HELP Please- Adware.BetterInternet - Adware.Begin2search And others

Discussion in 'Malware Help (A Specialist Will Reply)' started by Yohoho, Apr 28, 2005.

  1. Yohoho

    Yohoho Private E-2

    Yes, I read all of the sticky info and I have done all of the scans and removed a lot of stuff already.

    This is a new install of XP tuesday morning and somehow this stuff got on here the same day. I could just reinstall XP but I am really interested in finding out how this stuff got on here.

    The only things I can think of are LimewirePro which I downloaded from their website and after installing Limewire I received a Sun Java request for an update which I allowed to happen. The only other thing would be a version of DIVX 5 which I downloaded from USENET. The DIVX was also installed on another machine and it has no problems so DIVX is less likely to be the source. Both of the original apps Limewire Pro and DIVX that I downloaded are still sitting on these machines and have not shown any problems in all of the scans I have done so it is looking more like a fake Java update that did this. Does that make sense?

    Now to the problems. I clicked on a Google link on my desktop Tuesday evening and I had lots of popups happen and my browser was redirected to some other site and my desktop received a whack of icons for various "deals". I removed some shopping program from my add remove programs, it had me enter a code to verify that I wanted to uninstall it. The next 24 hours or so here was just a flurry of activity as I was deleting files and reg entries only to have them return. At that point I started looking for help on the web and found your site and started doing the stuff you listed. I ended up getting rid of a lot of stuff and don't really have that much left.

    ==Norton says I have:
    C:\WINDOWS\Nail.exe is infected with Adware.BetterInternet
    C:\WINDOWS\system32\nsvB.dll is infected with Adware.Begin2sear

    Something I used has disabled Active X in Explorer and I now can't run the Symantec online scan anymore. I am too tired to figure it out right now. I was not able to get rid of these two files tho.

    ==Trend Says I have:
    TROJ AGENT.ABS CanNotAccess C:\windows\system32\ggyyjmm.exe
    TROJ BUDDY.F Non Cleanable C:\WINDOWS\inhdbanddi.exe

    I was able to delete both of these files and they have not returned, so far.

    ==Ad-aware says I have:
    Vendor:Windows
    Category:Vulnerability
    Object Type:RegData
    Size:33 Bytes
    Location:software\microsoft\windows nt\currentversion\winlogon "Shell" (explorer.exe c:\windows\nail.exe)
    Last Activity:28-04-2005
    Risk Level:Low
    TAC index:3
    Comment:Shell Possibly Compromised
    Description:General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.

    There is nail again. I can delete it but it returns right away.

    There was also a file listed in Task Manager that would change its name and return every time I deleted it. It seems to have disappeared at some point, not sure when but it's no longer there.

    One other thing when I click on a link with my internet disconnected I see the browser trying to connect to:

    http://toolbar3.trafficgeneration.biz/cgi-bin/err.fcgi?url=

    After the equal sign the URL just continues to repeat itself for a long URL. Windows that pop up have "Aurora" in the top left corner.

    Nothing else, Spybot or any of the other scans found anything. AVG which I use turns up none of this stuff at all.

    I removed a lot of stuff with Hijack This but there are still a few things. Nail.exe keeps coming back and I am not sure what Bolger.dll and svcproc.exe are. There is also the Windows shell thing from above which does not show up in Hijack This.

    I am just going to post the three suspect lines from Hijack here and I will attach the whole Hijack log. The rest of the stuff in the Hijack log is known to me or I have checked it out with Google searches but I will include it for completeness.

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Hopefully someone can give me some more ideas.

    Thanks
    Dr.J
     

    Attached Files:
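    The three HijackThis lines quoted in this post (the Winlogon Shell value chaining Nail.exe after Explorer, a BHO and a service loading straight out of %WINDIR%) can be triaged automatically. The script below is an added example, not part of the original post or of HijackThis; the sample log lines are constructed from the post plus one benign service line, and the "loaded directly from C:\WINDOWS" heuristic is an assumption of this example, not a rule HijackThis applies.

```python
import re

# Constructed sample: the three suspect lines from the post above plus one
# benign O23 line (constructed) so the heuristics have something to pass.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\\WINDOWS\\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\\WINDOWS\\system32\\svchost.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?) \((.*?)\) - (.*?) - (.*)$")


def check_shell(value):
    """Winlogon's Shell value should be exactly explorer.exe.
    Anything chained after it is launched at every logon, which is how
    Nail.exe kept returning; return those extra programs."""
    return [t for t in value.split() if t.lower() != "explorer.exe"]


def in_windir_root(path):
    """Heuristic (assumption of this example): a DLL/EXE sitting directly in
    C:\\WINDOWS rather than system32 or a program folder is worth a look."""
    return path.lower().startswith("c:\\windows\\") and path.count("\\") == 2


def triage(log_text):
    """Return (finding, path) tuples for the suspicious HijackThis lines."""
    findings = []
    for line in log_text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            findings += [("shell-hijack", extra) for extra in check_shell(m.group(1))]
            continue
        m = BHO_RE.match(line)
        if m and in_windir_root(m.group(3)):
            findings.append(("bho-in-windir", m.group(3)))
            continue
        m = SVC_RE.match(line)
        if m and m.group(3) == "Unknown owner" and in_windir_root(m.group(4)):
            findings.append(("unowned-service-in-windir", m.group(4)))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(f"{kind}: {path}")
```

The shell-hijack finding matches the Ad-aware "Shell Possibly Compromised" entry above: restoring that value to plain explorer.exe (and removing the file it points at) is what stops Nail.exe relaunching at logon.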

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First let's do the below to remove Nail.exe

    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the enter key:

    nail.exe /FullRemove

    Close the command prompt window and reboot. Now post a new HijackThis log.
     
  3. Yohoho

    Yohoho Private E-2

    Hey thanks for the help but this did not work. I had already tried this at some point this past week but did it again and nothing has changed. And I did have all apps closed when I tried it.

    Here is my Hijack log again.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to remove the registry restriction you are applying:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Are you using SpywareBlaster, Spybot or any other programs to block changes? It appears like you are based on the O6 HijackThis line. This can sometimes make it difficult to fix problems. Disable those active protections and try running the removal program again. If that does not work, we will have to use manual methods.
     
  5. Yohoho

    Yohoho Private E-2

    chaslang, it looks like I have beaten this nail and Aurora thing. When the "nail.exe /FullRemove" did not work I went looking around and found some info on this site, in this thread:

    http://forums.majorgeeks.com/showthread.php?postid=565392#poststop

    I ran the Aurora uninstall bjgarrick mentions in that post and it removed all three lines that were suspect from the hijack log. It's clean as a whistle now. Also I just ran Ad-aware and the Windows Shell Compromise it listed also seems to be gone.

    The only other thing is the C:\WINDOWS\system32\nsvB.dll Symantec says is infected with Adware.Begin2sear. I can't check it because I can no longer run activeX controls on this machine. The error I get is:

    -----
    Unable to run Virus Detection

    In order to run Virus Detection you must be using Microsoft Internet Explorer 5.0 or higher with ActiveX and Scripting enabled.
    -----

    I've checked all the settings in Explorer and they seem right. I'm going to compare with another machine and see if I can figure this out and will post back when I get Symantec to scan.

    Thanks
    Dr.J
     

    Attached Files:

  6. Yohoho

    Yohoho Private E-2

    I was using Spywareblaster protection and Spybot immunization and maybe that is why "nail.exe /FullRemove" did not work. It says in your FAQ to enable them. Anyway the uninstall from mypctuneup cleaned up everything.

    I have now disabled Spywareblaster protection and Spybot immunization tho to try to sort out this activeX problem. I'm still trying to fix that.


    Thanks
    Dr.J
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, the FAQ does say that. It's just necessary sometimes to disable them to fix problems that sneak in. By the way you did not need to disable Immunization. I just meant the items that block registry changes, like TeaTimer, SDhelper etc. But since your problems are fixed, you did not need to disable anything.

    I'm not sure what is wrong with Active X.
     
  8. Yohoho

    Yohoho Private E-2


    Well all the crap seems gone but I still have 1 unresolved problem. It is this activeX thing. I have compared all the Explorer settings from a working machine with this one and can see no problem in Explorer's settings. I have defaulted the settings and still it won't run the Symantec AV Scan. I get the error listed above. If anyone has any ideas I would love to hear them.

    Thanks for your help chaslang.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

