Green Link Spyware

By bumping your thread you only made it take longer for someone to respond.
We look for the oldest threads with 0 responses first. By bumping, your response was not 0 and you made it newer rather than older. So you see bumping will not help you.

 

Is this next line valid? Do you recognize this URL?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
d:\windows\system32\rnadopg.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - D:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - D:\WINDOWS\System32\rtneg.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [gah95on6] D:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [cwibzao] d:\windows\system32\rnadopg.exe
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] D:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [a05mRQc7i] redatelc.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] D:\WINDOWS\inf\unregmp2.exe /Fixups
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
D:\WINDOWS\Bolger.dll
D:\WINDOWS\System32\rtneg.dll
d:\windows\system32\rnadopg.exe
D:\WINDOWS\System32\gah95on6.exe
D:\WINDOWS\System32\redatelc.exe
C:\Program Files\AutoUpdate <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Did you fix the below line last time in HijackThis?

F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe

Please look in c:\windows does the nail.exe file exist.

If so fix the F2 line again using HJT. Then boot into safe mode and rename the nail.exe file to nail.xxx. Now locate your system.ini file (c:\windows\system.ini) and double click on it from Windows Explorer. That will open the file up in notepad. Look for a line have the D:\WINDOWS\Nail.exe file on it and delete it. Save the the file and exit notepad.

Reboot into normal mode and post a new HJT. Tell me the results of the above and how things are working.

 

Okay! But is the line now gone from your HJT log? Are you currently in normal boot mode or safe mode?

 

Did you try fixing the F2 line again using HijackThis?

Please look in c:\windows did the nail.exe file come back? Or is it still nail.xxx?

system.ini is a file and you already looked in the file for nail.exe

 

Try this!


- Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
- At the command prompt opens, type the below command and then hit the enter key:

nail.exe /FullRemove

Close the command prompt window and reboot and post a current HJT log and tell me where things stand now.

Were you able to remove the other file you found?

 

In the below steps I'm assuming that you saw the vpdvsahha.exe and buddy.exe files in the D:\windows folder. If that is not correct just substitute into my directions the proper folder name.

Please download Pocket KillBox and extract it to its own folder somewhere.

Please run Pocket Killbox. Select the option to Replace on Reboot.

Now, Copy and Paste D:\WINDOWS\vpdvsahha.exe into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No.

Now, Copy and Paste D:\WINDOWS\buddy.exe into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No.

Now, Copy and Paste d:\windows\system32\pfppgsl.exe into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes!

And allow your system to reboot but boot into safe mode.

In safe mode run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions:
O4 - HKLM\..\Run: [lfmxzzr] d:\windows\system32\pfppgsl.exe

After clicking Fix, exit HJT.

I want to double check that the bad files are really gone so let's also do the below.

While still in safe mode run Windows Explorer to delete
D:\WINDOWS\vpdvsahha.exe
D:\WINDOWS\buddy.exe
d:\windows\system32\pfppgsl.exe

Now reboot in normal mode and post a new HJT log. And tell us how things are working.