Nail.exe Aurora Pop Ups! Help Needed!

#1 JohnNada (Member, 12 posts)
As you may have read from other posts, I too have a problem with Nail.exe and Aurora pop-ups. I've tried everything, including advice given to others on this site, but it just doesn't work. If I delete Nail.exe in safe mode it just reappears before my very eyes; it's really getting me down now.

Any help would be greatly appreciated!

#2 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here along with a HijackThis log

Regards,

#3 JohnNada (Topic Starter, Member, 12 posts)
Strangely, I keep getting error messages every time I run Find-It's. I'll keep trying; in the meantime my HJT log is:

Logfile of HijackThis v1.99.1
Scan saved at 16:51:48, on 02/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
c:\windows\system32\parzcig.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Gary Ellison\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qjymrhp] c:\windows\system32\parzcig.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113068285875
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Thank you.

#4 JohnNada (Topic Starter, Member, 12 posts)
Sorry, I got Find-It's to run. Here you go, thank you:


Microsoft Windows XP [Version 5.1.2600]
The current date is: 02/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\GGIOOJH.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE
* UPX! C:\WINDOWS\YLGSPX~1.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\XVID.DLL
* UPX! C:\WINDOWS\DAEMON.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\YLGSPX~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 58C4-236D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 58C4-236D

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

#5 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Click Start > Run > type cmd > OK

The command prompt will open.
Usually it does this in C:\Documents and settings\{username}
Type the command cd\ until only the C:\> is left

then type the following commands:
cd Windows
Nail.exe /Fullremove


1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Nail.exe 
C:\WINDOWS\Bolger.dll 
C:\WINDOWS\svcproc.exe 
C:\WINDOWS\System32\DrPMon.dll
C:\WINDOWS\System32\GGIOOJH.EXE
c:\windows\system32\parzcig.exe
C:\WINDOWS\YLGSPX~1.EXE
6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot and post a new HijackThis log

Regards,

#6 JohnNada (Topic Starter, Member, 12 posts)
Upon restarting I got a Windows alert saying Nail.exe could not be found, which happened to me the last time I tried that, yet it just comes back. Here's my new HJT log; I see it's still there:

Logfile of HijackThis v1.99.1
Scan saved at 23:07:44, on 02/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
c:\windows\system32\ciysfc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gary Ellison\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ifkmfv] c:\windows\system32\ciysfc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113068285875
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#7 JohnNada (Topic Starter, Member, 12 posts)
Also, I did a search and found 3 instances of Nail.exe on my c drive. I removed them but they're back, although one was in a folder that began with "!" but it is now just back in the Windows folder. The other 2 are in the Temporary Internet Files and windows\prefetch folder.

Here's another HJT log just in case anything's changed. Thank you for your help:



Logfile of HijackThis v1.99.1
Scan saved at 23:28:23, on 02/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
c:\windows\system32\umgdivo.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gary Ellison\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [envkhl] c:\windows\system32\umgdivo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113068285875
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#8 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I think you forgot the space in

Nail.exe /Fullremove

Can you try that procedure again?

We can't really start cleaning if it is still running.

Regards,

#9 JohnNada (Topic Starter, Member, 12 posts)
I didn't forget the space; I've tried this before and the same thing happened.

However, I will go through all the processes again and make a log. Again, thank you for your help, and sorry for the late reply; I've been run off my feet...

#10 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Try this method.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Run Nail.exe's own removal switch first, from the Windows folder
cd %windir%
Nail.exe /FULLREMOVE
REM Disable, stop and delete the SvcProc service (C:\WINDOWS\svcproc.exe)
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes, then delete the files
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Regards,
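
Every item in the Killbox list in post #5 and in the batch file above is a separate persistence point, and each one is visible in the posted logs: the F2 line (on Windows NT/XP this is the Winlogon Shell value) starts Nail.exe alongside Explorer at every logon; SvcProc is a service with "Unknown owner"; Bolger.dll is a BHO loaded by Internet Explorer; DrPMon.dll is registered as a print monitor under the ZepMon key shown in the FindIt's output (the batch file deletes the DLL but leaves that key in place); and the O4 Run entry is re-created under a fresh random name on each reboot (parzcig.exe, ciysfc.exe and umgdivo.exe in the HijackThis logs, uihrae.exe in the Ewido scan). The script below is added here as an example; it is not part of the original thread and not HijackThis's own code. It pulls those entry types out of HijackThis 1.99 log lines using its own heuristics (the 5 to 9 lowercase-letter "random name" rule and the other thresholds are assumptions made for this example) and diffs two logs so that the rotating Run entry stands out even though its name never repeats. The sample lines are copied from the first two logs posted above, trimmed to the entry types inspected.

```python
"""Flag persistence entries in HijackThis 1.99 log lines and diff two logs.

Added example for this thread, not code from the forum or from HijackThis.
The sample lines are copied from the logs posted above (trimmed to the entry
types inspected); the flagging rules are this script's own heuristics.
"""
import re
from typing import List, NamedTuple, Tuple

# Entries from the first log posted in this thread (02/05/2005, 16:51).
LOG_A = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [qjymrhp] c:\windows\system32\parzcig.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# The same entries from the log posted after the Killbox reboot (23:07).
LOG_B = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ifkmfv] c:\windows\system32\ciysfc.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


# Heuristic (an assumption of this example): 5 to 9 lowercase letters with no
# digits or separators, like the Run value and exe names that change on every
# reboot in this thread. Tune it for other families.
RANDOM_NAME = re.compile(r"[a-z]{5,9}")
O2_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (.*): \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) \(([^)]+)\) - (.+?) - (.+)$")
WINDIR_ROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)


def exe_stem(command: str) -> str:
    """Base name (without .exe) of the first executable in a Run command."""
    m = re.search(r'([^\\\s"]+)\.exe', command, re.I)
    return m.group(1) if m else ""


def scan(log: str) -> List[Finding]:
    """Return the entries in a HijackThis log that warrant a closer look."""
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F2" and "Shell=" in line:
            # Shell should be Explorer.exe alone; anything appended is launched
            # with the desktop at every logon. (Whitespace split: paths with
            # spaces would need quoting, which this sample does not have.)
            extra = [t for t in line.split("Shell=", 1)[1].split()
                     if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(section, "extra shell executable " + " ".join(extra), line))
        elif section == "O2":
            m = O2_RE.match(line)
            if m and m.group(3).endswith("(file missing)"):
                findings.append(Finding(section, "BHO registered but DLL gone", line))
            elif m and WINDIR_ROOT_DLL.match(m.group(3)):
                findings.append(Finding(section, "BHO DLL dropped in the Windows folder", line))
        elif section == "O4":
            m = O4_RE.match(line)
            if m and RANDOM_NAME.fullmatch(m.group(2)) and RANDOM_NAME.fullmatch(exe_stem(m.group(3))):
                findings.append(Finding(section, "random-looking Run value and executable", line))
        elif section == "O15":
            findings.append(Finding(section, "site added to the Trusted zone", line))
        elif section == "O23":
            m = O23_RE.match(line)
            if m and m.group(3) == "Unknown owner":
                findings.append(Finding(section, "service with no vendor", line))
    return findings


def normalize(line: str) -> str:
    """Drop the '(file missing)' suffix so a deleted-but-still-registered entry
    compares equal to its earlier, present form."""
    return re.sub(r"\s*\(file missing\)$", "", line.strip())


def diff_logs(old: str, new: str) -> Tuple[List[str], List[str]]:
    """Entries that disappeared and entries that appeared between two logs."""
    a = {normalize(raw) for raw in old.splitlines() if raw.strip()}
    b = {normalize(raw) for raw in new.splitlines() if raw.strip()}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for f in scan(LOG_B):
        print(f"{f.section:<4}{f.reason}: {f.line}")
    gone, fresh = diff_logs(LOG_A, LOG_B)
    print("rotated out:", *gone, sep="\n  ")
    print("rotated in:", *fresh, sep="\n  ")
```

Run it with the previous log as `old` each time a new one is posted: a fixed blocklist of file names never matches this entry because the name changes on every boot, but the diff shows the same registry location acquiring a new random value while everything else in the log stays put. The "(file missing)" normalisation is what lets the Bolger and SvcProc lines compare equal across the two logs, which is the expected state after a delete-on-reboot that removed the file but not the registration.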


#11 JohnNada (Topic Starter, Member, 12 posts)
Sorry for the long reply, work's been murder.

Anyway, here's the ewido scan log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:20:32, 15/05/2005
+ Report-Checksum: 6F5F5752

+ Date of database: 14/05/2005
+ Version of scan engine: v3.0

+ Duration: 1606 min
+ Scanned Files: 313850
+ Speed: 3.26 Files/Second
+ Infected files: 82
+ Removed files: 41
+ Files put in quarantine: 41
+ Files that could not be opened: 0
+ Files that could not be cleaned: 41

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
F:\
C:\
F:\

+ Scan result:
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@a[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Desktop\hijackthis\backups\backup-20050430-175110-623.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\ANO\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\DJL\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\FRM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\HBX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\KNU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\KYH\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\LIO\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\LRK\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\RVP\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\TJN\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\VRO\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\WMZ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\XDD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\YDD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\YQG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\ZLR\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\C7210NWZ\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\C7210NWZ\istdownload[1].exe -> TrojanDownloader.IstBar.ir -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\bb[1].exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\cmctl[1].dll -> Spyware.AdMir.a -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\powerscan[1].exe -> Spyware.PowerScan.d -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\MXI30LCV\Bolger[1].dll -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\MXI30LCV\DrPMon[2].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\U7OBU3EB\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Kazaa Lite\TopSearch.dll -> Spyware.Altnet.e -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\uihrae.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\ylgspxfasre.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@advertising[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@atdmt[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@a[3].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@fastclick[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@myway[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary [email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary ellison@targetnet[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary [email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Cookies\gary [email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Desktop\hijackthis\backups\backup-20050430-175110-623.dll -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\ANO\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\DJL\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\FRM\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\HBX\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\KNU\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\KYH\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\LIO\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\LRK\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\RVP\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\TJN\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\VRO\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\WMZ\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\XDD\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\YDD\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\YQG\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temp\ZLR\aurareco.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\C7210NWZ\aurora[1].exe -> Spyware.BetterInternet.c -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\C7210NWZ\istdownload[1].exe -> TrojanDownloader.IstBar.ir -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\bb[1].exe -> TrojanDownloader.Adload.a -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\cmctl[1].dll -> Spyware.AdMir.a -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\powerscan[1].exe -> Spyware.PowerScan.d -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\IBSNK5AP\svcproc[1].exe -> Trojan.Stervis.c -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\MXI30LCV\Bolger[1].dll -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\MXI30LCV\DrPMon[2].dll -> Trojan.Agent.db -> Error during cleaning
C:\Documents and Settings\Gary Ellison\Local Settings\Temporary Internet Files\Content.IE5\U7OBU3EB\Nail[1].exe -> Trojan.Nail -> Error during cleaning
C:\Program Files\Kazaa Lite\TopSearch.dll -> Spyware.Altnet.e -> Error during cleaning
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Error during cleaning
C:\WINDOWS\system32\uihrae.exe -> Trojan.Agent.cp -> Error during cleaning
C:\WINDOWS\ylgspxfasre.exe -> Spyware.BetterInternet -> Error during cleaning


::Report End



and here's the HijackThis log I just did; unfortunately nail.exe is still there. I think it's time to cry...:

Logfile of HijackThis v1.99.1
Scan saved at 18:24:53, on 15/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Gary Ellison\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113068285875
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



Thank you.

#12 JohnNada (Member, Topic Starter, 12 posts)
As a side note, Ewido keeps detecting new viruses/trojans popping up; it's quite depressing.

#13 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please.

Regards,

#14 JohnNada (Member, Topic Starter, 12 posts)
Microsoft Windows XP [Version 5.1.2600]
The current date is: 16/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\NAIL.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\XVID.DLL
* UPX! C:\WINDOWS\DAEMON.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

Nail.exe
»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 58C4-236D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 58C4-236D

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

#15 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Click Start > Run > type cmd > OK

The command prompt will open.
Usually it does this in C:\Documents and settings\{username}
Type the command cd\ until only the C:\> is left

then type the following commands:
cd Windows
Nail.exe /Fullremove
<= Note there is a space before /Fullremove

1) Please download the Killbox.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Nail.exe 
C:\WINDOWS\Bolger.dll 
C:\WINDOWS\svcproc.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

After the reboot run HijackThis.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

Then in IE click Tools > Internet Options > on the General tab click Delete files and put a checkmark to include offline content.

Regards,
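The two HijackThis items the post above has fixed (the F2 Shell line and the orphaned Bolger BHO) are the kind of thing worth flagging automatically when triaging a log like the ones in this thread. The following Python script is an added example, not code from the thread or from the HijackThis project: it reads HijackThis-style lines, reports any program the Shell value starts besides Explorer.exe (that is how C:\WINDOWS\Nail.exe is relaunched at every logon), and flags O2 entries marked "(file missing)", O15 Trusted Zone additions and O23 services with "Unknown owner". The sample log embedded in it is constructed from lines in this thread, not a real capture; the rules and the `shell_extras`/`triage` function names are the example's own.

```python
"""Triage helpers for HijackThis-style log lines (added example, not from the thread)."""
import re

# Constructed sample modelled on the HijackThis log posted in this thread; not a real capture.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.wanadoo.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\\WINDOWS\\Bolger.dll (file missing)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\\WINDOWS\\system32\\UAService7.exe
"""

# The only program the Shell value names on a stock Windows XP system.
DEFAULT_SHELL = "explorer.exe"


def shell_extras(line):
    """Return the programs the Shell= value starts in addition to Explorer.exe.

    The F2 line shows the Shell value (system.ini mapping / Winlogon). A clean
    system lists only Explorer.exe; every other entry is launched by Winlogon at
    each logon, which is why removing the file alone is not enough.
    Tokens are either quoted strings or runs without commas/whitespace, so an
    unquoted path containing spaces would be split (a limitation of this example).
    """
    m = re.search(r"Shell=(.*)$", line)
    if not m:
        return []
    programs = re.findall(r'"[^"]+"|[^,\s]+', m.group(1))
    return [p for p in programs if p.strip('"').lower().split("\\")[-1] != DEFAULT_SHELL]


def triage(log_text):
    """Scan HijackThis lines and return a list of (section, reason, line) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 -") and "Shell=" in line:
            extras = shell_extras(line)
            if extras:
                findings.append(("F2", "Shell value starts extra program(s): " + ", ".join(extras), line))
        elif line.startswith("O2 -") and "(file missing)" in line:
            # The CLSID registration survived even though the DLL is gone: leftover persistence.
            findings.append(("O2", "BHO registered for a DLL that no longer exists (orphaned CLSID)", line))
        elif line.startswith("O15 -"):
            findings.append(("O15", "Site added to the Trusted Zone; confirm it was added intentionally", line))
        elif line.startswith("O23 -") and "Unknown owner" in line:
            findings.append(("O23", "Service binary has no publisher information; verify its origin", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it on a saved HijackThis log by replacing `SAMPLE_LOG` with the file's contents. Lines that do not match a rule are ignored, so the output is the short list of items a helper would ask the poster to fix, in the same order they appear in the log.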