Please help remove Nail.EXE [RESOLVED]

#1 reiterd (Member, 22 posts)

Logfile of HijackThis v1.99.1
Scan saved at 10:17:43 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.

Download ETRemover and unzip it. Don't run it yet.

Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe


Close all open windows except for HijackThis and click Fix Checked.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\rqrlcn\
C:\windows\system32\elitealp32.exe
c:\windows\system32\eilirrb.exe


Run ETRemover.exe now.

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.
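The two kinds of entries the instructions above single out are the persistence points of this infection. The F2 line is the Winlogon Shell value, which HijackThis reports under its legacy system.ini name: Winlogon starts everything listed there at logon, so C:\WINDOWS\Nail.exe runs alongside Explorer every time the user logs in. The O4 lines are Run-key autostarts whose targets sit directly in System32 or in a randomly named subfolder of it. The Python below is an added example, not part of this thread and not something HijackThis does: it parses HijackThis-format lines, flags those two patterns, and compares two logs to show which flagged entries survived a cleanup round. The sample lines are copied from the first log in this thread; the allowlist of system autoruns and the flagging heuristics are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the F2 line and six O4 lines copied from the first
# HijackThis log in this thread. Nothing here came from a live machine.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".strip().splitlines()

# HijackThis reports the Winlogon Shell value under its legacy system.ini name.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run[^:]*): \[([^\]]+)\] (.+)$")

# Assumption of this example: Microsoft autoruns that legitimately live in
# System32 and may appear under a Run key (ctfmon.exe is the usual one on XP).
KNOWN_SYSTEM_AUTORUNS = {"ctfmon.exe"}

Finding = Tuple[str, str, str]  # (entry label, executable path, reason)


def executable_path(command: str) -> str:
    """Program a Run-key command launches, minus quotes and arguments.
    Unquoted paths with spaces (common in these logs) are cut at the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def check_shell(value: str) -> List[str]:
    """Everything chained onto the Shell value besides explorer.exe. Winlogon
    starts each program listed here at logon, so deleting the file on disk
    without also clearing this value leaves the launcher in place."""
    return [t for t in value.split() if t.lower() != "explorer.exe"]


def check_run(path: str) -> Optional[str]:
    """Why an autorun target deserves a look, or None. Only targets under the
    Windows directory are judged; Program Files entries are left to the analyst."""
    p = path.lower()
    m = re.match(r"^[a-z]:\\windows\\(.+)$", p)
    if not m:
        return None
    parts = m.group(1).split("\\")  # path components relative to the Windows dir
    if parts[-1] in KNOWN_SYSTEM_AUTORUNS:
        return None
    if parts[0] == "system32" and len(parts) > 2:
        return "runs from a subfolder of System32, where Run-key programs do not normally live"
    if len(parts) == 1 or (parts[0] == "system32" and len(parts) == 2):
        return "executable placed directly in the Windows or System32 directory and not a known system autorun"
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Flag the persistence entries in HijackThis-format lines."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = SHELL_RE.match(line)
        if m:
            for extra in check_shell(m.group(1)):
                findings.append(("F2 Winlogon Shell", extra, "extra program chained onto the Shell value"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            target = executable_path(command)
            reason = check_run(target)
            if reason:
                findings.append((f"O4 {hive}\\..\\{key} [{name}]", target, reason))
    return findings


def still_present(before: List[str], after: List[str]) -> List[Finding]:
    """Findings from an earlier log that a later log still shows: the quickest
    way to see that a cleanup round changed nothing, as happened in this thread."""
    later = {f[1].lower() for f in triage(after)}
    return [f for f in triage(before) if f[1].lower() in later]


if __name__ == "__main__":
    for label, target, reason in triage(SAMPLE_LOG):
        print(f"{label}\n    {target}\n    -> {reason}")
```

Feed it the F2/O4 section of two logs taken before and after a cleanup attempt and `still_present` lists exactly the entries the attempt did not touch; an empty list is the condition the expert is waiting for before moving on to the EliteBar entries.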

#3 reiterd (Topic Starter, Member, 22 posts)

It's still there...

Logfile of HijackThis v1.99.1
Scan saved at 12:46:43 PM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 reiterd (Topic Starter, Member, 22 posts)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:30:27 PM, 5/21/2005
+ Report-Checksum: 59EDF4ED

+ Date of database: 5/21/2005
+ Version of scan engine: v3.0

+ Duration: 79 min
+ Scanned Files: 39638
+ Speed: 8.34 Files/Second
+ Infected files: 26
+ Removed files: 13
+ Files put in quarantine: 13
+ Files that could not be opened: 0
+ Files that could not be cleaned: 13

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\
C:\

+ Scan result:
C:\WINDOWS\system32\admxaic\fnfpu.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\aynik\liyaw.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\heaha\muuhppa.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\icuan\pgnui.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\juqxswo\qcueuty.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\nihha\qyekkrmb.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\nlwywc\bcswmm.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\rqrlcn\efqqk.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\ugxuy\bvqdi.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\uxfp\cemwrfdh.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\wcbgxi\vkkbmgri.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\wlux\xdqbxgv.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\yxvrl\rscqmy.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\admxaic\fnfpu.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\aynik\liyaw.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\heaha\muuhppa.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\icuan\pgnui.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\juqxswo\qcueuty.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\nihha\qyekkrmb.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\nlwywc\bcswmm.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\rqrlcn\efqqk.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\ugxuy\bvqdi.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\uxfp\cemwrfdh.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\wcbgxi\vkkbmgri.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\wlux\xdqbxgv.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\yxvrl\rscqmy.exe -> TrojanDownloader.Agent.nw -> Error during cleaning


::Report End
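The report above lists every path twice, once as "Cleaned with backup" and again as "Error during cleaning", which is why the header counts 26 infected files for 13 distinct executables. When reconciling a scanner report against a cleanup, the questions are which paths ended in a failure state, which folders they were dropped into (the randomly named System32 subfolders the expert has KillBox delete whole), and which of the failed paths are also wired into an autostart; here C:\WINDOWS\System32\rqrlcn\efqqk.exe is both uncleaned and launched by an O4 Run entry in the HijackThis log. The Python below is an added example, not part of this thread and not ewido's own code: it parses result lines in the report's format (a constructed excerpt of the lines above), keeps the status history per path, and cross-references the unresolved ones against a caller-supplied list of autorun targets.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the ewido report posted above: five of its 26 result
# lines, kept in the report's order (all "Cleaned" lines precede the errors).
SAMPLE_REPORT = r"""
+ Infected files: 26
+ Files that could not be cleaned: 13

+ Scan result:
C:\WINDOWS\system32\admxaic\fnfpu.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\rqrlcn\efqqk.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\wlux\xdqbxgv.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\admxaic\fnfpu.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
C:\WINDOWS\system32\rqrlcn\efqqk.exe -> TrojanDownloader.Agent.nw -> Error during cleaning
""".strip().splitlines()

# Autorun targets as the thread's HijackThis O4 lines show them (constructed list).
SAMPLE_AUTORUNS = [
    r"C:\WINDOWS\System32\rqrlcn\efqqk.exe",
    r"C:\windows\system32\elitealp32.exe",
]

# "<path> -> <detection name> -> <status>" is the only line shape we care about;
# the "+ ..." header lines do not start with a drive letter and are skipped.
RESULT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<detection>.+?) -> (?P<status>.+)$")

History = Dict[str, List[Tuple[str, str]]]  # path -> [(detection, status), ...]


def parse_results(lines: List[str]) -> History:
    """Group every (detection, status) the scanner reported, per path, in report order."""
    results: History = defaultdict(list)
    for line in lines:
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group("path")].append((m.group("detection"), m.group("status")))
    return dict(results)


def summary(results: History) -> Tuple[int, int]:
    """(distinct paths, result lines): shows why a header can say 26 for 13 files."""
    return len(results), sum(len(hist) for hist in results.values())


def unresolved(results: History) -> List[str]:
    """Paths whose final recorded status is not a successful clean, removal or quarantine."""
    ok = ("cleaned", "removed", "quarantined")
    return sorted(p for p, hist in results.items() if not hist[-1][1].lower().startswith(ok))


def dropper_folders(results: History) -> List[str]:
    """Parent folders of the reported files: the randomly named System32
    subfolders (rqrlcn and friends in this thread) to delete as a whole."""
    return sorted({p.rsplit("\\", 1)[0] for p in results})


def autorun_overlap(unresolved_paths: List[str], autorun_targets: List[str]) -> List[str]:
    """Unresolved paths that an autorun entry also launches. Deleting the file
    alone is not enough for these: the Run value must go as well."""
    targets = {t.lower() for t in autorun_targets}
    return [p for p in unresolved_paths if p.lower() in targets]


if __name__ == "__main__":
    results = parse_results(SAMPLE_REPORT)
    print("distinct paths, result lines:", summary(results))
    print("unresolved:", *unresolved(results), sep="\n  ")
    print("folders to remove:", *dropper_folders(results), sep="\n  ")
    print("unresolved and autostarted:", *autorun_overlap(unresolved(results), SAMPLE_AUTORUNS), sep="\n  ")
```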

#5 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Hmm. Did you do the HijackThis fixes at all? It's the same exact result here.

I want you to redo all those again (including running Ewido) and then make sure you do the fixes and deletions for HijackThis.

#6 reiterd (Topic Starter, Member, 22 posts)

Yes, I did it all again! It looks like it's deleted in Safe Mode, but when I reboot back to Windows, it comes back again. It's been like this for the past month, and I have tried all possible ways from many, many websites. Please advise!

#7 reiterd (Topic Starter, Member, 22 posts)

Logfile of HijackThis v1.99.1
Scan saved at 10:47:34 PM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#8 reiterd (Topic Starter, Member, 22 posts)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:46:13 PM, 5/21/2005
+ Report-Checksum: E55270B2

+ Date of database: 5/21/2005
+ Version of scan engine: v3.0

+ Duration: 91 min
+ Scanned Files: 59739
+ Speed: 10.85 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\
C:\
C:\

+ Scan result:
No infected files found!


::Report End

#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

OK, you still have the EliteBar problem there, but let's see if we can get rid of nail/aurora first.

**Note** DO NOT REBOOT the computer during the removal process. If you do, the filenames will change. If you can't leave the computer on now, I suggest not running the logs below yet. Wait until you can leave it on.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here along with the new HijackThis log.

Just to let you know, I probably won't be back until late tomorrow evening. I will try to check back here this evening, but I have a final exam to study for, so if you don't hear from me today or tomorrow morning, wait until the evening.

#10 reiterd (Topic Starter, Member, 22 posts)

OK, I'll wait for you... this is the log.

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 05/22/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is B03A-7D9D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is B03A-7D9D

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».

#11 reiterd (Topic Starter, Member, 22 posts)

Logfile of HijackThis v1.99.1
Scan saved at 7:19:11 PM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FSI\F-Prot\F-StopW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe


Close all open windows except for HijackThis and click Fix Checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\rqrlcn\efqqk.exe
C:\WINDOWS\System32\rqrlcn\
C:\windows\system32\elitealp32.exe
c:\windows\system32\eilirrb.exe


Run ETRemover.exe now.

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

If they still come back, do this also:

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune....ads/KillBox.exe
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Download the remv3.zip at http://forums.skads....hp?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Run CleanUp program now and logoff.

REBOOT TO SAFE MODE. These tools MUST be run in safe mode!
Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved the remv3.zip files, double-click the rem.bat file and let it run. It will delete the files and remove the infection, and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.

**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.


#13 reiterd (Topic Starter, Member, 22 posts)

My HijackThis log in Safe Mode:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:01 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#14 reiterd (Topic Starter, Member, 22 posts)

In Normal Mode:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:36 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#15 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Just post the log from Normal Mode.

OK, let's try this again:

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [efqqk] C:\WINDOWS\System32\rqrlcn\efqqk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitealp32.exe
O4 - HKLM\..\Run: [pgnmeq] c:\windows\system32\eilirrb.exe


Close all open windows except for HijackThis and click Fix Checked.

Run ETRemover.exe now.

Delete these if found:

C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\rqrlcn\
C:\windows\system32\elitealp32.exe
c:\windows\system32\eilirrb.exe


Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.