TechSpot

Aurora and Nails problem

By CkY SkOOpS
Jun 26, 2005
  1. I think I may be infected with the Aurora and Nail.exe virus.

    Here's my log; any help would be greatly appreciated.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Move HJT to its OWN directory, not in Temp or Desktop
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

    GameDrvr.exe
    rjrnma.exe
    Nail.exe
    GameChannel.exe
    Netsurf.exe
    vngC.exe
    KHost.exe
    unip.exe
    cewvusd.exe
    adwarealert.Exe
    oiljzlp.exe
    winser32.exe
    ycld3x40.exe

    Next, click on Start/Run and type in 'nail.exe /FullRemove' and click OK. Leave the command session.

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
    C:\Program Files\Optimum Online\Netsurf.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\AdwareAlert\adwarealert.Exe
    C:\Program Files\AOL Toolbar\toolbar.dll

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
    C:\WINDOWS\System32\rjrnma.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
    O4 - HKLM\..\Run: [vngC] C:\documents and settings\owner\local settings\temp\vngC.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [unip] C:\WINDOWS\Fonts\unip.exe
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKLM\..\Run: [v72O39P] cewvusd.exe
    O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
    O4 - HKLM\..\Run: [ptkzux] c:\windows\system32\oiljzlp.exe r
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rjrnma.exe reg_run
    O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
    O4 - HKCU\..\Run: [ewtERVjsg] ycld3x40.exe
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    Fix ALL your O16 - DPF: entries
    Fix this O17 if it is not an IP-address from your ISP
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27717353-5445-4135-8A1C-2EFA9018700D}: NameServer = 205.188.146.145
    O23 - Service: Srv32 - Unknown owner - C:\WINDOWS\system32\srv32.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normally. When all OK, switch System Restore back on.
     
Topic Status:
Not open for further replies.
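
The O4 autostart lines in the reply above share one format (`O4 - hive\..\key: [value name] command`). The following Python sketch is an added example, not part of the thread or of HijackThis: it parses that format and lists entries that launch from a Temp or Fonts directory or give no directory at all. Those three checks are assumed triage heuristics chosen for illustration, not the criteria RealBlackStuff used; the sample lines are copied from the log above.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# O4 entries copied from the HijackThis log in the reply above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [vngC] C:\documents and settings\owner\local settings\temp\vngC.exe
O4 - HKLM\..\Run: [unip] C:\WINDOWS\Fonts\unip.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [v72O39P] cewvusd.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
"""

O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# The executable is either a quoted path or everything up to the first ".exe".
EXE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)

def parse_o4(line):
    """Split one O4 line into hive, key, value name and executable path."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    e = EXE.match(command)
    path = (e.group(1) or e.group(2)) if e else command
    return {"hive": hive, "key": key, "name": name, "path": path}

def triage(entry):
    """Reasons an autostart entry deserves a closer look (assumed heuristics)."""
    folder = dirname(entry["path"]).lower()
    reasons = []
    if not folder:
        reasons.append("no directory given")
    if folder.endswith("\\temp"):
        reasons.append("runs from a Temp directory")
    if folder.endswith("\\fonts"):
        reasons.append("runs from the Fonts directory")
    return reasons

def review(log_text):
    """Map executable name -> reasons, for every O4 line that trips a check."""
    entries = filter(None, map(parse_o4, log_text.splitlines()))
    flagged = ((basename(e["path"]), triage(e)) for e in entries)
    return {exe: reasons for exe, reasons in flagged if reasons}

if __name__ == "__main__":
    for exe, reasons in review(SAMPLE_LOG).items():
        print(f"{exe}: {', '.join(reasons)}")
```

An entry that trips none of these checks is not thereby clean; the output is a shortlist for manual review, not a verdict.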
