#1
Member (5 bit)
Join Date: Dec 2002
Posts: 26

can't get rid of nail.exe/aurora...hijackthis log
Anyone willing to take a look at this for me? I've got MS antispyware and adaware and neither are taking care of this aurora/nail.exe ****. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:00:56 PM, on 5/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\jjxqrn.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\WINDOWS\System32\msxct.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ocqnxm] C:\WINDOWS\System32\ocqnxm.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
#2
Member (5 bit)
Join Date: Dec 2002
Posts: 26

I already deleted all the obvious stuff with HJT, but as you can see it all comes right back.
#3
Staff
Premium Member
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,555

Here is a link to the HJT analysis of your log:
http://www.hijackthis.de/logfiles/03...0bfc71a5b.html
According to HJT you have a few nasties that need to be fixed and manually deleted, it might be worth your while waiting to see if Lobos shows up and takes a look.
#4
Member (5 bit)
Join Date: Dec 2002
Posts: 26

Quote:
#5
Staff
Premium Member
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,555

The chances are the garbage has ambiguous application names that are just not being deleted. If I were you I would pick one of the names that keeps coming back and search your computer for that name and whatever it finds just delete it. Have you run your scans in safe mode and have you tried running them with system restore switched off?
#6
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936

This was done by a few of the experts down at CastleCops and SWI.

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here: http://www.noidea.us/easyfile/file.p...50515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log.
Lobos
Last edited by Lobos; 05-26-2005 at 06:47 PM.
#7
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,163

Bad link for nailfix, lobos.
Try this one:
For XP: http://users.pandora.be/bluepatchy/nailfix.zip
For 2K: http://users.pandora.be/bluepatchy/nailfix2k.zip
#8
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936

Thanks glc, I guess they moved it.
#9
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,163

No, you copied and pasted the link from another VB thread by dragging the mouse - so the ...... truncation came over with it. You gotta right click links with ...... visible to copy the whole thing to the clipboard.
#10
Member (5 bit)
Join Date: Dec 2002
Posts: 26

I'll try that, thanks.
I did manage to find their contact info and left those assholes a nice little message:
Direct Revenue LLC
107 Grand Street 3rd Floor
New York, NY 10013
V: 646.613.0376
F: 646.613.0386
Quote:
#11
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936

mojo, how are you doing? Did you get rid of it?
#12
Member (5 bit)
Join Date: Dec 2002
Posts: 26

Lobos
Did everything you said, here's the new HJT log. As far as I can tell the aurora stuff is gone. I only see a few things that I don't know about, that toolbar, and the "trusted zone". Should I just remove those too? Thanks a lot for all your help!

Logfile of HijackThis v1.99.1
Scan saved at 6:19:20 PM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Temp\HijackThis.exe

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
#13
Member (5 bit)
Join Date: Dec 2002
Posts: 26

And if it helps any, here is the Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 6:12:53 PM, 5/30/2005
+ Report-Checksum: 5A5826CC
+ Date of database: 5/30/2005
+ Version of scan engine: v3.0
+ Duration: 32 min
+ Scanned Files: 66866
+ Speed: 34.76 Files/Second
+ Infected files: 35
+ Removed files: 35
+ Files put in quarantine: 35
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items: C:\
+ Scan result:
C:\Documents and Settings\Andrew\Cookies\andrew@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@ar.atwola[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\sf\sf.exe -> TrojanDownloader.Small.hs -> Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide -> Cleaned with backup
C:\RECYCLER\S-1-5-21-790525478-1606980848-1060284298-1004\Dc19.exe -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\S-1-5-21-790525478-1606980848-1060284298-1004\Dc20.exe -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\S-1-5-21-790525478-1606980848-1060284298-1004\Dc21.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\aswxmhyllh.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\system32\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exdl2.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exdl3.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exul1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exul3.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\halrage.exe -> Trojan.AproposAd -> Cleaned with backup
C:\WINDOWS\system32\hotdlg.exe -> Trojan.AproposAd -> Cleaned with backup
C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\jjxqrn.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\msxct.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\yxmfrpj.exe -> Spyware.BetterInternet.c -> Cleaned with backup

::Report End
#14
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936

Be sure to look this solution over before you begin. There are some item(s) I'm not familiar with. If you recognize any, then just omit them from this fix.
===============
Before we begin, let's move HiJackThis to its own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, which, with HiJackThis in its current location, means we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later. Also move the "Backups" folder, for HiJackThis, if present.
===============
Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Run HiJackThis and click "Scan", then check(tick) the following, if present:
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O15 - Trusted Zone: http://www.neededware.com
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
REBOOT
Post back a new log, and let me know how everything goes.
- Lobos
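The entries the two fixes in this thread target (the F2 Shell line in post #6, and the O2/O3/O15 lines in the post above) are all visible in the HijackThis log itself. The script below is an added example, not from the thread or the HijackThis project: it parses a log in that format and flags exactly those entry types, so a reader can triage a log the way the helpers here did. The sample log embedded in it is constructed from the entries quoted in this thread.

```python
"""Triage a HijackThis 1.99 log for the entry types this thread fixes: an F2
Winlogon Shell value with a program chained after Explorer.exe (how Nail.exe
kept coming back), O15 Trusted Zone additions, and O2/O3 BHO or toolbar
registrations whose file is gone. Added example; the sample log is constructed."""
import re

# Constructed sample in HijackThis log format, modelled on the thread's entries.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^([FRO]\d+) - (.*)$")
SHELL_RE = re.compile(r"REG:system\.ini: Shell=(.*)$", re.IGNORECASE)

def parse_entries(log_text):
    """Return (section, body) pairs for every 'Fn/Rn/On - ...' line; the header
    and 'Running processes' paths do not match the pattern and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def shell_is_hijacked(body):
    """True when the Shell value is anything other than a lone Explorer.exe.
    A clean value is exactly one token, so a second token (even the start of a
    path with spaces) means another program is being started with the shell."""
    m = SHELL_RE.match(body)
    if not m:
        return False
    tokens = m.group(1).split()
    return len(tokens) != 1 or tokens[0].lower() != "explorer.exe"

def triage(log_text):
    """Return (section, reason) findings for the entry types fixed in the thread."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "F2" and shell_is_hijacked(body):
            findings.append((section, "Shell chains an extra program: " + body))
        elif section == "O15":
            findings.append((section, "site added to IE Trusted Zone: " + body))
        elif section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            findings.append((section, "orphaned BHO/toolbar registration: " + body))
    return findings

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, reason)
```

Run against the sample it reports the F2, O2, O3 and O15 lines and leaves the legitimate O4 and O23 entries alone; point `triage` at a real saved log to get the same list.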
#15
Member (3 bit)
Join Date: May 2005
Posts: 7

I really need some help on this too. I am having some major adware problems and every time I remove them they come back. I have tried this nail.exe resolution (as I found it on another forum also) but when I boot in safe mode Hijackthis is not anywhere to be found. I saved it to the desktop when I downloaded. How can I resolve this? Thanks in advance for any advice.
Nicki
#16
usual suspect
Join Date: Jun 2002
Location: not here
Posts: 2,051

When you log in in safe mode, are you logging in as the user who saved HJT to the desktop or the Admin? Make sure you log in as the original user.
craig
#17
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936

nikdawn, please start your own thread so as not to cause confusion in cleaning up mojo3120's computer.
Lobos