General Interest >> Science and Technology
z@z.com
Libertarian
Registered: 10/13/02
Posts: 2,876
Loc: ATL
Worst adware I have ever dealt with. Nail.exe
    #4065883 - 04/17/05 05:56 PM (11 years, 10 months ago)

I am having serious problems with some adware. The problem is popup windows titled "Aurora". There is a process running under a seemingly random name (right now it is bjbbwgv.exe) and when I kill it, it comes right back with a different name. It even does this in safe mode. It has also modified the registry entry HKLM\software\microsoft\Windows NT\currentversion\winlogon\shell with the value "explorer.exe c:\windows\nail.exe". Every time I remove the c:\windows\nail.exe portion of the entry it comes back instantly, and when I use software to block changes to the registry that I don't make, it still comes back on the next reboot. I can't seem to be rid of this fucking thing. I have tried every spyware removal tool I can find and they find it and remove it, but it just comes right back. Anyone have any ideas?


--------------------
"Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis

"I would rather be exposed to the inconveniencies attending too much liberty than to those attending too small a degree of it." - Thomas Jefferson


Edited by z@z.com (04/17/05 06:05 PM)


Kodath
strangerThan

Registered: 03/30/05
Posts: 295
Last seen: 7 years, 6 months
Re: Worst adware I have ever dealt with. Nail.exe [Re: z@z.com]
    #4066041 - 04/17/05 07:09 PM (11 years, 10 months ago)

Yeah, this is a tough one to get rid of. It will load itself automatically when Windows boots, so first you have to turn off the system startup service. First you'll need to download a program called HijackThis.

Type "services.msc" into the Run box, look for the service named SvcProc (or System Startup Service) and press "Stop Service", then disable it by setting the startup type to "Disabled". You may need to use HijackThis to delete the service entirely here if the spyware still comes back after doing the rest of the things I'm about to mention.

After this, open a command prompt and navigate to the Windows directory (c:\windows), then type in "nail.exe /FullRemove".

Now open HijackThis again and have it do a scan. If any of these things show up, put a check beside them and press "Fix checked":

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsi25.dll

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [ecqidbh] c:\windows\system32\kuwrli.exe

Don't check anything else; HijackThis lists legit processes too, so unless you know what you're deleting you may end up deleting vital system files.

Then reboot. It might work or it might not; this particular piece of spyware seems to be very hard to get rid of.


--------------------


Life: Main event at the MGM Grand. Murphy's fighting Occam, and you're in the stands.


Edited by Kodath (04/17/05 07:14 PM)


z@z.com
Libertarian
Registered: 10/13/02
Posts: 2,876
Loc: ATL
Re: Worst adware I have ever dealt with. Nail.exe [Re: Kodath]
    #4066144 - 04/17/05 07:50 PM (11 years, 10 months ago)

Thanks for the help, but the problem is still here.
Quote:

Kodath said:
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsi25.dll

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [ecqidbh] c:\windows\system32\kuwrli.exe



None of those things exist and the problem is still here. Everything HijackThis displays seems to be legitimate.
Quote:


Logfile of HijackThis v1.99.1
Scan saved at 7:46:13 PM, on 4/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\cvihln.exe<----there the bastard is.
C:\Program Files\eXeem Lite\eXeem.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\mpc\mplayerc.exe
C:\Program Files\Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [awxDTools] rundll32 C:\PROGRA~1\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [qyznijh] c:\windows\system32\kfchtd.exe<---bastard popped right back up.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Startup: Shortcut to AsusProb.lnk = C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - Startup: Shortcut to TeaTimer.lnk = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://Z:\components\hidinputmonitorx.ocx
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://G:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106025117570
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe




*edited a few things out of the log


--------------------
"Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis

"I would rather be exposed to the inconveniencies attending too much liberty than to those attending too small a degree of it." - Thomas Jefferson


Edited by z@z.com (04/17/05 07:51 PM)
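What z@z.com did by eye in the first post and in the log above can be scripted. The following is an added example written for this thread, not HijackThis code and not from any poster: it parses two HijackThis-style log snapshots taken a few minutes apart, reports any entry in the Winlogon Shell value beyond explorer.exe (the c:\windows\nail.exe hook from the first post), and pairs up the HKLM\..\Run entry that vanished with the one that appeared under a new random name. Assumptions: the `F2 - REG:system.ini: Shell=` line shape is taken to match HijackThis output (the log posted above has no F2 line), and the two sample snapshots are constructed from lines in the posted log plus a made-up second loader name.

```python
"""Triage two HijackThis-style log snapshots taken a few minutes apart.

Added example for this thread (not HijackThis code, not from any poster).
Assumption: the "F2 - REG:system.ini: Shell=" line is taken to match the
shape HijackThis uses for the Winlogon Shell value; the log posted in the
thread has no such line, so the one in the sample below is constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# "O4 - HKLM\..\Run: [valuename] command" autostart entries.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[CL][UM])\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Winlogon Shell value (assumed line shape, see module docstring).
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$", re.IGNORECASE)
# The only thing that belongs in the Winlogon Shell value.
EXPECTED_SHELL = "explorer.exe"


class RunEntry(NamedTuple):
    hive: str
    key: str
    name: str
    cmd: str


class LogSummary(NamedTuple):
    runs: List[RunEntry]
    shell: Optional[str]


def parse_log(text: str) -> LogSummary:
    """Collect the O4 Run entries and the Shell value from one log."""
    runs: List[RunEntry] = []
    shell: Optional[str] = None
    for raw in text.splitlines():
        # The poster annotated lines with "<---..."; drop such trailing notes.
        line = raw.split("<--", 1)[0].rstrip()
        m = O4_RE.match(line)
        if m:
            runs.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"].strip()))
            continue
        m = SHELL_RE.match(line)
        if m:
            shell = m["value"].strip()
    return LogSummary(runs, shell)


def shell_extras(value: Optional[str]) -> List[str]:
    """Return every token in the Shell value other than explorer.exe.

    Windows runs each program listed in the Shell value at logon, so the
    extra nail.exe entry from the first post is a persistence hook.
    """
    if value is None:
        return []
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    return [t for t in tokens if t.lower() != EXPECTED_SHELL]


def rotated_entries(
    before: List[RunEntry], after: List[RunEntry]
) -> Tuple[List[RunEntry], List[RunEntry]]:
    """Run entries that appeared or vanished between the two snapshots.

    A loader that is killed and comes back under a new random name shows up
    as one removed entry and one added entry in the same hive and key,
    while legitimate entries are present in both snapshots.
    """
    added = [e for e in after if e not in before]
    removed = [e for e in before if e not in after]
    return added, removed


def triage(before_text: str, after_text: str) -> dict:
    """Run both checks over two snapshots and return the findings."""
    before, after = parse_log(before_text), parse_log(after_text)
    added, removed = rotated_entries(before.runs, after.runs)
    return {"shell_extras": shell_extras(after.shell), "added": added, "removed": removed}


# Constructed snapshots: the legitimate lines and the kfchtd.exe line are
# copied from the log posted above; the second loader name and the F2 line
# are made up to mirror what the poster described.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [qyznijh] c:\windows\system32\kfchtd.exe<---bastard popped right back up.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F2 - REG:system.ini: Shell=explorer.exe c:\windows\nail.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [bjbbwgv] c:\windows\system32\cvihln.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F2 - REG:system.ini: Shell=explorer.exe c:\windows\nail.exe
"""

if __name__ == "__main__":
    report = triage(LOG_BEFORE, LOG_AFTER)
    print("Extra entries in Winlogon Shell:", report["shell_extras"])
    for entry in report["removed"]:
        print("gone :", entry)
    for entry in report["added"]:
        print("new  :", entry)
```

A single snapshot cannot tell a random-looking Run value from an odd but legitimate one (KHALMNPR.EXE above is genuine), which is why the script compares two snapshots: a legitimate entry stays put, while a loader that respawns after being killed shows up as one removed and one added entry in the same key.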


Kodath
strangerThan

Registered: 03/30/05
Posts: 295
Last seen: 7 years, 6 months
Re: Worst adware I have ever dealt with. Nail.exe [Re: z@z.com]
    #4066288 - 04/17/05 08:55 PM (11 years, 10 months ago)

I did a little reading up on this thing; there's a hidden file somewhere that will regenerate all the program's executables whenever they're deleted. This tool should find these hidden files for you, download and run it. Copy the log and post it here.


--------------------


Life: Main event at the MGM Grand. Murphy's fighting Occam, and you're in the stands.


Kodath
strangerThan

Registered: 03/30/05
Posts: 295
Last seen: 7 years, 6 months
Re: Worst adware I have ever dealt with. Nail.exe [Re: Kodath]
    #4066336 - 04/17/05 09:10 PM (11 years, 10 months ago)

Actually I found a thread that explains it all very well. The actual removal of it starts on post 10, just replace the filenames with the ones that tool I gave you finds.

Link


--------------------


Life: Main event at the MGM Grand. Murphy's fighting Occam, and you're in the stands.


nofind_um
Explorer ofEarth

Registered: 06/30/03
Posts: 933
Loc: At work, at school, at my...
Re: Worst adware I have ever dealt with. Nail.exe [Re: Kodath]
    #4066360 - 04/17/05 09:22 PM (11 years, 10 months ago)

Turn off system restore first and foremost. Then run HijackThis. Most adware/spyware takes up home on the restore volume.. I think at least. I'm no expert though.. I always turn it off before running HijackThis.... I think it's even in the program instructions. Also you should have all unnecessary progs. closed out, system should be unhooked from the internet/lan whatever you have set up...

Get a better browser like Mozilla or Opera and use it as your primary browser.. I still keep IE 6.0ish on my system for updates and other stuff... I prefer Opera but to get the full version you need to buy it... $40.00.. Good luck....


--------------------
My hunting partner is gone, I miss her so!


z@z.com
Libertarian
Registered: 10/13/02
Posts: 2,876
Loc: ATL
Re: Worst adware I have ever dealt with. Nail.exe [Re: Kodath]
    #4066405 - 04/17/05 09:36 PM (11 years, 10 months ago)

Thanks a ton. I finally got rid of it using Find-It and Kill Box.


--------------------
"Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis

"I would rather be exposed to the inconveniencies attending too much liberty than to those attending too small a degree of it." - Thomas Jefferson


Kodath
strangerThan

Registered: 03/30/05
Posts: 295
Last seen: 7 years, 6 months
Re: Worst adware I have ever dealt with. Nail.exe [Re: z@z.com]
    #4066422 - 04/17/05 09:43 PM (11 years, 10 months ago)

No problem, Kill Box is a great little program =)

Like nofind said you should switch to a different browser. Opera is great, it's what I use. Firefox is very good too. IE can let in a TON of spyware that Opera and Firefox don't, plus both come with popup blockers.


--------------------


Life: Main event at the MGM Grand. Murphy's fighting Occam, and you're in the stands.


z@z.com
Libertarian
Registered: 10/13/02
Posts: 2,876
Loc: ATL
Re: Worst adware I have ever dealt with. Nail.exe [Re: Kodath]
    #4066437 - 04/17/05 09:47 PM (11 years, 10 months ago)

I do use Firefox. And the damn adware came back. It was gone for about 5 minutes, then it popped right back up and the randomly named processes came back.


--------------------
"Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis

"I would rather be exposed to the inconveniencies attending too much liberty than to those attending too small a degree of it." - Thomas Jefferson


Kodath
strangerThan

Registered: 03/30/05
Posts: 295
Last seen: 7 years, 6 months
Re: Worst adware I have ever dealt with. Nail.exe [Re: z@z.com]
    #4066455 - 04/17/05 09:52 PM (11 years, 10 months ago)

Hmm, it's probably sitting in your temporary internet files or something. Turn off system restore first, then delete everything in your temp. internet folder, as well as any stuff in C:\Documents&Settings\Local Settings\Application Data\...\Temp\ that looks like it doesn't belong. Then run a normal Find and look for these files:

Nail.exe
Bolger.dll
svcproc.exe
aurora.exe

If any of them are anywhere but the System or Windows folder delete those too. Then run through those steps again. If that doesn't get rid of it completely then I'm as stumped as you =/


--------------------


Life: Main event at the MGM Grand. Murphy's fighting Occam, and you're in the stands.
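Kodath's last step (find the named files and note any copy outside the Windows or System folders) as an added example, not the poster's own script and not an existing tool: it walks a directory tree, matches the four file names case-insensitively, and flags each hit as inside or outside the expected folders. The `run_demo` function builds a constructed directory layout in a temporary folder so the search can be exercised offline; the folder names and the stray copy under a Temp directory are made up for the demonstration.

```python
"""Locate named files anywhere on a tree and flag copies outside expected folders.

Added example for this thread, not a poster's script and not an existing tool.
The four file names are the ones Kodath listed; the directory layout built by
run_demo() is constructed for the demonstration.
"""
import os
import tempfile
from typing import Iterable, List, Tuple

# File names from the post above, matched case-insensitively.
SUSPECT_NAMES = ("Nail.exe", "Bolger.dll", "svcproc.exe", "aurora.exe")


def _norm_dir(path: str) -> str:
    """Absolute, case-folded form with a trailing separator for prefix tests."""
    return os.path.normcase(os.path.abspath(path)) + os.sep


def find_copies(
    root: str, names: Iterable[str], allowed_dirs: Iterable[str]
) -> List[Tuple[str, bool]]:
    """Walk root and return (path, inside_allowed) for every matching file name.

    Copies under an allowed directory are still reported (the first post's
    nail.exe lived directly in the Windows folder), but the caller can tell
    them apart from a copy hidden elsewhere, such as a Temp folder.
    """
    wanted = {n.lower() for n in names}
    allowed = [_norm_dir(d) for d in allowed_dirs]
    hits: List[Tuple[str, bool]] = []
    for dirpath, _subdirs, files in os.walk(root):
        here = _norm_dir(dirpath)
        inside = any(here.startswith(a) for a in allowed)
        for name in files:
            if name.lower() in wanted:
                hits.append((os.path.join(dirpath, name), inside))
    return hits


def stray_copies(root: str, names: Iterable[str], allowed_dirs: Iterable[str]) -> List[str]:
    """Only the copies that live outside the allowed directories."""
    return sorted(
        path for path, inside in find_copies(root, names, allowed_dirs) if not inside
    )


def run_demo() -> List[str]:
    """Build a constructed drive layout in a temp dir and return its stray copies.

    Paths come back relative to the fake drive root with forward slashes so the
    result reads the same on any platform.
    """
    with tempfile.TemporaryDirectory() as base:
        windows = os.path.join(base, "WINDOWS")
        system32 = os.path.join(windows, "system32")
        # Constructed files: two in the expected folders, one stray copy in a
        # user Temp folder, and an unrelated program that must not match.
        files = [
            os.path.join(windows, "nail.exe"),
            os.path.join(system32, "Bolger.dll"),
            os.path.join(base, "Documents and Settings", "z", "Local Settings", "Temp", "NAIL.EXE"),
            os.path.join(base, "Program Files", "Firefox", "firefox.exe"),
        ]
        for path in files:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"")  # empty placeholder; file content is irrelevant here
        strays = stray_copies(base, SUSPECT_NAMES, [windows, system32])
        return [os.path.relpath(p, base).replace(os.sep, "/") for p in strays]


if __name__ == "__main__":
    for path in run_demo():
        print("stray copy:", path)
```

On the affected machine the same call would be `stray_copies("C:\\", SUSPECT_NAMES, [r"C:\WINDOWS", r"C:\WINDOWS\system32"])`; the walk only reads directory listings, so it can be run with system restore off and the network unplugged, as the earlier posts recommend.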

