How do I remove 'The Best Offers'?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by simonrana, Sep 16, 2005.

  1. simonrana

    simonrana Private E-2

    Hi, first I'd like to thank you guys at MajorGeeks.com for your sound advice on removing spyware. I have only just finished administering the long clean up operation you outlined at

    http://forums.majorgeeks.com/showthread.php?t=38752

    which I believe got rid of the ABI thing that's been hassling me for ages. I say 'believe' because I can only verify this so far by the blissful absence of Aurora popups over my last half hour on the net, and by the fact that the ABI software is no longer listed in the Add/Remove programs population. However whilst looking over this I found a new dodgy piece of software listed - going by the name of 'The Best Offers'. Much like ABI, the change/remove option only takes you to a corporate website, which in this case offers an uninstall program that I definitely don't trust. So far it isn't causing any visible problems, but given that I don't know what it's doing and that it's robust enough to sidestep all the tools that got rid of ABI I would really like to remove it. Any advice you could give me would be appreciated...
     
  2. simonrana

    simonrana Private E-2

    Correction - its activities have now become apparent, it's another pop up one! Removal advice appreciated...
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The link you posted in message number one is not a cleanup procedure. It does not do any cleanup. It is just a tutorial on HijackThis.


    Please follow the steps below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates for all programs.

    - Now while still in safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install and wait (the explorer window will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.



    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. simonrana

    simonrana Private E-2

    The stuff on that READ ME FIRST link you provided was actually the clean up operation I was talking about before. Given that I've been back on the net since I performed these steps, and might have had some new trojan horses/spyware, etc find their way on to my computer since then, do I have to go through the whole process again before carrying on with the further steps you suggested or can I launch straight into them?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just complete ALL steps that you have not yet completed including what I gave you in my last message.
     
  6. simonrana

    simonrana Private E-2

    Did all the steps before resorting to Hijacker, and I think it worked - thanks very much! Only been on the net for a few minutes, but I've had no pop ups and my connection seems to be much quicker. However the scans did not get perfect results and did indicate that some infections remain on my PC -

    Bitdefender result - "You're computer is still infected."
    One file was found which it failed to update -
    blubstersetup250.exe=>wise0015=>(RAR Sfx o)

    Spybot couldn't fix 1 problem - Smitfraud-C.

    About:Buster scan was fine but for some reason I got an error whenever I tried to update the program, so I might not have been working with the most up-to-date information.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat
     
  8. simonrana

    simonrana Private E-2

    Sorry. Have run HijackThis and attached the log file as requested. Turns out "the best offers" spyware is still on my computer as well.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below Proxy Server setting for something you installed or for your ISP?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.144.127.157:80

    Did you run ABIremover in safe mode?


    Let's try the below steps to remove Nail.exe

    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the enter key:

    nail.exe /FullRemove

    Close the command prompt window and reboot. After reboot continue with the below:


    Look in Add/Remove programs for the below and uninstall if found:
    Best Offers or The BestOffers or bsto-1


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixbo.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixbo.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\fqshfzl.exe <--- it's very possible that this random named process may have renamed itself by now. See if you can find the new one if it has renamed. You will also see it in the O4 lines below.

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cgi?uid=10333205&id=5.20013
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.144.127.157:80
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [nbifbo] C:\WINDOWS\system32\fqshfzl.exe r
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\system32\fqshfzl.exe
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  10. simonrana

    simonrana Private E-2

    In order...

    I have no idea! I'm honestly not even sure what a Proxy Server is.

    Yes I did.

    Not sure I understood this part. If you meant use the Add/Remove programs uninstall to remove The Best Offers then I was not able to do this as the uninstall option did not work - functioning only to take me to a dubious web page. If you meant "use the next part to uninstall" (i.e. the notepad file) then I did as you suggested.

    As you guessed the fqshfzl.exe file did rename itself and I did manage to find the renamed file and delete it. Unfortunately I did not make a note of the new file name so I was unable to follow the later instructions for that file (sorry my mistake, should have read your instructions in full before I started following them).


    At the end of the process the Best Offers program unfortunately seems to have remained (a second log file is attached to this post). Also when I entered a new default home page, the automatic list offered (in addition to my previously chosen URL google) a rather obscene URL address to what clearly must be a porn site. This has me rather worried as I have no idea how this got here and I wonder what else might have been put on my computer...
     
  11. simonrana

    simonrana Private E-2

    Sorry, forgot to attach log file! Here it is...
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do the nail.exe /FullRemove step? Did it give you any message? Did you find and delete the c:\windows\nail.exe file?

    It does not look like you fixed all the items with HijackThis. I still see:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    And the trojan file is now:
    O4 - HKLM\..\Run: [eoqiki] C:\WINDOWS\system32\hqarlqh.exe r

    This will rename itself each time you shut down or reboot. So from now on, do not reboot or shutdown after posting any logs.

    Tell me if you see the following file:
    C:\WINDOWS\system32\Poller.exe


    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
    Last edited: Sep 21, 2005
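    The two posts above hinge on reading HijackThis log lines by shape: the F2 Shell= line that launches an extra program beside Explorer.exe, and the O4 Run entry whose key and file name change on every reboot. The following is an added example, not part of the thread or of HijackThis: a small Python triage that parses those lines and, given a log from before and after a reboot, reports the Run entry that renamed itself. The two sample logs are constructed from the lines quoted in the thread, plus one benign ctfmon entry added for contrast.

```python
import re

# Constructed sample: HijackThis lines quoted in this thread, arranged as two logs
# taken either side of a reboot; the ctfmon line is an added benign entry.
LOG_BEFORE_REBOOT = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [nbifbo] C:\WINDOWS\system32\fqshfzl.exe r
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
LOG_AFTER_REBOOT = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [eoqiki] C:\WINDOWS\system32\hqarlqh.exe r
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
# Shape of the loader seen in the thread: short random lowercase name in system32, run with " r".
RANDOM_LOADER_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{5,8}\.exe r$", re.I)


def parse_o4(log):
    """Return {registry value name: command line} for every O4 Run entry in the log."""
    entries = {}
    for line in log.strip().splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[m.group("key")] = m.group("cmd")
    return entries


def shell_hijack(log):
    """Return any program appended to the system.ini Shell= line beyond Explorer.exe."""
    for line in log.strip().splitlines():
        m = F2_RE.match(line.strip())
        if m:
            # The default is Shell=Explorer.exe; anything else is launched alongside the shell.
            return [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
    return []


def renamed_loaders(before, after):
    """Return (gone, fresh): random-loader O4 entries that vanished and appeared between logs."""
    old = {k: v for k, v in parse_o4(before).items() if RANDOM_LOADER_RE.match(v)}
    new = {k: v for k, v in parse_o4(after).items() if RANDOM_LOADER_RE.match(v)}
    gone = sorted(v for k, v in old.items() if k not in new)
    fresh = sorted(v for k, v in new.items() if k not in old)
    return gone, fresh
```

The `fresh` list is the file to kill and delete in the current session, which is why the post says not to reboot after posting a log.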
  13. simonrana

    simonrana Private E-2

    I did the step and there was no message, in fact it gave no indication that anything was done at all. I did delete the nail.exe file in the later step.

    I do not see this file.

    Attached is the results of the WinPFind scan.
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket KillBox

    And extract it to its own folder somewhere that you will be able to locate it later. Do not run it yet.


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\hqarlqh.exe <--- it's very possible that this random named process may have renamed itself by now. See if you can find the new one if it has renamed. You will also see it in the O4 lines below.

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [eoqiki] C:\WINDOWS\system32\hqarlqh.exe r
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    After clicking Fix, exit HJT.

    Now run Pocket Killbox.

    Click on Tools>Delete Temp Files
    Then, check the following boxes: Unregister .dll before deleting (unless it is greyed out), Delete on Reboot. Highlight the entries in the quote box below and then copy & paste them into the Killbox topmost box.
    After pasting them into the topmost textbox, click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? Click Yes. If you get a Pending files operations error message, just reboot your PC yourself.

    Note: Killbox will let you know if the file does not exist.

    After the reboot, Scan and post another HJT log.
     
  15. simonrana

    simonrana Private E-2

    Log file attached...
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must have something installed that is blocking changes to the registry. The below items still appear:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [xmubui] C:\WINDOWS\system32\povdvcj.exe r
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    The povdvcj.exe is a randomly named executable file that may change after each reboot. It and nail.exe are both related to the Aurora problem. Run the ABIremover tool and make sure you delete the randomly named executable like it tells you. It typically says something like:
    You will have to see what the randomly named file is now because (as I stated) it will keep changing names.
     
  17. simonrana

    simonrana Private E-2

    I have tried running the ABIremover, rebooting and using Hijacker to remove all those files you suggested (including the random file), and then running microsoft antispyware, rebooting and running antispyware again. Nail.exe seems to have finally kicked the bucket but the random named files are still around and microsoft antispyware still finds fresh ABI spyware files every time I run it. This problem is starting to get extremely frustrating!

    When you said
    I took this to mean "remove the randomly named file by killing the process and then fixing in scanmode in Hijacker". Is this right or did I miss a step? Perhaps that is where the problem is occurring...
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Yes! Lines like:
    O4 - HKLM\..\Run: [xmubui] C:\WINDOWS\system32\povdvcj.exe r

    are the random registry key, and the random file name is povdvcj.exe.

    Post a new HJT log and also post a log from MS Antispyware. MS AS could be getting in the way of making these registry changes.
     
  19. elmarice

    elmarice Private E-2


    hm hmmmm.....uh huh......

    this is the problem.....

    uh huh....uh hmmmmmm.......

    nail...aurora....the best offers....ad nauseam......

    this has been, and continues to be, the worst spyware ever to invade/infect/f-up and slow-down my compooooter in years.

    Every Geek thinks they have the solution, but, I beg to differ. I have bought, traded, bartered and sold my very soul for a fix to the dreaded Aurora. Guess what? HAHAHAHAHA

    Is what they're saying......Nuttin works!

    I have a goooood, gut feeling that they (them, Aurora, "thebestoffers") are in cahoots with all the software/spyware sites, and we're all being taken for a ride.

    what a bunchabull-patooty....

    makes me sick to me tummy
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Nail is not that hard to get rid of; if you are being reinfected then you may need to modify your surfing habits.

    Please run this uninstaller - Nail Uninstaller

    Post a fresh HijackThis log as an ATTACHMENT; after you have run the above uninstaller
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    elmarice - Start your own thread to deal with these issues. Please never post in someone else's thread.
     