To Buckeye_Sam

skywalker45 Bloomington, IN. USA
edited April 2005 in Spyware & Virus Removal
I have not attached a HijackThis log, but I would like some direction. I've never had a problem with spyware, trojans, etc. until yesterday. I was just peacefully surfing the net and lo and behold Norton real time popped up and said something about "trojan.adlines". I'm pretty sure it was adlines and it was found in a temporary internet file. I thought that was the end of it. All of a sudden all these strange programs installed and began running: Bargain Buddy, Virtual Bouncer, Aurora and several others. I did an intense spyware scan with Ad-Aware SE, Spy-Bot, and the beta version of Microsoft Anti-Spyware. All found problems and supposedly fixed them, but every time I restart (except in safe mode) the problems come back. I should also mention that I'm running XP SP2 and I have 4 user profiles. All user profiles seem to be affected differently. I believe I've almost got mine clean but my wife's and kids' accounts are horrendous. Needless to say many programs are being installed in their profiles. How can I scan and remove spyware and trojans that also infect them (my other users) from my profile? Also when I did Spy-Bot the scan could not complete and I got the following in the alert box:

Xuron55 C:\windows\win.ini kann nicht......some other German gibberish.

In short I believe I have a trojan that loads at Windows startup and just continues to download and activate this crappy adware and spyware. I just can't seem to get them off my PC and I believe I won't be able to until I find the trojan causing it. I believe that Xuron55 is a trojan but you can't find any info on it. Also this happened just as Norton caught the one trojan in the beginning. I believe that this trojan somehow executed, at least partially, before the quarantine succeeded because if I look in my quarantine folder the virus name is no longer listed. It is just a long list of windows [1].exe and windows-dt.exe or some other stuff like that. I can't remember exactly because I deleted them. I believe it executed even though Norton said it was caught and now my PC is about 1/3 slower and does very strange stuff when IE is opened. It does work, but I believe it is seriously compromised. Please help!!

Comments

  • SpywareShooter 127.0.0.1
    edited April 2005
    Please post your HijackThis log so we can take a look.
  • skywalker45 Bloomington, IN. USA
    edited April 2005
    Here is my HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:52:57 PM, on 4/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\LiveUpdate.exe
    C:\WINDOWS\system32\ekleibb\qnaycuw.exe
    C:\WINDOWS\system32\xlkt\xuqqbnm.exe
    C:\WINDOWS\system32\pqjqgobc\kwcbw.exe
    C:\WINDOWS\system32\sidcyaop\mlifa.exe
    C:\WINDOWS\system32\qnjrjo\yuyxam.exe
    C:\WINDOWS\system32\qfarbdw\hdnolmni.exe
    C:\WINDOWS\system32\gryb\mnea.exe
    C:\WINDOWS\system32\Rsoqaf.exe
    C:\WINDOWS\system32\exp.exe
    C:\WINDOWS\system32\wintask.exe
    E:\Program Files\aceagent.exe
    C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    C:\WINDOWS\system32\vb4trol.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Documents and Settings\Jody and Robin\Desktop\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r31.insightbb.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.foxnews.com"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
    O4 - HKLM\..\Run: [Rosary Reminder] E:\PROGRA~1\VIRTUA~1\reminder.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AceGain LiveUpdate] E:\Program Files\LiveUpdate.exe
    O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
    O4 - HKLM\..\Run: [rheyoko] C:\WINDOWS\system32\amdldf\rheyoko.exe
    O4 - HKLM\..\Run: [qnaycuw] C:\WINDOWS\system32\ekleibb\qnaycuw.exe
    O4 - HKLM\..\Run: [xuqqbnm] C:\WINDOWS\system32\xlkt\xuqqbnm.exe
    O4 - HKLM\..\Run: [kwcbw] C:\WINDOWS\system32\pqjqgobc\kwcbw.exe
    O4 - HKLM\..\Run: [mlifa] C:\WINDOWS\system32\sidcyaop\mlifa.exe
    O4 - HKLM\..\Run: [yuyxam] C:\WINDOWS\system32\qnjrjo\yuyxam.exe
    O4 - HKLM\..\Run: [hdnolmni] C:\WINDOWS\system32\qfarbdw\hdnolmni.exe
    O4 - HKLM\..\Run: [mnea] C:\WINDOWS\system32\gryb\mnea.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rsoqaf.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebgc32.exe
    O4 - HKLM\..\Run: [fqjkcez] c:\windows\system32\ulkxcll.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [qm9P37O] vb4trol.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=WISH
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0006.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://134.68.137.201/activex/AxisCamControl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://www.link-systems.com/~sdk/SDK/paste/lsiw9x.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    I'll wait for your response. Please let me know whether, if I make any changes, I will have to make them for all users. Remember that I have 4 different user profiles on my PC. Once it seems I have mine working OK all the others are still screwed. Thanks for your help.
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Hi skywalker45! You have a new infection that can be difficult to remove. But we will get rid of it for you.

    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    Navisearch
    Bullseye
    Cashback
    Virtual Bouncer


    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and download all updates. Then exit Ewido once all updates are installed.


    Please run Notepad and copy the following text into a new file:
    @ECHO OFF
    cd %windir%
    Nail.exe /FULLREMOVE
    sc config SvcProc start= disabled
    sc stop SvcProc
    sc delete SvcProc
    attrib -s -r -h nail.exe
    attrib -s -r -h svcproc.exe
    del nail.exe
    del svcproc.exe
    cd %windir%\system32
    attrib -s -r -h DrPMon.dll
    del DrPMon.dll
    exit

    Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

    Reboot your computer into Safe Mode
    Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows


    Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.



    Now open up Hijackthis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
    O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
    O4 - HKLM\..\Run: [rheyoko] C:\WINDOWS\system32\amdldf\rheyoko.exe
    O4 - HKLM\..\Run: [qnaycuw] C:\WINDOWS\system32\ekleibb\qnaycuw.exe
    O4 - HKLM\..\Run: [xuqqbnm] C:\WINDOWS\system32\xlkt\xuqqbnm.exe
    O4 - HKLM\..\Run: [kwcbw] C:\WINDOWS\system32\pqjqgobc\kwcbw.exe
    O4 - HKLM\..\Run: [mlifa] C:\WINDOWS\system32\sidcyaop\mlifa.exe
    O4 - HKLM\..\Run: [yuyxam] C:\WINDOWS\system32\qnjrjo\yuyxam.exe
    O4 - HKLM\..\Run: [hdnolmni] C:\WINDOWS\system32\qfarbdw\hdnolmni.exe
    O4 - HKLM\..\Run: [mnea] C:\WINDOWS\system32\gryb\mnea.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rsoqaf.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebgc32.exe
    O4 - HKLM\..\Run: [fqjkcez] c:\windows\system32\ulkxcll.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [qm9P37O] vb4trol.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\Bolger.dll
    C:\WINDOWS\cfgmgr51.dll
    C:\WINDOWS\EliteToolBar <-- this folder
    C:\WINDOWS\EliteSideBar <-- this folder
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\amdldf <-- this folder
    C:\WINDOWS\system32\ekleibb <-- this folder
    C:\WINDOWS\system32\xlkt <-- this folder
    C:\WINDOWS\system32\pqjqgobc <-- this folder
    C:\WINDOWS\system32\sidcyaop <-- this folder
    C:\WINDOWS\system32\qnjrjo <-- this folder
    C:\WINDOWS\system32\qfarbdw <-- this folder
    C:\WINDOWS\system32\gryb <-- this folder
    C:\WINDOWS\system32\Rsoqaf.exe
    C:\windows\system32\elitebgc32.exe
    c:\windows\system32\ulkxcll.exe
    C:\WINDOWS\system32\exp.exe
    C:\WINDOWS\system32\wintask.exe
    C:\WINDOWS\system32\vb4trol.exe
    C:\Program Files\BullsEye Network <-- this folder
    C:\Program Files\NaviSearch <-- this folder
    C:\Program Files\CashBack <-- this folder
    C:\PROGRA~1\VBOUNCER <-- this folder


    Restart your computer and please post a new HijackThis log and the log from the Ewido scan.
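    The post above ends by asking for a fresh HijackThis log; the useful check on that log is a comparison with the earlier ones in date order, because an entry that disappears after the cleanup and then reappears (as the F2 Nail.exe line does in the next-morning log later in this thread) means the persistence mechanism is still alive. The following is an added example, not code from this thread or from the HijackThis tool; the three log excerpts are constructed from entries quoted in this thread and trimmed to a few lines each.

```python
import re

# One HijackThis entry line: a section tag (R0, F2, N3, O4, O23, ...) then " - ".
HJT_ENTRY = re.compile(r"^(?:R[0-3]|F[0-3]|N[0-4]|O\d{1,2}) - .+$")


def parse_entries(log_text):
    """Return the set of tagged entry lines in a HijackThis log.

    The header lines ('Logfile of HijackThis ...', 'Platform: ...') and the
    'Running processes:' block carry no tag and are skipped.
    """
    return {line.strip() for line in log_text.splitlines()
            if HJT_ENTRY.match(line.strip())}


def running_processes(log_text):
    """Return the executable paths listed under 'Running processes:'."""
    procs, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block:
            if not line:          # the blank line after the block ends it
                break
            procs.append(line)
    return procs


def entry_history(logs):
    """Classify every entry seen in any of the logs (given in date order).

    'persisted': present in every log
    'removed':   absent from the most recent log
    'new':       absent from the first log, present in the most recent one
    'returned':  present in the first and the most recent log but missing
                 from at least one in between, i.e. the cleanup did not hold
    """
    sets = [parse_entries(text) for text in logs]
    history = {}
    for entry in set().union(*sets):
        seen = [entry in s for s in sets]
        if all(seen):
            history[entry] = "persisted"
        elif not seen[-1]:
            history[entry] = "removed"
        elif not seen[0]:
            history[entry] = "new"
        else:
            history[entry] = "returned"
    return history


def unfixed_entries(fix_list, history):
    """Entries from the helper's 'fix these' list that are not gone in the last log."""
    return sorted(e for e in fix_list if history.get(e, "removed") != "removed")


def processes_no_longer_running(before_text, after_text):
    """Executables that were running in the first log but not in the second."""
    return sorted(set(running_processes(before_text)) - set(running_processes(after_text)))


# Constructed excerpts of the 4/25, 4/27 and 4/28 logs from this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:52:57 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\Rsoqaf.exe
C:\WINDOWS\system32\wintask.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rsoqaf.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

LOG_AFTER_CLEAN = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:41:50 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\vptray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
"""

LOG_NEXT_MORNING = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:16:45 AM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\vptray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
"""

# A few of the entries the helper asked to have fixed.
FIX_LIST = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rsoqaf.exe",
    r"O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
]

if __name__ == "__main__":
    hist = entry_history([LOG_BEFORE, LOG_AFTER_CLEAN, LOG_NEXT_MORNING])
    for entry, status in sorted(hist.items(), key=lambda kv: kv[1]):
        print(f"{status:9} {entry}")
    print("still to fix:", unfixed_entries(FIX_LIST, hist))
    print("no longer running:", processes_no_longer_running(LOG_BEFORE, LOG_NEXT_MORNING))
```

    Run against the full logs, the "returned" and "new" entries are the ones to look at first; the script only compares text and does not tell whether a given entry is malicious.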
  • skywalker45 Bloomington, IN. USA
    edited April 2005
    Hi Buckeye_Sam! Thank you for the instructions you gave me for my original post entitled "Help Me Please!!" I was able to do the remove.bat in safe mode this morning and that worked fine. I downloaded, installed, and updated Ewido Security Suite. I ran the scan which took a very long time. It scanned fine and found many things (of course). When it finished scanning it started a "clean" process. When it was about 92% done with the clean, a window popped up that said:

    An infected file was found in an archive that cannot be cleaned. Would you like to delete the file?

    I clicked "yes". Right after that I got the dreaded Microsoft window that said:

    Ewido Security Suite has encountered a problem and needs to close.....blah blah.

    I believe the reason this happened is because with the addition of Ewido, I now have 4 anti-spyware programs and I also know that they can sometimes conflict with each other. I believe that Ewido found a file in an archive belonging to either Ad-Aware, SpyBot or Microsoft Anti-Spyware and when I clicked yes there was a conflict.

    I will do the Ewido scan again this evening and this time if it asks me anything like the above I'm thinking about just clicking "no" or even selecting not to scan archives for now. After I finish all your instructions I will post the log from Ewido and HijackThis, for convenience, to this post and the original post. Thanks for all your help.

    Skywalker.
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Skywalker - To ease confusion I merged your threads. Try to keep all of your posts in your original thread so I can follow the steps that you are taking and the results of those steps.

    Post the logs when you can and we'll take the next step. :)
  • skywalker45 Bloomington, IN. USA
    edited April 2005
    Sorry about the confusion on the threads. I'll remember that the next time. Here is my Ewido report and new HijackThis report. I should note that the Ewido clean would not work until I shut down system restore. I’m also a little concerned about the remove.bat file you wanted me to run with the following script:

    @ECHO OFF
    cd %windir%
    Nail.exe /FULLREMOVE
    sc config SvcProc start= disabled
    sc stop SvcProc
    sc delete SvcProc
    attrib -s -r -h nail.exe
    attrib -s -r -h svcproc.exe
    del nail.exe
    del svcproc.exe
    cd %windir%\system32
    attrib -s -r -h DrPMon.dll
    del DrPMon.dll
    exit

    I’m concerned that maybe we should have run this in normal mode and not safe mode. Is running it in safe mode good enough? I’m only asking because I don’t think any NT services start in safe mode and I believe the svcproc.exe would run under an NT service. That’s OK though. svcproc.exe seems to be fully gone.


    ewido security suite - Scan report

    + Created on: 7:59:00 PM, 4/27/2005
    + Report-Checksum: A586AC75

    + Date of database: 4/27/2005
    + Version of scan engine: v3.0

    + Duration: 36 min
    + Scanned Files: 92943
    + Speed: 41.87 Files/Second
    + Infected files: 1
    + Removed files: 1
    + Files put in quarantine: 1
    + Files that could not be opened: 0
    + Files that could not be cleaned: 0

    + Binder: Yes
    + Crypter: Yes
    + Archives: Yes

    + Scanned items:
    C:\

    Ewido actually found more than this, but kept shutting down before it could do a full clean. Nail was the only thing that showed up after I shut down restore. After I was completely finished I deleted everything in the Ewido quarantine. There was a lot of stuff there.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:41:50 PM, on 4/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\LiveUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    E:\Program Files\aceagent.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Jody and Robin\Desktop\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r31.insightbb.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.foxnews.com"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
    O4 - HKLM\..\Run: [Rosary Reminder] E:\PROGRA~1\VIRTUA~1\reminder.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AceGain LiveUpdate] E:\Program Files\LiveUpdate.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=WISH
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0006.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://134.68.137.201/activex/AxisCamControl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://www.link-systems.com/~sdk/SDK/paste/lsiw9x.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    Looks much better, don’t you think? However, here is a log from this morning:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:16:45 AM, on 4/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\LiveUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    E:\Program Files\aceagent.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Jody and Robin\Desktop\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r31.insightbb.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.foxnews.com"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
    O4 - HKLM\..\Run: [Rosary Reminder] E:\PROGRA~1\VIRTUA~1\reminder.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AceGain LiveUpdate] E:\Program Files\LiveUpdate.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=WISH
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0006.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://134.68.137.201/activex/AxisCamControl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://www.link-systems.com/~sdk/SDK/paste/lsiw9x.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    As you can clearly see Nail.exe is back and won't seem to go away no matter what I do. I should add on a side note that I am on a cable/broadband connection at home and have had my modem disconnected since this began on Sunday except to download and update Ewido which was difficult due to popups. I have decided that I will not hook the modem back up until I know for sure that Nail.exe is gone and anything else associated with it. I went to the C:\windows directory and manually deleted Nail.exe, it came back right before my eyes. I renamed it Nail.xxx then deleted it, it came right back, I even renamed it and didn't move it and right beside the renamed Nail the new Nail.exe appeared. Could it be embedded in the registry and if so in what key? I'm doing all this communication from my PC at work so I might be a little slow with responses. I tried doing a /fullremove from a command prompt as well as changing attributes -r -s -h (even though these were already set). Still Nail.exe seems to keep respawning. I also have noticed that there are still some pretty cryptically named folders in my \windows\system32 directory as well as @ 15 files with the extension .nls--which I believe are related to NaviSearch. The cryptic folders may be OK but what about the .nls files? The NaviSearch program is definitely gone. Any other suggestion about how to get rid of Nail? I truly believe that if this file were gone I would be safe. I should add that there will be no more IE for me except for windows updates:) Firefox is going to be my browser from now on. Sorry so long. I'll wait for your response.

    Skywalker
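To make the kind of log reading done in this thread repeatable, here is an added example (not part of the thread and not HijackThis's own code): a small Python script that parses HijackThis-format lines and flags the entries a helper looks at first. It reports an F2 Shell value that launches anything besides Explorer.exe (the Nail.exe line), O16 ActiveX entries that fetch a bare .exe or come from a bare IP address, O4 autoruns that use a bare filename or live in a user profile, O20 Winlogon Notify DLLs, and O23 services running from a user profile. The sample lines are copied from the log above; the flagging rules are heuristics chosen for this example, not rules from HijackThis.

```python
"""Triage helper for HijackThis-format logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted above, so the
# paths and CLSIDs are the ones actually on this page, not invented indicators.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "F2", "O16"
    reason: str  # why the line deserves a second look
    line: str    # the original log line


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
IPV4_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
# Locations a normal service or autorun binary should not be launched from.
USER_PROFILE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\temporary internet files\\")


def _executable_of(cmd: str) -> str:
    """Return the program part of an autorun command (quoted path, or up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx != -1 else cmd.split(" ")[0]


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis lines and return the entries worth reviewing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, the running-process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "F2" and body.lower().startswith("reg:system.ini: shell="):
            # Winlogon Shell should be Explorer.exe alone; anything appended is
            # started with the desktop (the Nail.exe case in this thread).
            # Note: a path containing spaces would be split here; good enough for triage.
            shell = body.split("=", 1)[1]
            extras = [t for t in shell.split() if t.lower() != "explorer.exe"]
            if extras:
                findings.append(Finding(code, "Winlogon Shell launches extra program(s): " + " ".join(extras), line))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = _executable_of(r.group("cmd"))
                low = exe.lower()
                if any(d in low for d in USER_PROFILE_DIRS):
                    findings.append(Finding(code, f"autorun binary lives in a user-writable profile path: {exe}", line))
                elif "\\" not in exe:
                    findings.append(Finding(code, f"autorun uses a bare filename resolved via PATH search: {exe}", line))
        elif code == "O16":
            d = DPF_RE.match(body)
            if d:
                url = d.group("url")
                if url.lower().split("?")[0].endswith(".exe"):
                    findings.append(Finding(code, f"ActiveX DPF entry pulls a raw .exe instead of a .cab: {url}", line))
                elif IPV4_HOST_RE.match(url):
                    findings.append(Finding(code, f"ActiveX control served from a bare IP address: {url}", line))
        elif code == "O20":
            findings.append(Finding(code, "Winlogon Notify DLL loads before the desktop; confirm vendor and file", line))
        elif code == "O23":
            s = SVC_RE.match(body)
            if s and any(d in s.group("path").lower() for d in USER_PROFILE_DIRS):
                findings.append(Finding(code, f"service binary runs from a user profile directory: {s.group('path')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the ewido service is flagged only because it runs from the Desktop, which is exactly the kind of entry you confirm by hand rather than delete.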
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    I’m only asking because I don’t think any NT services start in safe mode and I believe the svcproc.exe would run under an NT service.
    You are correct. Which is exactly why we run it in safe mode. It's easier to delete the file and kill the service if it's not already running.


    This is a very difficult infection to remove and you seem to have it bad. If Ewido didn't get rid of it for us, then we have to look to another method.

    Download this tool and run it, following the directions on this page.
    http://www.mypctuneup.com/evaluate.php


    Reboot and post a new hijackthis log. If nail.exe is still present in your log and on your computer then we will have to kill it manually.

    Download FindIt's.zip to your desktop.
    Unzip/extract the files inside, preferably to C:\ < a new folder.
    Disconnect from the internet, if you use an always on internet connection unplug it.
    Let your PC be idle for 15 minutes!!
    Open the folder and run the FindIt's.bat and wait for a text to open, it will take awhile be patient, post the results please.
    http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443

    If you get an error similar to: autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application...etc etc' or a 16 bit application error.
    Go here and use the appropriate fix for your system
    http://www.tech-forums.net/computer/topic/29806.html
    More info here: http://support.microsoft.com/default.aspx?scid=kb;en-us;324767
  • skywalker45skywalker45 Bloomington, IN. USA
    edited April 2005
    Well Buckeye, with your help and insight this seems to have helped tremendously. Please see below the results of my HijackThis log after running the uninstaller from the company whose affiliate wrote the evil script for Nail.exe, as well as my FindIt's log thereafter.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:29:14 PM, on 4/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\LiveUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    E:\Program Files\aceagent.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r31.insightbb.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.foxnews.com"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jody and Robin\Application Data\Mozilla\Profiles\default\z2jt5qqy.slt\prefs.js)
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
    O4 - HKLM\..\Run: [Rosary Reminder] E:\PROGRA~1\VIRTUA~1\reminder.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AceGain LiveUpdate] E:\Program Files\LiveUpdate.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=WISH
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0006.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://134.68.137.201/activex/AxisCamControl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://www.link-systems.com/~sdk/SDK/paste/lsiw9x.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jody and Robin\Desktop\Spyware tools\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    Find It's results:

    Microsoft Windows XP [Version 5.1.2600]
    The current date is: Thu 04/28/2005
    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Dont delete file's in the section without guidance
    If any doubt back them up first


    »»»»» lagitamate file's can/will show in this section.

    »»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    »»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

    »»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    »»»»» Checking Windir\svcproc.exe and nail.exe.

    »»»»» Checking for System32\DrPMon.dll.

    »»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

    Volume in drive C has no label.
    Volume Serial Number is 3E38-0801

    Directory of C:\WINDOWS\SYSTEM32

    »»»»» Checking for SAHAgent ico files.
    Volume in drive C has no label.
    Volume Serial Number is 3E38-0801

    Directory of C:\WINDOWS\system32

    04/24/2005 07:47 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
    04/24/2005 07:47 PM 4,286 mp3red51aads.ico
    04/24/2005 07:47 PM 3,262 creditcard32123123123asdsa.ico
    04/24/2005 07:47 PM 3,262 kill spyware1.ico
    04/24/2005 07:47 PM 3,262 vh e233.ico
    04/24/2005 07:47 PM 3,262 kill popups.ico
    6 File(s) 21,620 bytes
    0 Dir(s) 10,315,104,256 bytes free

    »»»»»»»»»»»»»»»»»»»»»»»».


    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
    <NO NAME> REG_SZ Bolger Functional Class


    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
    Driver REG_SZ DrPMon.dll

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
    Driver REG_SZ DrPMon.dll


    Let me just extend a warm thank you to you and all who have helped me. Believe it or not I work in software development but on the testing end. I talked to one of our programmers today and he told me that Nail.exe actually starts as a random .exe file with a cryptic name and each time that Nail.exe is deleted or the system is rebooted this cryptic file changes its name and then renames itself Nail.exe but keeps the old cryptic name (in another .exe, of course) until the next deletion or reboot. So in your own words: "It is very difficult to remove". It's too bad that the guys I work with program in Linux and their knowledge of Windows is a little rusty. I've also heard that the affiliate of the company that wrote the malicious code of nail, aurora, and other adware and trojans have a lawsuit pending against them. I hope they fry these guys. It's a real shame that programmers with such talent work for companies that make their money on their malicious programs. Just think about all the good they could do elsewhere. If there is anything else I need to do let me know.

    Peace,
    Skywalker
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Your log does look clean. Good job!

    As a final clean up I would delete these files.

    Directory of C:\WINDOWS\system32

    04/24/2005 07:47 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
    04/24/2005 07:47 PM 4,286 mp3red51aads.ico
    04/24/2005 07:47 PM 3,262 creditcard32123123123asdsa.ico
    04/24/2005 07:47 PM 3,262 kill spyware1.ico
    04/24/2005 07:47 PM 3,262 vh e233.ico
    04/24/2005 07:47 PM 3,262 kill popups.ico



    Are you having any more problems?
  • skywalker45skywalker45 Bloomington, IN. USA
    edited April 2005
    Nope no more problems at all. In fact my machine is running better than ever! I updated and ran adaware and it found all the dead registry keys for the malware and stuff and just deleted them. Didn't even quarantine them. I will delete the files you suggest and again thank you very much..

    Skywalker
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and reenable system restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable system restore with instructions from the tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
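The Custom Level steps in item 2 correspond to DWORD values under the Internet zone's per-user registry key. As an added example (not from this thread or any of the tools it names), here is a Python script that audits those six settings against the checklist and, when run on Windows, can apply them. The value names (1001, 1004, 1201, 1607, 1800, 1804) and the levels 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documented zone registry entries; the key path under HKCU is assumed to be the one used by IE 6 on XP SP2, and `audit()` itself needs no registry, so the check part runs anywhere.

```python
"""Audit and apply the Internet-zone hardening from the checklist above.

Added example, not part of the thread. Registry access (read_current/harden) is
Windows-only via the stdlib winreg module; audit() is pure and portable.
"""
from typing import Dict, List, Optional, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3  # documented IE zone levels
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Assumed per-user key for the Internet zone (zone 3) as used by IE 6 on XP SP2.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Dialog label from the checklist -> (registry value name, level the checklist asks for)
DESIRED: Dict[str, Tuple[str, int]] = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", DISABLE),
    "Initialize and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items": ("1800", PROMPT),
    "Launching programs and files in an IFRAME": ("1804", PROMPT),
    "Navigate sub-frames across different domains": ("1607", PROMPT),
}


def audit(current: Dict[str, int]) -> List[str]:
    """Return one line per setting that is missing or weaker than the checklist.

    Levels are ordered Enable (0) < Prompt (1) < Disable (3), so a stricter
    setting than the checklist asks for is not reported as a problem.
    """
    problems: List[str] = []
    for label, (value_name, wanted) in DESIRED.items():
        have: Optional[int] = current.get(value_name)
        if have is None:
            problems.append(f"{label}: value {value_name} not set; set it to {LEVEL_NAME[wanted]}")
        elif have < wanted:
            shown = LEVEL_NAME.get(have, str(have))
            problems.append(f"{label}: is {shown}, checklist wants {LEVEL_NAME[wanted]}")
    return problems


def read_current() -> Dict[str, int]:
    """Read the live per-user Internet-zone DWORDs (Windows only)."""
    import winreg  # imported here so audit() stays usable on other platforms
    found: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for _label, (value_name, _wanted) in DESIRED.items():
            try:
                data, kind = winreg.QueryValueEx(key, value_name)
            except FileNotFoundError:
                continue  # value absent: audit() reports it as "not set"
            if kind == winreg.REG_DWORD:
                found[value_name] = int(data)
    return found


def harden() -> List[str]:
    """Write the checklist levels for the current user and return what changed (Windows only)."""
    import winreg
    current = read_current()
    changed: List[str] = []
    access = winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY, 0, access) as key:
        for label, (value_name, wanted) in DESIRED.items():
            if current.get(value_name) != wanted:
                winreg.SetValueEx(key, value_name, 0, winreg.REG_DWORD, wanted)
                changed.append(f"{label} -> {LEVEL_NAME[wanted]}")
    return changed


if __name__ == "__main__":
    import sys
    if sys.platform != "win32":
        print("Registry access needs Windows; running audit() on a constructed sample instead.")
        sample = {"1001": ENABLE, "1004": PROMPT, "1201": DISABLE, "1800": PROMPT, "1804": ENABLE, "1607": PROMPT}
        for p in audit(sample):
            print(" -", p)
    else:
        for p in audit(read_current()):
            print(" -", p)
```

Running `audit(read_current())` before and after walking through the dialog is a quick way to confirm the clicks took effect for the account in question; because the key is per-user, each of the four profiles mentioned earlier in the thread has to be checked (or `harden()` run) separately.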