MalwareRemoval.com forum thread

please help... I have quite a few problems

Post by silverleaf » April 15th, 2005, 11:57 am

I followed 3162's instructions, and managed to delete nail.exe in the DOS window, but couldn't delete the other file because it was being "used by another process".

Both files showed up in HJT and I fixed them, but they were back again after reboot.

Then I followed Chris's instructions, ran the killnail.bat file and got the following text:


C:\Documents and Settings\anna\Desktop>cd\

C:\>CD WINNT

C:\WINNT>dir C:\WINNT\Nail.exe
Volume in drive C has no label.
Volume Serial Number is B4B1-BE7C

Directory of C:\WINNT

15/04/2005 16:48 71,168 Nail.exe
1 File(s) 71,168 bytes
0 Dir(s) 1,513,877,504 bytes free

C:\WINNT>del C:\WINNT\Nail.exe

C:\WINNT>CD winnt\system32
The system cannot find the path specified.

C:\WINNT>dir c:\WINNT\system32\vxztlx.exe
Volume in drive C has no label.
Volume Serial Number is B4B1-BE7C

Directory of c:\WINNT\system32

04/12/2003 16:24 76,288 vxztlx.exe
1 File(s) 76,288 bytes
0 Dir(s) 1,513,951,232 bytes free

C:\WINNT>del c:\winnt\system32\vxztlx.exe
c:\winnt\system32\vxztlx.exe
The process cannot access the file because it is being used by another process.

C:\WINNT>pause
Press any key to continue . . .

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:03:09, on 15/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
c:\winnt\system32\epovre.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Programs\BullGuard 5.0\bullguard.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
c:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
F:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [fyvamr] c:\winnt\system32\epovre.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) - https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F6F16-5CBD-4FC5-92FA-EC49131572EC}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)

Post by 3162 » April 15th, 2005, 12:02 pm

Could you do a check for us please and see if you have this file on your machine:
Use Windows Search for:
EVNAMNB.EXE

Post by silverleaf » April 15th, 2005, 12:19 pm

Can't find that file.

Post by silverleaf » April 15th, 2005, 12:28 pm

I've just got a Bullguard message:

Bullguard has detected someone scanning your ports.

Please consult the security log for details.
attacker was banned for 600 seconds.

Attacker IP address 62.136.208.34
Attacker MAC address 7C-F4-20-00-01-00

This is not good! I don't know if it's relevant or not, but I thought I'd let you know anyway.

Post by 3162 » April 15th, 2005, 12:33 pm

Please bear with us; I am installing the infection shortly and should have more information soon.

Post by ChrisRLG » April 15th, 2005, 12:35 pm

Are you an Energis customer?
===================
WHOIS results for 62.136.208.34
Generated by http://www.DNSstuff.com
Location: United Kingdom [City: Solihull, England]


% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 62.136.192.0 - 62.136.255.255
netname: POL-CAG2
descr: Energis UK
descr: Dialup customers (Dynamic IP)
country: GB
admin-c: MADM1-RIPE
tech-c: MADM1-RIPE
status: ASSIGNED PA
mnt-by: ENERGIS-MNT
changed: *****@energis.com 20020919
source: RIPE

route: 62.136.0.0/15
descr: Energis UK
origin: AS5388
mnt-by: ENERGIS-MNT
changed: *******@planet.net.uk 19990521
changed: *****@energis.com 20020916
source: RIPE

role: Modem and DSL Team
address: Energis UK
address: Melbourne Street
address: Leeds, LS2 7PS
address: United Kingdom
phone: +44 113 2345100
e-mail: ******@energis.com
admin-c: ENIT1-RIPE
tech-c: ENIT1-RIPE
nic-hdl: MADM1-RIPE
remarks: Abuse reports to *****@energis.com please!
remarks: No actions are taken on abuse reports sent to modem team.
mnt-by: ENERGIS-MNT
changed: *****@energis.com 20021127
source: RIPE


Post by silverleaf » April 15th, 2005, 12:36 pm

I've never even heard of Energis.

Post by ChrisRLG » April 15th, 2005, 12:40 pm

I would not worry about that - it is in a range of IP addresses provided for dialup users. It is probably someone else who is infected with a virus or other malware.

It is not from a website etc. which could be connected to this problem.
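
ChrisRLG's point above is that the address sits in a block RIPE lists as an ISP's dialup pool, so it is almost certainly another subscriber's infected machine rather than anything tied to this infection. The script below is an added example, not part of the thread or of DNSstuff: it reads the RIPE objects quoted above (embedded as a trimmed sample), turns the inetnum range and the route prefix into networks, and reports which blocks contain a given address and whether the most specific one describes itself as a dialup/dynamic pool. The parser and the function names are this example's own.

```python
"""Check whether a firewall-reported IP falls inside the address blocks a
RIPE WHOIS lookup returns, as with the Energis dialup range in this thread.
Added example; the WHOIS text is a trimmed copy of the objects quoted above."""
import ipaddress
import re

# Constructed sample: the relevant attributes from the RIPE reply quoted above.
WHOIS_TEXT = """\
inetnum: 62.136.192.0 - 62.136.255.255
netname: POL-CAG2
descr: Energis UK
descr: Dialup customers (Dynamic IP)
country: GB
status: ASSIGNED PA

route: 62.136.0.0/15
descr: Energis UK
origin: AS5388
"""


def parse_rpsl(text):
    """Split RPSL output into objects (blank-line separated). Each object is a
    list of (attribute, value) pairs so repeated attributes such as descr survive."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith("%"):          # RIPE server comment lines
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def networks_from(objects):
    """Turn inetnum/inet6num ranges and route prefixes into networks. A range is
    'start - end' and may need several CIDR blocks to cover it exactly."""
    found = []
    for obj in objects:
        attrs = dict(obj)
        descr = " / ".join(v for a, v in obj if a == "descr")
        rng = attrs.get("inetnum") or attrs.get("inet6num")
        if rng:
            start, end = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
            for net in ipaddress.summarize_address_range(start, end):
                found.append((net, attrs.get("netname", ""), descr))
        elif "route" in attrs or "route6" in attrs:
            prefix = attrs.get("route") or attrs.get("route6")
            found.append((ipaddress.ip_network(prefix), attrs.get("origin", ""), descr))
    return found


def classify(ip_text, whois_text=WHOIS_TEXT):
    """Blocks containing ip_text as (network, label, descr), most specific first."""
    ip = ipaddress.ip_address(ip_text)
    hits = [h for h in networks_from(parse_rpsl(whois_text)) if ip in h[0]]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), label, descr) for net, label, descr in hits]


def is_dialup_pool(ip_text, whois_text=WHOIS_TEXT):
    """True when the most specific matching object calls itself a dialup or
    dynamic pool, i.e. the source is another subscriber, not a fixed server."""
    hits = classify(ip_text, whois_text)
    return bool(hits) and bool(re.search(r"dial-?up|dynamic", hits[0][2], re.I))


if __name__ == "__main__":
    for net, label, descr in classify("62.136.208.34"):
        print(f"{net:20} {label:10} {descr}")
    print("dialup pool:", is_dialup_pool("62.136.208.34"))
```

For the address from the BullGuard alert the most specific hit is 62.136.192.0/18 (POL-CAG2, "Dialup customers (Dynamic IP)"), inside the wider 62.136.0.0/15 route announced by AS5388, which is exactly the reasoning in the reply above.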

Post by silverleaf » April 15th, 2005, 12:41 pm

Okay, thanks.

It scared me a bit. :roll:

Post by 3162 » April 15th, 2005, 1:21 pm

OK, this is a nasty little sucker... it makes a number of changes to security settings and the system.
It'll take me a while to sort through the 2k registry here, but I think we can take care of this.
I'll be back... eventually.

Post by 3162 » April 15th, 2005, 6:42 pm

Alrighty...took a while but I did manage to kill off Nail.exe on test box here.

Please print this page, as most all of it will be done in safe mode.

Create a registry backup: This is important, just in case something goes awry, you can restore registry if you have to.
How to back up, edit, and restore the registry in Windows 2000

Now click Start >> Run >> type in regedt32 and click Enter.
Navigate to, and highlight,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}
by clicking the + to expand the tree.

At the top of Registry Editor, click Security >> Permissions and then highlight Everyone by left-clicking it one time.
At the bottom of that page, checkmark Full Control and click Apply >> OK.

Do the same for
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}

Close registry editor.
Any problems with this part, post back before doing the rest of this.

Then copy the contents of the code box below to a Notepad file and save it to the desktop as Fixreg.reg, with Save as type set to All Files (*.*).
Code:
REGEDIT4

; Remove the UserAssist entry that records Nail.exe being run, and reset the UEME_RUNPATH counter
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\FcljnerFbyhgvbaf\\Qrfxgbc\\AnvyVasrpgrq\\Anvy.rkr"=-
"HRZR_EHACNGU"=hex:06,00,00,00,98,00,00,00,d0,a8,5e,17,db,41,c5,01

; Put the Winlogon shell back to Explorer.exe alone
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

; Restore the kmixer enumeration entries in both control sets
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum]
"Count"=dword:00000001
"NextInstance"=dword:00000001
"0"="SW\\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\\{9B365890-165F-11D0-A195-0020AFD156E4}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum]
"Count"=dword:00000001
"NextInstance"=dword:00000001
"0"="SW\\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\\{9B365890-165F-11D0-A195-0020AFD156E4}"

; DeviceReference is a DWORD; the bytes B0 01 23 84 read little-endian are 0x842301B0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}\Control]
"DeviceReference"=dword:842301b0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}\Control]
"DeviceReference"=dword:842301b0


Now save the contents of the next code box as Fixreg2.reg, and save it to the desktop.
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"



Now,
Reboot to safe mode.
To access safe mode in 2k, tap F8 at the second splash screen when the machine comes up. You can then use the up/down arrows to select safe mode, and click Enter.
Choose Windows2000 at next screen if it isn't already highlighted. Click Enter.
It'll be slow...and agree to the nag screen about going into safe mode.

Once you are in safe mode, run HijackThis again, click Config >> Misc Tools >> Process Manager and end task on userinit;
also end task on the random-named file, if it is running (it wasn't running in safe mode on my box).

Go back to the main page of HijackThis, and checkmark/fix the random-named O4 line, and the F2 C:\WINNT\Nail.exe line, if they are there.

Now delete the randomly named file by manually navigating to it in the C:\WINNT\System32 folder >> right-click on the file and choose Delete.
Same for C:\WINNT\Nail.exe >> delete it.


Now double click FixReg.reg on desktop and allow it to merge with registry.

If for some reason it balks at the merge, then double click Fixreg2.reg and allow the merge. We can deal with the others later, once we are sure we have the nasty killed.

Reboot to normal Windows, and post a fresh log please.
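
The repair above is written as a REGEDIT4 file. That format is strict: key paths go in square brackets, value names and REG_SZ data are double-quoted with backslashes doubled, a REG_DWORD is written as dword: followed by eight hex digits (so the four little-endian bytes B0 01 23 84 become dword:842301b0), REG_BINARY is hex: with comma-separated bytes, and "name"=- deletes a value. The generator below is an added example, not the helper's own script: it builds the same entries from structured data so each type is encoded mechanically, and it ROT13-decodes the UserAssist value name, which shows the path that entry records. The key paths and values come from the post above; reg_script, encode_value, dword_from_bytes and decode_userassist are this example's own names.

```python
"""Generate a REGEDIT4 (.reg) script from structured entries and decode the
ROT13 value names Windows keeps under UserAssist.
Added example for this thread; not the helper's own script."""
import codecs

USERASSIST = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
              r"\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count")
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SW_DEVICE = r"SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
# Value name from the thread (ROT13 of a UEME_RUNPATH entry for Nail.exe).
ROGUE_RUNPATH = r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\FcljnerFbyhgvbaf\Qrfxgbc\AnvyVasrpgrq\Anvy.rkr"

DELETE = object()   # sentinel: emit "name"=- so regedit removes the value


def quote(s):
    """Quote a value name or REG_SZ string the way .reg files require:
    backslashes and double quotes are escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def encode_value(data):
    """Encode data as the right-hand side of a "name"=... line."""
    if data is DELETE:
        return "-"
    if isinstance(data, str):                       # REG_SZ
        return quote(data)
    if isinstance(data, (bytes, bytearray)):        # REG_BINARY
        return "hex:" + ",".join(f"{b:02x}" for b in data)
    if isinstance(data, int):                       # REG_DWORD, 32-bit unsigned
        if not 0 <= data <= 0xFFFFFFFF:
            raise ValueError("REG_DWORD must fit in 32 bits")
        return f"dword:{data:08x}"
    raise TypeError(f"unsupported registry data: {type(data).__name__}")


def dword_from_bytes(raw):
    """regedt32's binary view shows a DWORD as four little-endian bytes;
    B0 01 23 84 is the DWORD 0x842301B0."""
    if len(raw) != 4:
        raise ValueError("a DWORD is exactly four bytes")
    return int.from_bytes(bytes(raw), "little")


def reg_script(entries):
    """entries: list of (key path, {value name: data}). Returns REGEDIT4 text
    with CRLF line endings, matching what regedit itself exports."""
    lines = ["REGEDIT4", ""]
    for key, values in entries:
        lines.append(f"[{key}]")
        lines += [f"{quote(name)}={encode_value(data)}" for name, data in values.items()]
        lines.append("")
    return "\r\n".join(lines)


def decode_userassist(name):
    """UserAssist value names are ROT13-encoded; decode to see the recorded path."""
    return codecs.decode(name, "rot_13")


def fixreg_entries():
    """The repairs from the post above as structured entries, for both the
    ControlSet001 and CurrentControlSet views of the SYSTEM hive."""
    entries = [
        (USERASSIST, {ROGUE_RUNPATH: DELETE,
                      "HRZR_EHACNGU": bytes.fromhex("0600000098000000d0a85e17db41c501")}),
        (WINLOGON, {"Shell": "Explorer.exe"}),
    ]
    for cs in ("ControlSet001", "CurrentControlSet"):
        entries.append((rf"HKEY_LOCAL_MACHINE\SYSTEM\{cs}\Services\kmixer\Enum",
                        {"Count": 1, "NextInstance": 1, "0": SW_DEVICE}))
        entries.append((rf"HKEY_LOCAL_MACHINE\SYSTEM\{cs}\Enum" + "\\" + SW_DEVICE + r"\Control",
                        {"DeviceReference": dword_from_bytes([0xB0, 0x01, 0x23, 0x84])}))
    return entries


def write_reg(path, entries):
    """Write the script without newline translation so the CRLFs survive."""
    with open(path, "w", newline="", encoding="ascii") as fh:
        fh.write(reg_script(entries))


if __name__ == "__main__":
    print(decode_userassist(ROGUE_RUNPATH))
    print(reg_script(fixreg_entries()))
```

Decoding the rogue UserAssist name gives UEME_RUNPATH:C:\Documents and Settings\SpywareSolutions\Desktop\NailInfected\Nail.exe, the path on the helper's test machine; on the machine being cleaned the entry will carry that machine's own path, so check the decoded name before relying on a delete line. The file is written with CRLF line endings, as regedit produces on export.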

Post by silverleaf » April 16th, 2005, 7:08 am

How to Back Up the System State on a Domain Controller

1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.
2. Click the Backup tab.
3. Click to select the System State check box. (All of the components to be backed up are listed in the right pane. You cannot individually select each item.)

NOTE: During the system state backup, you must select to back up the Winnt\Sysvol folder. You must also select this option during the restore operation to have a working sysvol after the recovery.


Where do I find the bit about selecting to back up the winnt\sysvol folder?
I did the backup but it said nothing about sysvol.

Post by 3162 » April 16th, 2005, 7:34 am

If you created an Emergency Repair Disk (ERD), just ignore the SystemState backup part, and continue with the rest of my proposed fix.

Thanks

Post by silverleaf » April 16th, 2005, 7:38 am

Okay then.... here goes nothing! ;)

Post by silverleaf » April 16th, 2005, 8:09 am

When I try to shut down the random-named file in HJT Process Manager, it just morphs immediately every time.

I fixed both files, then manually deleted them. I noticed that nail.exe appears to have been deleted, but if I navigate back it's still there.

FixReg.reg ran fine, but obviously the two files are still there.


Logfile of HijackThis v1.99.1
Scan saved at 13:09:15, on 16/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
c:\winnt\system32\prnuzv.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
F:\Programs\BullGuard 5.0\bullguard.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
c:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\Programs\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ehnvuu] c:\winnt\system32\prnuzv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) - https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F6F16-5CBD-4FC5-92FA-EC49131572EC}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)