Geez, I got pwned.



#1
akashhhhhh
    New Member
  • Member
  • 2 posts
...

Edited by akashhhhhh, 07 November 2005 - 11:07 PM.



#2
-=jonnyrotten=-
    Member 2k
  • Retired Staff
  • 2,678 posts
Yep you did get pwned :tazz: We'll fix you up though.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

-=jonnyrotten=- ;)

#3
akashhhhhh
    New Member
  • Topic Starter
  • Member
  • 2 posts
...

Edited by akashhhhhh, 09 March 2006 - 04:11 AM.


#4
-=jonnyrotten=-
    Member 2k
  • Retired Staff
  • 2,678 posts
Open up Hijack This and place a check in the box next to this entry:

O4 - HKLM\..\Run: [qmodozk] c:\windows\system32\mmdikg.exe

Now click the "Fix Checked" button.

Did you run the .bat file I showed you how to make in my earlier post? More importantly did you run it in "Safe Mode"? That file is what removes this entry:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Now we can try to remove it with Hijack This all day long, but it will not work. Try copying the text again from the quote box in my earlier post and creating the remove.bat file again. Then reboot into Safe Mode and double-click it. When finished, reboot normally and post a new Hijack This log. You may want to just go through with all of the previous instructions again in the same order, but this time remove the O4 entry mentioned above with Hijack This first. Let me know how this goes :tazz:

-=jonnyrotten=- ;)
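The two HijackThis entries quoted in this thread (the F2 line where Shell= launches C:\WINDOWS\Nail.exe after Explorer.exe, and the O4 Run entry for mmdikg.exe) are the kind of thing a helper spots by eye; they can also be picked out of a log mechanically. Below is an added Python example, not code from this thread, from HijackThis or from Ewido, that parses HijackThis-style F2 and O4 lines, flags a Shell= value that starts anything besides Explorer.exe, and flags Run entries whose program is one of the file names from jonnyrotten's removal instructions or is the same file that was injected into Shell=. The sample log lines are constructed for the example, the indicator list is taken from the thread, and the two regular expressions assume the line shapes shown in the thread.

```python
import re
from dataclasses import dataclass

# File names named in jonnyrotten's removal instructions above (matched case-insensitively).
THREAD_INDICATORS = {"nail.exe", "svcproc.exe", "drpmon.dll", "mmdikg.exe"}

# Constructed sample log lines, modelled on the two entries quoted in the thread;
# this is not the poster's real HijackThis log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [qmodozk] c:\windows\system32\mmdikg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\Nail.exe
"""

# Line shapes assumed from the entries quoted in the thread.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str    # "shell_hijack" or "run_entry"
    detail: str  # what was matched
    line: str    # the offending log line


def _basename(path: str) -> str:
    """Lower-case file name of a path, whichever separator it uses."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _command_exe(cmd: str) -> str:
    """First program in a Run command: the quoted path if quoted, else the first token."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def shell_extras(value: str) -> list[str]:
    """Programs in a system.ini Shell= value other than the default Explorer.exe.

    A clean system has exactly Explorer.exe here; the thread's Shell= line has
    Nail.exe appended so that it starts with every logon, which is why fixing the
    O4 entry alone does not remove the infection.
    """
    return [tok for tok in value.split() if _basename(tok) != "explorer.exe"]


def scan_hijackthis(text: str) -> list[Finding]:
    """Flag Shell= hijacks and suspicious O4 Run entries in HijackThis-style log text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings: list[Finding] = []
    hijacked: set[str] = set()  # file names injected into Shell=, for cross-referencing

    # Pass 1: the F2 Shell= line, so Run entries can be compared against it.
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            extras = shell_extras(m.group("value"))
            if extras:
                hijacked.update(_basename(e) for e in extras)
                findings.append(Finding("shell_hijack", ", ".join(extras), line))

    # Pass 2: O4 Run entries whose program is a thread indicator or the injected shell.
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        exe = _basename(_command_exe(m.group("cmd")))
        if exe in THREAD_INDICATORS or exe in hijacked:
            findings.append(Finding("run_entry", f"[{m.group('name')}] -> {exe}", line))
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"{f.kind:13} {f.detail:40} {f.line}")
```

On the constructed log this reports the Shell= hijack once and two Run entries (mmdikg.exe, and Nail.exe because it is both a thread indicator and the injected shell), while the ordinary SoundMan entry is left alone. The two-pass design matters: the Shell= line is read first so that a Run entry pointing at the same file is caught even if the log lists it earlier.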