Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora popups, help! Can't remove


  • This topic is locked This topic is locked

#1
chinadoll

chinadoll

    Member

  • Member
  • PipPip
  • 18 posts
Ok. Hi all, I am new to this site. I am having trouble with the Aurora popup ads as well as some others here it looks like. I have followed all of the steps listed in the new user forum. Still have trouble. I have also followed some of the other steps posted on other threads. Still trouble. I am so hoping that someone can help me out. I would appreciate it very much. Here is my hijack log. I also posted my ad aware log in the lavasoft forum. Thanks again.



Logfile of HijackThis v1.99.1
Scan saved at 3:05:08 AM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\fytxqdj.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://southeastkansas.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://southeastkansas.cox.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [hvjrix] c:\windows\system32\fytxqdj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093404753906
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O21 - SSODL: Network.ConnectionCache - {1F2FCD80-D058-4215-BB71-90A439DE90D9} - C:\WINDOWS\System32\winograf.nls (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

Advertisements


#2
equazcion

equazcion

    New Member

  • Member
  • Pip
  • 3 posts
*this post has been edited by a GeekstoGo Staff Member

Please do not post help in this forum unless you are a member of our Staff!

Edited by ~Kat~, 25 April 2005 - 02:46 AM.

  • 0

#3
equazcion

equazcion

    New Member

  • Member
  • Pip
  • 3 posts
*again, edited to remove 'advice' posted by a non Staff Member

Edited by ~Kat~, 25 April 2005 - 02:50 AM.

  • 0

#4
njustice

njustice

    Member

  • Member
  • PipPipPip
  • 521 posts
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Please do NOT run a scan yet.

==============

Download Hoster from here Unzip, install the program, but don't run it yet.

==============

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

==============

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

==============

Then please run Ewido security suite, and perform a full scan. Remove anything found, and please save the logfile from the scan, because I will ask you to post it here for me later.

==============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O4 - HKLM\..\Run: [hvjrix] c:\windows\system32\fytxqdj.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

Locate and delete the following item(s), if present.

files...

c:\windows\system32\fytxqdj.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe

==============

Run Hoster that you downloaded earlier. Choose the 'Restore Original Hosts' button and press OK.

==============

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Edited by njustice, 25 April 2005 - 05:29 AM.

  • 0

#5
chinadoll

chinadoll

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello njustice,
I have done exactly as you have instructed. Here are the logs you requested. I notice that the nail.exe file is still showing in hijackthis. Thank you for all your help

Logfile of HijackThis v1.99.1
Scan saved at 5:43:59 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://southeastkansas.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://southeastkansas.cox.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093404753906
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O21 - SSODL: Network.ConnectionCache - {1F2FCD80-D058-4215-BB71-90A439DE90D9} - C:\WINDOWS\System32\winograf.nls (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:18:24 PM, 4/26/2005
+ Report-Checksum: 579402E3

+ Date of database: 4/26/2005
+ Version of scan engine: v3.0

+ Duration: 68 min
+ Scanned Files: 91824
+ Speed: 22.36 Files/Second
+ Infected files: 60
+ Removed files: 60
+ Files put in quarantine: 60
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\!Submit\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@ads.monster[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@S126079[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Cookies\angela@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Angela\Local Settings\Temp\randreco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Angela\Local Settings\Temp\THI1AA2.tmp\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\Documents and Settings\Angela\Local Settings\Temp\THI4DA3.tmp\polall2c.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Angela\Local Settings\Temp\THI59A7.tmp\wupdt.exe -> TrojanDownloader.OneClickNetSearch.h -> Cleaned with backup
C:\Documents and Settings\Angela\Local Settings\Temp\THI5AB7.tmp\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@ads.specificclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@banner1.inet-traffic[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@looksmart[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@p.wtlive[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@rr.looksmart[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@S005-01-9-19-133741-104533[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@scripts[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@www.looksmart[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tyler\Cookies\tyler@www.xzoomy[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000009.exe -> Spyware.WebRebates.c -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000033.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000078.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000085.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000129.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP5\A0000606.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP5\A0000607.dll -> Dialer.Generic -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP5\A0000617.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0000624.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP7\A0000634.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP7\A0000635.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP7\A0000650.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP7\A0000652.dll -> Trojan.Agent.db -> Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20050420-033034-537.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20050421-011845-914.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20050423-001439-125.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Buddy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\qzitik.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\sabctiglkrw.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\sasent.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\STWSI\optimize.exe -> TrojanDownloader.Dyfuca.i -> Cleaned with backup
C:\WINDOWS\SYSTEM32\in4bdlA.dll -> Trojan.Revop.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipysqf.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\yqaxmhr.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End
  • 0

#6
njustice

njustice

    Member

  • Member
  • PipPipPip
  • 521 posts
Hello chinadoll,

===============

Download Killbox, unzip it to your desktop, then run it. Now:

1. Select "Delete on reboot".
2. Copy/paste the following file name, in the "Full Path of File to Delete" field:

C:\WINDOWS\Nail.exe

3. Click "Delete File"(button with the white cross in a red circle).
4. When prompted to "Reboot Now" select "Yes".

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O21 - SSODL: Network.ConnectionCache - {1F2FCD80-D058-4215-BB71-90A439DE90D9} - C:\WINDOWS\System32\winograf.nls (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to"view system and hidden files/folders":

files...

C:\WINDOWS\Nail.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

Post back a new log, report any problems and let me know how everything goes.

[b]IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!


-

~Njustice~
  • 0

#7
chinadoll

chinadoll

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
:tazz:

Edited by chinadoll, 27 April 2005 - 01:42 AM.

  • 0

#8
chinadoll

chinadoll

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok, I have done as you instructed. Here is a new log and the nail.exe file appears to be gone!!! I don't beleive it. How can I save a copy of this post so that I have it in the future? Also, what programs would you recommend to protect my PC from these things coming back? I have Norton but would like to try something else. Let me know if you see any other problems with my new log.
I can't thank you enough for your help!!!
  • 0

#9
chinadoll

chinadoll

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok, I have done as you instructed. Here is a new log and the nail.exe file appears to be gone!!! I don't beleive it. How can I save a copy of this post so that I have it in the future? Also, what programs would you recommend to protect my PC from these things coming back? I have Norton but would like to try something else. Let me know if you see any other problems with my new log.
I can't thank you enough for your help!!!

Logfile of HijackThis v1.99.1
Scan saved at 2:34:29 AM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://southeastkansas.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://southeastkansas.cox.net
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093404753906
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#10
njustice

njustice

    Member

  • Member
  • PipPipPip
  • 521 posts
Chinadoll,

Congratulations at last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm
d. Bugoff: http://www.majorgeek...wnload4308.html

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewa...nti-spyware,htm

5. Install 'Spoofstick"
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. See the links below:
a. ZoneAlarm
b. Kerio

7. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore.
a. Turn off system restore by right clicking on "My Computer" and go to "Properties"->"System Restore" and check the box for "Turn off System Restore". Click "Apply" and then "OK". Restart your computer. Reverse these steps and turn "System Restore" back on and create a new restore point.

8. Use GoogleToolbar - It's free, blocks popups and takes seconds to install. Use the toolbar without the advanced features enabled(check this during install), the toolbar is completely inert--it doesn't send any information to Google whatsoever as you surf.
a. GoogleToolbar

9. RegScrubXP 3.25 - Safely cleans junk out of the Windows. 2000/XP system registry. All changes made to the registry are fully restorable to it's original condition.
a. RegScrubXP 3.25

10. Online Virus Scans - Run these on a regular basis(I usually do about once a month or suspect a problem):
a. http://www.pandasoft...n_principal.htm
b. http://www.windowsec...com/trojanscan/
c. http://housecall.trendmicro.com/
d. http://www.bitdefend...can/licence.php


Good luck, and thanks for coming to our forums for help with your security and malware issues.
  • 0

#11
chinadoll

chinadoll

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
:tazz: Just wanted to thank you for your help!!!! With your help and the help of Rawe, I have managed to remove all spy and ad ware!!! I can't thank you enough, I can't imagine what I would have done without you. I will follow your advice given to keep PC clean. I do have a question... what about using firefox? Are you familiar with it?
Thank you again,
Angela
  • 0

#12
njustice

njustice

    Member

  • Member
  • PipPipPip
  • 521 posts
Hello chinadoll, yes by all means use Firefox. :tazz:

I'm closing this topic, if you need help in the future please feel free to open a new topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP