Options

Can't remove "nail", popup deluge - SavageDL

Unknown
edited May 2005 in Spyware & Virus Removal
Deluged with popups, avg reports download.small.15 & variants but won't remove. Adaware & Spybot S&D have both been run and removed many hits (+/- 100, high number for me). In reading around "nail.exe" seems to be a factor but I can't remove it. Halting System Startup Service using services.msc seems to slow it down. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:38:52 AM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\e44gnjod.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\iileaxl.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsv1E8.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteswb32.exe
O4 - HKLM\..\Run: [e44gnjod] C:\WINDOWS\system32\e44gnjod.exe
O4 - HKLM\..\Run: [hgsktsd] c:\windows\system32\iileaxl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0015.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20040728.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04e4d9edb7750c6b4a05/netzip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://gis.evpl.org/web/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094912773214
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://219.80.63.55/Ctl/WinWebPush.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\PCAnywhere\awhost32.exe
O23 - Service: jatzlvigxzvz (tsfoaoqx5) - Unknown owner - C:\WINDOWS\system32\imxqgrdy5.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Comments

  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and download all updates. Then exit Ewido once all updates are installed.


    Please download and install Cleanup 4.0
    http://cleanup.stevengould.org/



    Please run Notepad and copy the following text into a new file:
    @ECHO OFF
    cd %windir%
    Nail.exe /FULLREMOVE
    sc config SvcProc start= disabled
    sc stop SvcProc
    sc delete SvcProc
    attrib -s -r -h nail.exe
    attrib -s -r -h svcproc.exe
    del nail.exe
    del svcproc.exe
    cd %windir%\system32
    attrib -s -r -h DrPMon.dll
    del DrPMon.dll
    exit

    Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

    Reboot your computer into Safe Mode
    Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows



    Run CleanUp 4.0 that you installed earlier.



    Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.



    Now open up Hijackthis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsv1E8.dll
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteswb32.exe
    O4 - HKLM\..\Run: [e44gnjod] C:\WINDOWS\system32\e44gnjod.exe
    O4 - HKLM\..\Run: [hgsktsd] c:\windows\system32\iileaxl.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04e4d9e...ip/RdxIE601.cab
    O23 - Service: jatzlvigxzvz (tsfoaoqx5) - Unknown owner - C:\WINDOWS\system32\imxqgrdy5.exe (file missing)


    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\system32\imxqgrdy5.exe
    C:\WINDOWS\system32\nsv1E8.dll
    C:\windows\system32\eliteswb32.exe
    C:\WINDOWS\system32\e44gnjod.exe
    c:\windows\system32\iileaxl.exe
    C:\WINDOWS\Bolger.dll
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\cfgmgr51.dll




    Restart your computer and please post a new HijackThis log and the Ewido log.
  • SavageDL
    edited April 2005
    Here's Ewido and current Hijackthis. Looks like F2 nail is still there. But there have been no popups since I restarted altho ewido has already removed another 2.

    Thanks so much for your help.
    ewido security suite - Scan report

    + Created on: 11:37:51 AM, 4/30/2005
    + Report-Checksum: 9DEA08C2

    + Date of database: 4/30/2005
    + Version of scan engine: v3.0

    + Duration: 61 min
    + Scanned Files: 44606
    + Speed: 12.01 Files/Second
    + Infected files: 56
    + Removed files: 56
    + Files put in quarantine: 56
    + Files that could not be opened: 0
    + Files that could not be cleaned: 0

    + Binder: Yes
    + Crypter: Yes
    + Archives: Yes

    + Scanned items:
    C:\
    D:\

    + Scan result:
    C:\Program Files\Comedy-Planet\comedy-planet.exe -> Spyware.ComedyPlanet.a -> Cleaned with backup
    C:\Program Files\DeskAd Service\DeskAdComm.dll -> Spyware.WinAD.m -> Cleaned with backup
    C:\Program Files\DeskAd Service\DeskAdKeep.exe -> Spyware.WinAD.k -> Cleaned with backup
    C:\Program Files\Media Pass\MediaPass.exe -> Spyware.WinAD.ac -> Cleaned with backup
    C:\Program Files\Media Pass\MediaPassC.dll -> Spyware.WinAD.ac -> Cleaned with backup
    C:\Program Files\Media Pass\MediaPassK.exe -> Spyware.WinAD.ab -> Cleaned with backup
    C:\Program Files\SBC Self Support Tool\bin\closeAll.exe -> Trojan.Autoit.d -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/1 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/10 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/11 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/12 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/14 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/2 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/3 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/6 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/7 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/8 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/9 -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\trofkz.REG -> Trojan.LowZones.a -> Cleaned with backup
    C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\cfgmgr51.dll -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\DeskAdX.dll -> Spyware.WinAD.f -> Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\installer_MARKETING11.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\MediaPassX.dll -> Spyware.WinAD.w -> Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\pcs_0015.exe -> Spyware.Pacer.b -> Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\pcs_0025.exe -> Spyware.Pacer.b -> Cleaned with backup
    C:\WINDOWS\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
    C:\WINDOWS\localNRD.dll -> Spyware.BiSpy.t -> Cleaned with backup
    C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
    C:\WINDOWS\ohhkewllubf.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\system32\bln02nqv.exe -> Spyware.Sahat.o -> Cleaned with backup
    C:\WINDOWS\system32\BundleLite_westfrontier1001.exe -> Spyware.Sahat.m -> Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CX6F0P2J\protector_update[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\elitepjx32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\elitesud32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\eliteswb32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\elitewsr32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\elitexie32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch -> Cleaned with backup
    C:\WINDOWS\system32\javex80.vxd/C:/WINDOWS/system32/nvms.dll -> Spyware.Bargainbuddy -> Cleaned with backup
    C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.ExactSearchBar -> Cleaned with backup
    C:\WINDOWS\system32\nsv1E8.dll -> Spyware.Beginto.c -> Cleaned with backup
    C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
    C:\WINDOWS\system32\nsvsvc\nsvs.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
    C:\WINDOWS\system32\PreInstaller_p1.exe -> TrojanDownloader.Keenval.o -> Cleaned with backup
    C:\WINDOWS\system32\psis80ex.ax/C:/WINDOWS/system32/mscb.dll -> Spyware.BargainBuddy.i -> Cleaned with backup
    C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack.b -> Cleaned with backup
    C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack.d -> Cleaned with backup
    C:\WINDOWS\system32\psoft1.exe -> Spyware.Pacer.a -> Cleaned with backup
    C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\thin-94-5-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\system32\zjvlnv.exe -> Trojan.Agent.cp -> Cleaned with backup
    D:\Program Files\hijackthis\backups\backup-20050430-081450-536.dll -> Spyware.BetterInternet -> Cleaned with backup
    D:\updlog35.exe -> Spyware.Hijacker.Generic -> Cleaned with backup


    ::Report End


    Logfile of HijackThis v1.99.1
    Scan saved at 1:27:13 PM, on 4/30/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    d:\Program Files\ewido\security suite\ewidoctrl.exe
    d:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0015.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20040728.dll
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://gis.evpl.org/web/mgaxctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094912773214
    O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://219.80.63.55/Ctl/WinWebPush.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\PCAnywhere\awhost32.exe
    O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: jatzlvigxzvz (tsfoaoqx5) - Unknown owner - C:\WINDOWS\system32\imxqgrdy5.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Fix these lines, reboot and post a new hijackthis log.

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O23 - Service: jatzlvigxzvz (tsfoaoqx5) - Unknown owner - C:\WINDOWS\system32\imxqgrdy5.exe (file missing)
  • SavageDL
    edited May 2005
    Ran HJT, checked the 2 lines, normal reboot, scanned with HJT. Here's the log. The 2 lines are still there. Popups have dissappeared. Ewido finds a duplicate file a couple of times, most of the times I access the internet. Always the same file. ohhkewllubf.exe - Spyware.BetterInternet.

    Thanks for sticking with me on this!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:01:52 AM, on 5/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\AIM\aim.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    d:\Program Files\ewido\security suite\ewidoctrl.exe
    d:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    D:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0015.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20040728.dll
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://gis.evpl.org/web/mgaxctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094912773214
    O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://219.80.63.55/Ctl/WinWebPush.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\PCAnywhere\awhost32.exe
    O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: jatzlvigxzvz (tsfoaoqx5) - Unknown owner - C:\WINDOWS\system32\imxqgrdy5.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Download KillBox and unzip it to your desktop.
    http://www.downloads.subratam.org/KillBox.zip


    Open Killbox and select the Delete on reboot option.


    Copy and paste the following file to the field labeled "Full path of file to delete"

    C:\WINDOWS\ohhkewllubf.exe

    Press the Delete button (the button that looks like a red circle with a white X in it).
    A first dialog box will ask if you want to delete the file on reboot, press the YES button.
    A second dialog box will ask you if you want to REBOOT now. Press the NO button.

    Copy and paste the following file to the field labeled "Full path of file to delete"

    C:\WINDOWS\nail.exe

    Press the Delete button (the button that looks like a red circle with a white X in it).
    A first dialog box will ask if you want to delete the file on reboot, press the YES button.
    A second dialog box will ask you if you want to REBOOT now. Press the YES button.


    Reboot your computer.



    Reboot your computer into Safe Mode

    Click Start -> Run -> (type) services.msc

    Scroll down and find the service called jatzlvigxzvz When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


    Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
    Copy and paste this into the text box and click OK.

    tsfoaoqx5


    Now fix this line with hijackthis.

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe


    Reboot and post a new hijackthis log.
  • SavageDL
    edited May 2005
    BINGO!!! Bless you Sam!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:52:10 PM, on 5/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    d:\Program Files\ewido\security suite\ewidoctrl.exe
    d:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\wanmpsvc.exe
    D:\Program Files\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0015.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20040728.dll
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://gis.evpl.org/web/mgaxctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094912773214
    O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://219.80.63.55/Ctl/WinWebPush.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\PCAnywhere\awhost32.exe
    O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    I see one more line that needs to be fixed.

    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)


    Past that, your log looks clean to me. Are you having any more problems?
Sign In or Register to comment.