Okay...this is weird

Discussion in 'Malware Help (A Specialist Will Reply)' started by msbehavin, Jul 27, 2005.

  1. msbehavin

    msbehavin Private E-2

    Hi, I followed all your instructions on how to rid my computer of spyware/adware and it seems like after I ran all the programs and everything, I actually have more popups and other problems. :confused: When I ran the online scans, they finished without detecting anything. When I ran Spybot and the other downloads, they came up with hundreds of problems which I supposedly fixed but a few minutes later, they were back. What should I do now?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. msbehavin

    msbehavin Private E-2

    Here is my HijackThis log...
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download Nail/Bolder/Aurora Remover 0.3.3 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

    - Reboot into Safe Mode with no network support and do not run anything else but what I tell you to run!

    - Run the ABIRemover.exe, press install, wait (explorer window will disappear)

    - When it finishes just reboot and continue with the below steps.


    Download the following items:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    Pocket KillBox


    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log along with a fresh HJT log.

    Please don't run any other files in the L2MFix folder.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just dropping a note to msbehavin. You should have followed the directions I gave you in message # 23 back in your previous problem thread: http://forums.majorgeeks.com/showthread.php?t=56632

    You never followed those steps. You still do not have a real firewall.

    Also note: you have not recently run the READ ME FIRST. No signs of the online scanners are showing.
     
  6. msbehavin

    msbehavin Private E-2

    Oh, someone told me that the Windows firewall turned on counted as a firewall and I shouldn't download one of those but I will do it immediately after I finish with this...I did run the online scanners, maybe I thought they were finished but instead they closed themselves? They said they were done though. I'm sorry! :(
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Windows Firewall is a firewall but it's not good enough. You need to install one of the free ones we have on our How To Protect list which I will give you once you're all clean.

    For now please continue with post #4!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ is correct.

    msbehavin, see the note at the end of step 3 in the How to Protect thread.

    Which online scanners do you think you ran? None of them seem to have been run.
     
  9. msbehavin

    msbehavin Private E-2

    The two that are on the "Read Before You Ask For Help" page...Bitdefender and Rav, I think they are called? I can run them again if it didn't work...

    Here is the new HJT log, it won't let me upload the other one because it says the file size is too large. What should I do?
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy and paste it here and I will convert it for you.

    Also, it doesn't appear that you ran the Nail/Bolder/Aurora Remover 0.3.3 Beta utility I requested because it still shows in your log. Go back and run this.
     
  11. msbehavin

    msbehavin Private E-2

    Thanks...I did run the ABIremover program but I guess I will try it again! =)

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Jul 28, 2005
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    All I can say from that log is, WOW!!!!!!!

    That's a ton of infections; because there were so many I am going to request you run it once more to be sure nothing was left behind.

    DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

    Again, please don't run any other files in the L2MFix folder.
     
  13. msbehavin

    msbehavin Private E-2

    Oh no! Well thanks for looking...I'll run it again right away. I realized why it doesn't seem I ran the ABI remover though, because when it's finished installing, it says to reboot into safe mode again and remove the "random component" or I would be immediately re-infected. I did reboot but I had no idea what the "random component" was or how to delete it, so I just restarted into regular mode like you said I should. I guess I was immediately reinfected...can you tell me how to remove the random component? :confused:
     
  14. msbehavin

    msbehavin Private E-2

    Here is the L2MFix File -- sorry, it was too big to be uploaded again

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Jul 28, 2005
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have System Restore disabled?

    Download the following file, after download is complete run the uninstaller. When uninstall is complete reboot back to normal mode and follow the below steps.

    Download Uninstaller


    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  16. msbehavin

    msbehavin Private E-2

    I tried following your directions and my computer won't let me open the program because it says it "isn't a valid win32 file". I don't know what that means but I can't open the program. And yes, my system restore is disabled. Is that right? I also tried the ABI Remover again and it still says to remove the random component and the regkey or I will be re-infected (which I have been since I couldn't find those). I don't know what those are either. Sorry I'm so clueless! :( :confused:
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    A suggestion to try and make some headway here. Ignore the nail/aurora problem for now. Also the VX2 infection seems to be somewhat hidden from HJT's perspective but it does seem to be very bad. Also ignore it for the moment.

    First focus on the below items and give msbehavin a fix for these. Hopefully they get fixed and do not return. If they do come back, I would install a real firewall first (and disable Win XP SP2's firewall) and then repeat fixes.

    Here is what I would fix first:

    C:\WINDOWS\system32\wintask.exe
    C:\WINDOWS\eyhfdll.EXE
    C:\WINDOWS\lleyenc.EXE
    c:\windows\system32\bpxggo.exe
    C:\WINDOWS\htyesvc.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [eyhfdll] C:\WINDOWS\eyhfdll.EXE
    O4 - HKLM\..\Run: [lleyenc] C:\WINDOWS\lleyenc.EXE
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [icegzr] c:\windows\system32\bpxggo.exe r
    O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\htyesvc.exe <----- this is Win32.Agent.mu Worm
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, since BJ seems to be gone right now and msbehavin is back, here is what I was asking BJ to have you fix first.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows VisFx Components. Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Windows VisFx Components

    You may be told to reboot at this point. Do not reboot; just exit HijackThis and we will be restarting it with different options in a moment.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\wintask.exe
    C:\WINDOWS\eyhfdll.EXE
    C:\WINDOWS\lleyenc.EXE
    c:\windows\system32\bpxggo.exe
    C:\WINDOWS\htyesvc.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [eyhfdll] C:\WINDOWS\eyhfdll.EXE
    O4 - HKLM\..\Run: [lleyenc] C:\WINDOWS\lleyenc.EXE
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [icegzr] c:\windows\system32\bpxggo.exe r
    O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\htyesvc.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\cfgmgr52.dll
    C:\WINDOWS\dsr.dll
    C:\WINDOWS\eyhfdll.EXE
    C:\WINDOWS\lleyenc.EXE
    C:\WINDOWS\htyesvc.exe
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\system32\wintask.exe
    c:\windows\system32\bpxggo.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log.
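    The HJT entries chaslang lists in posts #17 and #18 share a fixed line format, and his instructions are a procedure derived from them. As an added example (my code, not the thread's or HijackThis's own), the Python script below parses those lines and regenerates that procedure; the regexes and the plan layout are my assumptions about the log format as it is quoted here.

```python
"""Turn the HijackThis (HJT) entries quoted in this thread into the same
removal plan the helpers wrote out by hand: service to stop, processes to
kill, lines to tick in HJT, and files to delete from safe mode."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: the HJT lines chaslang asked msbehavin to fix in post #18.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [eyhfdll] C:\WINDOWS\eyhfdll.EXE
O4 - HKLM\..\Run: [lleyenc] C:\WINDOWS\lleyenc.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [icegzr] c:\windows\system32\bpxggo.exe r
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\htyesvc.exe
"""

# These regexes are my reading of the HJT line formats as they appear in this thread.
R_RE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run): \[([^\]]+)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# First drive-letter path ending in .exe/.dll inside a command line such as
# "RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun" or "c:\...\bpxggo.exe r".
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+?\.(?:exe|dll)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str        # R0, R1, O2, O4 or O23
    raw: str         # the line exactly as it must be ticked in HJT's scan list
    key: str = ""    # registry key, CLSID or service name
    name: str = ""   # value name, Run-entry name, BHO name or service owner
    data: str = ""   # URL or command line
    path: str = ""   # executable or DLL the entry loads, if any


def first_path(command: str) -> str:
    m = PATH_RE.search(command)
    return m.group(0) if m else ""


def parse_log(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := R_RE.match(line):
            entries.append(Entry(m[1], line, key=m[2], name=m[3], data=m[4]))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", line, key=m[2], name=m[1], data=m[3], path=first_path(m[3])))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", line, key=m[1], name=m[2], data=m[3], path=first_path(m[3])))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", line, key=m[1], name=m[2], data=m[3], path=first_path(m[3])))
    return entries


def redirect_hosts(entries: list[Entry]) -> list[str]:
    """Hosts the R0/R1 search settings point at; a host the user never chose
    as a search provider is the signature of a browser hijack."""
    hosts = set()
    for e in entries:
        if e.kind in ("R0", "R1"):
            url = e.data if "://" in e.data else "http://" + e.data  # SearchURL lines omit the scheme
            hosts.add(urlparse(url).hostname or "")
    hosts.discard("")
    return sorted(hosts)


def removal_plan(entries: list[Entry]) -> dict[str, list[str]]:
    """Group the entries into the four steps of the thread's cleanup procedure."""
    files: dict[str, str] = {}
    for e in entries:
        if e.path:
            files.setdefault(e.path.lower(), e.path)  # NTFS is case-insensitive, so dedupe that way
    return {
        "stop_services": [e.key for e in entries if e.kind == "O23"],
        "kill_processes": [p for p in files.values() if p.lower().endswith(".exe")],
        "fix_lines": [e.raw for e in entries],
        "delete_files": list(files.values()),
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("search redirected to:", redirect_hosts(parsed))
    for step, items in removal_plan(parsed).items():
        print(step)
        for item in items:
            print("   ", item)
```

    The derived delete list is the same eight files chaslang names, and the kill list additionally includes dinst.exe, which his later post notes will probably not be running.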
     
  19. msbehavin

    msbehavin Private E-2

    Here is the new HJT log :)
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  21. msbehavin

    msbehavin Private E-2

    It won't let me run that program because it says it is not a valid Win32 file.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you tried deleting the one you have and re-downloading it and trying again?
     
  23. msbehavin

    msbehavin Private E-2

    Yea, I deleted and re-installed it a few times...still won't work :confused:
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments!
     
  25. msbehavin

    msbehavin Private E-2

    Here ya go...
     

    Attached Files:

    • log.txt (897 bytes)
    • log.txt (1.3 KB)
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\dsr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, copy and paste every file listed below just like you did above. DO NOT REBOOT until you have entered the last file. Then allow Killbox to reboot your system.

    C:\WINDOWS\eyhfdll.exe
    C:\WINDOWS\htyesvc.exe
    C:\WINDOWS\icont.exe
    C:\WINDOWS\io2uns.exe
    C:\WINDOWS\lleyenc.exe
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\pxrmjbmeavm.exe
    C:\WINDOWS\ru.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\visfxun.exe

    C:\WINDOWS\system32\AUNPS2.dll
    C:\WINDOWS\system32\bluestd.exe
    C:\WINDOWS\system32\DrPMon.dll
    C:\WINDOWS\system32\fvdues.exe
    C:\WINDOWS\system32\greenstd.exe
    C:\WINDOWS\system32\kwdstd.exe
    C:\WINDOWS\system32\mswwwd.exe
    C:\WINDOWS\system32\skytown.exe
    C:\WINDOWS\system32\terust.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nddk.exe


    After you have completed the above step, reboot and attach 2 new logs from the tools.
     
  27. msbehavin

    msbehavin Private E-2

    I don't understand what you mean by locate PocketKillBox...?
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate where you saved it and run it, then proceed with my previous post.
     
  29. msbehavin

    msbehavin Private E-2

    Hey...sorry I haven't been around in awhile but I was moving and my internet was not hooked up until today. I'm still having problems with Aurora and other things too. I did the steps you told me to though, and I attached the logs. Thanks!
     

    Attached Files:

    • log.txt (726 bytes)
    • log.txt (709 bytes)
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help things keep moving along for BJ, do a few more things in the below order:

    1) Run the Nail/Bolder/Aurora Remover 0.3.3 Beta tool again. See message # 4 for how to do this in safe mode.

    2) Run the Panda Online Scan and attach the log once it's complete.

    3) Since it has been awhile since you were last here it would be a good idea to post a new HJT log to make sure things have not changed.
     
  31. msbehavin

    msbehavin Private E-2

    The Panda scan is still going but I tried the Aurora remover before I started that and it still gave me the same message-- Reboot into safe mode again and remove the "random component" or you will be immediately re-infected. I don't understand what the random component is or how to remove it...?
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After the Panda scan reboot into Safe Mode and run the program again.
     
  33. msbehavin

    msbehavin Private E-2

    I did the Panda scan and attached the log (I know I was supposed to do it after the ABI Remover but since I can't figure that out...I did the Panda scan anyway)

    I ran the ABI Remover also but I still can't figure out what that message means. Here are the instructions from the ABI Remover download page (the bolded part is what I can't understand how to do)

    This tool assists in removing nail, bolder and aurora spyware infections. For more, visit our spyware specific forums.

    Here is the step by step guide:

    1. Download the Remover (attached) to your desktop
    2. Download (if not already done) latest Hijackthis and unpack it in its own folder
    3. Reboot into safe mode, don't start anything there, no IE windows or such
    4. Start the ABIRemover.exe, press install, wait (explorer window will disappear)
    5. Reboot directly and again reboot into safe mode
    6. Fix the random key in the registry with hijackthis (normally HKLM\Software\Microsoft\Windows\CurrentVersion\Run ) and maybe the bolger BHO. Remember the random name and delete it in your system32 directory
    7. Reboot into normal mode and run at least one online virus scanner, for example Panda AV: http://www.pandasoftware.com/produc...n_principal.htm
    You're done.


    I just don't understand exactly what I'm supposed to do once I boot back into safe mode...
     

    Attached Files:

  34. msbehavin

    msbehavin Private E-2

    Does anyone know what the "random key" is? :confused:
     
  35. msbehavin

    msbehavin Private E-2

    Thanks!! The log is attached... :)
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log must be from normal boot mode.

    You have a load of things that should be removed from the Panda scan. Boot into safe mode and delete the below files and folders. Make sure you tell us what you can and could not delete.

    C:\x.bat
    C:\x.html
    C:\TEMP\salm.log
    c:\windows\system32\fvdues.exe
    C:\WINDOWS\SYSTEM32\DrPMon.dll
    C:\WINDOWS\SYSTEM32\winupdt.008
    C:\WINDOWS\system32\bccnnnx.exe
    C:\WINDOWS\system32\Cache\20001.exe
    C:\WINDOWS\system32\Cache\dr.exe
    C:\WINDOWS\system32\cngrqp.exe
    C:\WINDOWS\system32\dffggga.dll
    C:\WINDOWS\system32\fvdues.exe
    C:\WINDOWS\system32\iroc\imaaalsl.exe
    C:\WINDOWS\system32\jddnn.dll
    C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe
    C:\WINDOWS\a95kfrhe.exe
    C:\WINDOWS\abiuninst.htm
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\usta33.ini

    C:\PROGRAM FILES\Aprps <--- the whole folder
    C:\PROGRAM FILES\MySearch <--- the whole folder
    C:\PROGRAM FILES\sf <--- the whole folder
    C:\PROGRAM FILES\WeirdOnTheWeb <--- the whole folder
    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\WINDOWS\EliteToolBar <--- the whole folder
    C:\Program Files\3839ieoj <--- the whole folder
    C:\WINDOWS\system32\ahxhkgwc <--- the whole folder

    Additional step to delete files in the C:\WINDOWS\DOWNLOADED PROGRAM FILES folder. You have three there.
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s ActiveX.ocx
    del ActiveX.ocx
    cd CONFLICT.1
    attrib -r -h -s HDPlugin1019.dll
    del HDPlugin1019.dll
    cd ..
    cd CONFLICT.2
    attrib -r -h -s HDPlugin1019.dll
    del HDPlugin1019.dll
    exit

    Also look for the below!
    C:\WINDOWS\system32\??anregw.exe <--- I am not sure what the ?? may actually show as so just look in this folder and tell us what you find that ends with "anregw.exe"

    Do you know what this ASHeuristic folder is for?
    C:\WINDOWS\Temp\ASHeuristic\imaaalsl.exe.vir
    C:\WINDOWS\Temp\ASHeuristic\prsxt.exe.vir

    Now reboot in normal mode and post a new Panda log. There was a trojan in your last log that we need to fix. Now move on to my next message.
     
    Last edited: Aug 22, 2005
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try the below steps to remove Nail.exe

    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the Enter key:

    nail.exe /FullRemove

    Close the command prompt window and reboot.


    I'm not sure if that trojan I mentioned will still be the same after doing any reboots but let's assume for now that it did not change and complete the steps below.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    c:\windows\system32\uingzt.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
    O4 - HKLM\..\Run: [rtbvfty] c:\windows\system32\uingzt.exe r


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Nail.exe
    c:\windows\system32\uingzt.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  38. msbehavin

    msbehavin Private E-2

    Okay...I followed the instructions in your previous two messages.

    Most of the things in the first message were easily deleted. These are the ones that would not allow me to delete them:
    C:\windows\system32\fvdues.exe
    C:\WINDOWS\SYSTEM32\DrPMon.dll
    C:\WINDOWS\system32\bccnnnx.exe
    C:\WINDOWS\system32\Cache\20001.exe
    C:\WINDOWS\system32\cngrqp.exe
    C:\WINDOWS\system32\fvdues.exe
    C:\WINDOWS\system32\jddnn.dll
    C:\WINDOWS\abiuninst.htm


    I found C:\WINDOWS\system32\??anregw.exe like you asked me to...This is the only thing I found in the file: scanregw.exe

    I didn't know what this file that you asked about was so I went ahead and deleted it....C:\WINDOWS\Temp\ASHeuristic\

    C:\WINDOWS\Nail.exe would not let me delete it, it kept coming back until one final time when I successfully deleted it, but when I rebooted into normal mode, Aurora was still here.

    c:\windows\system32\uingzt.exe....I couldn't find this file anywhere.

    My Panda log and HJT log are attached!
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the below steps with no physical connection available (unplug your cable) and with no browsers running.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\DOCUME~1\Allison\LOCALS~1\Temp\XBT\aurareco.exe
    C:\WINDOWS\system32\idjcwy.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [zzbgha] C:\WINDOWS\system32\idjcwy.exe r


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\DOCUME~1\Allison\LOCALS~1\Temp\XBT\aurareco.exe
    C:\WINDOWS\system32\idjcwy.exe
    C:\WINDOWS\Nail.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working. Do not reboot or power down at this point!!!!!!
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We may have to use Pocket Killbox to delete the below items. Do you still have Pocket Killbox?

    C:\WINDOWS\SYSTEM32\winupdt.bin
    C:\TEMP\salmau.dat
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\etb
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
    C:\WINDOWS\system32\idjcwy.exe
    C:\WINDOWS\system32\jddnn.dll
    C:\windows\system32\fvdues.exe
    C:\WINDOWS\SYSTEM32\DrPMon.dll
    C:\WINDOWS\system32\bccnnnx.exe
    C:\WINDOWS\system32\Cache\20001.exe
    C:\WINDOWS\system32\cngrqp.exe
    C:\WINDOWS\abiuninst.htm
     
  41. msbehavin

    msbehavin Private E-2

    Yes I still have Pocket Killbox...should I delete those in safe mode or regular? In the meantime, I will do the instructions in the first message...
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using Killbox in safe mode. Use instructions like BJ gave you in message number 26 to delete files.
     
  43. msbehavin

    msbehavin Private E-2

    Okay, I followed all of those instructions...Aurora/Nail.exe still won't seem to go away! I deleted everything with Pocket Killbox in safe mode except:

    C:\WINDOWS\system32\idjcwy.exe --> couldn't find this one
    C:\WINDOWS\Nail.exe --> wouldn't delete
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You had a particularly bad case of VX2 infection way back when BJ had you run L2MeFix in message # 4. There could be some stuff still hanging on. Let's do the below:

    Download: Find It NT/2000/XP

    Unzip the files in the zip to their own folder of your choice (like c:\Findit ) and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post. This will not fix anything. It just looks for potential problem files.

    Then also attach a new HJT log.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also think we are going to need to have you complete step # 3 in: How to Protect yourself from malware! which you never did a long time ago (Try ZoneAlarm). You need to get a real firewall installed and then disable the one in WinXP SP2, which does not provide adequate protection.
     
  46. msbehavin

    msbehavin Private E-2

    I ran Find It and the log + the new HJT log are attached. I also followed the directions on the Protect Yourself from Malware thread, but ZoneAlarm wouldn't run on my computer so I got the first one in the list instead :)
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you get any notices from the firewall for processes like the below:

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\system32\icqxtoa.exe r

    If so, they should not be allowed to have any access.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\dinst.exe <--- probably will not see this
    C:\WINDOWS\system32\icqxtoa.exe

    Let me know if any of these cannot be killed.

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [pstgbfj] C:\WINDOWS\system32\icqxtoa.exe r


    After clicking Fix, exit HJT.
    Boot into safe mode and do the below:

    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the enter key:

    nail.exe /FullRemove

    Close the command prompt window.

    Let me know the results of running this nail fullremove command.


    Now use Windows Explorer to delete:
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\system32\icqxtoa.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open HJT's process manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
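    The post above singles out two HijackThis findings that explain why Nail.exe keeps coming back: an F2 line where the system.ini Shell value launches a second program after Explorer.exe, and O4 Run entries that restart the dropped executables at every logon. The following script is an added example, not part of this thread or of HijackThis itself; it parses HJT-style log lines and flags a Shell value that runs anything other than Explorer.exe, plus O4 entries whose program path is on a watchlist built from the paths chaslang listed. The sample log lines are constructed for the example (the three flagged ones are copied from the post; the clean ones are hypothetical).

```python
import re

# Watchlist built from the paths named in the thread (constructed for this example).
KNOWN_BAD = {
    r"c:\windows\nail.exe",
    r"c:\windows\dinst.exe",
    r"c:\windows\system32\icqxtoa.exe",
}

# HJT line formats: "F2 - REG:system.ini: Shell=<value>" and
# "O4 - <hive>\..\Run: [<name>] <command line>"
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def first_path(cmd):
    """Return the program path from a Run-entry command line.

    Handles a quoted path, or an unquoted path that ends at the first
    executable extension followed by a space (e.g. 'icqxtoa.exe r').
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def flag_hjt_lines(lines):
    """Return a list of (line, reason) for suspicious HJT log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SHELL_RE.match(line)
        if m:
            # The default Shell value is exactly "Explorer.exe"; any extra
            # token is a program started alongside the desktop shell.
            # (Tokens are split on whitespace, so a path containing spaces
            # would need quoting to be handled as one program.)
            extras = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
            if extras:
                findings.append((line, "Shell value also launches: " + " ".join(extras)))
            continue
        m = O4_RE.match(line)
        if m and first_path(m.group("cmd")).lower() in KNOWN_BAD:
            findings.append((line, "Run entry [%s] starts a watchlisted file" % m.group("name")))
    return findings


# Constructed sample log: three lines from the post plus two hypothetical clean ones.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe",
    r"O4 - HKLM\..\Run: [pstgbfj] C:\WINDOWS\system32\icqxtoa.exe r",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"F2 - REG:system.ini: Shell=Explorer.exe",
]


def scan_sample():
    return flag_hjt_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for line, reason in scan_sample():
        print("%s\n    -> %s" % (line, reason))
```

    The Shell rule is the general one: regardless of the file name, a system.ini Shell value with anything after Explorer.exe means a program is being started with the desktop and will be relaunched at every logon, which is why deleting the file alone (as in the post above) is not enough until the F2 and O4 entries are fixed first.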
  48. msbehavin

    msbehavin Private E-2

    No, I didn't get any notices about those programs although it seems like I should have since they were all running on my computer...?

    I could not find any of the processes you told me to kill in HJT running (C:\WINDOWS\dinst.exe, C:\WINDOWS\system32\icqxtoa.exe, C:\WINDOWS\Nail.exe) but I deleted all three w/ HJT.

    I don't really understand what you mean about the results of the Nail Full Remove command... it didn't make any noticeable difference to me :rolleyes:

    I deleted the three things you told me to delete in Windows Explorer but Nail.exe still wouldn't let me delete it... it just kept reappearing...
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This process C:\WINDOWS\system32\icqxtoa.exe showed in your previous HJT log as running and should have been there unless you had rebooted or powered down after posting your last log. You must not power down or reboot unless requested.

    Did the nail.exe /full remove command give any response message at all?

    When you say you deleted nail.exe but it still reappears, do you mean that it deletes but comes back? Or do you mean when you try to delete it you get an error message?
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like that trojan file ( C:\WINDOWS\system32\icqxtoa.exe ) is gone and has not reappeared in your log with a new name. At least not yet!

    Do you see the C:\windows\nail.exe file if you look for it?
     
