blusky1
join:2005-05-05
Fort Lauderdale, FL
| HJT Log Adware.BetterInternet Nail.exe
I have been unsuccessful in deleting the Adware.BetterInternet Nail.exe It keeps trying to call out and Norton Antivirus keeps asking me if I should allow it to call out.
These are the steps that I have followed and all results:
Ran Norton Antivirus Results. Found 17 at risk files. deleted 9 files. Then ran Trend Micro. Then ran SpyBot.Next CWshredder.AboutBuster. Trojan hunter. HJT. All logs are include. AQny Help would be greatly appreciated. |
|
John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England | You could try this solution.
»www.spywarewarrior.com/viewtopic.php?t=12677 |
|
TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
| reply to blusky1
Here is the HJT log posted as text instead of a zipped file.
Logfile of HijackThis v1.99.1
Scan saved at 11:05:54 AM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Nelson Rodriguez\My Documents\downloads\spyware virus progs\HJT\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »https://ras.ups.com/flightops
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »channels.aimtoday.com/search/aimtoolbar.jsp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Documents and Settings\Nelson Rodriguez\Application Data\Mozilla\Profiles\default\l24cnoxv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nelson Rodriguez\Application Data\Mozilla\Profiles\default\l24cnoxv.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xbnuwxa] c:\windows\system32\zpoejid.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Nelson Rodriguez\Desktop\framxpro\FreeRAM XP Pro 1.40.exe" -win
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - »support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »www.fileplanet.com/fpdlmgr/cabs/···0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - »www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security.symantec.com/sscv6/Shar···absa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - »https://www-secure.symantec.com/techsupp···Data.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Unknown owner - I:\programs\Agent\PQV2iSvc.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
TheJoker |
|
TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
| reply to blusky1
Please download the trial version of Ewido Security Suite here:
»www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please run Notepad and copy the following text into a new file:
@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
»www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Post the log from the scan here for me.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [xbnuwxa] c:\windows\system32\zpoejid.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
--
TheJoker |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to blusky1
this link here is said to remove aurora which is being spawned by nail.exe and svcproc.exe.
Mypctuneup.com performs technical support for a number of companies and we are sorry to hear that advertising software is causing you problems. We will gladly assist you in removing our partners' advertising software from your computer as expeditiously as possible.
From our website you can scan your PC and determine whether or not the software is installed on your machine, and if so, you can then choose to uninstall. To run the uninstall tool click on the link below:
»www.mypctuneup.com/evaluate.php
Or go to www.mypctuneup.com and click on free uninstall tool and follow the steps.
Remove Advertising Software With MyPCTuneUp.
Use our FREE uninstall program to remove the following Advertising Software programs from your computer: BestOffers, BetterInternet, Ceres, LocalNRD, MSView, MultiMPP, MXTarget, OfferOptimizer, Twaintec, and some others.
Please keep in mind that MyPCTuneUp isn't a general purpose Advertising Software or Spyware removal company. It will only remove the above programs listed, in addition to a few others.
The MyPCTuneUp uninstaller program will never collect any personally identifiable information, it will not install any additional programs, and it will delete itself once it finishes the uninstall process.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
blusky1
join:2005-05-05
Fort Lauderdale, FL
| Thanks Joker and Name Game for your help.
Joker I did exactly as you said and I have attached the HiJackthislog and the Ewido Log.
Name Game I will give it a shot and post back.
Appreciate the help. |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
2 edits | Don't give it a shot if you have already tried with joker and the hijackthis method....he will get it cleaned off for you..just make sure you do not have any more of those items they do list on your PC. 
here is your new log
Logfile of HijackThis v1.99.1
Scan saved at 9:38:07 PM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\Nelson Rodriguez\My Documents\downloads\spyware virus progs\HJT\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »https://ras.ups.com/flightops
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »channels.aimtoday.com/search/aimtoolbar.jsp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Documents and Settings\Nelson Rodriguez\Application Data\Mozilla\Profiles\default\l24cnoxv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nelson Rodriguez\Application Data\Mozilla\Profiles\default\l24cnoxv.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xbnuwxa] c:\windows\system32\zpoejid.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Nelson Rodriguez\Desktop\framxpro\FreeRAM XP Pro 1.40.exe" -win
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - »support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »www.fileplanet.com/fpdlmgr/cabs/···0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - »www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security.symantec.com/sscv6/Shar···absa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - »https://www-secure.symantec.com/techsupp···Data.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Unknown owner - I:\programs\Agent\PQV2iSvc.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
and here is your ewido log
»forum.gladiator-antivirus.com/in···ic=25854
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/ |
|
TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
| reply to blusky1
I'm at work right now and can't really look at this until tonight, but that log looks rather short, particularly on the running processes. Was that run from Safe mode? If it was, please post a new HijackThis log: boot to normal mode, close all other windows, run HijackThis, and click scan and post a new log. Please just post the text, copying and pasting it into a reply rather than uploading a zipped file.
--
TheJoker |
|
blusky1
join:2005-05-05
Fort Lauderdale, FL
| Thanks TheJoker for all your help. I am also at work for a couple of days. Yes it was run in safe mode as you had said. I will post the new HijackThis log as text hopfully Saturday night. Thanks for sticking with me on this one. I have learned some new things. |
|
zardiw7
join:2005-01-08
Palm Springs, CA | reply to Name Game
MyPCTuneup.com ..........I don't TRUST them
For instance, WHY does their 'removal' tool want to 'phone home'???????????????????
If you don't turn off your Firewall, guess what...no removal
What is it sending to the 'home office', I wonder????? |
|
zardiw7
join:2005-01-08
Palm Springs, CA | PS...NameGame...surprized that you recommended such a solution to this problem............I guess you have no problem with downloading stuff and then letting it run wild on your system......... |
|
DevilFrank
join:2003-07-13
 ·T-Com
| An adware company provides the uninstall-routine and the user had to turn off all 3rd party programs and establish an internet connection...
See the hardcoded EULA: »www.mypctuneup.com/Morpheus/EULA.htm#1
A trustworthy source. Wow...
--
Regards from Germany. Please excuse my stumbling English |
|
bobince
join:2002-04-19
DE
| reply to blusky1
Re: HJT Log Adware.BetterInternet Nail.exe
MyPCTuneUp sends a load of information back to its controlling servers, including lists of applications installed, your network card's uniquely-identifying MAC address and your Windows Product ID.
This is pretty scummy, but on the other hand if you've been infected by recent versions of DirectRevenue's parasites, they will already have sent all this information, so you'd not be losing anything as such... |
|
justageek
join:2002-03-07
Marietta, GA
3 edits | reply to blusky1
Attachments removed. Uploading executables not allowed. --WCB!
For those of you who are having a REAL Stubborn time with getting rid of the Nail (Like I had on a clients machine) there are a couple of files that you can download to help you in this quest. The FINDIT'S zip has a batch program that seeks and shows all the Aurora/nail/ShopAtHome related spyware infestations still present on your box. Now mind you, it may catch a couple of legit files so be real careful and do a google on file names that may look legit. The Killbox program is very effective for getting rid of stubborn STUBBORN files that do not want to be deleted. Just make sure that if you want to delete more than one file upon reboot, click NO when it asks you if you want to reboot now.
Hope this helps anyone else infected by those twits....
Oh yeah, and make SURE you have your SYSTEM RESTORE turned off. Otherwise you'll get re-infected.
May be beating a dead horse here but here's the directions I followed to get rid of NAIL and Aurora. Make sure ALL Anti-Virus programs you have and Spyware programs you have are up to date before you proceed.
1. Downloaded EWIDO security suite and updated same
2. Rebooted into safemode
3. Clicked START --> RUN --> then typed in SERVICES.MSC
4. Found SYSTEM STARTUP SERVICE and Stopped it, then Disabled it
5. Ran HJT and after it scanned, went to MISC TOOLS and clicked on DELETE NT SERVICE. Typed SvcProc in the box and hit enter.
6. Ran FINDITS.bat and then used KILLBOX to delete all the files it found in there (including icons) upon reboot, making sure not to reboot immediately.
7. START --> RUN --> CMD and typed in NAIL /FULLREMOVE
8. Re-ran KILLBOX and told it to delete NAIL upon reboot and rebooted system in safe mode again.
9. Ignored error message saying that windows couldn't find NAIL.EXE (Joy was had)
10. Ran all Spyware and AV programs twice to get rid of any residual infections that may be lingering.
11. Ran Findits.bat to see if anything remained.
12. Ran HJT in scan mode and got rid of the following lines.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
13. Ran EWIDO security suite to make sure all infection was gone
14. Rebooted into windows.
15. No more popups.
16. Kick back with beverage of choice and smile. |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to zardiw7
Re: MyPCTuneup.com ..........I don't TRUST them
said by zardiw7  :PS...NameGame...surprized that you recommended such a solution to this problem............I guess you have no problem with downloading stuff and then letting it run wild on your system......... Baloney..all you people who have posted on that subject..you are all doing too much reading on the net and not testing..I have and it works and does not leave junk on your PC.
And all this stuff about it is stealing this and that info from your PC and hard drive...Wake up people..fact is if anyone already has been whacked with any of the BAD BOY adware they clean off..YOU HAVE ALREADY BEEN compromised for not only that info..but also lots more.:D
So all you purist that insist that mypctuneup is out to get ya..make me laugh.
I also know why people that have any of that crap on their PC..as to where they got it in the first place in the bundles..all of it could have been avoided in the first place if they were really concerned about security.
Now webhelper has writtien a few things up on this site..
»www.webhelper4u.com/tnewswritigs···ain.html
But he has mixed it all up with the old way and old name they used to remove under..making you think bad thing are to come.
If anyone like me has really tested it lately..and has documentation..not just heresay..start a new thread on the subject and post it..
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
siggyx
Siggy
Premium
join:2003-12-10
Cambridge
1 edit | reply to blusky1
Re: HJT Log Adware.BetterInternet Nail.exe
The removal tool that the bad guys supply works most of the time and then all you need is clean up. I hate using tools by the people that caused the issue in the first place but if it assists with the cleanup well......
--
The next best thing to being smart is being able to quote someone who is. |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to DevilFrank
Re: MyPCTuneup.com ..........I don't TRUST them
said by DevilFrank :An adware company provides the uninstall-routine and the user had to turn off all 3rd party programs and establish an internet connection... See the hardcoded EULA: » www.mypctuneup.com/Morpheus/EULA.htm#1A trustworthy source. Wow... Morpheus was not even trust worthy in the first place to download.
Frank i have a problem with what i am seeing at Security site and the methods they are using to clean off a PC..I see some using highjackthis and other tools that do a great job in cleaning a PC..but fact is that is all they do..it is already too late and I see very few explaing that to the member as they clean off badboys that already COMPROMISED the PC and its data..yet none are telling theese people to change their passwords...or even reformat/reinstall and then actually LOCK DOWN that PC.
So if all are really concerned about privacy and data compromise..then they should start helping people understand how to avoid it..and what to do if it happens.
You cant do it with most of the third party programs that are out there..and you are certianly not "good to go" after a teeth cleaning" all you do have is a PC that is functional..no more no less.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to blusky1
Re: HJT Log Adware.BetterInternet Nail.exe
You can play with this one too
Please download the trial version of Ewido Security Suite here:
»www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please run Notepad and copy the following text into a new file:
quote:
@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
»www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Post the log from the scan here for me.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA | reply to blusky1
I haven't used the removel tool before, but I recall a thread where CalamityJane used it.
--
TheJoker |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
1 edit | said by TheJoker :I haven't used the removel tool before, but I recall a thread where CalamityJane used it. Hi joker
I can show you three threads where they used it and worked like a charm..excpet for those who had some AV running in the backgroud..or a firewall that would not even allow the tools it uses to understand what OS they were using..much less the version of the adware installed.
I personally have used it around my neck of the woods to clean it off neighbors PC's..but once you start working on it with hijackthis or some other killbit or etc fix..best to continue with that method and then make sure there are no nail326.exe (as example) and get rid of that..
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
if it is still there in the hijack log..
I like the ewido method myself also..since 9 out of ten PC's I have found not only have that group of adware types installed..but also things like messenger plus with it bundles as well as hijackers that have nothing to do with aurora or nail or etc.
Those people will still have problems with the other stuff.
But I also then have them look closely at BOClean to curb their passions.
Others might have a better way to help those less knowledgable..but I find that program to help them..a no brainer.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/ |
|
