Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Nail.exe infection

Started by tacoeater , Apr 30 2005 11:25 PM

  • Please log in to reply

#1
tacoeater
Posted 30 April 2005 - 11:25 PM

tacoeater

    Member

  • Member
  • PipPip
  • 13 posts
I have been working with a customer's computer for a week trying to get this nail.exe cleaned out. I have used HijackThis and checked it as well as many of the other things that Ewido cleaned. They always came back. Then I stumbled upon your forum! I saw yujibee's post of 04-18-2005 and followed your advice and downloaded and ran the ewido software. I had to do all this in safe mode. Here is the log Ewido generated. Thank you in advance for your help.
Should I now try running Ewido in Normal Mode?
I turned the computer off and moved it out of the way.
I noticed that many log entries say error during clean and thought that might have something to do with safe mode.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:18:57 AM, 5/1/2005
+ Report-Checksum: 843573B7

+ Date of database: 5/1/2005
+ Version of scan engine: v3.0

+ Duration: 45 min
+ Scanned Files: 73478
+ Speed: 26.63 Files/Second
+ Infected files: 52
+ Removed files: 32
+ Files put in quarantine: 32
+ Files that could not be opened: 0
+ Files that could not be cleaned: 20

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C7WRGHOJ\Bolger[1].dll -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\RENT-A-CENTER\Desktop\mirc.ini -> Backdoor.Fylex -> Cleaned with backup
C:\Program Files\Common Files\Java\bpt.cfg -> Spyware.Broadcap.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1BCD6ECA-899A-481E-A5D9-428939\F85C6889-5002-402F-A43F-9D4C42 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C342F079-7B7C-4877-98E8-CE906E\5D8E32C1-D885-4267-B169-ABC363 -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052070.dll -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\fglijzkbvdr.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\oybedn.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\agaowr.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\desktoptraffic.exe -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\SYSTEM32\exact.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\gljnj\yolmtamc.exe -> Trojan.Elzio -> Cleaned with backup
C:\WINDOWS\SYSTEM32\madvsm\jvrv.exe -> Trojan.Elzio -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Uninstaller.exe -> Spyware.DealHelper.u -> Cleaned with backup
C:\WINDOWS\SYSTEM32\VCMnet10.exe -> Trojan.Registrator.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wυauboot.exe -> Spyware.PurityScan.at -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C7WRGHOJ\Bolger[1].dll -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\RENT-A-CENTER\Desktop\mirc.ini -> Backdoor.Fylex -> Error during cleaning
C:\Program Files\Common Files\Java\bpt.cfg -> Spyware.Broadcap.a -> Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\1BCD6ECA-899A-481E-A5D9-428939\F85C6889-5002-402F-A43F-9D4C42 -> Spyware.BetterInternet -> Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\C342F079-7B7C-4877-98E8-CE906E\5D8E32C1-D885-4267-B169-ABC363 -> Spyware.BetterInternet -> Error during cleaning
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052069.vxd/C:/WINDOWS/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-4227100762-1496390054-2561149147-1007\Dc1\RP220\A0052070.dll -> Spyware.HotSearchBar.d -> Error during cleaning
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\fglijzkbvdr.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Error during cleaning
C:\WINDOWS\oybedn.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\SYSTEM32\agaowr.exe -> Trojan.Agent.cp -> Error during cleaning
C:\WINDOWS\SYSTEM32\desktoptraffic.exe -> Spyware.HotSearchBar.d -> Error during cleaning
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Trojan.Agent.db -> Error during cleaning
C:\WINDOWS\SYSTEM32\exact.exe -> TrojanDownloader.Adload.a -> Error during cleaning
C:\WINDOWS\SYSTEM32\gljnj\yolmtamc.exe -> Trojan.Elzio -> Error during cleaning
C:\WINDOWS\SYSTEM32\madvsm\jvrv.exe -> Trojan.Elzio -> Error during cleaning
C:\WINDOWS\SYSTEM32\Uninstaller.exe -> Spyware.DealHelper.u -> Error during cleaning
C:\WINDOWS\SYSTEM32\VCMnet10.exe -> Trojan.Registrator.b -> Error during cleaning
C:\WINDOWS\SYSTEM32\wυauboot.exe -> Spyware.PurityScan.at -> Error during cleaning


::Report End

Edited by tacoeater, 30 April 2005 - 11:47 PM.

  • 0

Advertisements

#2
Metallica
Posted 01 May 2005 - 12:01 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you post your HijackThis log please?

Regards,
  • 0

#3
tacoeater
Posted 01 May 2005 - 01:36 PM

tacoeater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
i was afraid you would ask me to go back and do the hjt step.
connected the computer. did not connect lan. computer came up with transponder.bolger announced by microsoft antispy. i had it remove it. then the accepting of the entries for startup of ewido.
ran hijack this and here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 2:32:32 PM, on 05/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\baeirdlo\henyl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Utilities\Hijack\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [henyl] C:\WINDOWS\System32\baeirdlo\henyl.exe
O4 - HKLM\..\Run: [fupfkp] c:\windows\system32\nuhxfjx.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Vxiffo] C:\WINDOWS\System32\w?auboot.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109726806406
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: henylbaeirdlo - Unknown owner - C:\WINDOWS\System32\baeirdlo\henyl.exe
O23 - Service: jvrvmadvsm - Unknown owner - C:\WINDOWS\System32\madvsm\jvrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#4
Metallica
Posted 01 May 2005 - 01:56 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Click Start > Run > type cmd > OK

The command prompt will open.
Usually it does this in C:\Documents and settings\{username}
Type the command cd\ so only the C:\> is left

then type the following commands:
cd Windows
Nail.exe /Fullremove


Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [henyl] C:\WINDOWS\System32\baeirdlo\henyl.exe
O4 - HKLM\..\Run: [fupfkp] c:\windows\system32\nuhxfjx.exe

O4 - HKCU\..\Run: [Vxiffo] C:\WINDOWS\System32\w?auboot.exe

O23 - Service: henylbaeirdlo - Unknown owner - C:\WINDOWS\System32\baeirdlo\henyl.exe
O23 - Service: jvrvmadvsm - Unknown owner - C:\WINDOWS\System32\madvsm\jvrv.exe (file missing)

Reboot into safe mode and delete:
C:\WINDOWS\System32\baeirdlo <= entire folder
C:\WINDOWS\System32\madvsm <= entire folder

Boot back to normal and download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.

Regards,
  • 0

#5
tacoeater
Posted 01 May 2005 - 02:32 PM

tacoeater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Microsoft Windows XP [Version 5.1.2600]
The current date is: 05/01/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is Local Disk
Volume Serial Number is 20A9-BF96

Directory of C:\WINDOWS\SYSTEM32

04/26/2005 05:46 AM <DIR> cache32_rtneg
0 File(s) 0 bytes
1 Dir(s) 28,018,286,592 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C is Local Disk
Volume Serial Number is 20A9-BF96

Directory of C:\WINDOWS\system32

04/22/2005 04:33 PM 3,262 bingo_big2.ico
04/23/2005 05:57 PM 3,262 creditcard32123123123asdsa.ico
04/23/2005 05:57 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/10/2005 09:02 PM 3,262 kas pink1233aadsfa12.ico
04/23/2005 05:57 PM 3,262 kill popups.ico
04/23/2005 05:57 PM 3,262 kill spyware12.ico
12/07/2001 02:40 PM 22,486 LRNXP.ICO
04/23/2005 05:57 PM 4,286 mp3red51aads.ico
04/10/2005 09:02 PM 3,262 popupkiller2asdf1.ico
9 File(s) 50,630 bytes
0 Dir(s) 28,018,286,592 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME> REG_SZ IBolgerDllObj


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

AND THEN THE HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 3:27:19 PM, on 05/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Utilities\Hijack\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [henyl] C:\WINDOWS\System32\baeirdlo\henyl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109726806406
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#6
Metallica
Posted 02 May 2005 - 12:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job. :tazz:

Download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Reboot into safe mode and run Killbox.

Select "Delete on Reboot".
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\bingo_big2.ico
C:\WINDOWS\system32\creditcard32123123123asdsa.ico
C:\WINDOWS\system32\greenmovie2313asaadsasfad112341231adsfa.ico
C:\WINDOWS\system32\kas pink1233aadsfa12.ico
C:\WINDOWS\system32\kill popups.ico
C:\WINDOWS\system32\kill spyware12.ico
C:\WINDOWS\system32\LRNXP.ICO
C:\WINDOWS\system32\mp3red51aads.ico
C:\WINDOWS\system32\popupkiller2asdf1.ico
C:\Windows\svcproc.exe
C:\Windows\Nail.exe
C:\WINDOWS\Bolger.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Run HijackThis again.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [henyl] C:\WINDOWS\System32\baeirdlo\henyl.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Then reboot once more and post a new log.

Regards,
  • 0

#7
tacoeater
Posted 02 May 2005 - 01:39 AM

tacoeater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thanks so much for your help.
There was no prompt in Killbox for Pending Operations.
I love your forum. I have been an avid reader of the PCMech forums for several years but I really like your concept of only letting knowledgable people respond to these sticky problems.

Logfile of HijackThis v1.99.1
Scan saved at 2:29:23 AM, on 05/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Utilities\Hijack\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109726806406
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#8
Metallica
Posted 02 May 2005 - 04:05 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Looks like you beat it. Way to go. :tazz:

This one needs one more kick:
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

And you should be good to go.

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP