
Aurora Pop ups (resolved)



#1
shannongray


    New Member

  • Member
  • 6 posts
Hi. I found your site by googling "Aurora help." I installed and used Ad-Aware and Spyware Doctor and I started using Firefox instead of Internet Explorer, but I was still having problems with these "Aurora" pop ups.

I followed all your directions in the "Click Here" link about what to do before posting my log (Ad-aware, CWShredder, Spybot, Windows Update, Virus Scans...) I rebooted when prompted, and at the end after I had done everything. The only problem I still know of is with Aurora. (I am still getting Aurora Pop ups.) My Hijack This log is pasted below.

Thanks for having this site you guys. It's fantastic not to have to keep begging my ex-boyfriend (programmer) for help. I hope you can help me out a bit.

Please let me know if you need more information or if I did something wrong. I don't really understand much of this, so I don't know if I've done everything I should do before this step.


Logfile of HijackThis v1.99.1
Scan saved at 5:12:02 AM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLHOS~1.EXE
c:\windows\system32\mckubyf.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108520415\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenuk32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Shannon\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [kcrfmd] c:\windows\system32\mckubyf.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





Thanks Again,

Shannon


#2
Guest_usetobe_*

  • Guest
Hi Shannon,

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Download this tool: LQfix.zip
Unzip it to your Desktop.
Don't use it yet!

IMPORTANT! Reboot the computer into Safe Mode (tap F8 during boot-up, use the arrow keys to select Safe Mode, then hit 'Enter').

Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; that is normal.

Next, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check the following if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenuk32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Shannon\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [kcrfmd] c:\windows\system32\mckubyf.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe


Close all open windows except for HijackThis and click Fix Checked.

Set up the PC to show hidden files (click the link below if you do not know how).

Show hidden files

Using Windows Explorer, locate and delete the following if present.

C:\WINDOWS\about.htm
C:\WINDOWS\Nail.exe
C:\WINDOWS\cfgmgr51.dll
C:\windows\system32\elitenuk32.exe
C:\WINDOWS\cfgmgr51.dll,DllRun
C:\WINDOWS\Temp\TBuninst.exe /remove
C:\DOCUME~1\Shannon\LOCALS~1\Temp\bundle.exe
c:\windows\system32\mckubyf.exe
c:\windows\SvcProc.exe

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#3
shannongray


    New Member

  • Topic Starter
  • Member
  • 6 posts
Thanks for the quick response!!!

Here's my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:25:01 AM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108520415\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Okay, now the more difficult part. I messed up and I don't think I followed your directions exactly. I ran two Ewido scans. With the first one I put everything it found in quarantine. Then I read your instructions and realized that maybe I made a mistake. I ran a second scan, and didn't take any action with the files. I don't know if I did something wrong or not. But here are the scan results:

Scan Number One (All of these files are quarantined):

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:58:27 PM, 5/10/2005
+ Report-Checksum: 852D5E39

+ Date of database: 5/10/2005
+ Version of scan engine: v3.0

+ Duration: 60 min
+ Scanned Files: 77890
+ Speed: 21.43 Files/Second
+ Infected files: 76
+ Removed files: 76
+ Files put in quarantine: 76
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Shannon\Cookies\shannon@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Cookies\shannon@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Cookies\shannon@indiads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Cookies\shannon@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Cookies\shannon@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Cookies\shannon@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Cookies\shannon@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Cookies\shannon@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\bundle.exe -> Spyware.Sahat.h -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\Cookies\shannon@3422958[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\Cookies\shannon@36831569[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\Cookies\shannon@ads.specificclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\Cookies\shannon@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\Cookies\shannon@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\DelB7D.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\Shannon\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\13777971.asw -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\13778352.asw -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\13778752.asw -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\13778953.asw -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\13780224.asw -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll -> Spyware.MegaSearch.b -> Cleaned with backup
C:\Program Files\FwBarTemp\searchbar.exe -> TrojanDownloader.VB.eu -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088579.dll -> Spyware.Toolbar -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088580.exe -> Spyware.WebSearch.af -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088599.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088604.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088612.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088613.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088614.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088615.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088617.exe -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088629.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088631.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088837.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088841.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088846.dll -> Spyware.Toolbar -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088847.exe -> Spyware.WebSearch.af -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088855.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088880.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088883.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088891.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088909.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088910.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP387\A0088944.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0088948.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0088977.dll -> Spyware.Small.ez -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0088996.dll -> Spyware.Delf.r -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0088999.exe -> Spyware.Searcher.h -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089001.exe -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089003.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089010.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089011.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089016.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089023.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089030.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP388\A0089147.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP389\A0089153.exe -> Spyware.Sahat.f -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP389\A0089154.exe -> Spyware.Sahat.f -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP389\A0089155.dll -> Spyware.Sahat.f -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP389\A0089156.exe -> Spyware.Sahat.f -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP390\A0089165.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP391\A0089173.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089241.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089250.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089251.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089254.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089255.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089256.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr51.dll -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ymvkgv.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\uaqoybpyu.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End


Scan Number Two (I didn't do anything to these files)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:20:15 AM, 5/11/2005
+ Report-Checksum: 7ACFFE72

+ Date of database: 5/11/2005
+ Version of scan engine: v3.0

+ Duration: 331 min
+ Scanned Files: 78000
+ Speed: 3.93 Files/Second
+ Infected files: 16
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089264.dll -> Spyware.MegaSearch.b -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089265.exe -> TrojanDownloader.VB.eu -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089266.dll -> Spyware.BookedSpace -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089269.dll -> Trojan.Agent.db -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089296.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089300.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089301.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089302.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089303.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089304.dll -> Spyware.EliteBar.af -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089305.dll -> Spyware.EliteBar.z -> Ignored
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089306.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\SYSTEM32\qqgwaz.exe -> Trojan.Agent.cp -> Ignored
C:\WINDOWS\SYSTEM32\tkvrch.exe -> Trojan.Agent.cp -> Ignored
C:\WINDOWS\uaqoybpyu.exe -> Spyware.BetterInternet -> Ignored


::Report End


Thanks so much for your help so far. I hope I didn't mess things up. Sorry for not following your directions!
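The two ewido reports above are worth reading side by side: the first scan "cleaned" C:\WINDOWS\Nail.exe, yet the second scan, run the next morning with nothing actioned, lists it again, which is the usual sign that a boot-time component (here the Shell= hijack and the SvcProc service) recreates the file. The script below is an added example, not ewido's or the forum's code, that parses the `path -> family -> action` lines of a report, separates restore-point copies (under System Volume Information) from live files, checks the parsed count against the report's own "Infected files" header, and lists live paths that appear in both of two reports. The two sample reports are constructed from a handful of the lines posted above.

```python
"""Summarize ewido 'Scan report' output and compare two reports.

Added example, not ewido's or the forum's code. The sample reports are
constructed from a few of the lines posted in this thread.
"""
import re
from collections import Counter

# One detection per line: <path> -> <family> -> <action>
RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<family>\S+) -> (?P<action>.+)$")
HEADER_RE = re.compile(r"^\+ Infected files: (\d+)$")
# System Restore keeps copies of deleted malware; they are inert until restored.
RESTORE_DIR = "\\system volume information\\_restore"

# Constructed sample: scan one, everything set to "Cleaned with backup".
SCAN_ONE = r"""
+ Infected files: 5
+ Scan result:
C:\Documents and Settings\Shannon\Local Settings\Temp\bundle.exe -> Spyware.Sahat.h -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089256.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\uaqoybpyu.exe -> Spyware.BetterInternet -> Cleaned with backup
::Report End
"""

# Constructed sample: scan two the next day, no action taken.
SCAN_TWO = r"""
+ Infected files: 3
+ Scan result:
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089306.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\SYSTEM32\qqgwaz.exe -> Trojan.Agent.cp -> Ignored
::Report End
"""


def parse_report(text):
    """Return (declared_count, detections). Each detection is a dict with
    path, family, action and an in_restore_point flag."""
    declared = None
    detections = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            declared = int(h.group(1))
            continue
        m = RESULT_RE.match(line)
        if m:
            d = m.groupdict()
            d["in_restore_point"] = RESTORE_DIR in d["path"].lower()
            detections.append(d)
    return declared, detections


def summarize(text):
    """Counts by family and action, live vs restore-point split, and a
    consistency check of the parsed count against the report header."""
    declared, dets = parse_report(text)
    live = [d for d in dets if not d["in_restore_point"]]
    neutralized = ("Cleaned", "Removed", "Quarantined")
    return {
        "declared": declared,
        "parsed": len(dets),
        "consistent": declared == len(dets),
        "restore_point": len(dets) - len(live),
        "live": len(live),
        "by_family": Counter(d["family"] for d in dets),
        "by_action": Counter(d["action"] for d in dets),
        # live files the scanner reported but did not neutralize
        "live_unresolved": sorted(d["path"] for d in live
                                  if not d["action"].startswith(neutralized)),
    }


def persisting(first, second):
    """Live (non restore-point) paths present in both reports. A file that
    was cleaned in the first scan and is back in the second indicates an
    active dropper or a boot-time component that recreates it."""
    def live_paths(text):
        return {d["path"].lower() for d in parse_report(text)[1]
                if not d["in_restore_point"]}
    return sorted(live_paths(first) & live_paths(second))


if __name__ == "__main__":
    for name, report in (("scan one", SCAN_ONE), ("scan two", SCAN_TWO)):
        s = summarize(report)
        print(f"{name}: {s['live']} live, {s['restore_point']} in restore points,"
              f" header consistent={s['consistent']}")
    print("reappeared after cleaning:", persisting(SCAN_ONE, SCAN_TWO))
```

The restore-point split matters for reading the counts: of the 76 detections in the first report above, most are inert copies in RP387-RP392, and the handful of live files in C:\WINDOWS and SYSTEM32 are what decides whether the machine is actually clean.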

#4
Guest_usetobe_*

  • Guest
Hi Shannon,

Download the following program. Install it but do not run it yet.

Cleanup

Reboot your PC into SAFE MODE again (tap F8 key)

Rescan with HJT and check the following.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll (file missing)
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove


You also have the following optional

F) O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <<---- this is a known resource hog. All components of Office are available via Start/Programs, so this is not required.

Once you have decided on the optional item, ensure no windows are open except HJT and click FIX CHECKED.

Make sure the PC is set to show hidden files again and, using Windows Explorer, locate and delete the following files/folders if present.

C:\WINDOWS\about.htm
C:\WINDOWS\Nail.exe
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\Temp\TBuninst.exe /remove


Now run the cleanup program you downloaded earlier to clear out temp files, junk etc.

Now rescan with ewido and allow it to fix anything it finds. COPY THE REPORT TO POST BACK.

Reboot PC normally, rescan with HJT and post the log back together with the HJT report.

Regards,

Usetobe

#5
shannongray (Topic Starter, New Member)
Hey Usetobe,

Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:48:35 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLHOS~1.EXE
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108520415\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

And my new ewido scan results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:42:59 PM, 5/11/2005
+ Report-Checksum: 759BAA4

+ Date of database: 5/11/2005
+ Version of scan engine: v3.0

+ Duration: 67 min
+ Scanned Files: 69341
+ Speed: 17.18 Files/Second
+ Infected files: 32
+ Removed files: 32
+ Files put in quarantine: 32
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089264.dll -> Spyware.MegaSearch.b -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089265.exe -> TrojanDownloader.VB.eu -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089266.dll -> Spyware.BookedSpace -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089269.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089296.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089300.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089301.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089302.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089303.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089304.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089305.dll -> Spyware.EliteBar.z -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089306.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089308.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089310.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089311.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089312.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089321.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP392\A0089344.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089346.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089347.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089348.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089349.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089350.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089356.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089376.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089377.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP393\A0089378.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atrxngq.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\uaqoybpyu.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End



Also, when I use windows explorer to find and then delete the Nail.exe file, it pops back up a few seconds later in the same search results window. I imagine this is just part of the problem/virus, but I wanted to let you know in case there is something else I should be doing. Thank you so much for helping me deal with all this! You're becoming one of my favorite people. Seriously.

Thanks,
Shannon

#6
Guest_usetobe_* (Guest)
Hi Shannon,

As you can see, Nail is pretty persistent :tazz: so I'm going to use a bigger hammer ;)

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find System Startup Service.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Download Pocket killbox

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop but do not run it yet.

Carry out this procedure again.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Now rescan with HJT and check the following if still present.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Ensure no windows open except HJT and click FIX CHECKED.

Ensure the PC is set up to show hidden files and, using Windows Explorer, locate the following and delete it.

C:\WINDOWS\Nail.exe


Now double-click on the KILLBOX folder on desktop, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

Rescan with HJT and post the log back
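The entries usetobe keeps picking out of Shannon's logs (the system.ini Shell= line that starts a second program beside Explorer.exe, the "System Startup Service" with an unknown owner and a missing binary, the Run entry launched from Temp) are the same checks a helper does by eye. As an added example, not part of this thread or of HijackThis, here is that triage written as a small Python parser. The sample lines are constructed from the log posted above; the regular expressions and the Finding class are this example's own, not HijackThis output formats beyond the line layouts visible on the page.

```python
"""Triage a HijackThis log for the persistence entries discussed in this thread.

Added example (not from the thread or from HijackThis). The heuristics mirror
what a helper looks for: a system.ini Shell= value that launches anything
besides Explorer.exe, services whose binary is missing or whose owner is
unknown, BHOs whose DLL is gone, and Run entries launched from Temp folders.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [Uninstall_TBPS] C:\\WINDOWS\\Temp\\TBuninst.exe /remove
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\vptray.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\\PROGRA~1\\SYMANT~1\\DefWatch.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\\WINDOWS\\cfgmgr51.dll (file missing)
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "F2" or "O23"
    reason: str   # why the line deserves attention
    line: str     # the original log line, for the reply post


SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - .*?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SHELL_RE.match(line)
        if m:
            # The legitimate value is exactly "Explorer.exe"; anything appended is a
            # second program that Winlogon starts with the shell at every logon.
            extras = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
            if extras:
                findings.append(Finding("F2", "extra program in Shell=: " + " ".join(extras), line))
            continue

        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if m.group("owner").strip().lower() == "unknown owner":
                reasons.append("service has no publisher")
            if "(file missing)" in m.group("path"):
                reasons.append("service binary missing on disk")
            if reasons:
                findings.append(Finding("O23", "; ".join(reasons), line))
            continue

        m = RUN_RE.match(line)
        if m and re.search(r"\\temp\\", m.group("cmd"), re.I):
            findings.append(Finding("O4", "Run entry launches from a Temp directory", line))
            continue

        m = BHO_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(Finding("O2", "BHO registered but its DLL is missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a whole pasted log and the four flagged lines come out in the order they appear; a "(file missing)" service such as SvcProc is worth a second look even after the file is gone, because the registration is what brings the service back on the next boot.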

#7
shannongray (Topic Starter, New Member)
Hey Usetobe,

Okay, I followed your directions, and when I rebooted I got a message saying Windows couldn't find C:\WINDOWS\Nail.exe


Here's my Hijack This log from after I did everything:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:28 PM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108520415\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Thanks,

Shannon

#8
Guest_usetobe_* (Guest)
Hi Shannon,

Reboot into SAFE MODE again,

Rescan with HJT and check the following

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Ensure no windows open and click FIX CHECKED.

Make sure the PC is set to show hidden files again and, using Windows Explorer, locate the following and delete it.

C:\WINDOWS\Nail.exe

Now double-click on the KILLBOX folder on desktop, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below (EXACTLY as it appears, please double check to make sure!):

C:\WINDOWS\Nail.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

Rescan with HJT and post the log back

#9
shannongray (Topic Starter, New Member)
Hey Usetobe,

Okay, I followed your directions and when I searched to find C:\WINDOWS\Nail.exe in explorer, it didn't come up in the results. Another file came up, though, C:\WINDOWS\Prefetch\Nail.exe-00088443.pf

Also, when I clicked yes to reboot when prompted by Killbox, I got this message:

PendingFileRenameOperations Registry Data has been Removed by External Process!


Here's my Hijack This log from after I Rebooted manually:

Logfile of HijackThis v1.99.1
Scan saved at 8:00:05 AM, on 5/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLHOS~1.EXE
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\110852~1\EE\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108520415\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



I forgot to say last time that I liked your pun. Very clever :tazz: Also, I really appreciate all this help and how fast you keep responding!

Thanks So Much,

Shannon
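As an added example (not part of the thread and not HijackThis code), here is a small Python parser for the O9/O20/O23 line format shown in the log above. The sample lines are constructed in that format, and the flags it raises (file missing, unknown owner, a doubled backslash in a service path) are my own review heuristics, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the same format as the HijackThis log in this thread.
SAMPLE_LOG = r"""O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
"""


@dataclass
class Entry:
    section: str            # e.g. "O23"
    kind: str               # e.g. "Service", "Extra button", "Winlogon Notify"
    name: str
    vendor: Optional[str]   # only O23 lines carry a vendor field
    path: str
    flags: List[str]        # review heuristics that fired for this line


# "<section> - <kind>: <name> [- <vendor>|{CLSID}] - <path>"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # not a HijackThis item line
    section, kind, rest = m.groups()
    parts = [p.strip() for p in rest.split(" - ")]
    name, path = parts[0], parts[-1]
    vendor = parts[1] if section == "O23" and len(parts) >= 3 else None
    flags: List[str] = []
    if path.endswith("(file missing)"):   # HijackThis could not find the file
        flags.append("file missing")
        path = path[: -len("(file missing)")].strip()
    if vendor == "Unknown owner":         # binary carries no recognised company name
        flags.append("unknown owner")
    if r"\\" in path:                     # doubled separator: a malformed or odd path
        flags.append("doubled backslash in path")
    return Entry(section, kind, name, vendor, path, flags)


def flagged_entries(log: str) -> List[Entry]:
    """Return only the lines a reviewer should look at more closely."""
    parsed = (parse_line(l) for l in log.splitlines())
    return [e for e in parsed if e is not None and e.flags]
```

Every flag is a prompt to check the file, not a verdict; legitimate software (the Messenger entry above) produces them too.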

#10
Guest_usetobe_*
  • Guest
Hi Shannon,

The bad news is our relationship will have to come to an end. oh :)

The good news is you should be dancing ;)

From your log, I see nothing in the way of trojans, nor any evil entities attempting to possess your computer, except for Windows, but it's too late for that one. ;)

Congratulations, your log now appears to be clean. :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice: So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
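To make the hosts-file mechanism described above concrete, here is an added Python example (not part of the thread, and not the MVPS file or tooling). It parses a constructed hosts-file sample, answers whether a name is sinkholed to the local machine, and also audits for the opposite case: a name pointed at a remote address, which is how a hosts file itself gets hijacked.

```python
import ipaddress
from typing import Dict

# Constructed sample in the hosts-file format the MVPS file uses (not the real MVPS list).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   ads.example.net        # sinkholed ad server
0.0.0.0     tracker.example.org www.tracker.example.org
203.0.113.7 www.mybank.example     # a hijack: a real name pointed at a remote address
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the hosts file pins it to."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)            # ValueError on a malformed entry
        for name in names:
            table[name.lower()] = addr
    return table


def _is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified   # 127.x.x.x or 0.0.0.0


def is_sinkholed(table: Dict[str, str], hostname: str) -> bool:
    """True if the hosts file sends this name to the local machine, i.e. blocks it."""
    addr = table.get(hostname.lower().rstrip("."))
    return addr is not None and _is_local(addr)


def suspicious_entries(table: Dict[str, str]) -> Dict[str, str]:
    """Entries that redirect a name to a remote address: the classic hosts-file hijack."""
    return {n: a for n, a in table.items() if not _is_local(a)}
```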

#11
shannongray
  • Topic Starter
  • Member
  • 6 posts
Sweet!!

Although I will miss our interactions, I must admit I am indeed dancing ;)

Thanks Again UseToBe!! You're my hero. :tazz:


Shannon

#12
Guest_usetobe_*
  • Guest
Hi Shannon,

Thanks for your very kind donation.

As this matter has now been resolved this topic will be closed, however if you need it to be reopened, just PM a moderator.

If I can be of assistance to you in the future, just send me a PM. It would be a pleasure to speak to you again. :tazz:

Regards,


Usetobe