Very bad Spyware Problem

#1 magicman_007 (Member, 12 posts)
I have tried a lot so far to solve this and it will not go away.

I have used, in all combinations, in and out of Safe Mode, Spybot S&D, Ad-Aware, Spyware Doctor, SpySubtract and CWShredder, but to no avail.

I am getting browser windows opening at random. One is titled Aurora, another is Inqwire, and a poker site; those are just a few.

I cannot get some of the items in HijackThis to delete.

Here is my HijackThis file:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\America Online 9.0\shellmon.exe
c:\windows\system32\jlvacll.exe
C:\DOCUME~1\Scott\LOCALS~1\Temp\Temporary Directory 13 for hijackthis.zip\HijackThis.exe
C:\DOCUME~1\Scott\LOCALS~1\Temp\Temporary Directory 14 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ulaooqu] c:\windows\system32\jlvacll.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\dlskperf.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

I am on the verge of reformatting.

Thanks in advance!

Edited by magicman_007, 24 April 2005 - 11:14 PM.


#2 Kat (Retired Staff, MVP, 19,711 posts)
Hi there! Please don't give in and reformat! The first thing we need to do is restore ALL of the backups from HJT. I need to see everything that was there BEFORE you tried to fix it. Please do not remove anything else from HJT until I ask you to!

1. Before we restore backups, you need to move HJT to a permanent directory, such as C:\HJT. After you have done this, restore the backups as follows:

2. To restore the backups:
  • Open HiJackThis
  • Click Open the Misc Tools section
  • Click the Backups button
  • Place a check mark next to everything in that window
  • Click Restore
  • Click Yes
  • Reboot your computer
3. You have viruses and/or Trojans on your system.
Please run at least 2 of these online virus scans:

Housecall<<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan<<<Accept default settings, save and post the log
RAV online scan<<<Add a check by 'Autoclean', leave everything else as is.
eTrust Antivirus Web Scan<<<'Cure' whatever is found, then delete if unsuccessful
Bitdefender ScanOnline<<<Place a check by everything under 'Scan Options'.
Command on Demand

4. Also run an online trojan scan here: http://www.trojanscan.com/
Reboot when finished

5. After you have done the above, please post a fresh HJT log here in a reply, and I'll help you get cleaned back up!

#3 magicman_007 (Topic Starter, Member, 12 posts)
Hi Kat,

Thanks for the encouragement. HJT did not have any backups saved.

I am at work, but before I left, I did start running one of the scans. I will complete the other tasks and report back to you.

Thanks and all the very best,

Scott

BTW, FWIW, my dad is a kidney cancer survivor of two years now.

Edited by magicman_007, 25 April 2005 - 10:51 AM.


#4 Kat (Retired Staff, MVP, 19,711 posts)
Hello again! I will keep an eye out for your scan results and the new log. Also, in your reply, let me know if any of the scans find anything that cannot be cleaned/fixed/deleted, and note the full file path of each.

:tazz: to your dad!

#5 magicman_007 (Topic Starter, Member, 12 posts)
Ok Kat:

Here is the Housecall File:

TROJ_BUDDY.F C:\windows\umdvmdswy.exe - I deleted it!


Here is the Rav Online Scan

Scan started at 4/25/2005 7:30:37 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\KRVNICXH\appsetup[1].exe - TrojanDownloader:Win32/Small.ACO.dam#2 -> Infected
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8FQ18VY3\homepage.precision[2].htm->(OBJECT0007) - HTML/CodeBaseExec* -> Infected
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OBM74LK1\homepage.precision[1].htm->(OBJECT0007) - HTML/CodeBaseExec* -> Infected
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\U1QZU50F\download[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\U1QZU50F\homepage.precision[1].htm->(OBJECT0007) - HTML/CodeBaseExec* -> Infected
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\U1QZU50F\inqwire[1].htm->(OBJECT0005) - HTML/CodeBaseExec* -> Infected

Scanned
============================
Objects: 147396
Directories: 2130
Archives: 1047
Size(Kb): 821474
Infected files: 6

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 369

After a reboot, here is the HJT File:

Logfile of HijackThis v1.99.1
Scan saved at 9:16:20 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\America Online 9.0\waol.exe
c:\windows\system32\ugjruh.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott\Desktop\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [jwsuay] c:\windows\system32\ugjruh.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandon...cabs/cssweb.cab
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\q268lcju1fo8.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Let me know what you think I need to do.

All the best and thanks,

Scott

PS: It would not let me run the trojan scan. It kept crashing the browser.

Edited by magicman_007, 25 April 2005 - 07:26 PM.


#6 Kat (Retired Staff, MVP, 19,711 posts)
OK, here we go! First we need to tackle the Nail.exe infection. Once this is cleared up, we'll clean the rest of your log up!


Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Work from %windir%, where Nail.exe lives; /FULLREMOVE runs its own removal routine
cd %windir%
Nail.exe /FULLREMOVE
REM Disable, stop and unregister the SvcProc service from the O23 line so it cannot restart
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Strip the system/read-only/hidden attributes first, otherwise del refuses the files
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
REM Same treatment for the DrPMon.dll component in system32
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

There will also be an item towards the bottom of the O4 section in HijackThis (it should be the last O4 item marked "HKLM", between the entries for [ATIPTA] and [Yahoo! Pager]). This item will be marked with "garbage" random characters. However, it seems to be renaming itself, so the name will most likely be different by the time you follow these directions. In your previous log it was:

O4 - HKLM\..\Run: [jwsuay] c:\windows\system32\ugjruh.exe

Whatever the name of the item is, check it. Then close all open windows except for HijackThis and click Fix Checked.

Then delete the file listed in the random O4 entry. In the above example you would delete c:\windows\system32\ugjruh.exe

Reboot your system normally, and run an online scan from Ewido.

After you have done the above, post a fresh HJT log here in a reply, as well as the report/log you receive from Ewido, and we'll finish you up from there!

#7 magicman_007 (Topic Starter, Member, 12 posts)
ok Kat here is the latest HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:35 AM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott\Desktop\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandon...cabs/cssweb.cab
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\o2ns0c57ef.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

I could not get the ewido log, but it did delete 58 items.

#8 Kat (Retired Staff, MVP, 19,711 posts)
OK, we're going to get aggressive now! Bear with me, and follow these steps in order. If at any time you have trouble or questions during the process, feel free to post them, OK? You may want to print these instructions, or save them to a Notepad file on your desktop to refer to until we are finished!

1. Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in here
http://updates.ls-se...lvx2cleaner.exe

How to use Lavasoft's VX2 Cleaner plug-in

- Close Ad-Aware 6 build 181 and Ad-Watch (if running)
- Download the free VX2 Cleaner at http://updates.ls-se...lvx2cleaner.exe
- Install the VX2 Cleaner
- Start Ad-Aware 6 build 181
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".
If your computer is infected

- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer

Reboot your PC.

2. Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

Once in Safe Mode, please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\o2ns0c57ef.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

3. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
  • F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
  • O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandon...cabs/cssweb.cab
  • O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\o2ns0c57ef.dll
Now close all windows other than HiJackThis, then click Fix Checked. Then reboot your computer.

4. Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

5. Reboot once more, and scan for a new HJT log and paste it here in a reply so I can make sure we've got this beaten this time!

#9 magicman_007 (Topic Starter, Member, 12 posts)
OK Kat, here you go... I think I am going to cry, lol. The only thing different I did was that I have Ad-Aware SE, not Ad-Aware 6 Build 181. I even uninstalled Ad-Aware SE and tried to find a different version; I could not.

This is becoming particularly frustrating.

Not sure what to say. I am willing to try the same thing if you think it would help.

BTW, on reboot I did get a window message saying it could not delete C:\WINDOWS\Nail.exe.

Logfile of HijackThis v1.99.1
Scan saved at 11:37:38 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott\Desktop\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\fp6003jme.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

#10 Kat (Retired Staff, MVP, 19,711 posts)
Don't get discouraged on me! We are gonna get this!!! The good news is we DID get part of it.

Did you download the VX2 plugin for AdAware? Try doing so with AAW SE. I believe the canned speech I used for the VX2 was an old one, so let's just worry about following that step using your current AAW. Let me know if you have or have not done this part, before we move on. If you haven't, please do so!

Edited by ~Kat~, 26 April 2005 - 10:43 PM.

#11 magicman_007 (Topic Starter, Member, 12 posts)
Kat,

I did download the cleaner for the SE version and run it. It said system clean.

#12 Kat (Retired Staff, MVP, 19,711 posts)
OK, good! The only thing that is still bothering me about your log is the O20 line. It morphed itself and came back with another new name. The "F2" part of the Nail.exe infection is gone now, which is GOOD. I am asking for help on how to kill off the O20 line, OK? Please be patient while I find out! :tazz:
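Added example (not part of the thread, and not Kat's or the forum's tooling): a small Python script that applies the reading Kat does by hand in posts #6 and #12 to the HijackThis logs above. It parses the F2, O4, O20 and O23 lines, flags the patterns discussed (an extra program on the system.ini Shell= line, a random-looking executable started from the Windows directory, a Winlogon Notify package that is not a stock one, a service with an unknown owner), and diffs two successive logs so that an entry which keeps coming back under a fresh name, as the O20 line did here, stands out even when the name heuristic is fooled. The two log excerpts are trimmed from posts #1 and #5; the stock Winlogon Notify list, the Windows-directory patterns and the randomness thresholds are my assumptions, tuned to the names in this thread.

```python
import re
from dataclasses import dataclass

# Excerpts of the HijackThis logs in posts #1 and #5, cut down to persistence entries.
LOG_POST1 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ulaooqu] c:\windows\system32\jlvacll.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\dlskperf.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
LOG_POST5 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [jwsuay] c:\windows\system32\ugjruh.exe
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\q268lcju1fo8.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

@dataclass(frozen=True)
class Entry:
    kind: str    # HJT section (F2, O4, O20, O23, ...)
    slot: str    # Run value name, Notify key, service name, or "Shell"
    target: str  # path or command line
    owner: str   # O23 company string, "" elsewhere
    raw: str

LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<slot>[^\]]*)\] (?P<target>.*)$")
O20_NOTIFY = re.compile(r"^Winlogon Notify: (?P<slot>.+?) - (?P<target>.*)$")
O23_SERVICE = re.compile(r"^Service: (?P<slot>.+?) - (?P<owner>.+?) - (?P<target>.*)$")
F2_SHELL = re.compile(r"^REG:system\.ini: Shell=(?P<target>.*)$")
WINDOWS_DIR = re.compile(r"^(c:\\windows|%windir%|%systemroot%)(\\system32)?$")
# Assumption: Winlogon Notify packages found on a stock XP SP2 install. The
# infection here borrowed names such as "Explorer" and "Applets" to blend in.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

def parse_log(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        kind, body = m.group("kind"), m.group("body")
        slot, target, owner = "", body, ""
        if kind == "O4" and (m2 := O4_RUN.match(body)):
            slot, target = m2.group("hive") + "\\" + m2.group("slot"), m2.group("target")
        elif kind == "O20" and (m2 := O20_NOTIFY.match(body)):
            slot, target = m2.group("slot"), m2.group("target")
        elif kind == "O23" and (m2 := O23_SERVICE.match(body)):
            slot, owner, target = m2.group("slot"), m2.group("owner"), m2.group("target")
        elif kind == "F2" and (m2 := F2_SHELL.match(body)):
            slot, target = "Shell", m2.group("target")
        entries.append(Entry(kind, slot, target, owner, raw.strip()))
    return entries

def first_token(cmdline: str) -> str:
    """Executable part of a Run value, honouring a quoted path. An unquoted path
    with spaces splits early; fine here, since only %windir% paths are checked."""
    cmd = cmdline.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def looks_random(basename: str) -> bool:
    """Coarse heuristic (assumption, tuned to this thread's names): digits mixed
    between letters, or almost no vowels. Misses short pronounceable junk such
    as ugjruh.exe; diff_logs() catches those because the name changes per scan."""
    stem = basename.split(".", 1)[0].lower()
    if len(stem) < 6:
        return False
    letters = [c for c in stem if c.isalpha()]
    digit_groups = re.findall(r"\d+", stem)
    if re.search(r"\d[a-z]", stem) and (len(digit_groups) >= 2 or len("".join(digit_groups)) >= 3):
        return True
    return sum(c in "aeiouy" for c in letters) / max(len(letters), 1) < 0.15

def flag_entries(entries: list) -> list:
    """(entry, reason) pairs for the kinds of line Kat singles out in posts #6 and #12."""
    findings = []
    for e in entries:
        if e.kind == "F2" and e.slot == "Shell" and len(e.target.split()) > 1:
            findings.append((e, "system.ini Shell launches an extra program after Explorer.exe"))
        elif e.kind == "O4" and e.slot:
            folder, _, name = first_token(e.target).lower().rpartition("\\")
            if WINDOWS_DIR.match(folder) and looks_random(name):
                findings.append((e, "random-looking executable in the Windows directory"))
        elif e.kind == "O20" and e.slot not in STOCK_NOTIFY:
            findings.append((e, "Winlogon Notify package not in the stock set"))
        elif e.kind == "O23" and e.owner.lower() == "unknown owner":
            findings.append((e, "service with unknown owner"))
    return findings

def diff_logs(prev: list, cur: list, kinds=("F2", "O4", "O20", "O23")) -> tuple:
    """Persistence lines that vanished and appeared between two scans. A self-renaming
    infection shows as one line gone plus one new line in the same section every time."""
    before = {e.raw for e in prev if e.kind in kinds}
    after = {e.raw for e in cur if e.kind in kinds}
    return sorted(before - after), sorted(after - before)
```

On the two excerpts, flag_entries() reports the Nail.exe Shell entry, jlvacll.exe, the "Explorer" Notify DLL and SvcProc from post #1, and diff_logs() shows jlvacll.exe and dlskperf.dll gone with ugjruh.exe and q268lcju1fo8.dll new in post #5, which is exactly the renaming Kat describes. Treat the output as a reading aid rather than a verdict: it does not flag the UserFaultCheck/dumprep entry Scott asks about later, and the name heuristic is deliberately loose so that the diff, not the heuristic, carries the weight.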

#13 magicman_007 (Topic Starter, Member, 12 posts)
Kat,

I am still getting browser launches to strange places like inqwire.



What about this Line:

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Is it supposed to be there?

#14 Kat (Retired Staff, MVP, 19,711 posts)
No, it's not. We are going to remove that again, too. I am waiting on a reply about killing off that O20, or whether they think we need to run another log of a different type to find something 'hidden'.

#15 magicman_007 (Topic Starter, Member, 12 posts)
Ok..I am leaving town in the morning and will not be back until Sat night. If we do not get it resolved tonight, we will have to pick it up then.

Thanks,

Scott
