A HijackThis for your review?

Discussion in 'Malware Help (A Specialist Will Reply)' started by shanrene123, Sep 14, 2005.

  1. shanrene123

    shanrene123 Private First Class

    Hello. I have just finished with all in the sticky thread for spyware removal. I would like to get your okay to post a HijackThis log file for your review? The last time I ran all of this it seemed my son's computer was protected, so we skipped the HijackThis step because we didn't have any more problems right away. Before these scans this time, he was re-infected again with lots of trojans (AVG), and Ad-aware was continually finding 30+ "critical objects", many of which seemed to be registry keys. So I've attached a logfile in case you request it. I'm going to switch to anti-virus protection through Trend Micro (which has a firewall), as I've just purchased it for 3 computers (we have 3 in our home network)...sound okay? I will follow the rest of your suggestions for "protection from malware". My son spends much time online playing role-playing games, in which he "forwards ports" on our router. He has an eMachines, WinXP SP2, Internet Explorer, running through a Belkin router & cable modem. Thanks for your time & I deeply appreciate any/all suggestions! Shannon
     


  2. shanrene123

    shanrene123 Private First Class

    Completed sticky, please help

    Hope I didn't rush things. We've done this a few times with MG's help & I thought it would help to save time. Thanks in advance, Shannon
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Print or save these instructions locally, because you must be offline and have no other windows (browsers or anything else) running before continuing.

    - Click Start > Run, type cmd and click OK. This brings up a command prompt window.

    Now leave the command prompt window open and bring up Windows Task Manager by pressing CTRL-SHIFT-ESC simultaneously. Do not be alarmed when you see your Desktop (icons etc.) disappear when you do the next steps. Do not close Task Manager until I tell you to do so.

    - Now locate explorer.exe in the Process list, right click on it and select End Process.

    You should now have only two windows showing: Task Manager and the command prompt.

    - In the command prompt, type the commands below, each followed by the Enter key. Take note of what happens with each one and tell me about it later when you come back here:
    nail.exe /FullRemove
    cd c:\windows
    attrib -r -s -h nail.exe
    del nail.exe
    exit <--- this will close the command prompt window

    Now go back to Task Manager, click File and select New Task (Run...). Enter explorer.exe into the popup and click OK. This should bring back your Desktop.

    Now you can close Task Manager.

    Post a new HijackThis log as an attachment.
     
  4. theefool

    theefool Geekified

    <edited> SPD beat me to it.
     
  5. shanrene123

    shanrene123 Private First Class

    Thanks for your time! I completed your directions & have included a new HJT log. My starting command prompt was "C:\Documents and Settings\Mom>" and I entered "nail.exe" ..., after which the same command prompt appeared below it with a flashing cursor. After the 2nd command was entered, the command prompt below it changed to "C:\WINDOWS>" with a flashing cursor, and the same for the rest, except for exit, which closed the window. Should I go ahead and install a firewall now? And do I continue to allow "viewing of hidden files", etc...? I'm getting some pop-ups when online...just to let you know. Thanks again for your time & suggestions :) ! Shannon
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are still infected by Nail.

    Download Nail/Bolder/Aurora Remover 0.3.3 Beta

    Have HijackThis fix the following line:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Reboot into safe mode and run Nail/Bolder/Aurora Remover. Don't reboot when asked.

    Now run Windows Explorer and navigate to the following:

    C:\WINDOWS\system32\ieuayw.exe <---- Delete the file if it exists
    C:\WINDOWS\Nail.exe <---- Delete the file if it exists


    Reboot into normal mode and post a new HijackThis log.
     
  7. shanrene123

    shanrene123 Private First Class

    All done. "C:\WINDOWS\Nail.exe" found and deleted. "F2-REG:system.ini:..." fixed by HJT. The new HJT log attached. :) Thanks, Shannon
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, that's better.

    Now have HijackThis fix the following lines:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
    O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll (file missing)

    O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
    O4 - HKLM\..\Run: [xgicmlo] C:\WINDOWS\xgicmlo.EXE
    O4 - HKLM\..\Run: [jnntes] C:\WINDOWS\system32\tgqlerw.exe r

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tvnxukv.exe (file missing)


    Reboot and post a new HijackThis log.
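    The entries Shadow_Puter_Dude has been picking out of the logs (posts 6, 8, 10, 12 and 14) share a few recognisable shapes: a Shell= line that starts something besides Explorer, start/search pages pointing at a site nobody chose, BHOs, toolbar buttons and services whose file is gone, and Run entries launching randomly named executables from C:\WINDOWS, system32 or a Temp folder. The Python below is an added example (the editor's, not MajorGeeks' or HijackThis's code) that applies those heuristics to lines in HijackThis's log format. The sample log is constructed from the line shapes quoted in this thread (the attached logs are not on the page), and the TRUSTED_HOSTS allowlist, the KNOWN_GOOD names and the looks_random() rule are assumptions made for the example, not anything the tool itself does.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis's line format, assembled from the kinds of
# entry quoted in this thread (the attached logs themselves are not on the page).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [jnntes] C:\WINDOWS\system32\tgqlerw.exe r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tvnxukv.exe (file missing)
"""

# Assumed allowlist of hosts a start/search page may point at; extend it with
# whatever the owner actually set.
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}

# Assumed: Run entries living in these directories get the random-name check.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

# Assumed: legitimate autostarts in system32 that would otherwise trip the check.
KNOWN_GOOD = {"ctfmon.exe", "rundll32.exe"}


def looks_random(stem: str) -> bool:
    """Heuristic (assumed here, not HijackThis's): generated names such as
    tgqlerw, rvlqako or srjbptf have few vowels or a long consonant run."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_share = sum(c in "aeiouy" for c in letters) / len(letters)
    return vowel_share < 0.35 or re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", stem.lower()) is not None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for each entry that should be fixed or looked at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        lower = line.lower()

        if kind == "F2" and "shell=" in lower:
            # The shell line should name explorer.exe and nothing else; any
            # extra token is started together with the desktop at every logon.
            extra = [t for t in lower.split("shell=", 1)[1].split() if t != "explorer.exe"]
            if extra:
                findings.append((line, "shell line also starts " + ", ".join(extra)))

        elif kind in ("R0", "R1") and " = " in line:
            target = line.split(" = ", 1)[1].strip()
            if urlparse(target).hostname not in TRUSTED_HOSTS:
                findings.append((line, "start/search page set to " + target))

        elif kind in ("O2", "O3", "O9", "O23") and ("(file missing)" in lower or "(no file)" in lower):
            findings.append((line, "orphaned entry: the registered file is gone"))

        elif kind == "O4" and "] " in line:
            command = line.split("] ", 1)[1].lower()
            exe = command.split(".exe", 1)[0] + ".exe"   # drop arguments such as the trailing " r"
            name = exe.rsplit("\\", 1)[-1]
            if "\\temp\\" in exe:
                findings.append((line, "autostart runs from a Temp directory"))
            elif exe.startswith(SYSTEM_DIRS) and name not in KNOWN_GOOD and looks_random(name[:-4]):
                findings.append((line, f"autostart {name} in a system directory has a generated-looking name"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

    It flags entries for review, not for deletion: run it over a saved log, check the F2 and O4 hits against what is actually on disk, and treat the "file missing" entries as the harmless clean-up they are. As this thread shows, fixing Run and Shell entries while the process that rewrites them is still alive only produces a fresh set of random names, which is why the kill-process and safe-mode steps matter.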
     
  9. shanrene123

    shanrene123 Private First Class

    Thanks for your quick reply :) ! Okay, all done. Here's my new HJT log. Thanks again, Shannon
     


  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We didn't get it; Nail is back.

    Have HijackThis fix the following lines:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O4 - HKLM\..\Run: [ceqehsv] C:\WINDOWS\ceqehsv.EXE
    O4 - HKLM\..\Run: [hhnouh] C:\WINDOWS\system32\rvlqako.exe r

    Reboot into safe mode and run Nail/Bolder/Aurora Remover. Don't reboot when asked.

    Now run Windows Explorer and navigate to the following:

    C:\WINDOWS\system32\rvlqako.exe <---- Delete the file if it exists
    C:\WINDOWS\ceqehsv.EXE <---- Delete the file if it exists
    C:\WINDOWS\Nail.exe <---- Delete the file if it exists

    Reboot into normal mode and post a new HijackThis log.
     
  11. shanrene123

    shanrene123 Private First Class

    Okay, done... :rolleyes:...new log attached. Thank you, Shannon
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Have HijackThis fix the following lines:

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [ceqehsv] C:\WINDOWS\ceqehsv.EXE
    O4 - HKLM\..\Run: [zatagw] C:\WINDOWS\system32\srjbptf.exe r

    Next, download, install and run CCleaner.

    Reboot into safe mode.

    Now run Windows Explorer and navigate to the following:

    C:\WINDOWS\ceqehsv.EXE <---- Delete the file if it exists
    C:\WINDOWS\system32\srjbptf.exe r <---- Delete the file if it exists
    C:\WINDOWS\system32\richedtr.dll <---- Delete the file if it exists

    Next DELETE everything in C:\WINDOWS\Prefetch

    Reboot into normal mode and post a new HijackThis log.
     
  13. shanrene123

    shanrene123 Private First Class

    Shadow, here it goes...my latest HJT log. Thanks :) , Shannon
     


  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This one wants to be stubborn.

    In HJT, choose Open the Misc Tools Section, then Process Manager, and highlight

    C:\WINDOWS\system32\xtgkiv.exe

    Choose Kill Process

    Download
    - Pocket Killbox
    - L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe.
    Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop.

    DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your message.

    Please don't run any other files in the L2MFix folder.

    Now scan and have HJT Fix this line if it exists

    O4 - HKLM\..\Run: [icetmg] C:\WINDOWS\system32\xtgkiv.exe r

    Now use Pocket Killbox with these options if the file is still there.
    "Standard File Kill"
    "End Explorer Shell while Killing File"


    and paste this line:

    C:\WINDOWS\system32\xtgkiv.exe

    Click the Red X to confirm and let it reboot.

    Post a fresh HijackThis Log
     
  15. shanrene123

    shanrene123 Private First Class

    Shadow, No "C:\WINDOWS\system32\xtgkiv.exe" in Process Manager in HJT. Should I continue with the rest?
     
  16. shanrene123

    shanrene123 Private First Class

    Shadow, I still didn't find the file "...xtgkiv.exe" but did all you requested anyway. Logs attached. Thanks for your time :) ...sorry this has been so much trouble :rolleyes: !
     


  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Nail just won't go away. Try this again.

    - While still in safe mode, run abiremover.exe, but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click Install and wait (the Explorer window will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Post another HijackThis log.
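    HOSTER's Restore Original Hosts button overwrites %SystemRoot%\System32\drivers\etc\hosts with the stock file, which on Windows XP is the Microsoft comment header plus the single line 127.0.0.1 localhost. Before wiping it, it is worth reading what the adware put there, because the entries say what it was trying to do: names pinned to 127.0.0.1 are being blocked (security vendors' update and online-scanner sites are the usual targets, which would explain an uninstaller or online scan failing), and names pinned to any other address are being redirected. The Python below is an added example (the editor's, not part of the thread or of HOSTER) that parses a hosts file and classifies each mapping; the sample file and its .example names are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the thread): the stock XP entry plus
# the kinds of line adware of this era added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.antivirus.example     # blocks the vendor's update site
127.0.0.1       onlinescan.antivirus.example
203.0.113.7     www.bank.example             # sends the browser somewhere else
192.168.1.10    nas                          # home-LAN override, plausibly intentional
"""

# Names the stock file maps to loopback; any other name on loopback is blocked.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# RFC 1918 ranges: mappings into these are usually the owner's own devices.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> List[Tuple[object, str]]:
    """Return (address, hostname) for every mapping, ignoring comments and blanks."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # a comment runs to end of line
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: skip
        for name in fields[1:]:                   # one address may carry several names
            mappings.append((addr, name.lower()))
    return mappings


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify every non-stock mapping as 'blocked', 'lan' or 'redirected'."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOOPBACK_NAMES and addr.is_loopback:
            continue                              # the stock entry
        if addr.is_loopback:
            verdict = "blocked"                   # the name now resolves to this machine
        elif any(addr in net for net in LAN_NETS):
            verdict = "lan"                       # local override; confirm with the owner
        else:
            verdict = "redirected"                # traffic for the name goes to addr instead
        findings.append((name, str(addr), verdict))
    return findings


if __name__ == "__main__":
    for name, addr, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {name} -> {addr}")
```

    Anything reported as blocked or redirected is a sign the file was tampered with and should go; a lan entry is the one case to ask the owner about before restoring the stock file. The file is usually marked read-only and needs an elevated editor or a tool like HOSTER to rewrite.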
     
  18. shanrene123

    shanrene123 Private First Class

    Shadow, my last post for the night...thanks for hanging in there with me! New HJT log attached. Sweet dreams, Shannon
     


  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    shanrene123,

    Download the following file; after the download is complete, run the uninstaller. When the uninstall is complete, reboot to normal mode and proceed with the steps below. I would like to check something.

    Download Uninstaller


    First, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder, C:\Program Files\QoologicFinder. Then DoubleClick Find-Qoologic.bat to run the tool. It should produce a log. Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
  20. shanrene123

    shanrene123 Private First Class

    Bjgarrick,
    Attached are the log files from QoologicTool & RKTool. Unable to run "Uninstaller". Tried everything I could think of. Error message states, "C:\SpywareTools\MyPCUnistaller.exe is not a valid Win32 application." Also had some difficulties getting QoologicTool to work, but hoping it finally did. May just be the operator instead of the PC :eek: ?
    Will post my log for Panda with my next quick reply. This would only allow me to attach 2. I'm already to the point of super :eek: frustrated here, but am still trying. If we totally reformat would it solve this? Seems we had tried that once previously with a friend's badly infected computer, and it was still very infected. Thanks to you & Shadow for your help! Shanrene
     

    Attached Files:

    • log.txt (866 bytes)
    • file.txt (656 bytes)
  21. shanrene123

    shanrene123 Private First Class

    Panda Online log

    Here's the Panda log. :D
     


  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    First look in Add or Remove Programs in the Control Panel and uninstall the following if found:
    Next, in HJT, choose Open the Misc Tools Section, then Process Manager, and highlight
    Choose Kill Process

    Now scan and have HJT fix this line if it exists
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the filenames below into KILL BOX one at a time. Tick the box that says "Delete on Reboot" and tick the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE, open Windows Explorer, navigate to and DELETE the following folders.
    Reboot and post a new HJT log.
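    The "Delete on Reboot" option used above, and the "Pending Operations" error the post warns about, both come from one Windows mechanism: MoveFileEx() called with MOVEFILE_DELAY_UNTIL_REBOOT records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries the queued operations out at the next boot, before the shell and any Run entries are loaded, which is how a file that is locked while Windows is running can still be removed. The value is a flat list of source/destination string pairs in NT path syntax (\??\C:\...); an empty destination means delete, and a destination starting with "!" means overwrite the existing file. It is worth reading during a clean-up, because it shows what the tool queued and malware can use the same slot to put its files back at boot. The Python below is an added example (the editor's, not Killbox's code) that encodes and decodes that value and flags queued writes into system directories; the sample operations are constructed, reusing the file name from post 14, and the SYSTEM_DIRS list is an assumption.

```python
from typing import List, Tuple

# Prefix MoveFileEx puts in front of each Win32 path stored in the value.
NT_PREFIX = "\\??\\"

# Assumed for this example: directories nothing should be staged into at boot
# without a reason.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


def encode_pending_ops(ops: List[Tuple[str, str]]) -> List[str]:
    """Build the multi-string for (source, destination) pairs.

    destination "" queues a delete; a destination beginning with "!" queues a
    replace-existing move; anything else a plain move.
    """
    strings = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        if dst == "":
            strings.append("")
        elif dst.startswith("!"):
            strings.append("!" + NT_PREFIX + dst[1:])
        else:
            strings.append(NT_PREFIX + dst)
    return strings


def _strip_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(strings: List[str]) -> List[Tuple[str, str, str]]:
    """Turn the multi-string back into (action, source, destination) tuples."""
    ops = []
    for i in range(0, len(strings) - 1, 2):      # pairs; an odd trailing string is ignored
        src, dst = _strip_prefix(strings[i]), strings[i + 1]
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, _strip_prefix(dst[1:])))
        else:
            ops.append(("move", src, _strip_prefix(dst)))
    return ops


def suspicious_ops(strings: List[str]) -> List[Tuple[str, str, str]]:
    """Queued moves or replaces that land a file in a system directory: that is
    how a file gets put back after a clean-up, so each one needs a reason."""
    return [op for op in decode_pending_ops(strings)
            if op[0] != "delete" and op[2].lower().startswith(SYSTEM_DIRS)]


def read_live_pending_ops():
    """On Windows, read the live value; None elsewhere, [] if the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return list(value)
    except FileNotFoundError:
        return []
    finally:
        key.Close()


# Constructed sample: the delete a Killbox run would queue for the file named in
# post 14, plus a staged drop into system32 of the kind a clean-up should catch.
SAMPLE_OPS = [
    (r"C:\WINDOWS\system32\xtgkiv.exe", ""),
    (r"C:\DOCUME~1\Owner\LOCALS~1\Temp\stage.tmp", r"!C:\WINDOWS\system32\dropped.dll"),
]

if __name__ == "__main__":
    encoded = encode_pending_ops(SAMPLE_OPS)
    for op in decode_pending_ops(encoded):
        print(op)
    print("suspicious:", suspicious_ops(encoded))
    live = read_live_pending_ops()
    if live is not None:
        print("live queue:", decode_pending_ops(live))
```

    On the infected machine, run read_live_pending_ops() just before the reboot Killbox asks for: the queue should contain only the deletes you entered, and a "Pending Operations" error usually means something else is already queued there.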
     
  23. shanrene123

    shanrene123 Private First Class

    Okay, Shadow, all done. HJT log attached. Thanks :D , shanrene
     


  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It looks like we got it that time. Reboot your computer and post a fresh HJT log just to make sure.

    You should update your Sun Java to the latest version also.
     
  25. shanrene123

    shanrene123 Private First Class

    Cool, Thanks :D ! My latest HJT log. I appreciate all your help! MGs are the greatest! Shanrene
     


  26. shanrene123

    shanrene123 Private First Class

    Shadow & Bjgarrick, ran a ScanDisk & doing a defrag now. How do I update Sun Java? No pop-ups last time online :cool: ! Will know more how it is running after my son gets on it tonight. Is Trend Micro AV w/firewall, Ad-aware, Spybot, SpywareBlaster, & CCleaner enough to keep him safe with online games & chatting? Of course, along with XP updates when needed. Just asking... :confused: If you all are ever in Knoxville, you have a free dinner coming :) ! Respectfully, Shanrene
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's gone.

    You are using adequate protection. How long a system stays virus free depends upon the user's habits. This tutorial, How to Protect yourself from malware!, is a good place to start.

    You can update your Sun Java by going to THIS WebSite. Uninstall the old version before installing JAVA 5.0, you can do that from Add or Remove Programs in the Control Panel.

    Glad to help.
     
