Nail.exe [RESOLVED]


#16
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
Yes, I did everything you told me, except for that Notepad report; I still didn't get it :tazz:

Oops, HJT doesn't want to remove it. I tried removing it 3 times now but it doesn't... ;)

Edited by ENVY88, 12 August 2005 - 05:07 PM.

  • 0

#17
Guse

    Visiting Staff

  • Member
  • 624 posts
So you've run it more than once and can't get the notepad file?
  • 0

#18
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
Yes, I just did it again after restarting the computer, and nothing yet... nothing at all... ;)
No notepad is opening... hmm... :tazz:

Edited by ENVY88, 13 August 2005 - 08:34 AM.

  • 0

#19
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
HELLOOOOOOO! Sorry, are you still gonna help me? :tazz:
  • 0

#20
Guse

    Visiting Staff

  • Member
  • 624 posts
Yeah, sorry.

Weekends can be sorta busy for me sometimes, what with the pregnant wife and all. Don't panic. I won't abandon you. :tazz:

The last log you posted was essentially clean, but the Find It is just to make sure that everything is gone. If we can't use that, I guess the next step would be to ask you how your computer is acting.

Are you still having the same problems (aside from FindIt)? Can you post me another log? I know it seems repetitive, but I'd like to see first hand if Nail has returned.

The most important part of your next post is your description of the problems. Are they still there? But don't forget that log as well.
  • 0

#21
Guse

    Visiting Staff

  • Member
  • 624 posts

Have the user update their Win2K, they should be at SP4 for this....That should clear up the Findit's problem...

That's from a moderator here. Try that to see if it works.
  • 0

#22
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi, sorry about taking so long...
What log would you like to see, HJT or EWIDO? :)
When the computer was infected with NAIL and AURORA I hadn't noticed anything going wrong until I opened Task Manager.. That's when I realised something was wrong! I saw unfamiliar processes running and checked them out on the internet and nothing came up, so I got the message from my head that I have to check with you guys... The computer runs normal, like before NAIL :) Here's the HJT log; if this is not the one you want to see, just tell me :tazz:

HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 0:24:29, on 19.08.2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version! (6.0)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINNT\System32\LVCOMSX.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\AOL 8.0\waol.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\HJT\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLitenew\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLitenew\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB818460-6F2E-44DD-A9BC-14F10AC229EE}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Edited by ENVY88, 18 August 2005 - 05:24 PM.

  • 0

#23
Guse

    Visiting Staff

  • Member
  • 624 posts
Yup, that's the one I wanted. Humor me and let's get rid of that O23 entry really quick (the one from the virus that won't go away).

Download and run Service Filter:
  • Please download ServiceFilter.
  • Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
  • Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
  • If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
  • It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
  • Press Ctrl + A simultaneously to select all of the text.
  • Copy and paste the whole thing into your next post.
  • A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

Edited by Guse, 18 August 2005 - 06:43 PM.

  • 0

#24
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
Ok, all done..

Log:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195
August 19, 2005 2:24:06


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AOL ACS
Display Name: AOL Connectivity Service
Start Mode: Auto
Start Name: LocalSystem
Description: AOL Connectivity ...
Service Type: Own Process
Path: "c:\program files\common files\aol\acs\aolacsd.exe"
State: Running
Process ID: 636
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: AOLService
Display Name: AOL Spyware Protection Service
Start Mode: Auto
Start Name: LocalSystem
Description: AOL Spyware Protection ...
Service Type: Own Process
Path: c:\program files\common files\aol\aol spyware protection\\aolserv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: Ati HotKey Poller
Display Name: Ati HotKey Poller
Start Mode: Auto
Start Name: LocalSystem
Description: Ati HotKey ...
Service Type: Own Process
Path: c:\winnt\system32\ati2evxx.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: btwdins
Display Name: Bluetooth Service
Start Mode: Auto
Start Name: LocalSystem
Description: Bluetooth ...
Service Type: Own Process
Path: c:\program files\bluetooth software\bin\btwdins.exe
State: Running
Process ID: 724
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 5
Service Name: EPSONStatusAgent2
Display Name: EPSON Printer Status Agent2
Start Mode: Auto
Start Name: LocalSystem
Description: EPSON Printer Status ...
Service Type: Own Process
Path: c:\program files\common files\epson\ebapi\sagent2.exe
State: Running
Process ID: 744
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 6
Service Name: ewido security suite control
Display Name: ewido security suite control
Start Mode: Auto
Start Name: LocalSystem
Description: ewido security suite ...
Service Type: Own Process
Path: c:\program files\ewido\security suite\ewidoctrl.exe
State: Start Pending
Process ID: 780
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Machine Debug ...
Service Type: Own Process
Path: "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 836
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 8
Service Name: MpfService
Display Name: McAfee Personal Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: McAfee Personal Firewall ...
Service Type: Own Process
Path: c:\progra~1\mcafee.com\person~1\mpfservice.exe
State: Running
Process ID: 916
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service #9
Service Name: navapsvc
Display Name: Norton AntiVirus Auto Protect Service
Start Mode: Auto
Start Name: LocalSystem
Description: Norton AntiVirus Auto Protect ...
Service Type: Own Process
Path: "c:\program files\norton antivirus\navapsvc.exe"
State: Running
Process ID: 908
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #10
Service Name: NProtectService
Display Name: Norton Unerase Protection
Start Mode: Auto
Start Name: LocalSystem
Description: Norton Unerase ...
Service Type: Own Process
Path: c:\program files\norton antivirus\advtools\nprotect.exe
State: Running
Process ID: 972
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #11
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Auto
Start Name: LocalSystem
Description: SAVScan...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Running
Process ID: 996
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 12
Service Name: SNDSrvc
Display Name: Symantec Network Drivers Service
Start Mode: Manual
Start Name: LocalSystem
Description: Symantec Network Drivers ...
Service Type: Own Process
Path: c:\program files\common files\symantec shared\sndsrvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 13
Service Name: SvcProc
Display Name: SvcProc
Start Mode: Unknown
Start Name:
Description: SvcProc...
Service Type: Unknown
Path:
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 14
Service Name: WANMiniportService
Display Name: WAN Miniport (ATW) Service
Start Mode: Auto
Start Name: LocalSystem
Description: WAN Miniport (ATW) ...
Service Type: Own Process
Path: "c:\winnt\wanmpsvc.exe"
State: Running
Process ID: 880
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 75 Win32 services on this machine.
14 were unrecognized.

Script Execution Time: 44,68457 seconds.
  • 0

#25
Guse

    Visiting Staff

  • Member
  • 624 posts
1. I really would like to see a FindIt's log. Can you please visit this link and download/install the service pack. Without the FindIt's log, there's no way to guarantee this thing is gone.

2.
  • Open HijackThis.
  • Click the Config button.
  • Click the Misc Tools button.
  • Select Delete an NT service.
  • Copy and paste the following into the box:
    SvcProc
  • Click Ok.

  • 0
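Post #23 singles out the O23 entry whose path ends in "(file missing)", and post #25 has the user paste that service's short name (SvcProc) into HijackThis's "Delete an NT service" box. The Python below is an added example, not code from the thread, from HijackThis or from ServiceFilter: it parses both report formats the thread uses, cross-checks a service's HijackThis O23 line against its ServiceFilter block, and derives the list of orphaned services a helper would ask to have deleted. The two log samples are constructed in the shape of the posted logs and are not the full logs from the page; the verdict labels ("orphan", "check", "benign") are this example's own.

```python
"""Cross-check a HijackThis O23 listing against a ServiceFilter report.

Both samples below are constructed for this example in the shape of the
logs posted in the thread; they are not the full logs from the page.
"""
import re

# Constructed sample: four O23 lines in HijackThis 1.99.1 format.
HJT_SAMPLE = r"""
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
"""

# Constructed sample: four "Unknown Service" blocks in ServiceFilter 1.1 format.
SF_SAMPLE = r"""
---> Begin Service Listing <---

Unknown Service # 1
Service Name: AOL ACS
Display Name: AOL Connectivity Service
Start Mode: Auto
Path: "c:\program files\common files\aol\acs\aolacsd.exe"
State: Running

Unknown Service # 2
Service Name: Ati HotKey Poller
Display Name: Ati HotKey Poller
Start Mode: Auto
Path: c:\winnt\system32\ati2evxx.exe
State: Stopped

Unknown Service # 3
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Path: "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
State: Running

Unknown Service # 4
Service Name: SvcProc
Display Name: SvcProc
Start Mode: Unknown
Path:
State: Stopped

---> End Service Listing <---

Script Execution Time: 44,68457 seconds.
"""

# O23 line: display name, optional "(short name)", vendor, path, optional marker.
# The display name is matched lazily so names containing parentheses
# ("WAN Miniport (ATW) Service") still pick up the trailing short name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_o23(log_text):
    """Map lower-cased service short name -> fields from its O23 line."""
    services = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        # When HijackThis prints no "(short name)", the display name is the name.
        name = m.group("name") or m.group("display")
        services[name.lower()] = {
            "name": name,
            "display": m.group("display"),
            "owner": m.group("owner"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        }
    return services


def parse_servicefilter(text):
    """Return one {field: value} dict per 'Unknown Service #' block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("Unknown Service #"):
            current = {}
            blocks.append(current)
            continue
        if line.startswith("---> End Service Listing"):
            current = None  # ignore the trailer (it also contains a colon)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return blocks


def classify(hjt_services, sf_blocks):
    """Verdict per ServiceFilter block, using the HijackThis line as a second witness.

    orphan : no binary behind the service (HJT says "(file missing)" or
             ServiceFilter recorded no path) -> candidate for "Delete an NT service"
    check  : binary exists but the vendor is unknown -> identify the file first
    benign : nothing suspicious in either report
    """
    verdicts = {}
    for block in sf_blocks:
        name = block.get("Service Name", "")
        hjt = hjt_services.get(name.lower(), {})
        if not block.get("Path") or hjt.get("file_missing"):
            verdicts[name] = "orphan"
        elif hjt.get("owner") == "Unknown owner":
            verdicts[name] = "check"
        else:
            verdicts[name] = "benign"
    return verdicts


def deletion_candidates(verdicts):
    """Short names to paste into HijackThis 'Delete an NT service', one per run."""
    return sorted(n for n, v in verdicts.items() if v == "orphan")


if __name__ == "__main__":
    verdicts = classify(parse_o23(HJT_SAMPLE), parse_servicefilter(SF_SAMPLE))
    for name, verdict in verdicts.items():
        print(f"{verdict:7} {name}")
    print("delete:", deletion_candidates(verdicts))
```

The point of using both reports is agreement: in the thread the HijackThis line shows "C:\WINNT\svcproc.exe (file missing)" while the ServiceFilter block shows an empty Path and "Start Mode: Unknown", so the registration has no binary behind it and removing the service entry loses nothing. A service that is merely "Unknown owner" with a file present (the ATI hotkey poller here) is flagged for identification rather than deletion, which is the distinction the helper draws before touching anything.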

#26
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
Hmm... I'm kind of scared to install this because it says I need to back up the system files.
Should I?

Edited by ENVY88, 19 August 2005 - 06:40 AM.

  • 0

#27
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
Ok, I installed that Service Pack 4. Now I did what you told me to do with HJT and I got this message.
ERROR.jpg

Edited by ENVY88, 19 August 2005 - 08:22 AM.

  • 0

#28
Guse

    Visiting Staff

  • Member
  • 624 posts
I'll look into that, but my gut tells me that it means the service is history.

Run that FindIt's and let's make sure Nail is gone.
  • 0

#29
ENVY88

    Member

  • Topic Starter
  • Member
  • 17 posts
Ok, I have run that application FindIt's and I didn't get any notepad document again. :tazz:
  • 0

#30
Guse

    Visiting Staff

  • Member
  • 624 posts
That's really irritating. I'm not sure what to do next. Let me ask a moderator.

The infection appears to be gone, but...

Tell you what, just for giggles give me another HijackThis log.
  • 0
