Aurora is killing my computer! please help



#1
blibblub

Like many other people, I am having a lot of trouble with this Aurora popup.
I have tried using Ad-Aware and Spybot S&D, and neither seems to work.

Here is a print out summary of my hijackthis scan.
Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:25:03 AM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 1.9.100\program\soffice.exe
C:\Program Files\OpenOffice.org 1.9.100\program\soffice.BIN
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ehome\ehshell.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitComet\BitComet.exe
D:\torrents\Trillian Pro 3.1.121 Final incl Crack\Trillian Pro 3.1.121 Final.exe
C:\DOCUME~1\blub\LOCALS~1\Temp\nsh7.tmp\ns8.tmp
C:\DOCUME~1\blub\LOCALS~1\Temp\nskB.tmp\nsC.tmp
c:\windows\system32\mfpgim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\ensfjiv.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\blub\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmvhaoa] c:\windows\system32\mfpgim.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SydgNwH] C:\WINDOWS\ensfjiv.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Startup: OpenOffice.org 1.9.100.lnk = C:\Program Files\OpenOffice.org 1.9.100\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108527612237
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


thank you

blub
  • 0



#2
pomp

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

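@ECHO OFF
REM Run from Safe Mode. /d also switches drive if the batch file starts on another drive.
cd /d "%windir%"
REM Invoke Nail.exe with its /FULLREMOVE switch
Nail.exe /FULLREMOVE
REM Disable, stop and delete the SvcProc service
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd /d "%windir%\system32"
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit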

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [dmvhaoa] c:\windows\system32\mfpgim.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SydgNwH] C:\WINDOWS\ensfjiv.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#3
blibblub

Hi,
thank you for your help.
I followed all your instructions.

The following things I could not find upon running Hijackthis

O4 - HKLM\..\Run: [dmvhaoa] c:\windows\system32\mfpgim.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SydgNwH] C:\WINDOWS\ensfjiv.exe


Aside from the above 3 files, everything else was done according to your instructions.
As per your request, I am posting the log from my ewido complete scan and from the hijackthis that I ran after rebooting into normal mode.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:06:17 PM, 5/8/2005
+ Report-Checksum: 18762B5E

+ Date of database: 5/8/2005
+ Version of scan engine: v3.0

+ Duration: 68 min
+ Scanned Files: 86206
+ Speed: 21.07 Files/Second
+ Infected files: 80
+ Removed files: 80
+ Files put in quarantine: 80
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
F:\
G:\

+ Scan result:
C:\WINDOWS\system32\pualrd.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\nem220.dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
C:\WINDOWS\xaqpqzfiynz.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temp\fFGFHQp.exe -> TrojanDownloader.IstBar.ir -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\OYHU8SBZ\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\OYHU8SBZ\istsvc[1].exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\L9LQ8S0Y\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\L9LQ8S0Y\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\L9LQ8S0Y\istdownload[1].exe -> TrojanDownloader.IstBar.ir -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\C260OFHV\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\C260OFHV\ysb[1].dll -> Spyware.YourSiteBar.c -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\C260OFHV\optimize[1].exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\C260OFHV\nem220[1].dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\OQM33SI1\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\blub\Local Settings\Temporary Internet Files\Content.IE5\OQM33SI1\istrecover[1].exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@advertising[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@clickagents[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\blub@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\blub\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\YourSiteBar\ysb.dll -> Spyware.YourSiteBar.c -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012830.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012831.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012832.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012834.exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012835.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012836.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012840.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012844.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{8E3DA479-6AE8-4B2A-A1BF-F007E094647E}\RP69\A0012845.exe -> Trojan.Stervis.c -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@gator[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@list[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@sextracker[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Documents and Settings\blub\Cookies\blub@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End



and here is the hijackthis report


Logfile of HijackThis v1.99.1
Scan saved at 1:16:08 PM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 1.9.100\program\soffice.exe
C:\Program Files\OpenOffice.org 1.9.100\program\soffice.BIN
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\blub\Desktop\hijackthis\HijackThis.exe
C:\Documents and Settings\blub\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Startup: OpenOffice.org 1.9.100.lnk = C:\Program Files\OpenOffice.org 1.9.100\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108527612237
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe



What do I do next?
Thank you much.

blub
  • 0

#4
pomp

It seems like it was killed, but this line won't go away. Please do this: reboot your computer into Safe Mode.

Run hijackthis and fix the following line:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

When you have fixed that, restart your computer in normal mode. Then run HijackThis and post a new log. Thanks
  • 0

#5
blibblub

I tried it twice in safe mode.
Hijackthis cannot remove the nail.exe file. It keeps reappearing.

here is my hijackthis report

Logfile of HijackThis v1.99.1
Scan saved at 3:27:27 PM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org 1.9.100\program\soffice.exe
C:\Program Files\OpenOffice.org 1.9.100\program\soffice.BIN
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\blub\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Startup: OpenOffice.org 1.9.100.lnk = C:\Program Files\OpenOffice.org 1.9.100\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108527612237
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
  • 0
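
One way to check a cleanup pass like the one in posts #2 to #5, as an added example that is not part of the original thread: the script compares HijackThis logs taken before and after the fix and reports which targeted entries are gone, which persist, and which now point at a missing file. The function names are hypothetical, and the sample logs are short excerpts constructed from the logs posted above.

```python
import re

# HijackThis entry lines start with a section code such as R1, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# Suffixes HijackThis appends when the referenced file does not exist.
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.IGNORECASE)


def parse_entries(log_text):
    """Map a normalized (section, body) key to details for each entry line."""
    entries = {}
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, running-process list or blank line
        section, body = match.groups()
        # Drop the "(file missing)" suffix so the same entry matches across logs.
        key = (section, MISSING_RE.sub("", body).lower())
        entries[key] = {"line": raw.strip(),
                        "file_missing": bool(MISSING_RE.search(body))}
    return entries


def compare_logs(before, after, fix_list):
    """Classify entries after a cleanup pass (hypothetical helper)."""
    old, new, targeted = (parse_entries(t) for t in (before, after, fix_list))
    return {
        # Checked for fixing and no longer present.
        "fixed": sorted(old[k]["line"] for k in targeted if k in old and k not in new),
        # Checked for fixing but still present: something is rewriting them.
        "persisting": sorted(new[k]["line"] for k in targeted if k in new),
        # Registry entry survives although its file was removed.
        "orphaned": sorted(v["line"] for v in new.values() if v["file_missing"]),
        # Not in the earlier log at all.
        "added": sorted(v["line"] for k, v in new.items() if k not in old),
    }


# Constructed excerpts from the logs in this thread (not the full logs).
BEFORE = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dmvhaoa] c:\windows\system32\mfpgim.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SydgNwH] C:\WINDOWS\ensfjiv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# The lines the helper asked to check before clicking "Fix Checked".
FIX_LIST = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [dmvhaoa] c:\windows\system32\mfpgim.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SydgNwH] C:\WINDOWS\ensfjiv.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
"""

if __name__ == "__main__":
    for status, lines in compare_logs(BEFORE, AFTER, FIX_LIST).items():
        print(f"{status}:")
        for line in lines:
            print(f"  {line}")
```
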

#6
pomp

Have HijackThis fix this one line:

O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)

Then...

Click http://www.atribune....ads/KillBox.exe to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox.

C:\WINDOWS\Nail.exe

Put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

After that, then post a new log.

Edited by pomp86, 08 May 2005 - 04:57 PM.

  • 0





