Aurora and Nail.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by REengineer, Apr 23, 2005.

  1. REengineer

    REengineer Private E-2

    I have done all the things in the READ ME FIRST BEFORE ASKING FOR SUPPORT section, but Nail.exe keeps reappearing in my Hijack This log as an F2 entry. And with that, I keep getting popups from Aurora, whoever that is. Also, I keep getting an R0 entry redirecting my browser homepage. I agreed not to write anything objectionable when I signed up here, so I won't type the name of the site.

    In addition to all of the antispyware that you recommended, I also ran Microsoft AntiSpyware Beta.

    I use Windows Firewall, but even though I have administrative rights, I can't make any changes to it, other than to check the "Don't Allow Exceptions" box, which I did, and the above problems continue to happen. Is it possible that the same thing that is causing these problems has also taken away some of my administrator rights?

    Any help would be appreciated.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, lets start with the Nail.exe problem.

    - Click Start > Run and type: cmd and then click OK. This brings up a command prompt window.
    - Once the command prompt opens, type the below command and then hit the Enter key:

    nail.exe /FullRemove

    Next, lets take care of the Aurora problem.

    Download and run the uninstaller.

    Download Here!

    After you run this tool, reboot and then proceed with the next step.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. REengineer

    REengineer Private E-2

    Aurora and Nail gone - browser hijacker still there

    Thank you very much. Aurora and Nail appear to have beat a hasty retreat in the face of the superior Major Geek forces !!

    Now I just have the other problem - the browser hijack. My log file is attached. The "mreis.mlxchange" entry is what I want for my homepage. It's that second R0 item that I need to remove and keep it away. It seems that it regenerates every few minutes. Also, every site that I open has a "Trusted Sites" green checkmark at the bottom right of the IE window. But there are no trusted sites in my security settings. Is this from the hijacker too?
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Please update your version of Hijack This.
    Second:
    Download and install Microsoft® Windows AntiSpyware during the install make sure you get any updates.

    REBOOT INTO SAFE MODE!

    Please make sure ALL Browser Windows are Closed.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and attach a fresh HJT log using the new version.
     
  5. REengineer

    REengineer Private E-2

    OK, here it is.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Be sure you have the latest version of MSAS. You MUST have these updates for MSAS to remove this baddie!

    Microsoft AntiSpyware Version: 1.0.509

    Microsoft AntiSpyware Spyware Definition Version: 5711
     
  7. REengineer

    REengineer Private E-2

    Okay, I have the latest MSAS. Funny thing about Hijack This. I thought I had the right version, having downloaded it from your site. But after your last message, I did it again. When I checked the properties of the exe file, it says version 1.99.0.1, but when the program runs, it says version 1.99.1. So I hope this is the right version.

    When I ran MSAS, the message was "Possible Browser Hijack (Browser Modifier)", and below it listed the offending site. It then proceeded to correct it, or so it said. Afterwards, I kept getting the little popup box from MSAS saying it had blocked an attempt by the bad site to take over my start page.

    Anyway, here are two log files. The first one, hijackthis-Monday.log, is the one I did right after the normal reboot, as per your instructions. I did the second one, hijackthis-Monday2.log, after a few hours and a couple of reboots. The offending R0 entry is in the second one, but not the first. And all of my IE windows open up as "Trusted Zone", even though I have no sites listed in my "Trusted Zone" section.

    One more thing that might be relevant, and it might not. As Windows was shutting down in safe mode, I got an "end program" box for something called "sample". I let it run, and it eventually went to "not responding", so I did an end now.

    Thank you for your responses.
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baldpussyteens.net/promout.php

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

    O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they still remain:

    C:\WINDOWS\isrvs <-- Delete this whole folder!

    C:\WINDOWS\System32\LgNotify.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
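As an added example (not code from the thread, from the helpers, or from HijackThis itself), here is a small Python triage script that applies the same reading of a HJT log that bjgarrick does in the post above: it parses the R0/R1, O4, O15, O18 and O20 lines and reports the ones a helper would ask to have fixed, with the reason. SAMPLE_LOG is constructed from the entries quoted in this thread, with the hijacker's domain replaced by example.net and one Trusted Zone site shown as example.org; HOST_ALLOWLIST, DEFAULT_WINLOGON_NOTIFY, KNOWN_GOOD_BARE, ADWARE_NAMES and the "random-looking name" heuristic are assumptions made for the example.

```python
"""HijackThis 1.99.x log triage (added example, not code from the thread or HJT)."""
import re
from urllib.parse import urlsplit

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)")
O20_RE = re.compile(r"^Winlogon Notify: (?P<subkey>\S+) - (?P<dll>.+)$")

# Assumptions for the example: hosts the owner wants as home page / Trusted site,
# Winlogon Notify subkeys that ship with XP, bare Run entries known to be
# legitimate (the thread later restores Ati2mdxx.exe), adware names in the thread.
HOST_ALLOWLIST = ("mreis.mlxchange.com", "www.majorgeeks.com")
DEFAULT_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                           "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_GOOD_BARE = {"ati2mdxx.exe"}
ADWARE_NAMES = ("180solutions", "ffisearch", "isearch")

# Constructed from entries quoted in the thread; the hijacker's domain is
# replaced by example.net and one Trusted Zone site is example.org.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mreis.mlxchange.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.net/promout.php
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [hebel] C:\WINDOWS\hebel.exe
O4 - HKLM\..\Run: [w72O3Ee] mobcoins.exe
O4 - HKCU\..\Run: [hwtEROK5W] mmchping.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.example.org
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
"""


def _host_allowed(host):
    host = host.lower().lstrip("*.")
    return any(host == a or host.endswith("." + a) for a in HOST_ALLOWLIST)


def _url_reason(body):
    """R0/R1 bodies look like '<key>,<value> = <url>'."""
    url = body.partition(" = ")[2].strip()
    if not url or url.startswith("about:"):
        return None
    host = urlsplit(url).hostname or ""
    return None if _host_allowed(host) else f"start/search page points at {host}"


def _run_reason(name, cmd):
    """O4 heuristics: where the binary lives, then names seen in the thread."""
    low = cmd.strip().strip('"').lower()
    end = low.find(".exe")
    low = low[: end + 4] if end != -1 else low  # drop command-line arguments
    directory, _, base = low.rpartition("\\")
    reasons = []
    if not directory and base not in KNOWN_GOOD_BARE:
        reasons.append("bare filename resolved via PATH/App Paths; confirm where it lives")
    elif directory == "c:\\windows":
        reasons.append("executable dropped directly into %WINDIR%")
    elif directory.startswith("c:\\windows\\") and not directory.startswith("c:\\windows\\system32"):
        reasons.append("executable in an unusual subfolder of %WINDIR%")
    if any(tag in low or tag in name.lower() for tag in ADWARE_NAMES):
        reasons.append("matches an adware name seen in this thread")
    if re.fullmatch(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}", name):
        reasons.append("random-looking Run value name")
    return "; ".join(reasons) or None


def triage(log_text):
    """Return (kind, line, reason) for entries a helper would ask the poster to fix."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body, reason = m.group("kind"), m.group("body"), None
        if kind in ("R0", "R1"):
            reason = _url_reason(body)
        elif kind == "O4" and (o4 := O4_RE.match(body)):
            reason = _run_reason(o4.group("name"), o4.group("cmd"))
        elif kind == "O15" and body.startswith("ProtocolDefaults:") and "Trusted Zone" in body:
            reason = "a whole protocol, not a site, is mapped to the Trusted zone"
        elif kind == "O15" and (tz := O15_TRUSTED_RE.match(body)) and not _host_allowed(tz.group("host")):
            reason = f"{tz.group('host')} added to the Trusted zone"
        elif kind == "O18":
            reason = "orphaned MIME filter" if "(no file)" in body else "non-default MIME filter"
        elif kind == "O20" and (o20 := O20_RE.match(body)):
            if o20.group("subkey").lower() not in DEFAULT_WINLOGON_NOTIFY:
                reason = f"non-default Winlogon Notify DLL: {o20.group('dll')}"
        if reason:
            findings.append((kind, raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for kind, line, reason in triage(SAMPLE_LOG):
        print(f"{kind:<4}{reason}\n    {line}")
```

The two O15 ProtocolDefaults entries are what produce the "Trusted Sites" marker the poster sees on every page: they map the http protocol itself, rather than any particular site, to the Trusted zone, so every URL is loaded with that zone's relaxed settings. The O4 heuristics are prompts for review, not verdicts: Ati2mdxx.exe is a bare filename just like mobcoins.exe, and further down the thread it turns out to be a legitimate ATI entry that should not have been fixed, which is why it is on the allowlist here.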
  9. REengineer

    REengineer Private E-2

    Yikes, what a morning!!

    As soon as I booted my computer, I was attacked by a bunch of stuff. MSAS, Spybot Tea Timer and AVG were all giving me their popup warnings that changes were trying to be made. Among them were apropomedia, 180search, isearch and yoursitebar. I clicked "deny" and "heal" as fast as I could. There were some trojans that AVG said it could not heal, delete or move to the virus vault. So I just hit "continue".

    I know that iSearch has its own uninstaller, and I used that earlier when this problem first began before I contacted you. I used it because even though Spybot and MSAS said they deleted it, it was always still there. The iSearch uninstaller seemed to work temporarily, but the darned thing keeps coming back.

    I then went here and found your reply, so I printed it out, and followed the instructions. When I ran HijackThis, there were a bunch of other O15 entries which added sites to my trusted zone. I checked and fixed them, as well as the lines that you told me to.

    I was unable to delete LgNotify.dll. "Cannot delete LgNotify: access is denied" So I unchecked the read-only box and tried again. Still no success. I followed the remaining instructions. hijackthis log file is attached. Spybot found iSearch, callinghome.biz, DyFuCa, peopleonpage, n-case and shopathome.

    As I am typing this, I just got an MSAS popup saying that Trojan:Startpage is trying to install. Also, another one just popped up saying that the start page was trying to be changed to our old friend, and MSAS had blocked it based on my past responses.

    I believe I mentioned that I am using Windows Firewall. And even though I have administrator rights, I can't change anything on it, except to check "Don't Allow Exceptions". It reads, "For your security, some settings are controlled by group policy". Has this been hijacked also? Is it possible that there is a port being left open that is exposing me to the world? Symantec security check says that I have three ports open: ICMP-ping port, port 21 for FTP, and port 80 for HTTP. Are these critical, and how do I close them if they are?

    Thanks for your continued advice.
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Regarding the file basfipm.exe, do you have anything Broadcom installed?


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    180solutions

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baldpussyteens.net/promout.php

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [hebel] C:\WINDOWS\hebel.exe
    O4 - HKLM\..\Run: [w72O3Ee] mobcoins.exe
    O4 - HKCU\..\Run: [hwtEROK5W] mmchping.exe

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    NOW:
    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\hebel.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\mobcoins.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\mmchping.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After you reboot, proceed with the next set of instructions:

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After you do ALL of the above, let's finish up by doing a sweep with SpySweeper.

    Download, install, update, and run Spy Sweeper
    Let me know what it finds. Save a log and post it if you can.

    After doing ALL of the above, reboot and post a fresh HJT log and also let me know how things are running now.

    Good Luck!:)
     
  11. REengineer

    REengineer Private E-2

    I just finished doing all the stuff you asked me to.

    First - about Broadcom. My network adapter is Broadcom, and I have two related programs that show up on add/remove programs - Broadcom Advanced Control Suite and Broadcom ASM Management Applications.

    I got hit with another blast when I booted back up this afternoon. I did a MSAS scan and deleted a bunch of the same stuff that I have been deleting on a regular basis - apropos, isearch, etc. I then ran HJT, and it had 20 lines of O15, which listed sites that were put in my trusted zone, as well as the same two trusted zone lines that you had me remove yesterday.

    180solutions was no longer on the HJT log. The only O4 line that was still there was the hebel one. The O18 line wasn't there either. None of the files that you asked me to use killbox on were there.

    Trojanhunter found and deleted 12 trojans. And I have attached the SpySweeper log and the latest HJT log. SpySweeper is running in the background and when I rebooted, it detected the start page hijack attempt. But as the HJT log shows in the R0 line, the file is still there.
     

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Boot into Safe Mode

    Scan with HJT and have it fix this entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baldpussyteens.net/promout.php

    Your log looks ok other than this, what problems are you having now?
     
  13. REengineer

    REengineer Private E-2

    So far, no more big slams, and I've rebooted several times.

    But the R0 line immediately regenerates after HJT deletes it. I went to safe mode, and I've also done it in normal mode. SpySweeper pops up and blocks it sometimes, and sometimes MSAS pops up and blocks it, but sooner or later it's gonna get in. I need to get rid of it. Totally.
     
  14. REengineer

    REengineer Private E-2

    I guess I spoke too soon. Since the start page hijacker was continually regenerating itself after HJT deleted it, I ran MSAS, and all our old friends were there - AproposMedia Browser Modifier, Shop at Home, iSearch, and a couple of "Unclassified Spyware" items, along with our famous start page hijacker. MSAS went "not responding" while it said it was removing the start page hijacker. I had to end task with task manager.

    Do you know anything about the iSearch removal tool? I mentioned that I ran it once a while ago and it took iSearch out for a while. But I don't know if it did more harm than good.

    By the way, I was in normal mode when I did all this stuff.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You do have System Restore disabled correct?

    Before we do anything else, run a full scan as requested below:

    Download Ad-Aware SE

    Make sure you have the updated ref file, it should be the below:
    Ad-Aware SE reference file SE1R41 25.04.2005

    Now boot into Safe Mode and run a full system scan and remove all found infections.

    NEXT:
    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\toolbar.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After your system has rebooted, you can download and run the removal tool.

    iSearch Toolbar Removal Tool

    After doing ALL of the above, scan with HJT and have it fix that entry if it still remains. Then reboot a few times and tell me how things look now.
     
  16. REengineer

    REengineer Private E-2

    The "Turn Off System Restore" box is checked.

    I ran Ad-Aware (the correct version). It found and deleted a couple of things. toolbar.dll was not there. When I ran the iSearch removal tool, all my antispyware (MSAS, SpySweeper, Spybot Tea Timer) told me that it was trying to install itself. I wasn't sure whether the antispy stuff had misinterpreted the changes that were being made, or if the removal tool was really not what it claims to be.

    I have run HJT several times and rebooted several times. The R0 entry continues to regenerate immediately after being "fixed" by HJT.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    One of the problems is that you have too much protection; everything we are doing is being prevented by all this protection.

    Uninstall what you're not using so nothing will be blocking any of this.

    Try running the removal tool again with the programs uninstalled and tell me what happens.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should temporarily uninstall ALL the protect programs like SpySweeper, MS Antispyware, Spybot.
    They are probably preventing the change. I have seen this dozens of times. They are treating the changes you are making by hand like malware trying to change something they are protecting.
     
  19. REengineer

    REengineer Private E-2

    Here's the sequence of what I have done since the last message.

    Since I had been attacked again, I booted in safe mode and ran some tools as follows

    SpyBot - found and deleted 3 items
    AdAware - found and deleted 46 items
    MSAS - found and deleted 3 items
    SpySweeper - found and deleted 4 items
    Trojan Hunter - found and deleted 3 trojans
    CCleaner - cleaned out a bunch of stuff
    HJT - removed R0 entry and sixteen O15 entries that had put things in my Trusted Sites.

    I assumed (hopefully correctly) that when you said "uninstall" that disabling the real time stuff would serve the same purpose. So I unchecked SpyBot Tea Timer, deactivated all three real time functions in MSAS, shut down SpySweeper, and turned off Trojan Guard. Ad-Watch is not running.

    I then rebooted in safe mode, checked to make sure all that stuff was still off, and ran the iSearch removal tool. Nothing popped up and it said it removed it. I then ran HJT and the R0 entry was listed twice. I deleted them both, and an R3 entry came up. I deleted that and further HJT scans in safe mode did not have the R0 line.

    I rebooted in normal mode and ran HJT. R0 was back. I fixed it, and scanned again. It's still there. And it continues to regenerate immediately after being fixed by HJT. The log file is attached.

    Any ideas about where to go from here?

    Thanks.
     

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must uninstall the applications. Shutting down is not the same thing in most cases. The programs have saved settings and they will recall them as soon as you re-enable them.

    If uninstalling does not work, we would have to look to see what hidden process is restoring that line.
     
  21. REengineer

    REengineer Private E-2

    Roger that.

    OK, here's the latest sequence.

    I uninstalled:
    SpyBot
    AdAware and Plugins
    MSAS
    Spy Sweeper
    Trojan Hunter
    Spyware Blaster

    I then rebooted in safe mode and ran the iSearch removal tool. Once again, it said it deleted it.

    I then ran HJT. It had the R0 and an R3 line. The attached log file ending in weds-pm2 shows this. I fixed those, and ran HJT again and they stayed gone. I rebooted again in safe mode, ran HJT and they were still gone.

    I then rebooted in normal mode, and my IE start page had been hijacked to our old R0 friend. I ran HJT and the R0 line was there twice, but the R3 line was gone. The attached log file ending in weds-pm3 shows this.

    I fixed the R0 entries and ran HJT again. No R0, but my IE properties said "about:blank". Remembering that name from the "DO NOT POST UNTIL YOU HAVE READ THIS" section, I ran services.msc to check for the three services that you mentioned. None of them were there.

    I changed IE to default and ran HJT. R0 was still gone.

    I rebooted again in normal mode. The IE page was still hijacked and the R0 reappeared in the HJT scan.

    Right now I have no antispyware installed. Should I reinstall all that stuff?
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What we need to find out is when it comes back. Remain physically disconnected (unplug cable) from the internet while fixing those lines and do not run/open any browsers.

    Fix the lines in HJT (in normal boot mode).


    Now Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Run HJT again! Are lines still gone? Call this point 1.
    Reboot your PC back into normal mode (no browsers & no internet connection)
    Are lines still gone? Call this point 2.
    Without your cable plugged in, open one Internet Explorer window and then close it.
    Are lines still gone? Call this point 3.
    Plug in your cable.
    Are lines still gone? Call this point 4
    Open a browser now with cable plugged in. Close browser.
    Are lines still gone? Call this point 5.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also do the following with one Internet Explorer window opened.

    Also do the below:
    Download ProcessExplorer from: http://www.sysinternals.com/files/procexpnt.zip

    Unzip it and now run ProcessExplorer and lets configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked. Now click on iexplore.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    Now click on File and then Save As. And save the process list. Post it back here as an attachment.
     
  24. REengineer

    REengineer Private E-2

    OK, I completed all of that. The lines stayed gone all the way through and including point 5. I ran Process Explorer and the list is attached.

    I did one more step. I rebooted in normal mode and the R0 lines are back and the majorgeek R0 line is gone. Log file attached.
     

  25. REengineer

    REengineer Private E-2

    Oh yeah, I almost forgot. That last reboot was while I was connected to the internet. I mentioned in one of my posts the ports that Symantec said I had open. And the only firewall I am running is the Windows one. And even though I am the administrator, I can't control it. Do you think this has something to do with the problem?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were supposed to reboot into normal mode right after point 1 and before point 2.

    Or are you saying it took an additional reboot into normal mode.

    If that is the case, repeat the steps again, and this time if still clean at point 5, do not power down. Physically unplug the power cord to your PC. Yes, you read that correctly. I do not want to have a graceful shutdown. Now wait a couple minutes and power back up.

    Check your log now.
     
    Last edited: Apr 28, 2005
  27. REengineer

    REengineer Private E-2

    I did reboot in normal mode between points 1 and 2, just not connected to the internet. The reboot I did at the end was while I was connected to the internet. That's when the bad lines appeared.

    I'll redo the steps a bit later and repost. Somebody else is working on my network until 1 pm. My laptop is wireless, so I just disconnect the DSL phone line. (I assumed that just disabling the wireless connection might not be as effective) I can't do that until after he leaves at 1:00
     
  28. REengineer

    REengineer Private E-2

    OK, I want to try to avoid misunderstanding so I will detail all the steps I have taken.

    I disconnected from the internet, ran HJT and fixed the offending R0 entries.

    I ran HJT again and the lines were still gone.

    I followed your step 2 with my IE icon. I Reset Web settings and changed my home page address to www.majorgeeks.com. I deleted cookies and files, including offline content. I also cleared history.

    I ran HJT. R0 says majorgeeks, as I would expect. The offending lines were not there. This is point 1.

    I rebooted in normal mode, still disconnected from the internet. HJT was the same as before - no bad R0's. This is point 2.

    I opened IE, waited for the "page cannot be displayed" notice, and then closed it and ran HJT again. Still the same - no bad R0's. This is point 3.

    I plugged in the internet cable and ran HJT again. Still the same - no bad R0's. This is point 4.

    I opened IE, waited a minute and closed it. HJT still was the same - no bad R0's. This is point 5.

    I pulled the power cord, left the internet connected, waited a few minutes and turned it on. HJT showed the bad R0's - twice. I fixed them.

    I disconnected the internet wire, pulled the power cord, waited a few minutes and turned it on. HJT showed no bad R0's.

    I reset the web settings, put majorgeeks back as my home page, pulled the plug to shut down (no internet), rebooted - no bad R0 lines.

    I pulled the plug to disconnect, turned it back on with internet connected, bad lines are back.

    The following is a quote from my earlier post.

    I believe I mentioned that I am using Windows Firewall. And even though I have administrator rights, I can't change anything on it, except to check "Don't Allow Exceptions". It reads, "For your security, some settings are controlled by group policy" Has this been hijacked also? Is it possible that there is a port being left open that is exposing me to the world? Symantec security check says that I have three ports open. ICMP-ping port, port 21 for FTP, and port 80 for HTTP. Are these critical, and how do I close them if they are?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have personally not played with the Win XP SP2 firewall very much. Mostly because I use more comprehensive firewalls. The one in Win XP SP2 does not provide sufficient protection. I wonder if you can disable it completely (I only ask because you are having problems making changes). I would like to see you install either Sygate or ZoneAlarmFree and disable the Windows XP SP2 firewall.

    Check these links out on WinXP SP2 firewall:
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngintro.mspx
    http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

    To download Sygate or ZoneAlarmFree see: How to Protect yourself from malware!
     
  30. REengineer

    REengineer Private E-2

    I installed Zone Alarm as you suggested. I then reinstalled all the antispyware stuff that I had previously uninstalled and ran scans with Spybot, Ad-Aware and MSAS. They all found a lot of stuff. I ran HJT.

    But the only way I can get on the internet is to close ZA. It tells me that IE is trying to access the internet, I say to allow. It also asks to allow a "Generic Host Process for Win 32". The application name is svchost.exe. I denied access to that first, and could not get on the net. I then tried allowing that process, but still no dice getting on. After I shut down ZA, open the browser, and reopen ZA, I can run fine. But I wonder what I am letting into my computer in the meantime.

    Any ideas?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in the Program Control settings and Programs tab. There should be a list of programs that are set up for Access (Trusted and Internet) and Server (Trusted and Internet) and a Send Mail column and a Password Locked column. Tell me which programs have an X to block them and in which columns.

    Also look under the Components tab. Which items are blocked here?
     
  32. REengineer

    REengineer Private E-2

    In the Access and Server columns, they are all question marks (no X's) except for Microsoft Office Outlook and Firefox, which are green checkmarks. I don't see a Send Mail or Password Locked column. Also, I can't find a Components tab. Are those features of Zone Alarm Pro? I just have the free edition for now.

    I am about ready to flush and reinstall XP. I don't want to because I know it will take me all day to reinstall all my software, but.......
     
  33. REengineer

    REengineer Private E-2

    OK, I think I really may have put my foot in it now. Yesterday I ran HJT and deleted some lines I knew were bad - like the trusted zone ones and the bad R0 ones. But I also deleted some other lines that I didn't recognize and thought were bad. Attached are two HJT logs. One is the one I just did this morning. The other is just a list of the lines I deleted, which I found from comparing it to a log I took before I started deleting anything. Now I can't get into my mreis site, which I need for work. And, as I mentioned, I can't get on the net at all unless I disable ZA. I'm posting from a different computer now.

    So, how bad did I screw up??
     

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why don't you have green check marks in the Access column for Internet Explorer and Windows Explorer (possibly others too)?

    Yes some features are only for ZA Pro
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not have fixed the below:

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

    Restore them using HijackThis.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you disabled the Win XP SP2 firewall? If not, you must do that.
     
  37. REengineer

    REengineer Private E-2

    Probably because when I installed ZA, I checked the custom option that denied everything unless I gave it permission, which I was doing on a case by case basis. I uninstalled and reinstalled using the recommended option, and now I have green checks in the access columns for Firefox, Generic Host Process for Win32 Services, IE, and Services and Controller app. In the Server columns, there is a green check in the trusted column of Generic Host Process for Win32 Services, and a red X in the internet column for it. All the others are blue question marks.

    I decided to start over with your recommendations. Hidden files are shown and system restore is off.

    Services.msc will not run. It says "MMC cannot open the file C:\Windows\System32\services.msc", but the file is there.

    Trend Micro scan found 21 trojans. It fixed all but one.

    Symantec security check found the same open ports as before, even with ZA running.

    Stinger found the Qhosts.apd trojan and fixed it.

    Ad-Aware found nothing.

    SpyBot found DyFuCa, Callinghome.biz, and iSearchTech.PowerScan

    MSAS found nothing.

    I have attached two HJT logs. One from this morning, and one from just now.
    (Sorry about sending one as a Word file. For some reason, the one from this morning would not work. I know it should. But it wouldn't upload).

    I still cannot access my mreis web page. The message is:

    Client script error in page [signInJS.asp] in function [GetAuthKey]: Exception (-2146827859) Automation server can't create object SiteCode:MRE Login: 006869

    I can access the page from other computers, just not my laptop.

    And periodically, my internet connection just quits, and the dial up box comes up. When I shut down ZA, no problems getting on the net. (All except the mreis page. Nothing I can do gets me on that now.)
     
  38. REengineer

    REengineer Private E-2

    I am still unable to access Windows Firewall to disable it. The appropriate boxes are grayed out. The links you sent talked about Group Policy administrators in a Microsoft Windows Server domain, and I have no clue what that is all about.

    I restored those HJT entries that you mentioned, and rebooted. Still having the same problems. Can't log into mreis, and the internet connection goes in and out. It's not the connection because I am using another computer on the same network with no problems.
     
  39. REengineer

    REengineer Private E-2

    This one seems to have disappeared. I restored it, but now when I run HJT, it is gone, and it is no longer in backup.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post any logs using Word. They are annoying to look at and I will not look at them. There is no reason why a text log cannot be posted. Sometimes the filename must be changed. And sometimes if the contents are the same as one previously updated you would have to alter the file slightly but that would not be the case since each HJT log should have a different time in it.

    Please post HijackThis logs from Normal boot mode only.

    Where did all of the trojans come from? You have already gone through many layers of cleanup.
    Where did you get the ZoneAlarm program you installed from?

    Are you logged in with Administrator privileges?
     
  41. REengineer

    REengineer Private E-2

    I have just run Spybot, Ad Aware and MSAS with no infections found. Latest HJT log attached. Thank you very much for your help.

    I don't know where all the other trojans came from. Maybe from the times when I had to disable Zone Alarm in order to get on the net.

    I had ZA before I installed SP2, and I uninstalled it afterwards because I thought the Windows firewall was as good, and ZA was a bit quirky, like it is now. I still had the exe file, so I reinstalled from that, and updated to the latest version.

    I still can't access Windows Firewall, and yes, I do have administrator privileges.

    Any suggestions as to where to go from here? It seems that this is no longer a spyware issue. Should I post this as a new thread to a different forum, like the software one?
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you cannot get on the internet without disabling ZoneAlarm, it would be my guess that you are not allowing IE to have access to the internet. You must be configuring ZA incorrectly. You should allow it to set up your system with the recommended defaults when you install it to avoid problems like this. There are many options you can set in ZA. If you need help with that, I would recommend the Software Forum.
     
  43. REengineer

    REengineer Private E-2

    Thank you very much, chaslang and bjgarrick, for your help and for sticking with me all this time. I will post my Windows/ZoneAlarm firewall conflict issue on the software forum.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! We are happy we could help!
     
  45. aldoya1

    aldoya1 Private E-2

    You guys rock, thanks a bunch. I think the vermin is gone for good :)
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy to hear that!
     
  47. aldoya1

    aldoya1 Private E-2

    Yeah, the first time I tried it showed back up, of course because I did not follow directions exactly; the second time I did everything by the book and have seen nothing of it since :)
     