nail.exe, slipit.exe, dreese.exe & msdirectx.sys [CLOSED]


  • This topic is locked

#1
yarivk
    New Member
  • 1 posts
Hi,

I'm connecting my PC to the Internet for the first time and almost immediately it starts to work slowly.
I've AVG anti-virus software and Microsoft AntiSpyware installed on my PC.
After running AVG, it finds Nail.exe, Slipit.exe, Dreese.exe and msdirectx.sys.
I deleted them, and after restarting the PC they come back again (and again ...).
I'm using Windows XP as the operating system.
After reading a little on this site, I installed and ran Ewido Security Suite and HijackThis.

See below the log files from both the Ewido and the HijackThis software.
Ewido Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:43:51 PM, 7/18/2005
+ Report-Checksum: 118671BD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4FE82BA0-9335-4D4E-8E98-76409A88F2C1} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{ACE5B10B-92A3-4103-8583-3684BB09409F} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{487E7682-B976-41FB-A944-E8B83689A454} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\20PSJADA\slipit[1].exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\Documents and Settings\Keren\Cookies\keren@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Keren\Local Settings\Temporary Internet Files\Content.IE5\O3U5SPCX\defrag[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Keren\Local Settings\Temporary Internet Files\Content.IE5\O3U5SPCX\slipit[1].exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\Documents and Settings\Keren\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0X2HMN6L\ra[1].exe/raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup
C:\Documents and Settings\Sheer & Noam\Desktop\temp532.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Sheer & Noam\Local Settings\Temporary Internet Files\Content.IE5\IH8XMNY3\Israel[1].exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Sheer & Noam\Local Settings\Temporary Internet Files\Content.IE5\S3ULY7W9\defrag[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Sheer & Noam\Local Settings\Temporary Internet Files\Content.IE5\S3ULY7W9\ra[1].exe/raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup
C:\Documents and Settings\Sheer & Noam\Local Settings\Temporary Internet Files\Content.IE5\S3ULY7W9\slipit[1].exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Cookies\yariv keidar@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Local Settings\Temp\180sainstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Local Settings\Temp\ICD1.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.kn : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Local Settings\Temp\nst16.EXE -> Spyware.SmartPops : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Local Settings\Temp\Temporary Internet Files\Content.IE5\0T2BK9MF\defrag[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Yariv Keidar\Local Settings\Temp\Temporary Internet Files\Content.IE5\JKPT9VJR\slipit[1].exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\msset32.exe -> TrojanDownloader.WinAD.h : Cleaned with backup
C:\Program Files\Media Gateway\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\03DC3868-9ACA-4F0D-AF2C-BAC6FC\4A851089-F414-49B0-B449-98C7AC -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\03DC3868-9ACA-4F0D-AF2C-BAC6FC\5F8D80E8-FDD7-4576-B08E-7D58D6 -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\03DC3868-9ACA-4F0D-AF2C-BAC6FC\61121C09-794B-4911-B0EB-065453 -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\03DC3868-9ACA-4F0D-AF2C-BAC6FC\E8A5D83F-85E8-40C7-8288-6F62CF -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\043C8777-34FB-4601-BCA8-D6DABE\B9AF5B2E-1C00-4208-B645-88414C -> Adware.SAHA : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\05D919F9-7A8B-4E6D-98EB-3245FD\122DA281-76C2-422B-835F-F95603 -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\05D919F9-7A8B-4E6D-98EB-3245FD\AC5F363D-27EE-4C77-B08A-2EAEE6 -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\09A845E7-3243-4D3B-8255-DCFEA5\B33BF596-E526-46D9-832B-3A66FB -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2FDEA0B2-728E-405F-8771-85AAC1\08CB125A-CE8C-4DB2-B019-662A12 -> Spyware.MediaTickets : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\82B4595F-00A2-417A-850B-3D9846\22E07230-3DE2-4ED3-BD8D-56E883 -> Spyware.EliteBar : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\96B280C3-9FA8-4DA8-A7A5-1FA605\7A3FC801-1042-4E31-A3DC-A5C8D2 -> Spyware.WeirWeb : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A8E76609-33CE-4C66-83CE-6FD3D8\3ED42A33-42E4-4633-87C8-6919CE -> Spyware.WeirWeb : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C95771D3-A40D-4233-A014-C6988F\43ACCACA-B1CF-4577-BE3D-62EF75 -> Spyware.EliteBar : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D5F4A4D1-A1C3-47DF-A5CD-901584\51AA6F32-22B2-4BD4-8923-4929A1 -> Spyware.180Solutions : Cleaned with backup
C:\setfrd32.exe -> TrojanDownloader.WinAD.h : Cleaned with backup
C:\WINDOWS\addins\raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\defrag.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\WINDOWS\kiudiyd.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ktk8hj7f.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\nurlikmgic.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\slipit.exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\WINDOWS\system32\212g33et.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O3U5SPCX\defrag[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O3U5SPCX\Israel[1].exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ULY7W9\bridge-c18[1].cab/MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ULY7W9\Israel[1].exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\gtl1gsun.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\li32.exe -> Trojan.Crypt.d : Cleaned with backup
C:\WINDOWS\system32\msn8m.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\mspool.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\rt9u18ks.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\system32\svghosts.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\temp532.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\winssh.exe -> Trojan.Crypt.d : Cleaned with backup
C:\WINDOWS\system32\xlvksolr.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system65.exe/raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\plug1ng\island.exe -> Backdoor.Cl4 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\plug1ng\v1r3 -> Backdoor.IRC.Mox.a : Cleaned with backup
D:\From Orbotech\My Pictures\TEMP\Perfect Keylogger Lite.exe/Setup.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Old4\Old_HD\C\Yariv\programs\Perfect Keylogger Lite.exe/Setup.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Old4\Old_HD\C\Yariv\programs\serials2000\handyfun.exe -> Heuristic.Win32.Dialer : Cleaned with backup
D:\Old4\Program Files\Perfect Keylogger Lite\bpk.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Old4\Program Files\Perfect Keylogger Lite\bsdhooks.dll -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Old4\Program Files\Perfect Keylogger Lite\lview.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Old4\Program Files\Perfect Keylogger Lite\uninstall.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup


::Report End

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:04:11 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
D:\PC cleaners\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mypctuneup.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\Run: [Microsoft Security Panagers] xlvksolr.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [MSN8m Startup] msn8m.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [rt9u18ks] C:\WINDOWS\System32\rt9u18ks.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Network Access] winssh.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [System Service] mspool.exe
O4 - HKLM\..\Run: [li start up] li32.exe
O4 - HKLM\..\RunServices: [MSN8m Startup] msn8m.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\RunServices: [Microsoft Security Panagers] xlvksolr.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] FEnR.exe
O4 - HKLM\..\RunServices: [SERV PacK2] vcmcg.exe
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O4 - HKLM\..\RunServices: [System Service] mspool.exe
O4 - HKLM\..\RunServices: [li start up] li32.exe
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MSN8m Startup] msn8m.exe
O4 - HKCU\..\Run: [li start up] li32.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [li start up] li32.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.i.../launcher39.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\PC cleaners\ewido\security suite\ewidoctrl.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\system32\mspool.exe (file missing)
O23 - Service: Universal Serial Bus Control Protocol (pnpext) - Unknown owner - C:\WINDOWS\addins\svchost.exe
O23 - Service: Srv32 - Unknown owner - C:\WINDOWS\system32\srv32.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



I would appreciate your help.

Thanks in advance
Yariv
;)
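Added example (not part of the original post, and not ewido or HijackThis code): a small Python script that reads the two logs above and flags the autostart entries that explain why the files keep coming back after a reboot. The sample lines embedded in it are copied from the logs in this post. The heuristics are my own rules of thumb, not a scanner classification: bare executable names in Run keys, RunServices entries on an NT-family platform, a Winlogon Shell= value with anything beyond Explorer.exe, and services with an unknown owner, a missing file, or a system binary name outside \system32. Each hit is then cross-referenced against the ewido results by file name.

```python
"""Flag persistence entries in a HijackThis 1.99 log and cross-reference them
against the files an ewido scan reported.  Added example; the heuristics are
the author's rules of thumb, not an ewido/HijackThis classification."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Constructed sample: a subset of the lines from the two logs in the post above.
HJT_LOG = r"""
Platform: Windows XP SP1 (WinNT 5.01.2600)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Security Panagers] xlvksolr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Network Access] winssh.exe
O4 - HKLM\..\RunServices: [MSN8m Startup] msn8m.exe
O4 - HKLM\..\RunServices: [System Service] mspool.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\system32\mspool.exe (file missing)
O23 - Service: Universal Serial Bus Control Protocol (pnpext) - Unknown owner - C:\WINDOWS\addins\svchost.exe
"""
EWIDO_LOG = r"""
C:\WINDOWS\slipit.exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\WINDOWS\system32\msn8m.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\mspool.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\winssh.exe -> Trojan.Crypt.d : Cleaned with backup
C:\WINDOWS\system32\xlvksolr.exe -> Backdoor.Rbot : Cleaned with backup
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.+)$")
EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")

# Names that belong in \system32; a copy elsewhere is masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "explorer.exe"}


def first_executable(cmd):
    """Return the executable part of an autostart command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_ewido(text):
    """Map lower-cased file basename -> (on-disk path, detection name)."""
    cleaned = {}
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            # ewido writes "container.exe/inner.exe" for a file inside an archive;
            # the part before "/" is what exists on disk.
            path = m.group("path").split("/")[0]
            cleaned.setdefault(basename(path), (path, m.group("detection")))
    return cleaned


def analyze(hjt_text, ewido_text=""):
    """Return Finding(line, reason) for every suspicious persistence entry."""
    cleaned = parse_ewido(ewido_text)
    nt_platform = "WinNT" in hjt_text
    findings = []

    def note(line, reason, exe):
        if basename(exe) in cleaned:
            path, det = cleaned[basename(exe)]
            reason += f"; ewido already flagged {path} as {det}, yet this autostart entry survived"
        findings.append(Finding(line, reason))

    for line in hjt_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            extra = [t for t in m.group("shell").split() if basename(t) != "explorer.exe"]
            if extra:
                note(line, "Winlogon Shell runs " + ", ".join(extra) +
                     " alongside Explorer, so it is re-launched at every logon", extra[0])
        elif m := O4_RE.match(line):
            exe = first_executable(m.group("cmd"))
            reasons = []
            if "\\" not in exe:
                reasons.append("bare executable name resolved via the search path; real location hidden")
            if nt_platform and m.group("key").lower().startswith("runservices"):
                reasons.append("RunServices is a Windows 9x/Me key; XP software does not use it")
            if reasons:
                note(line, "; ".join(reasons), exe)
        elif m := O23_RE.match(line):
            path, reasons = m.group("path"), []
            if m.group("owner") == "Unknown owner":
                reasons.append("service binary with no known vendor")
            if path.endswith("(file missing)"):
                path = path[: -len("(file missing)")].strip()
                reasons.append("service points to a deleted file: the registry key outlived the cleaning")
            if basename(path) in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
                reasons.append(f"{basename(path)} masquerading outside \\system32")
            if reasons:
                note(line, "; ".join(reasons), path)
    return findings


if __name__ == "__main__":
    for f in analyze(HJT_LOG, EWIDO_LOG):
        print(f.line)
        print("    ->", f.reason)
```

Run as-is to print the findings. The bare-name rule also trips on SOUNDMAN.EXE, a common and legitimate Realtek audio entry, which is why the cross-reference matters: xlvksolr.exe, winssh.exe, msn8m.exe and mspool.exe all match files ewido already cleaned, while the F2 Shell= hook for Nail.exe and the two O23 services are entries no scanner in this thread touched, so they are where manual cleanup has to go.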


#2
Kristy
    Visiting Consultant
  • 1,099 posts
Hello and welcome to Geeks to Go!

+++++ Step 1 +++++

Please run an online virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

+++++ Step 2 +++++

Update HiJackThis
  • Open HiJackThis
  • Click Open the Misc Tools Section
  • Click Check for update online
+++++ Step 3 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have received help elsewhere or no longer need our assistance, please let us know.

#3
Kristy
    Visiting Consultant
  • 1,099 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.