Hi all, that was all the malware items listed in the HijackThis log, but Nail is a bit harder to remove.
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Please download, install, and update the free version of Ewido trojan scanner:
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful")
[*]Exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.
Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)
Unzip it to the desktop but do NOT run yet.
Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
[*]Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
[*]Select an option when the Windows Advanced Options menu appears, and then press ENTER.
[*]When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Next, run CCleaner.
[*]Uncheck "Cookies" under "Internet Explorer".
[*]If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
[*]Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Now run Ewido again.
[*]Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
[*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[*]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following items:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Internet Explorer Hot Fix - {E0A0833D-5B85-4913-9315-6B7D27487C33} - C:\WINDOWS\System32\jytyz.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing).
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
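
The entries listed in the post can be triaged mechanically. The following is an added example, not part of the original post or of HijackThis itself: a small parser that reads the same seven lines and reports which traits each one shows. The reason labels and function names are assumptions made for this illustration.

```python
import re

# Entries copied from the post above; the trailing period on the last line is dropped.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Internet Explorer Hot Fix - {E0A0833D-5B85-4913-9315-6B7D27487C33} - C:\WINDOWS\System32\jytyz.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # section code, then the entry text
SHELL = re.compile(r"Shell=(.*)$", re.IGNORECASE)


def reasons_for(code, detail):
    """Return the (hypothetical) triage reasons that apply to one log entry."""
    reasons = []
    shell = SHELL.search(detail)
    if code == "F2" and shell:
        # The stock Shell value is Explorer.exe alone; anything after it also
        # starts at logon. Assumes the extra path contains no spaces.
        extra = [p for p in shell.group(1).split() if p.lower() != "explorer.exe"]
        if extra:
            reasons.append("shell-extra:" + " ".join(extra))
    if "(file missing)" in detail or "(no file)" in detail:
        reasons.append("orphaned")  # registry entry whose target is not on disk
    if code == "O23" and "Unknown owner" in detail:
        reasons.append("unknown-owner")
    return reasons


def triage(log_text):
    """Parse HijackThis-style lines into (code, detail, reasons) tuples."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, detail = m.groups()
            results.append((code, detail, reasons_for(code, detail)))
    return results


if __name__ == "__main__":
    for code, detail, reasons in triage(SAMPLE_LOG):
        print(f"{code:<4}{', '.join(reasons) or 'manual review':<40}{detail}")
```

The jytyz.dll BHO matches none of these rules because its file exists on disk, so it comes back with an empty reason list and still needs a person to recognise it.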