
please help... I have quite a few problems


Unread postby 3162 » April 15th, 2005, 9:38 am

OK, apparently another forum already has a copy of Nail.exe, so let's see about killing your infection.

Please copy the following instructions to a notepad file and save them because you won't be able to see this page.
Keep the notepad file Open
You will need to be Offline and NO IE windows open. When ready to start the fix, unplug your cat-5 wire from machine if you are on cable or a network.


    [1] Download the Pocket Killbox if you haven't already got it.
    [2] Unzip the contents of KillBox.zip to a convenient location.
    [3] Disconnect from internet and shut down all running programs
    [4] Double-click on KillBox.exe. and keep killbox Open.
    (Important to keep killbox and notepad file open)
    [4a] Use task manager to end process on all instances of explorer.exe
    Your desktop will disappear but that's normal.
    [5] Click "Replace on Reboot" and check the "Use Dummy" box.
    [6] Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINNT\Nail.exe
    [7] Click the "Delete File" button which looks like a stop sign.
    [8] Click "Yes" at the Replace on Reboot prompt.
    [9] Click "No" at the Pending Operations prompt.
    [10] skip....

    [11] Click "Replace on Reboot" and check the "Use Dummy" box.
    [12] Paste this file into the top "Full Path of File to Delete" box.
    • c:\winnt\system32\huvkxo.exe <<or the new file name/location
    [13] Click the "Delete File" button which looks like a stop sign.
    [14] Click "Yes" at the Replace on Reboot prompt.
    [15] Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot. Reboot manually if you need to.
    [16] Once restarted...new hijackthis log please.

Then Please Do Not reboot until I reply back.
3162
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby silverleaf » April 15th, 2005, 9:42 am

Is it possible that nail.exe keeps regenerating the other file every time I delete it?
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby silverleaf » April 15th, 2005, 10:01 am

Logfile of HijackThis v1.99.1
Scan saved at 15:05:05, on 15/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
F:\Programs\BullGuard 5.0\bullguard.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
c:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
c:\winnt\system32\laxchb.exe
C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
F:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [xvnlfe] c:\winnt\system32\laxchb.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) - https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F6F16-5CBD-4FC5-92FA-EC49131572EC}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)


Doesn't want to go, does it?
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am
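The log above carries the two entries the helpers act on for the rest of this thread: the F2 line, where the system.ini Shell value has been extended from Explorer.exe to also launch C:\WINNT\Nail.exe, and the O4 Run entry [xvnlfe] that starts a randomly named file from system32 which also appears under running processes. The Python script below is an added example, not code from the thread or from HijackThis: it parses a constructed excerpt in the same log format and returns exactly the lines an analyst would tick and fix. The system32_companions() heuristic is my own assumption and will also match legitimate autoruns, so it marks candidates for review rather than anything to delete unseen.

```python
"""Triage a HijackThis log for a Shell= hijack and its companion autorun.

Added example, not from the thread or HijackThis. Two checks:
  1. anything the Shell value launches besides explorer.exe (definite finding);
  2. O4 Run entries whose image sits directly in system32 and is running
     (loose heuristic, for analyst review).
"""
import ntpath
import re

# Constructed sample in HijackThis v1.99 format; malicious and benign paths are
# copied from the log posted in this thread, benign entries are a subset of it.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
c:\winnt\system32\laxchb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [xvnlfe] c:\winnt\system32\laxchb.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)


def running_processes(log):
    """Lower-cased image paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.add(line.strip().lower())
    return procs


def shell_extras(log):
    """Every image the Shell value launches besides explorer.exe.

    A clean Windows 2000 box has Shell=Explorer.exe; anything appended to it
    is started by Winlogon at every logon, which is how Nail.exe persists here.
    """
    extras = []
    for line in log.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        # Winlogon accepts a comma- or space-separated list of programs;
        # assumes no spaces inside the paths, as in the HijackThis output.
        for item in re.split(r"[,\s]+", m.group("value").strip()):
            if item and ntpath.basename(item).lower() != "explorer.exe":
                extras.append(item)
    return extras


def executable_of(cmd):
    """Strip quotes and arguments from an O4 command, leaving the image path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def system32_companions(log):
    """O4 Run entries launching an image that sits directly in system32 and is
    currently running. Legitimate entries can match; the analyst compares the
    value name ([xvnlfe]) with the file name (laxchb.exe) before acting."""
    procs = running_processes(log)
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        folder = ntpath.dirname(exe).lower()
        if folder.endswith(("\\winnt\\system32", "\\windows\\system32")) and exe.lower() in procs:
            hits.append((m.group("hive"), m.group("name"), exe))
    return hits


def lines_to_fix(log):
    """The exact HijackThis lines to tick and fix: the Shell hijack plus any
    companion autorun flagged above, in log order."""
    targets = {e.lower() for e in shell_extras(log)}
    targets |= {exe.lower() for _, _, exe in system32_companions(log)}
    return [line for line in log.splitlines()
            if (SHELL_RE.match(line) or RUN_RE.match(line))
            and any(t in line.lower() for t in targets)]


if __name__ == "__main__":
    for line in lines_to_fix(SAMPLE_LOG):
        print(line)
```

Run against the constructed log it prints the F2 Shell line and the [xvnlfe] O4 line, the same two lines 3162 asks to have fixed further down the thread. Running it over a full log is a matter of passing the file contents instead of SAMPLE_LOG.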

Unread postby ChrisRLG » April 15th, 2005, 10:02 am

I will answer - yes; also, on each reboot, this and the random file are checking each other all the time. Not a new method, as we have seen it before.

=============

For your information, across the ASAP network of forums we have at least 4 other topics like yours; you are not alone - as soon as one of you five shows an answer we will use that method on all of you.

One of those was able to provide copies of the files, and experts are even now taking them apart to find how they work.

You may see lots of views of this topic as the various experts check all the infections. Lots of trainees will also be looking over this and the other topics looking to see how the experts are dealing with this.

So in short with the collective network of anti-malware experts on this case it will just be a matter of time for a fix to be found.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby 3162 » April 15th, 2005, 10:26 am

This is for Win2k only:

Click on Start, then Run ... type command and press "OK".

In the next box that opens, type cd\ and press "Enter". Now you'll see the C: prompt ... looks like this: C:\>

Type cd\winnt and then Enter.

Next, type nail.exe /FullRemove (make sure there is a space between nail.exe and the /) ... then Enter.

Then type exit and click Enter (this will close the command prompt window)

Now run hijackthis again, and checkmark/fix, if found:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [xvnlfe] c:\winnt\system32\laxchb.exe


Navigate to c:\winnt\system32\laxchb.exe and delete the file.
Check for, and delete if found C:\WINNT\Nail.exe

Reboot, and post a fresh log please.
Last edited by 3162 on April 15th, 2005, 10:39 am, edited 1 time in total.
3162
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby silverleaf » April 15th, 2005, 10:29 am

Yay!

I'm actually quite enjoying this - in a strange way I'm helping other people and helping to prevent this happening to others in the future.
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby silverleaf » April 15th, 2005, 10:32 am

3162 wrote: Type cd\windows and then Enter.


Do you mean cd\winnt ?

Cos it says cd\windows is an invalid directory.
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby ChrisRLG » April 15th, 2005, 10:36 am

Type cd\windows and then Enter.

Yes that bit should be

Type cd\WINNT and then Enter.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby silverleaf » April 15th, 2005, 10:38 am

"C:\WINNT>nail.exe /fullremove
The system cannot execute the specified program."
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby silverleaf » April 15th, 2005, 10:40 am

Do I need to turn off Bullguard? Maybe that's blocking the file?
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby 3162 » April 15th, 2005, 10:45 am

I suspect your 06 control panel present is blocking removal, for one thing.

Bear with me here...loading another 2k box to check something
3162
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby silverleaf » April 15th, 2005, 10:46 am

I just wanted to take the opportunity to say that you guys are complete stars... thank you for all your help. :)
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby 3162 » April 15th, 2005, 11:22 am

A bit rusty on my DOS commands for 2k...but this should do it
Run hijackthis again to get the new name of the 04 line file.
Checkmark/fix the 06 line.
Turn off Bullguard.

Click on Start, then Run ... type command and press "OK".

In the next box that opens, type cd\ and press "Enter". Now you'll see the C: prompt ... looks like this: C:\>

Type dir WINNT and then Enter.
That should list the contents of the winnt folder.

Now type del C:\WINNT\Nail.exe and click Enter

Should be back at C:\>

Now type dir winnt\system32 Enter
Type del c:\winnt\system32\laxchb.exe Enter <<Type the name of the file from 04 line in hijackthis earlier

Run hijackthis, checkmark/fix the two lines if they are there, and reboot.
New log please.
Last edited by 3162 on April 15th, 2005, 11:26 am, edited 1 time in total.
3162
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby 3162 » April 15th, 2005, 11:25 am

And turn off Bullguard first ;)
3162
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby ChrisRLG » April 15th, 2005, 11:35 am

or try this instead

Copy this quote dox to notepad - save as killnail.bat (as type all files) to the desktop

Change the laxchb.exe in the two lines below to the name of the file from the 04 line in hijackthis earlier

cd\
CD WINNT
REM list the file first so the window shows whether it was there, then delete it
dir C:\WINNT\Nail.exe
del C:\WINNT\Nail.exe
CD \WINNT\system32
REM same for the randomly named companion file from the 04 line
dir c:\WINNT\system32\laxchb.exe
del c:\winnt\system32\laxchb.exe
pause


Now double click that new icon for killnail.exe which is now on your desktop.

It will leave a DOS window open, you should be able to use the menu from that window (alt/space) to be able to copy paste the text for us.

Run hijackthis, checkmark/fix the two lines if they are there, and reboot.
New log please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK