nail.exe/AURORA popup problems


  • This topic is locked

#1
earl parameter

earl parameter

    Member

  • Member
  • PipPip
  • 15 posts
I'm having trouble removing the nail.exe/AURORA popup hijack.

I've tried Ad-Aware, SD Spybot, HijackThis, MS AntiSpyware, MS malicious soft remover, Killbox and maybe others, with no luck, though I could be using them wrong.

Upon a suggestion I saw online I rebooted in safe mode and just deleted nail.exe and bolger.dll, and then I was greeted with a "this file is missing or corrupt c: windows\system32\config\system" message. Using http://support.microsoft.com/?kbid=307545 I was able to restore my system, but not able to restore to an older restore point, as I do not actually have any that I personally created. It's a brand new install. Hopefully none of this matters, but I thought you might like to know.



HijackThis is installed in the folder C:\junk\maint that I use for maintenance progs.

With SD Spybot and antispyware assumingly shut off, this is my log from HijackThis.

Please inform me if there is anything I have done incorrectly, so I can remedy it.


Thank you.

```````````````````````````````````````````````````````````````


Logfile of HijackThis v1.99.1
Scan saved at 4:29:03 AM, on 5/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\junk\maint\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo...o_Here-f37.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitednl32.exe
O4 - HKLM\..\Run: [dkgugn] c:\windows\system32\zasvisd.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\atlll.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by earl parameter, 07 May 2005 - 03:53 AM.

  • 0


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Looks like you got rid of Aurora/Nail, but Elitebar is being a stubborn pest.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\windows\system32\elitednl32.exe
c:\windows\system32\zasvisd.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitednl32.exe
O4 - HKLM\..\Run: [dkgugn] c:\windows\system32\zasvisd.exe

Click Start > Run type services.msc > OK
In the list of services find:
System Startup Service (SvcProc)
Right-click that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: SvcProc

Boot back to normal and post a new HijackThis log.

Regards,
  • 0
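
A small triage pass over the O4 and O23 lines of a HijackThis log like the one in post #1, added here as an example and not part of any poster's reply. The three heuristics (autorun executable sitting directly in system32, browser started from a Run key, service with an unknown owner whose file is missing) are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
import re

# Lines copied from the HijackThis log in post #1 (O4 = Run keys, O23 = services).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitednl32.exe
O4 - HKLM\..\Run: [dkgugn] c:\windows\system32\zasvisd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# The heuristics below are illustrative assumptions, not rules stated in the thread.
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SVC_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
SYSTEM32_EXE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\ ]+\.exe$")


def triage(log_text):
    """Return (section, entry name, reason) for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            cmd = run["cmd"].strip('"').lower()
            if SYSTEM32_EXE_RE.match(cmd):
                findings.append(("O4", run["name"], "autorun exe directly in system32"))
            elif cmd.endswith("\\iexplore.exe"):
                findings.append(("O4", run["name"], "browser launched at startup"))
            continue
        svc = SVC_RE.match(line)
        if svc and svc["owner"] == "Unknown owner" and svc["missing"]:
            findings.append(("O23", svc["name"], "service points at a missing file"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section}  {name:35} {reason}")
```

The output is a list of entries to check by hand, not a removal list: the Speed Disk service is reported by the same rule as SvcProc, although the reply above only deals with SvcProc.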

#3
earl parameter

Upon reboot I get a "Windows could not start because the following file is missing or corrupt: <windows root>\system32\hal.dll. Please re-install a copy of the above file."

Any ideas?

steve
  • 0

#4
Metallica

Can you check your boot.ini file as described here:
http://www.kellys-ko...dll_missing.htm

Regards,
  • 0

#5
earl parameter

Do you mean "Go to Start/Run and type in: msconfig. Then go to the Boot.ini Tab. Or...Right click the My Computer icon/Properties/Advanced/Startup and Recovery/Settings/System Startup/Edit."

No, it will not boot to Windows. I get that message. I'll keep reading though.


I'm using my laptop for this.


I may be up for this "Option 2:

Boot from your CD and follow the directions below to start Recovery Console.

Insert the Setup compact disc (CD) and restart the computer. If prompted, select any options required to boot from the CD.
When the text-based part of Setup begins, follow the prompts; choose the repair or recover option by pressing R.

If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the Recovery Console.
When prompted, type the Administrator password. (if you didn't create one try pressing enter).

At the system prompt, type Recovery Console commands; type help for a list of commands, or help commandname for help on a specific command.

Most likely you will need to expand the file from the CD. The command would be expand d:\i386\hal.dl_ c:\windows\system32\hal.dll. Substitute d: for the drive letter of your CD. Once you have expanded the file type "exit" to exit the Recovery Console and restart the computer.
"



What do you think?

Edited by earl parameter, 07 May 2005 - 05:13 AM.

  • 0

#6
Metallica

Can you start it in safe mode?

Keep tapping F8 during boot? From there enter msconfig and check the boot.ini tab if you can.

Regards,
  • 0

#7
earl parameter

No boot to safe mode. Did you read my edit just above your last reply?
  • 0

#8
earl parameter

Or this:

Option 1:

Boot from your CD and follow the directions to start Recovery Console. Then:

Attrib -H -R -S C:\Boot.ini
DEL C:\Boot.ini
BootCfg /Rebuild
Fixboot



Do I just type those commands in Recovery Console?
  • 0

#9
Metallica

I agree that BootCfg /Rebuild would be the best option in this case.

The Recovery Console is very much like a Command Prompt/DOS window.
Those commands are typed behind the prompt and ENTERed.

Regards,
  • 0

#10
earl parameter

Give me a minute.
  • 0


#11
Metallica

Take your time. No need to rush & crash. :tazz:

Regards,
  • 0

#12
earl parameter

I have to be doing something wrong. I type "Attrib -H -R -S C:\Boot.ini"

exactly and it states "the parameter is not valid".
  • 0

#13
earl parameter

So I did the rest of the commands

DEL C:\Boot.ini
BootCfg /Rebuild
Fixboot

and I get this error:

failed to successfully scan disks for windows install this error may be caused by a corrupt file system, which would prevent bootcfg from scanning. use chkdsk to detect errors

note this op must complete successfully in order for the /add or /rebuild commands to be utilized


So should I try option 2?


At the system prompt, type Recovery Console commands; type help for a list of commands, or help commandname for help on a specific command.

Most likely you will need to expand the file from the CD. The command would be expand d:\i386\hal.dl_ c:\windows\system32\hal.dll. Substitute d: for the drive letter of your CD. Once you have expanded the file type "exit" to exit the Recovery Console and restart the computer.




This is looking rather bad.
  • 0

#14
Metallica

Can you try attrib C:\boot.ini

(that should give you the attributes of the file if it exists)

Regards,
  • 0

#15
earl parameter

parameter is not valid
  • 0





