Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Aurora / Nail.exe (Explorer popups) - HJT log included.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Aurora / Nail.exe (Explorer popups) - HJT log included.

Unread postby Incoming » June 7th, 2005, 8:38 am

Hi.

I am a victim of the "Aurora" explorer popups and that friggin Nail.exe file which shows up everywhere. I have searched through my computer with Ad-Aware SE, Spyware Doctor, Norton Antivirus, SpywareBlaster, Spybot SOD and XoftSpy.

XoftSpy actually found and determined the presence of "Aurora" as well as the "Nail.exe"-file and was able to remove those. But still, as soon as I restart my computer, they're all back in their regular places and popups swirling around the screen.

I have downloaded the latest Hijackthis and run a search immediately after regular windows startup and included the log-file beneath. Huge thanks to anyone who might take the time and go through this and hopefully help me to solve this problem. Whatever instructions I get I intend to save for any eventual future Aurora sicknesses.
Any info on how to prevent Aurora in the future would also be greatly appreciated !

Thanks !


Logfile of HijackThis v1.99.1
Scan saved at 14:26:58, on 2005-06-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
c:\windows\system32\focukcu.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\regedit.exe
C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Temp\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ptblinj] c:\windows\system32\duzkak.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /C /FS /X
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AWMON] "C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6272476483
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am
Advertisement
Register to Remove

Unread postby Bertha » June 7th, 2005, 1:18 pm

Hey Incoming,

I am looking at your Hijackthis Log for you

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Bertha » June 7th, 2005, 1:24 pm

Incoming,

Hello! and welcome to the Malware Removal forums.

Copy the following to notepad/print it off so you can follow it

From your Hijackthis Log I see characteristic no evidence of Nail, however lets deal with what I do see first and then tackle the Nail issue if it still persists

-

We'll need to disable AdAware's AdWatch, since it might interfere with other program(s) we might be using to 'clean' off your system; you can re-enable it after we're done. To disable this feature, run Run AdAware SE, then:

1. Click "AdWatch".
2. Click "Tools and Preferences".

(Look at the bottom of the window you will see two options...)


3. Uncheck these options:

Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically


Remember to re-enable this feature once your system is clean.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

focukcu.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

c:\windows\system32\focukcu.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [ptblinj] c:\windows\system32\duzkak.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders: see here - http://www.xtra.co.nz/help/0,,4155-1916458,00.html

files...

c:\windows\system32\focukcu.exe
c:\windows\system32\duzkak.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode" see here - http://service1.symantec.com/SUPPORT/ts ... ec_doc_nam

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

Temporary Files
Temporary Internet Files
Recycle Bin


===============

Post back a new log, and let me know how everything goes.

-

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Incoming » June 7th, 2005, 5:31 pm

First of all, I would like to thank you so much for your support. It's an incredible help you're all providing for end-users like me and it is heavily appreciated !

With that said, here's what happened;

- - - - - - - - STEPS TAKEN - - - - - - - -

As instructed, I began by deactivating the two options in AdWatch.
After that, I followed the link which you provided, found the "Free Online Scan" and let it go through the entire computer (including DVD-Units and Floppydrives). Here is the result of the scan:

----- FILES/VIRUSES FOUND BY ONLINE SCAN ("HouseCall") -----

-- VIRUS -- -- SCAN RESULT -- -- FILE --

TROJ DLOADER.KP CanNotAccess C:\WINDOWS\system32\focukcu.exe
TROJ NAIL.B Non Cleanable C:\WINDOWS\Nail.exe
TROJ BUDDY.F Non Cleanable C:\WINDOWS\qrafbfdndgj.exe
TROJ STERVIS.C Non Cleanable C:\WINDOWS\svcproc.exe

All of these files could be deleted by HouseCall except for "focukcu.exe" because it was currently in use.
------------------------------------------------------------

Once done, I closed "HouseCall" and continued with your instructions.
I performed a search for the unaccessible file "focukcu.exe*". The search came up with the following files:

"c:\WINDOWS\Prefetch\FOCUKCU.EXE-29E3BF14.pf"
"C:\WINDOWS\system32\focukcu.exe"

Although I was only instructed to delete any copy of this file in the "Prefetch" folder, I tried deleting them both.
The "FOCUKCU.EXE-29E3BF14.pf" file could be deleted, but "focukcu.exe" was currently in use so no removing that one.

On to the HijackThis step. In the Process Manager, I found one line containing "C:\WINDOWS\system32\focukcu.exe".
I killed the process, refreshed and confirmed that no other process with "focukcu.exe" existed.
After that, I let HijackThis scan my computer again and found the line;

"O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)"

which I checked and "fixed". I also remember "fixing" the "duzkak.exe" line after an earlier scan. So that line has also been present, but not any more, afaIk.

Next step was to look up the files "FOCUKCU.EXE" and "duzkak.exe" in Explorer.
Since I'm a quite experienced computer-user, I made sure that all hidden and system files/folders were shown. However, I found none of the files in the "C:\WINDOWS\system32" folder. Suppsedly, "FOCUKCU.EXE" was removed by HijackThis. Thus, no need to reboot into "safe-mode".

Last step was to run "cleanmgr" which I did. I made sure the three entrances you mentioned were ticked (as well as a few more I decided I could do without).

After having run the cleanmgr, though it wasn't adviced, I rebooted my computer and let it start up normally after which I ran HijackThis again which produced the following log attached below. I apologize if I wasn't supposed to reboot the computer prior to the new log-file. Please tell me and I'll do the whole thing again without rebooting in the end.

- - - - - - - - ADDITIONAL OCCURENCES - - - - - - - -

Upon windows start, I got two specific Ad-watch Alarms which displayed the following;

----- Ad-watch Alarm -----

WARNING! 23:15:13
An attempt to alter a protected object has been detected.
(Attempt to change a registry value)
Root: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: Shell
Data: explorer.exe
New Data: Explorer.exe C:\WINDOWS\Nail.exe

Please choose how to proceed.

Click here for advice

--------------------------

----- Ad-watch Alarm -----

WARNING! 23:19:03
An attempt to alter a protected object has been detected.
(Attempt to change a registry value)
Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Run
Value: phtftc
Data:
New Data: c:\windows\system32\yisIts.exe

Please choose how to proceed.

Click here for advice

--------------------------

I denied access to both these actions, however, they kept occuring over and over again so I had to let Ad-watch deny these changes automatically.
So far, I haven't seen any "AURORA" popups though, but I haven't surfed that much now either. Below is the HijackThis log.
Thanks so much for all your help and I hope that you can help me deal with whatever's left too.

Many thanks !

/ Incoming

-------- NEW HIJACKTHIS LOG --------

Logfile of HijackThis v1.99.1
Scan saved at 23:15:24, on 2005-06-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\yqrvly.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Creative\MediaSource\Detector\CTDetect.exe
C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program\HijackThis.exe
C:\Program\Logitech\Video\FxSvr2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Temp\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [phtftc] c:\windows\system32\yislts.exe
O4 - HKLM\..\Run: [tpjgld] c:\windows\system32\yqrvly.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AWMON] "C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6272476483
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am

Unread postby Incoming » June 7th, 2005, 10:56 pm

I just want to report that the "AURORA" popups are still there.
I've seen at least a couple of those things during my surfing.

/ Incoming
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am

Unread postby Bertha » June 8th, 2005, 7:44 am

Hey Incoming,

Ok now your Log is showing what I wanted, you have the "Nail" infection

Please print the following off so you can follow it

Lets tackle Nail now

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php? ... 5010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Incoming » June 8th, 2005, 12:09 pm

Ok. Once again I followed your instructions down to the word. Everything went well. The only mentionable thing was "Ewido" telling me that I needed to reboot the computer in order to clean it completely.

Anyway, after it was done scanning, I proceeded with HijackThis and let it remove that line you wrote after which I rebooted the computer and let it start normally. I run HijackThis once more and below is the resulting log-file.

Now when windows started, ad-aware did not mention any tries to change anything in the registry what so ever. Seems like a huge improvement to me ! And I have still to see any "AURORA" popups. Unfortunately, I'll have to leave my home soon (back on friday) - but I'm convinced that you've helped me to get rid of all my problems.

Thank you so much once more for your excellent help and support !
It's an amazing thing you are doing providing this service for whoever needs it.

Many thanks;

/ Incoming


----- EWIDO REPORT -----

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:26:58, 2005-06-08
+ Report-Checksum: AD070204

+ Date of database: 2005-06-08
+ Version of scan engine: v3.0

+ Duration: 88 min
+ Scanned Files: 146712
+ Speed: 27.63 Files/Second
+ Infected files: 12
+ Removed files: 12
+ Files put in quarantine: 12
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Incoming\Cookies\incoming@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Cookies\incoming@cz6.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Cookies\incoming@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Cookies\incoming@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Cookies\incoming@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Cookies\incoming@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Cookies\incoming@www.cheatserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Cookies\incoming@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Incoming\Lokala inställningar\Temp\SDW\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\ikiqyeh.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\qrafbfdndgj.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\wkcifi.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End



------ HIJACKTHIS LOG -----

Logfile of HijackThis v1.99.1
Scan saved at 17:57:51, on 2005-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Creative\MediaSource\Detector\CTDetect.exe
C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Temp\ewido\security suite\ewidoctrl.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Temp\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ptblinj] c:\windows\system32\duzkak.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AWMON] "C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6272476483
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Temp\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am

Unread postby Bertha » June 8th, 2005, 12:42 pm

Hey Incoming,

Print this off/copy it to notpead so you can follow it

Run Hijackthis and check the following entry

O4 - HKLM\..\Run: [ptblinj] c:\windows\system32\duzkak.exe

Now with all windows closed click "fix"

Ok lets use Killbox to remove the file/folder that is being so stubborn:

Download Pocket Killbox here - http://www.malwareremoval.com/downloads.html

Now take a look at this post as it will guide you through the installation process as well as the removal process incase you get confused:

http://www.malwareremoval.com/forum/viewtopic.php?t=320

Once you have installed Killbox we need to begin to delete the file folder:

If you look at the topic above this is what we are going to do (so read this part):

How to use KILLBOX to delete a file - Delete on reboot kill - Delete on reboot kill

ChrisRLG

Open Killbox and check a mark in the "RadioBox" which says "Delete On Reboot"

Under "Full Path or File to Delete copy and paste this entry below:

c:\windows\system32\duzkak.exe

Now press the red cross and a new window will pop up asking you to confirm the removal CLICK YES

After you have added the above entry and it asks if you wish to restart CLICK YES and the computer will restart

Post back a new Hijackthis Log for me

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Incoming » June 8th, 2005, 2:35 pm

Ok. Done what you said.

First I ran HijackThis and "fixed" the "duzkak.exe".
Then I installed (or downloaded and extracted) KillBox and ran that one.
I chose for it to remove the file on reboot, entered the path/filename and initiated the process.

After KillBox asked me if I wanted to reboot the computer (where I chose "Yes"), a windows alert message came up displaying the following text;

PendingFileRenameOperations Registry Data has been Removed by External Process!

So, I restarted the computer manually and ran HijackThis again after bootup which produced the following log (note that the "duzkak.exe" file is still there) and I'm a bit sceptical whether KillBox actually could delete that file permanently. I mean, if KillBox deletes that file upon next reboot - isn't there a chance that "duzkak.exe" is back after the following reboot again ?

Anyway, here's the log (I really appreciate if you have any further advice as of what I can do about this) !

Many thanks for your time and help so far.

/ Incoming


----- HIJACKTHIS LOG -----

Logfile of HijackThis v1.99.1
Scan saved at 20:16:48, on 2005-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\Program\Creative\MediaSource\Detector\CTDetect.exe
C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Temp\ewido\security suite\ewidoctrl.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Temp\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ptblinj] c:\windows\system32\duzkak.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AWMON] "C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6272476483
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Temp\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am

Unread postby Bertha » June 8th, 2005, 2:57 pm

Hey,

Print this off so you can follow it

Run Hijackthis and check the following

O4 - HKLM\..\Run: [ptblinj] c:\windows\system32\duzkak.exe

With all windows closed click "fix"


Open Killbox

Now take a look at this post as it will guide you through
the installation process as well as the removal process incase you get
confused:

http://www.malwareremoval.com/forum/viewtopic.php?t=320

Once you have installed Killbox we need to begin to delete the file
folder:


If you look at the topic above this is what we are going to do (so read
this part):

How to use KILLBOX to delete a file

ChrisRLG

Open Killbox and check a mark in the "RadioBox" which says "Standard File Kill"

Under "Full Path or File to Delete copy and paste this entry below:

c:\windows\system32\duzkak.exe

Now press the red cross and a new window will pop up asking you to
confirm the removal CLICK YES

It will then confirm the deletion

Post a new Log back here, if this fails we can try another way

Bertha[/b]
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Incoming » June 10th, 2005, 6:07 am

Done what you said. When trying to remove the file with "Killbox" I got the message saying: "File doesn't seem to exist."

When I check that "duzkak.exe" line in HijackThis and click "Fix", HijackThis deletes that file, thus leaving nothing for Killbox to remove. But when I reboot my computer, the duzkak.exe file is back.
Running HijackThis after reboot generates the exact same LOG as included in my most recent reply (except for the date and time stamp of course).

The only way I can have Killbox remove / delete the duzkak.exe file is to not fix the corresponding line in HijackThis first. But even so, I'm afraid that duzkak.exe will be back again after reboot. Couldn't there be something else hidden in my computer which re-generates the duzkak.exe upon reboot (if missing) ?

Appreciate your help as always !

/ Incoming
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am

Unread postby Bertha » June 10th, 2005, 11:32 am

Hey Incoming,

Ok try the Killbox fix first without delting the item in Hijackthis,

Then once you have done the Killbox deletion, run Hijackthis and see if the O4 is back,

Let me know how things go and post back a new Hijackthis Log when done

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Incoming » June 10th, 2005, 4:55 pm

Hmmm, this is weird...

I rebooted the computer and did a scan with HijackThis. The 04....duzkak.exe file was there again, as usual. However, I did not "fix" anything with HijackThis, I just closed the program. Then I ran Killbox and typed in the folder/file name exactly as it should be ("c:\windows\system32\duzkak.exe"), I used the "Standard File Kill" option and clicked the red cross.
Killbox then responded with the message:

"This file does not seem to exist"

Note, again, that I did not remove or fix anything with HijackThis prior to using Killbox. How come Killbox can't see a file which is evidently there ?

I'll be standing by for further advice.

Thanks !

/ Incoming


* EDIT:

And the HijackThis LOG is still the same after windows startup as the last one I posted.
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am

Unread postby Bertha » June 11th, 2005, 3:50 am

Hey Incoming,

Ok please do as follows:

This to Disable AdWatch

Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.

Now run Hijackthis and check the following

O4 - HKLM\..\Run: [ptblinj] c:\windows\system32\duzkak.exe

With all windows closed click "fix"

Now reboot, and post a new hijackthis Log back here

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Incoming » June 11th, 2005, 5:09 am

YES - Finally got it !

(Please read, this is important - someone else might be doing the same error as I did)

You see, I am using Ad-watch. I've had it set on "Active" and "Automatic". Every time I've tried to delete the "duzkak.exe" file through HijackThis - I've actually never bothered with unchecking Ad-watch Active nor Automatic, I have just right-clicked on the Ad-watch icon in the system-tray and chosen "Unload". This terminates Ad-watch completely, thus I figured that I can be 100% certain that nothing will interfere with my deleting that "duzkak.exe" file.

After having let HijackThis delete the file, I have always rebooted, only to see that d*mn file back again after Windows startup.

But this time, I actually un-checked both "Active" and "Automatic", and then I unloaded Ad-watch. I let HijackThis remove the file and I rebooted. When Windows started, Ad-watch came up telling me about some suspicious activity - asking me to Accept or Block. As I red the rest of the message, I saw that there was an attempt to delete a registry value (probably caused by HijackThis) - trying to delete "C:\windows\system32\duzkak.exe" from window's registry.

I chose to Accept the modification and *poof* - problem solved. I have rebooted my computer a couple of times and still no "duzkak.exe" in the HijackThis scan.


What must have happened all earlier times is that HijackThis hasn't been able to delete that registry value right away when clicking "fix" - maybe it has been locked up in an active process or something. So HijackThis has schedueled the deletion of that registry value upon next reboot. However, Ad-watch has started up in the background again, and since it's been set on both "Active" and "Automatic" - Ad-watch has blocked HijackThis attempt to delete duzkak.exe from the registry.

And now when I unchecked "Automatic" - I could accept that change instead.

-----------------------------------

I know that you instructed me to uncheck "Active" and "Automatic" in Ad-watch which I evidently did not do. I just thought I was doing stuff even more properly and for that I apologize. This matter would probably have been resolved a lot sooner had I done exactly what you told me.
But I learned something from it though ! =)

Thanks so much for all your help Bertha !

Take Care;

/ Incoming
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 40 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware