i'm just about to blow my brains out, HJT log attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jflo, May 23, 2006.

  1. jflo

    jflo Private E-2

    hey everyone, obviously new here. i've had HJT for a while, but not until tonight i decided to try and post up my log. if anyone can please recommend something that'll get me going in the right direction, it'll be greatly appreciated.
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi jflo and Welcome to Majorgeeks

    Please follow our standard cleaning procedures, which are necessary for us to provide you support. They cover the specific order of running the cleaning applications, as HJT is a last-resort, mop-up program. Also, there are steps included for installing, running, and posting HijackThis logs as attachments.


    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. jflo

    jflo Private E-2

    bdscan and activescan logs
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to complete the directions in step 7 of the READ ME and attach a new HJT log. Make sure you follow the directions in step 7 because you had HijackThis installed incorrectly and you were running MSconfig to control startup which you must not do. This is all covered in the link referenced in step 7 of the READ ME.

    You also did not follow the directions in step 6 for creating the Bitdefender log. The log should have been an HTML formatted file with a .txt extension. Following those directions makes it much easier and less time consuming for us to read thru the logs.
     
  5. jflo

    jflo Private E-2

    sorry, when bitdefender finished, i totally looked over the file format. it took a good 2 hours for it to finish scanning, i wasn't about to start over so i could get the correct file format.

    oh, and HJT ran perfectly normal.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not need to start over. When the scan finished all you had to do was save the file like the directions indicated. Just forget about Bitdefender now.

    I need you to run another tool which may help to remove some of the hidden baddies you have. Follow the steps in the below link and attach the Ewido log:

    Running Ewido Anti-Malware

    Is your version of CounterSpy a paid version? If yes, uninstall Windows Defender and keep CounterSpy.
    If your CounterSpy version is a free trial, uninstall CounterSpy and keep Windows Defender.

    You appear to have Solo Antivirus running:
    You must use only one antivirus (see step 3 of the READ ME). Uninstall either Solo or Symantec.

    Do all of the above before continuing to the below!!!

    Then also attach a NEW HJT log.
     
  7. jflo

    jflo Private E-2

    okay, ran the ewido anti-malware.

    uninstalled solo AV. i had no idea that was still on my comp, sorry.

    HJT log and ewido scan log attached.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later after booting into safe mode.

    - Now boot into safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear). If it says anything about removing a hidden process or file, look for and delete this file: C:\WINDOWS\system32\srfxpul.exe

    - When abiremover finishes just reboot into normal mode and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\system32\srfxpul.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and do a System Scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [kjzdbg] C:\WINDOWS\system32\srfxpul.exe r

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\system32\srfxpul.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log.

    Also tell me how things are working!
     
  9. jflo

    jflo Private E-2

    well, i tried everything you asked. the Nail.exe is gone, but that other .exe file doesn't even exist in my system32 folder.

    new HJT log attached

    oh, and it's weird. after doing all the READ & RUN ME thread stuff, i stopped getting this one error that always showed up at logon, but after doing ewido scans and stuff, it came back. it's a data execution process error.

    everything seems to run fine if i set windows explorer to work offline. oh, don't know if you noticed, but there's a certain program that runs and changes its name (it's a bunch of random letters like zdofiah.exe or something of the like) at every logon, or if you end the process through task manager, it pops up again but with different random letters again
     
  10. jflo

    jflo Private E-2

    oops, here's the log
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because it changed names as you were commenting about some random file name. It used to be C:\WINDOWS\system32\srfxpul.exe; now the file is C:\WINDOWS\system32\ytgteq.exe.


    The log you just posted looks totally different than your previous log! There is a lot more running now! WHY????
    You must not use MSconfig like you are doing. See step 7 of the READ ME. You must select Normal Startup, reboot, and then attach a new HJT log. DO NOT reboot afterwards otherwise the file name will change again. Wait for me to post a fix. This is all part of the Nail (BetterInternet) infection.
     
  12. jflo

    jflo Private E-2

    i don't know why there's a lot more running now...hmm, oh i think i took things off the ignorelist that was on before.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The ignorelist must not be used while we are trying to fix things!
     
  14. jflo

    jflo Private E-2

    hmm, so nothing else ?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm waiting on you! You never completed what I asked you to do in message # 11:
    It is important that you give me a new log and DO NOT reboot or shutdown your PC afterwards! Your previous log is 5 days old and I'm sure you have rebooted since posting it.
     
  16. jflo

    jflo Private E-2

    oops, sorry. i thought i attached a log, here is the new log.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have a real software firewall installed? Note this does not include the Windows XP SP2 firewall! It is not a true firewall!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to System Startup Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    SvcProc

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\yrzvcmb.exe <--- if you do not see this process running, compare your current processes to the previous ones and you should see another new random process name running. Kill it.

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [pdbfkd] C:\WINDOWS\system32\yrzvcmb.exe r
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


    Now exit HJT

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\yrzvcmb.exe
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\svcproc.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    While in safe mode we are going to run HijackThis a second time as a double check for this problem. Please run HijackThis and do a System Scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [pdbfkd] C:\WINDOWS\system32\yrzvcmb.exe r <--- if you do not see this O4 line with the ending text yrzvcmb.exe r look for a similar new process and an 'r' at the end of the line and fix it.
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\system32\yrzvcmb.exe (or whatever new name you may have found)

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a third time.

    Now attach a new HJT log.

    Also tell me how things are working! Again DO NOT REBOOT after attaching this new log. Please respond by telling me that you are keeping your PC running.
     
  18. jflo

    jflo Private E-2

    okay, well, i did everything you asked.

    after killbox rebooted my computer and i logged on, there was an error that said it couldn't find nail.exe.

    nail.exe is no longer in my windows folder. and neither is svcproc.exe.

    the thing with the yrzvcmb.exe file is that every time i kill it with HJT, a new one replaces it.

    this concerns me:
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    i also have "the best offers" crap still on my computer.

    i'm keeping my PC running.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about a firewall. This is important! If you do not have a real firewall, we want to get one installed so it can block some of these bad file names from contacting the sites they are downloading from.

    The process that keeps coming back is all part of the BestOffers infection with nail.exe, svcproc.exe (and of course the random filename). Any one of these can respawn the others. That is why I had you kill the svcproc.exe service first. It was an attempt to stop the service and then kill the random process before the service could be restarted by the random process. If you look at your HJT log, you will see the nail.exe is back. It is not gone as you stated. Take a look for yourself. Don't do anything with it though. Funny thing is, I'm surprised that Windows Defender does not popup asking about allowing the new process to startup each time it renames itself.

    If you do not want the below to be running, we can stop it. It was more than likely installed when you installed your iPod software. It's up to you. From what I know, it is not needed.
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    To stop this service:
    - Right-click on My Computer and choose Manage.
    - Then expand the Services and Applications section and click on Services.
    - On the right-side of the screen, find the entry for InstallDriver Table Manager and double-click on it.
    - Change the Startup Type: to Manual.
    - Hit the OK button and close the Computer Management screen.


    Now back to BestOffers!

    Click on the below link to download a program that we have used to fix this in the past:

    Download Nail FIX


    Save it to your Desktop. After download is complete, reboot into Safe Mode. Extract the contents to your desktop and run the fixnail.bat. Your desktop will disappear, that's normal. The Windows shell (explorer.exe) is being terminated while fixing the malware. After the tool has finished running, reboot into normal mode!

    Also since you have Ewido installed already, run the below procedure (ignoring the install but make sure you check for updates). Attach the Ewido log:

    Running Ewido Anti-Malware


    Now also attach a new HJT log.
     
  20. jflo

    jflo Private E-2

    yeah, i don't have a real firewall up. recommend any software? or know where i can get some good free software?

    i also don't see the fixnail.bat--only nailfix.cmd and process.exe
     
  21. jflo

    jflo Private E-2

    ewido and hjt logs
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I forgot to edit my message. You have to double click on nailfix.cmd

    Here is what I want you to do! Run Ewido again (save the log) and as soon as it finishes, double click on nailfix.cmd

    Then immediately run HJT and fix lines like below (if found)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [pdbfkd] C:\WINDOWS\system32\uvjwvx.exe r <--- obviously this one may have a different filename
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Then get a new HJT log and save it as hjt1.log.

    Then reboot and save a new HJT log to hjt2.log

    Now come back and attach the new Ewido log and the two HJT logs.
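    As an added, defender-side example (not code from this thread or from the MajorGeeks team), the Python below scans HijackThis log text for the three Nail/BestOffers entries chaslang has jflo fix in messages 8, 17 and 22, flags when two or more of the mutually respawning components are present (the reason a partial fix did not hold, per message 19), and compares two logs to spot a renamed random O4 entry. The sample log lines are constructed: the random filenames are placeholders and the benign entries are invented stand-ins.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample HijackThis log (not a real log from this thread): the Nail/BestOffers
# lines are modelled on the entries quoted above, the random filename is a made-up placeholder,
# and the second O4 and O23 lines are invented benign entries for contrast.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [pdbfkd] C:\WINDOWS\system32\yrzvcmb.exe r
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe /background
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"""

# F2: the system.ini Shell= value should be exactly Explorer.exe; anything appended is a second shell.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$", re.I)
# O4: a Run entry starting <random letters>.exe from system32 with the lone "r" argument seen in the thread.
RANDOM_RUN_RE = re.compile(
    r"^O4 - HKLM\\\.\.\\Run: \[(?P<key>[a-z]{4,10})\] "
    r"(?P<path>C:\\WINDOWS\\system32\\[a-z]{4,14}\.exe) r$", re.I)
# O23: the SvcProc service that restarts the other two components.
SVCPROC_RE = re.compile(
    r"^O23 - Service: .*\(SvcProc\) - .* - (?P<path>C:\\WINDOWS\\svcproc\.exe)$", re.I)


def scan_hjt_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (component, path, hjt_line) for every Nail/BestOffers indicator in an HJT log."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = SHELL_RE.match(line)
        if m:
            parts = m.group("value").split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "explorer.exe":
                findings.append(("shell-hijack", parts[1], line))
            continue
        m = RANDOM_RUN_RE.match(line)
        if m:
            findings.append(("random-run", m.group("path"), line))
            continue
        m = SVCPROC_RE.match(line)
        if m:
            findings.append(("svcproc-service", m.group("path"), line))
    return findings


def respawn_cluster_present(findings: List[Tuple[str, str, str]]) -> bool:
    """True when two or more of the three components are present: each can restart the
    others, so removing only one (as happened in this thread) will not hold."""
    return len({component for component, _, _ in findings}) >= 2


def renamed_run_entry(previous_log: str, current_log: str) -> Optional[Tuple[str, str]]:
    """Compare two logs and return (old_path, new_path) if the random O4 entry changed name."""
    old = [p for c, p, _ in scan_hjt_log(previous_log) if c == "random-run"]
    new = [p for c, p, _ in scan_hjt_log(current_log) if c == "random-run"]
    if old and new and old[0].lower() != new[0].lower():
        return old[0], new[0]
    return None
```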
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For the firewall, go to the below link and see step 3:

    How to Protect yourself from malware!

    I suggest you download and install ZoneAlarmFree. Do this after completing the steps in my previous message.
     
  24. jflo

    jflo Private E-2

    ewido and 2 hjt logs.

    i think i should mention this: the random .exe file no longer showed up before i rebooted (after the ewido scans). and the svcproc.exe was no longer there either
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last log looks good! Uninstall Ewido now!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!


    Make sure to install a real firewall (if you did not already install it).
     
  26. jflo

    jflo Private E-2

    thanks a lot for the help. i already installed zonealarmfree. gonna fix the restore points now. the bestoffers software was still in my windows directory though.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which files did you find and were you able to delete them? In message # 24 you said they were gone.

    Check to see if they come back again after a reboot.
    Also check to see if anything reappeared in your HJT log.
     
  28. jflo

    jflo Private E-2

    hmm, i deleted the ozdvbsoivhawef.exe file or however it's spelled, and the bestoffers.ico file. they're gone. thanks! i'm still getting a generic host process error though :T i don't know what's causing it
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Generic Host Process is svchost.exe, a valid Windows process. If you are getting errors about it, you should capture the complete word-for-word error message and post a message in the Software Forum about it. Make sure you include the exact error message and also indicate exactly when you are getting this error.
     
