pop ups and registry problems


Guest

I hope someone can help. My kids' computer is running like crap. Pop-ups
appear regularly even when they aren't on the net. We are on cable and always
on. We installed AVG some time ago and it was working well, but something
happened and now it won't work and won't let me remove, repair or reinstall
it. I have tried Ad-Aware and Spybot, which have found and cleaned a number
of problems, but the pop-ups still happen and I can't get rid of the AVG.
HELP, please.

Gord
 

pcbutts1

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/...A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

If none of the above fixes the issue, then download HijackThis, run it, save
a copy of the log file, and cut and paste it back here to the group so that I
can analyze it.

HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 

Guest

Here is the log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 8:41:49 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\72ao9l71.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Gord\Local Settings\Temporary Internet
Files\Content.IE5\ZG8X1I2J\HijackThis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://as.starware.com/dp/search?x=...bKjfFLhwlVVFeGr+zinMnyfJeXMdpAkKgpL9oGPjBZQ==
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} -
C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: (no name) - {46991200-292B-233C-FC00-80F3F0FC626E} - (no file)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} -
C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7744AA1E-00D3-62E4-C44B-0E4828E154DC} - (no file)
O2 - BHO: (no name) - {7777AE19-A488-D2B4-3F4B-A224B03CA128} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program
Files\Starware\bin\Starware.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} -
C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} -
C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program
Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [72ao9l71] C:\WINDOWS\System32\72ao9l71.exe
O4 - HKLM\..\Run: [Nvvnr] C:\Program Files\Shgiucy\Unufon.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Advanced Searchbar -
{57F02779-3D88-4958-8AD3-83C12D86ADC7} -
C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Searchbar -
{57F02779-3D88-4958-8AD3-83C12D86ADC7} -
C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class)
- http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} -
C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\fwe.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH -
C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner -
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany
- C:\Program Files\AVPersonal\AVWUPSRV.EXE

I hope you can help.
 

pcbutts1

Have HijackThis fix the following lines; they are all spyware/malware and
need to be removed. You are also infected with Aurora/Nail.exe malware. Fix
those lines first, then download and run the nail fix from here:
http://www.pcbutts1.com/downloads/nailfix.exe After you run the nail fix,
reboot in safe mode and run the nail fix again. After that, run
HijackThis again and post the log again so I can see if it is all gone.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://as.starware.com/dp/search?x=...bKjfFLhwlVVFeGr+zinMnyfJeXMdpAkKgpL9oGPjBZQ==
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} -
C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: (no name) - {46991200-292B-233C-FC00-80F3F0FC626E} - (no file)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} -
C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {7744AA1E-00D3-62E4-C44B-0E4828E154DC} - (no file)
O2 - BHO: (no name) - {7777AE19-A488-D2B4-3F4B-A224B03CA128} - (no file)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program
Files\Starware\bin\Starware.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} -
C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} -
C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program
Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [72ao9l71] C:\WINDOWS\System32\72ao9l71.exe
O4 - HKLM\..\Run: [Nvvnr] C:\Program Files\Shgiucy\Unufon.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

O9 - Extra button: Advanced Searchbar -
{57F02779-3D88-4958-8AD3-83C12D86ADC7} -
C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Searchbar -
{57F02779-3D88-4958-8AD3-83C12D86ADC7} -
C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


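The triage done by eye above (orphaned BHOs, the extra executable on the Shell= line, a Run entry with a random name, a download control from a look-alike host, a Winlogon Notify DLL) and the follow-up check "post the log again so I can see if it is all gone" can both be scripted. The Python below is an added example written for this page; it is not HijackThis's own code and not anything posted in the thread. It embeds a hand-picked subset of lines from the two logs posted here (wrapped lines rejoined), and the trusted-host list, the random-name pattern and the other flagging rules are the editor's assumptions, not rules from the tool. The before/after comparison keys each entry on the file it loads rather than on the raw line, which is what catches a Notify DLL that was re-registered under a new display name.

```python
# Added example: heuristic triage of HijackThis log lines plus a before/after
# comparison. Not HijackThis's code; every rule below is an editorial assumption.
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the two logs posted in the thread (8/2/2005 before the
# fix, 8/3/2005 after it), wrapped lines rejoined. Not the complete logs.
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...bKjfFLhwlVVFeGr+zinMnyfJeXMdpAkKgpL9oGPjBZQ==
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {46991200-292B-233C-FC00-80F3F0FC626E} - (no file)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [72ao9l71] C:\WINDOWS\System32\72ao9l71.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\fwe.dll
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\fwe.dll
"""

@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O4"
    body: str     # everything after "O4 - "
    raw: str      # the whole line, for reporting

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe/.dll (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
TRUSTED_HOSTS = ("msn.com", "microsoft.com", "google.ca", "google.com")  # assumption
# Run-key name that mixes letters and digits with no separator, e.g. 72ao9l71 (assumption).
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,}$", re.IGNORECASE)

def parse_log(text: str) -> list[Entry]:
    """Keep only the 'Xn - ...' entry lines; header and process lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m["section"], m["body"], line.strip()))
    return out

def entry_key(e: Entry) -> str:
    """Identity for before/after comparison: section plus the file loaded, when
    there is one, else the raw line. Survives a renamed Winlogon Notify entry."""
    m = PATH_RE.search(e.body)
    return f"{e.section}:{m.group(0).lower()}" if m else e.raw

def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

def is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def flag(e: Entry) -> Optional[str]:
    """Return a reason string if the entry deserves a look, else None."""
    b = e.body
    if "(no file)" in b or "(file missing)" in b:
        return "orphaned registration: the file it points at is gone"
    if e.section == "F2" and "Shell=" in b:
        shell = b.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "Shell= loads more than Explorer.exe: " + shell
    if e.section == "O4":
        m = re.search(r"\[(?P<name>[^\]]+)\]", b)
        if m and RANDOM_NAME_RE.match(m["name"]):
            return "Run entry with a random-looking name: " + m["name"]
    if e.section in ("R0", "R1", "O16"):
        m = re.search(r"https?://\S+", b)
        if m and not is_trusted_host(host_of(m.group(0))):
            return "URL on an untrusted host: " + host_of(m.group(0))
    if e.section == "O20":
        return "Winlogon Notify DLL loads into winlogon.exe at logon; verify its publisher"
    return None

def triage(text: str) -> list[tuple[str, str]]:
    """(raw line, reason) for every flagged entry in one log."""
    return [(e.raw, r) for e in parse_log(text) if (r := flag(e))]

def compare(before: str, after: str) -> dict[str, list[str]]:
    """Which flagged entries went away after the fix, which persist, which are new."""
    b = {entry_key(e): e for e in parse_log(before) if flag(e)}
    a = {entry_key(e): e for e in parse_log(after) if flag(e)}
    return {
        "removed": [b[k].raw for k in b if k not in a],
        "persisting": [a[k].raw for k in a if k in b],
        "new": [a[k].raw for k in a if k not in b],
    }

if __name__ == "__main__":
    for raw, reason in triage(LOG_BEFORE):
        print(f"{reason}\n    {raw}")
    for status, lines in compare(LOG_BEFORE, LOG_AFTER).items():
        print(f"{status}: {len(lines)}", *lines, sep="\n    ")
```

Run against the two embedded logs, the second log still shows three flagged entries: the Shell= line still carrying Nail.exe, the windupdates.com download control, and fwe.dll, which the raw-line view would have reported as "removed" and "added" because its Notify name changed from Explorer to App Management. The heuristics are deliberately loose (a legitimate Run entry with a numeric name would also be flagged), which is the right bias for a review list that a person still reads.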
 

Guest

I did all that you said to do. I am not sure if nail.fix worked or not. When
I rebooted there was a message that Windows couldn't find or start nail.fix.
Also, now Internet Explorer will not run. When started it goes directly to
the Internet Options box. Anyway, here is the newest log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 1:58:35 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Gord\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.ca/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class)
- http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} -
C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\fwe.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH -
C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner -
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany
- C:\Program Files\AVPersonal\AVWUPSRV.EXE


 

R. McCarty

Another damn HJT log -
PCButts, if you want to fix these issues for posters then do
XP-Gen a favor and offer to do a Remote Assistance session
for the OP and just fix their issue(s) quickly without subjecting
all of us to your analysis.

Rolling threads are one thing - but HJT (1), then HJT (2)...

We (participants) are all impressed that you really, really know
how to analyze these logs, but personally I do not wish to see
them. Thanks
 

Guest

Let me know where to post these and I will. I didn't know everyone else saw
these unless they went into that specific thread.
 

R. McCarty

Newsgroups are like public email. You only followed his directions
to post the log. Generally, newsgroups are plain text, and posting any
binaries or attachments is discouraged. Mr. Butts seems very eager
to help. In another thread, he indicated his future offerings for help
on analyzing logs would be via email and not through this group.

There are dedicated web sites that will assist in analyzing HJT logs,
which you can locate with Google. Besides that, many other tools
such as MS Antispyware and others can locate and resolve these
types of issues without manual interpretation.
 

pcbutts1

Please download ewido security suite; it is a free version of the program.
http://www.pcbutts1.com/downloads/ewidosetup.exe
Install ewido security suite.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database
could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being
installed.
(the status bar at the bottom will display "Update successful")
Exit ewido. DO NOT SCAN YET.

Download CCleaner and install it, but do not run it yet.
http://www.pcbutts1.com/downloads/ccsetup122.exe

Please download this file: Revised Installer for the Nailfix Utility
http://www.pcbutts1.com/downloads/nailfix1.exe
Save it to your desktop.
DO NOT RUN IT YET.

Next, please reboot your computer in SafeMode by doing the following:
Restart your computer. After hearing your computer beep once during startup,
but before the Windows icon appears, press F8. Instead of Windows loading as
normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup
Make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open
and close very quickly; this is normal.

Now open ewido and do a scan of your system.
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the
action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now as the action.
Once the scan has completed, there will be a button located on the bottom of
the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find
it easily.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere
and the game "Risk")

Now run HijackThis, click Scan, and place a checkmark next to each of the
following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HJT, then click the Fix Checked button.
Close HJT.

Locate and delete the following File
C:\WINDOWS\Nail.exe

Now run CCleaner
Uncheck "Cookies" under "Internet Explorer".
If running Firefox: click on the "Applications" tab and uncheck "Cookies"
under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a
while to run.

Finally, restart your computer in normal mode and please post a new
HijackThis log, as well as the report log from the Ewido scan by using Add
Reply.

You said IE is not working, the links I gave you are direct download links
and should work. If they don't then paste them into another browser or
explorer window. If you have no other browser then email me with a valid
email address and I will send you one. We will fix IE after all the spyware
is gone.



 

pcbutts1

Look up the word Troll in Google, you may learn something. I have never
asked anyone to email me HJT logs and I never will. I do not help with HJT
through email, so I would appreciate it if you would not suggest it. If you
don't want to see it then don't click on it. Nobody is forcing you to.

 

Guest

Well, here it is again.
The post is too long, so I will post the ewido log in a new thread.

Logfile of HijackThis v1.99.1
Scan saved at 12:41:15 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Gord\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.ca/
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program
Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\midex.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


pcbutts1 said:
Please download ewido security suite; it is a free version of the program.
http://www.pcbutts1.com/downloads/ewidosetup.exe
Install ewido security suite.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu
Launch ewido; there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(The status bar at the bottom will display "Update successful".)
Exit ewido. DO NOT SCAN YET.

Download CCleaner and install it, but do not run it yet.
http://www.pcbutts1.com/downloads/ccsetup122.exe

Please download this file: Revised Installer for the Nailfix Utility
http://www.pcbutts1.com/downloads/nailfix1.exe
Save it to your desktop.
DO NOT RUN IT YET.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup.
Make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly; this is normal.

Now open ewido and do a scan of your system.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one by one.
If ewido detects a file you KNOW to be legitimate, select None as the action.
DO NOT select "Perform action on all infections".
If you are unsure of any entry found, select None for now as the action.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
**(Ewido, for example, has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk".)

Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HJT, then click the Fix Checked button.
Close HJT.

Locate and delete the following file:
C:\WINDOWS\Nail.exe

Now run CCleaner.
Uncheck "Cookies" under "Internet Explorer".
If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan, by using Add Reply.

You said IE is not working. The links I gave you are direct download links and should work. If they don't, then paste them into another browser or Explorer window. If you have no other browser, then email me with a valid email address and I will send you one. We will fix IE after all the spyware is gone.






Gord said:
I did all that you said to do. I am not sure if nail.fix worked or not. When I rebooted there was a message that Windows couldn't find or start nail.fix. Also, now Internet Explorer will not run. When started it goes directly to the Internet Options box. Anyway, here is the newest log from HijackThis.
Logfile of HijackThis v1.99.1
Scan saved at 1:58:35 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Gord\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\fwe.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE


pcbutts1 said:
Have HijackThis fix the following lines; they are all spyware/malware and need to be removed. You are also infected with Aurora/Nail.exe malware. Fix those lines first, then download and run the nail fix from here: http://www.pcbutts1.com/downloads/nailfix.exe After you run the nail fix, reboot in Safe Mode and run the nail fix again. After that, run HijackThis again and post the log again so I can see if it is all gone.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...bKjfFLhwlVVFeGr+zinMnyfJeXMdpAkKgpL9oGPjBZQ==
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: (no name) - {46991200-292B-233C-FC00-80F3F0FC626E} - (no file)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {7744AA1E-00D3-62E4-C44B-0E4828E154DC} - (no file)
O2 - BHO: (no name) - {7777AE19-A488-D2B4-3F4B-A224B03CA128} - (no file)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [72ao9l71] C:\WINDOWS\System32\72ao9l71.exe
O4 - HKLM\..\Run: [Nvvnr] C:\Program Files\Shgiucy\Unufon.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL





 

pcbutts1

OK, I am assuming by the logs that you ran Ewido after you ran the HJT log. The final step is to remove a few more files and fix IE6. Download Killbox from here, unzip it, then run it: http://www.pcbutts1.com/downloads/killbox.zip Copy these two paths to the clipboard and then, from Killbox, select File > Copy from clipboard; that will paste those paths in the box. Then select "Delete on reboot" and click the delete files button (red circle X), then exit Killbox.

C:\WINDOWS\system32\midex.dll
C:\WINDOWS\system32\acl71.dll

Next, download these two files: http://www.pcbutts1.com/downloads/installie.reg and http://www.pcbutts1.com/downloads/ie6setup.exe Run the first file by double-clicking on it to merge it into the registry; this will allow you to re-install IE6. Reboot, then run ie6setup.exe to re-install IE6. Once IE is re-installed, go to Windows Update and get all the patches. Your system should now be clean of all spyware and that nasty Nail infection.

Good Luck


 

Guest

Thanks. I'm not sure if it all worked. It seems to have, except I'm still getting popups and I can't get onto this site on their computer. It keeps saying "error on page".
 

Guest

Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 9:11:23 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Gord\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123189619661
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\midex.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
 

pcbutts1

Have HijackThis fix these lines:

O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL

O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL

O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\midex.dll



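The triage in this thread is done by eye: pcbutts1 scans each HijackThis log for a Shell= line that carries a second executable, registrations whose file is missing, random-looking names in System32, and Winlogon Notify DLLs, then tells Gord which lines to fix. The one thing a human reader easily misses across three logs is that the same C:\WINDOWS\system32\midex.dll comes back as an O20 entry under a different Notify subkey name ("MS-DOS Emulation" in the earlier log, "ShellCompatibility" in the 8/4 log) after the Killbox step. Fixing an O20 line only deletes the registry subkey; if the DLL and whatever re-registers it survive, the entry reappears. The script below is an added example, not part of the thread and not HijackThis code: it parses HJT entries from two scans, flags the same indicators with heuristics that are my own assumptions rather than anything the tool applies, and diffs the scans by file path so a renamed entry with the same DLL is reported separately from entries that were genuinely removed or added. The sample scans are abridged composites of entries from the logs posted above.

```python
"""HijackThis log triage: parse entries, flag the indicators acted on in the
thread above, and diff two scans by file path so a persistence entry that
comes back under a new name stands out. Added example; not HijackThis code.
The heuristics are assumptions, not anything the tool itself applies."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Abridged composites of entries from the logs posted in this thread
# (constructed sample input; a few header lines kept to show they are skipped).
SCAN_EARLIER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [72ao9l71] C:\WINDOWS\System32\72ao9l71.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\midex.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
"""
SCAN_LATER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123189619661
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\midex.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First Windows path ending in .dll/.exe; HJT writes one file path per entry.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
# Base names mixing letters and digits with no structure, e.g. 72ao9l71 (heuristic).
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$", re.IGNORECASE)


@dataclass
class Entry:
    section: str          # HJT section code: F2, O2, O4, O20, O23, ...
    body: str             # text after "Oxx - "
    path: Optional[str]   # lowercased file path, if the entry names one


def parse(log: str) -> List[Entry]:
    """Keep only 'Xn - ...' entries; headers and the process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body, pm.group(0).lower() if pm else None))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious entry body to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if "(file missing)" in e.body:
            reasons.append("registered but file missing: dangling entry, fix it")
        if e.section == "F2" and "Shell=" in e.body:
            progs = re.findall(r"\S+\.exe", e.body, re.IGNORECASE)
            if len(progs) > 1:  # anything after Explorer.exe runs at every logon
                reasons.append("Shell= loads extra program(s): " + ", ".join(progs[1:]))
        if e.section == "O20":
            reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon, verify the file")
        if e.path:
            base = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\system32\\" in e.path and RANDOM_NAME_RE.match(base):
                reasons.append(f"random-looking name in System32: {base}")
        if reasons:
            findings[e.body] = reasons
    return findings


def diff_scans(old: List[Entry], new: List[Entry]) -> Dict[str, list]:
    """Compare by (section, path): a renamed key pointing at the same DLL is 'renamed'."""
    def key(e: Entry) -> Tuple[str, str]:
        return (e.section, e.path or e.body)
    o = {key(e): e for e in old}
    n = {key(e): e for e in new}
    return {
        "removed": sorted(o[k].body for k in o.keys() - n.keys()),
        "added": sorted(n[k].body for k in n.keys() - o.keys()),
        "renamed": [(o[k].body, n[k].body) for k in sorted(o.keys() & n.keys())
                    if o[k].body != n[k].body],
    }


def report(earlier: str, later: str) -> str:
    old, new = parse(earlier), parse(later)
    lines = ["Suspicious in earlier scan:"]
    for body, reasons in triage(old).items():
        lines.append(f"  {body}")
        lines += [f"      - {r}" for r in reasons]
    d = diff_scans(old, new)
    lines.append(f"Removed since: {len(d['removed'])}, added: {len(d['added'])}")
    for before, after in d["renamed"]:
        lines.append(f"  SAME FILE, NEW NAME: {before!r} -> {after!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SCAN_EARLIER, SCAN_LATER))
```

Keying the diff on the file path rather than on the whole line is the design choice that matters: removed lines that never come back are the normal outcome of a fix, while a path that persists under a new subkey name is a sign that the registry edit alone is not enough and the file itself, plus whatever re-creates the entry, needs to go.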
 

Guest

My son had just removed iMesh, so the first two lines you wanted removed weren't there. I fixed the other one. Hopefully that does it. Thanks very much. Maybe in the near future I will get you to go through mine and see if there is anything that needs to be done.
:)
 
