting off a Windows XP CD and then select Repair). We will try not to resort to that.

Get a copy of winsockxpfix.exe before you do anything. This is just a safety
item in case you can't get on the internet afterwards. You just run it and
things should work OK after it reboots your system.

http://www.iup.edu/h...net/winfix.shtm



Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.


Get a copy of Advanced Process Manipulator from:

http://www.diamondcs...p?page=products

Install it but don't run it yet.

From the same site get:

Advanced Process Terminator

Install it too.

Start then right click on My Computer and press Manage. In the new window Service and Applications then Services. In the right pane scroll down and find the System Startup Service. Double click on it and and then set the Start Type to Disabled. Then OK.

Now run HijackThis and do a Scan only. We are going to do this backwards since the files change their names with every reboot. Check the following and then Add to the Ignore List. DO NOT HIT FIX CHECKED!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ventingoutgraphics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ventingoutgraphics.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb02.pog...aploader_v6.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamloa...oad/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredim...p1/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

You can do another scan as a check and you should have:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [eswjwez] c:\windows\system32\gdrgflo.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Tami\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Tho gdrgflo.exe may have a new name. (I'm getting rid of Spyware Begone since it's garbage too. If you love your Party Poker then you can add it to the ignore list too.)

Now shutdown and reboot into Safe Mode by tapping the F8 key when you see the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Note the new name if any of the gdrflo.exe. IF you see it running try to stop it with APT (highlight it and press the ALL button)

Run APM. (Start, Run, C:\APM\APM.exe, OK) It will show you a list of running process in the top pane. Find the Winlogon.exe and highlight it. Then look in the bottom pane. Scroll down and see if you find nail.exe, bolger.dll, or svcproc.exe. If you find one right click on it and select Unload DLL. A little box will come up with an OK button. Press the OK until no more boxes come up. Now go back to the top pane and do the same for explorer.exe and iexplore.exe. Look back in the top pane and if you see any of the gdrflo.exe files, right click on them and Unload

Run HijackThis and just do a Scan only. Check everything that shows up and then Fix
Checked.




Now run ccleaner.exe. On the first page, uncheck everything but the two lines
that have the word Temporary in them then Run Cleaner.

Start, Run, then type:

del /q c:\windows\prefetch\*.*

and OK.

(Same as before with _ instead of space to make it easier to see. )

del _ /q _ c:\windows\prefetch\*.*

Reboot, run a new scan and post it and let's see if we had any luck.

Ron

[RKinner]

This is a fairly new critter. He comes in three parts: A random named file, a service named System Startup Service and your friend nail.exe. He usually brings up Aurora popups. Sometimes there is a fourth component with TODO in the name. Each part watches out for the others so it makes them hard to kill. The only time I've seen it killed they used Microsoft AntiSpy and the Recovery Console (that you get to by booting off a Windows XP CD and then select Repair). We will try not to resort to that.

Get a copy of winsockxpfix.exe before you do anything. This is just a safety
item in case you can't get on the internet afterwards. You just run it and
things should work OK after it reboots your system.

http://www.iup.edu/h...net/winfix.shtm



Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.


Get a copy of Advanced Process Manipulator from:

http://www.diamondcs...p?page=products

Install it but don't run it yet.

From the same site get:

Advanced Process Terminator

Install it too.

Start then right click on My Computer and press Manage. In the new window Service and Applications then Services. In the right pane scroll down and find the System Startup Service. Double click on it and and then set the Start Type to Disabled. Then OK.

Now run HijackThis and do a Scan only. We are going to do this backwards since the files change their names with every reboot. Check the following and then Add to the Ignore List. DO NOT HIT FIX CHECKED!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ventingoutgraphics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ventingoutgraphics.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb02.pog...aploader_v6.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamloa...oad/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredim...p1/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

You can do another scan as a check and you should have:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [eswjwez] c:\windows\system32\gdrgflo.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Tami\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Tho gdrgflo.exe may have a new name. (I'm getting rid of Spyware Begone since it's garbage too. If you love your Party Poker then you can add it to the ignore list too.)

Now shutdown and reboot into Safe Mode by tapping the F8 key when you see the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Note the new name if any of the gdrflo.exe. IF you see it running try to stop it with APT (highlight it and press the ALL button)

Run APM. (Start, Run, C:\APM\APM.exe, OK) It will show you a list of running process in the top pane. Find the Winlogon.exe and highlight it. Then look in the bottom pane. Scroll down and see if you find nail.exe, bolger.dll, or svcproc.exe. If you find one right click on it and select Unload DLL. A little box will come up with an OK button. Press the OK until no more boxes come up. Now go back to the top pane and do the same for explorer.exe and iexplore.exe. Look back in the top pane and if you see any of the gdrflo.exe files, right click on them and Unload

Run HijackThis and just do a Scan only. Check everything that shows up and then Fix
Checked.




Now run ccleaner.exe. On the first page, uncheck everything but the two lines
that have the word Temporary in them then Run Cleaner.

Start, Run, then type:

del /q c:\windows\prefetch\*.*

and OK.

(Same as before with _ instead of space to make it easier to see. )

del _ /q _ c:\windows\prefetch\*.*

Reboot, run a new scan and post it and let's see if we had any luck.

Ron

[Tami]

wow this place moves fast. I also noticed a lot of people are getting the same thing.
===============
First, Thank you so much for your help! You saved my pc from being tossed in the yard and me acting like a big baby jumping up and down on it.

OK, here is where I sit.

This part I found nothing, all clear.

Run APM. (Start, Run, C:\APM\APM.exe, OK) It will show you a list of running process in the top pane. Find the Winlogon.exe and highlight it. Then look in the bottom pane. Scroll down and see if you find nail.exe, bolger.dll, or svcproc.exe. If you find one right click on it and select Unload DLL. A little box will come up with an OK button. Press the OK until no more boxes come up. Now go back to the top pane and do the same for explorer.exe and iexplore.exe. Look back in the top pane and if you see any of the gdrflo.exe files, right click on them and Unload

This wouldnt work/run

Start, Run, then type:

del /q c:\windows\prefetch\*.*

and OK.

(Same as before with _ instead of space to make it easier to see. )

del _ /q _ c:\windows\prefetch\*.*

Everything seems fine so far, Nothing on the scan.
My browser shows a checkmark under view/toolbars... in a blank space that google used to be. Google is working fine on my browser though, should i worry about that?

also, I didnt find any svcproc.exe... maybe cause the system startup service is disabled? do I put the settings back to normal?

so am i clean? Do I need to do anything else?

Tami

[RKinner]

That went a lot easier than I thought it would. We certainly don't want to renable the service that we turned off. I would run adaware and spybot. They may be able to find and remove any garbage that was left on your PC. Maybe an online scan too just to be sure.

Ron

Following is just my standard boilerplate that I send to every cleaned "client"

AntiSpyware Recommendations:

AdAware SE Personal (free version) is a good program to have.
http://www.lavasoftu...ftware/adaware/
Another good one is Spybot Search & Destroy.
http://www.safer-net...g/en/index.html
I like its immunize feature. Both work best in Safe Mode since if running,
malware will often reinstall its files before you can reboot. Both of these also remove tracking cookies from ad companies which AntiSpy doesn't so don't be surprised if they come up with hundreds of tracking cookies the first time you run them. Cookies are not a big threat so you can remove them or not.

I also recommend Spyware Blaster as a preventive measure.
http://www.javacools...areblaster.html
This is another program which immunizes you against infections. Spybot puts a
long list of nasty sites in your Hosts file and tells the computer that they can
be reached at 127.0.0.1 which is itself. This effectively keeps the computer
from ever going to the sites. Blaster puts a similar list in your Restricted
Zone so that IE can't go there. It automatically updates if you tell it to.

Spybot also offers download protection similar to that of AntiSpy. I think they call it the tea timer. I have them both running on a PC I'm fixing up for a guys 11 year old son. When you download something you have to really want to run it since both programs ask you if you are sure.

One other thing you should do: Now that the HijackThis log is clean, you can
run HijackThis again and check everything then Add Checked to Ignore List.
Repeat once since some benign things seem to be hidden and may show up on the
second scan. When you do this you can do a Scan and only new stuff will show
up. You can also configure HijackThis to run at boot and to popup if it finds
anything new so you will have an early warning of an infection. You can then
decide yourself by googling for the .exe or dll file whether this is something
you want to keep or not or you can send the new log to me. I'm totally bored at
work so I welcome all questions.

For all systems: Empty the Recycle Bin. Right click on it and select Empty the Recycle Bin. You should probably also remove the files in the Recycler folder. Do this by first right clicking on the Recycle Bin and then Properties then check Do not move files to the Recycle Bin and then Apply or OK. Now right click on Start and select Explore then find c:\Recycler. You will see one or more files with names like S-1-5-21-163033........ Highlight each and press the delete key. Then close Explorer and go back to the Recycle Bin and uncheck the Do not move files to the Recycle Bin and OK.

For XP systems: Now that your computer is running well and is clean you should toggle System Restore Off and On then make a manual Restore Point and call it something like Clean. This will do two things. It will remove any old copies of the spyware saved in the System Restore and it makes sure you have a way of returning to this nice clean state. Start, Control Panel, System, System Restore then check Turn Off System Restore then Apply then when it finishes, uncheck the box and apply. To make a manual Restore Point is a bit harder to explain but usually you do Start then there is a box called Solutions or Help and Support provided by the PC maker. One of the options is System Restore. You can always do Start, All Programs, Accessories, System Tools, System Restore to get there. Then Choose Create a Restore Point, Next, then give it a name like Clean and then Create. If you download something that causes problems you can always go back to Clean or one of your automatically created Restore Points.

There are two online AntiVirus programs that are very good (and free).

http://housecall.trendmicro.com/
http://www.pandasoft.../activescan.asp?

Make sure your Microsoft Autoupdates are turned on. Start, Control Panel, Automatic Updates.

One final defense against the black arts (OK, so I'm a 58 year old Harry Potter fan) is Zone Alarm. The free version does a great job of protecting your computer from outside threats and warning you that something inside wants to go to the internet. XP has a firewall too but it does not warn you about outgoing threats. No home computer should be without it.

http://www.zonelabs....sku_list_za.jsp

Select Free Download and during the install decline the offer of a free trial. When something tries to go to the Internet, Zone Alarm will pop up and tell you that such and such a program wants to go to the Internet or worse act as a server. If it's something you don't know then you say Remember this and then NO and then start doing some antispyware scanning. You can turn off the XP Firewall if you install Zone Alarm.