ky331 (August 21st, 2005 12:00):

if you're a "gambler", and are willing to try something out (as forum "guinea pig"), it's possible that the new/updated VX2-cleaner add-on for Ad-Aware MIGHT be able to help you... see here for more information:
http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42456
IF you decide to take this approach, please be kind enough to report back on the results (good or bad).
however, if you want to take the "safer" approach, you should do the following:
http://majorgeeks.com/download3155.html
you must create a separate folder and place it there.... people commonly use C:\HJT. Note: Please do *NOT* use a TEMP (temporary) folder, *NOR* your DESKTOP, as HJT will be generating log files and backup files in the folder from which it is run... you risk accidentally losing these if you use a TEMP folder, and you will generate extreme clutter if you use your DESKTOP.
The file above comes as a compressed .ZIP file... you have to UNzip it (hopefully, you have an UNzip utility built into your Windows Explorer. If for any reason you're unable to UNzip it, you can download the already-unzipped .EXE file from http://downloads.malwareremoval.com/HijackThis.exe )
After Unzipping, double click on HiJackThis.EXE
Click on Do a System Scan and Save a LogFile
This will automatically open NotePad
Copy the entire file from NotePad: EDIT/SelectAll, EDIT/Copy
Then go to the new forum dedicated to HiJack This logs (**NOT** back here), and PASTE the results there:
http://forums.us.dell.com/supportforums/board?board.id=si_hijack
Be sure to include a detailed description of any problems/errors/warnings you are encountering.
Hopefully, one of the HJT experts will get to it as quickly as possible.
WARNING: HiJack This is a VERY POWERFUL tool. Do *NOT* do anything else (in particular, do NOT use it to delete any entries) until you are advised to do so!! Improper use of this tool can severely damage your system.
Supplemental note: The procedure as worded above has been carefully edited over time, so as to expedite the process of helping people. Nevertheless, it seems that many individuals try to be "creative", and make some variations. It really would be to your benefit if you follow these directions EXACTLY as stated... because certain changes on your part can result in slowing down the help process.
Specifically, the following are 3 very common BAD deviations which will cause delays:
a) BAD: using an older/outdated version of HiJackThis...
The experts only work with the current version. So if you make a post with an older version, you'll simply be advised to get the latest version, re-run it, and re-post your log.
b) BAD: using a TEMP directory or your DESKTOP for HJT....
Some experts may insist you move HJT before they'll begin working with you. Others will start the repair process, advising you to move HJT as one of the very first steps. Failure to do so can result in losing potentially critical information. So please, just use the suggested C:\HJT directory, rather than try to be creative.
c) BAD: posting your log in the wrong forum...
if you post your log back here, in the Virus/SpyWare forum, it will "sit idly", either until the forum moderator gets around to moving it for you... or until you decide to repost your log... in the HiJackThis forum.
Message Edited by ky331 on 08-21-2005 10:06 AM

Bartman163 (August 21st, 2005 13:00):

Ky331, thank you for taking the time to answer my question. I have Ad-Aware 6.0 with ref. file 01R34726.10.2004 and core application 6.181 personal on my computer now. I just tried twice to download the VX2 cleaner 2.0 from Lavasoft. Both times after unzipping the two files into the plug-in folder, and opening Ad-Aware plug-ins, I see "Bad Entrypoint"!!!! Any ideas on this problem? Thank you, Bart

ky331 (August 21st, 2005 21:00):

ad-aware 6 is COMPLETELY OBSOLETE at this point... it has been replaced by ad-aware SE, build 1.06 (and the current definition file is 1R62 17.08.2005).
Install the program. if memory serves me, as part of the installation, it will advise you that you already have an older version of ad-aware installed, and it will ask (advise) you to allow it to be removed. DO SO!
then, search for updates, to get the latest definition file installed.
from the status screen, after you hit the START button, make sure you have a RED X in front of "Search for negligible risk entries" (if you see a GREEN CHECK, then CLICK on it, to change it to the RED X). then hit NEXT. (I'll leave it to you to see what other settings you might want to adjust/tweak)
I would not be surprised if you find HUNDREDS of new entries, since your obsolete version was 10 months old.
After you run the "regular" scan, try again to download/install/run the VX2 (2.0) cleaner...

Bartman163 (August 22nd, 2005 09:00):

Ky331, I will follow your instructions with Ad-Aware SE, and "keep you in the loop" with details. Is the VX2 cleaner a self-extracting zip file, or where do I manually have to extract / install it??? Also, is there a downside to trying to get rid of this trojan using Ad-Aware, as you say "guinea pig"!!!! Thank you again for the help, advice, and information. Bart
Message Edited by Bartman163 on 08-22-2005 06:07 AM

ky331 (August 22nd, 2005 11:00):

Bart,
all of the directions are on the vx2 add-on download page. in case you missed them, and to answer your specific question: the Vx2 add-on files have to be extracted into the Plugins subdirectory of your Ad-Aware program... assuming your machine installed things the same as mine, the full specification would be: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Plugins
I manually extracted things to be sure things got placed exactly where I needed them.
The reason why I said "guinea pig", and said if you're a "gambler", is that the VX2 cleaner is a brand-new release, and I have no first-hand knowledge of anyone who has tested it. The fact that Lavasoft has been a reliable, reputable company over the years, with Ad-Aware being well-received and highly recommended, is certainly a plus --- I would never suggest someone "gamble" with a "no-name" company.
they claim the new, 2.0 update of Vx2 cleaner is a "breakthrough solution to clean NAIL.EXE"... and it is my understanding that this is another name/feature of the Aurora malware that you say you have. (Have you seen the name NAIL come up at all??)
CAN something go wrong? I guess it's possible. Which is why I indicated, if you want to take the "safer" route, you can go with HiJackThis. In fact, even if the vx2 cleaner fixes all your popups (and any other symptoms you might have noted from Aurora), it might be a prudent move for you to still follow up things with HiJackThis, just to be sure you don't have additional malware lurking in your system.

ky331 (August 22nd, 2005 22:00):

ChrisRLG, the head of Malware Removal School, has just now reported favorable/successful results in using the VX2 cleaner to remove NAIL.
His comments have been appended to my aforementioned thread http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42525
so you'd be proceeding on "tested" grounds now...

Bartman163 (August 23rd, 2005 02:00):

ky331, I followed your instructions and downloaded Ad-Aware SE and VX2 cleaner. Cleaner found new VX2 variant, I clicked clean button and message stated the first phase completed, please reboot and perform a smart scan with Ad-Aware. I did a complete shut down and ran smart scan. Found: VX2 (29 objects), 1 regkey, 1 file (VX2 Malware), 11 VX2, 4 possible, 12 tracking (data miner). Rebooted second time and let Ad-Aware run upon reboot. Found: 2 negligible objects: MRU list. Ran VX2 cleaner second time: System Clean! Used internet with minimal popups. Ran Ad-Aware again with full system scan, found: Tracking/ IECache/ Data Miner/ cookie and Sahagent/ file?? (What is this?) I searched for the following files: DrPMon.dll, svcproc.exe, Poller.exe, aurora.exe, DDJHJM.ini, abiuninst.htm, all not found. Only found Nail.exe under: nail.exe-00088443.pf in folder C:\Windows\Prefetch! Can I delete this??? In the beginning, I believe I was infected with Aurora.exe, svcproc.exe, and nail.exe. Please advise me if I am in the process of solving my problem. I hope that my information can help you help others. If you need any other information, please advise. I will continue to give you results throughout the week. Whatever the outcome, I thank you for making a tough task a little easier. Thanks for everything......Bart
Message Edited by Bartman163 on 08-23-2005 06:20 AM

ky331 (August 23rd, 2005 12:00):

Definitely sounds like you've made significant progress.
let's get the easy stuff out of the way first:
1) Simply ignore any "negligible objects": MRU list. MRU = Most Recently Used. Most programs retain a memory of the files you've recently accessed, on the assumption that you might want to work with the same one(s) again... and they'll indicate them in their FILE menu, to make it easier for you to find/access. Many of these can also be quickly accessed via the START menu, under DOCUMENTS. So for the individual PC user, this is a convenience feature... and if you remove some/all of the MRU-list items, these "short-cuts" will be erased, and you'll have to explicitly type in the names of files each time you want to access them.
However, if you're running the machine in a work environment, and/or are sharing that particular PC with other people [even at home], then these MRU listings can allow the other people [including your boss &etc] to find out what files you've been accessing... that is, allow them to "spy" on you. That's the probable explanation as to why Ad-Aware is even searching for these items.
Please note that, in the above directions I gave you for Ad-aware, I had indicated the way to IGNORE the MRUs... to quote that part of my instructions:
from the status screen, after you hit the START button, make sure you have a RED X in front of "Search for negligible risk entries" (if you see a GREEN CHECK, then CLICK on it, to change it to the RED X). then hit NEXT.
2) In general, I'd also suggest you can ignore (or delete) most of the tracking cookies that Ad-Aware finds... but if you delete them, don't be surprised to see them come back. A more detailed explanation:
tracking cookies are not necessarily bad.... most sites you go to (including your bank, for example) may place a "cookie" on your machine... sometimes, this allows you to re-access the site without having to log in again... which can be helpful. so you WANT 'good' cookies. the problem is that some cookies collect information from you at one site, but then share the information with other sites. unfortunately, 'bad' cookies have a way of coming back, over and over again. if you wish to permanently stop them:
in Internet Explorer, click on TOOLS
INTERNET OPTIONS
PRIVACY
EDIT (web sites)
[in Win XP, I believe this simply says SITES]
and then type in and BLOCK the 'bad' cookies you want to keep away (e.g., DOUBLECLICK.NET )
when done, click on OK
Just be careful not to block any "good" sites (like your bank/brokerage, or sites you intentionally log into regularly, like Yahoo or HotMail).
********************
3) Concerning popups (in general --- to be distinguished from the extra-mean popups, like Aurora):
Are you running a popup blocker?
Unless I missed it, you didn't mention what operating system you have... if it happens to be XP SP2, there's a built-in popup blocker option available there.... just make sure you've turned it on.
Alternatively, there are several free popup blocker programs available, including the following:
a) Yahoo Toolbar offers a popup blocker (either with, or without, the yahoo anti-spyware program)
note: this is a free popup blocker... you do NOT have to buy their entire suite.
You don't need all of these; any one should work.
********************
4) finally, for the (potentially) more serious matter:
SAHagent is "a Winsock 2 Layered Service Provider that redirects visits to merchant sites in order to take the affiliate fees from them automatically". This is SPYWARE. And should be removed.
HOWEVER, be advised that removal of LSPs (Layered Service Providers) is NOT a simple matter... and if done IMproperly, can result in severing your Internet Connection!
So at this point (specifically for the LSP issue, but also to determine any additional malware that might still be lurking around your system), I suggest you now follow the HiJackThis directions I posted earlier in this thread.
[The experts there will also be in a better position to advise you concerning your question about removal of the Nail-related file in your Prefetch folder.] When you post your log in that forum, I will no longer be assisting you... but I'll try to keep an eye on what's happening there.
Message Edited by ky331 on 08-23-2005 10:46 AM

Bartman163 (August 25th, 2005 01:00):

ky331, I am happy to hear that I am on the right track in solving my problem. FYI I am running XP Pro w/SP2. I do have the pop-up blocker on medium setting. The pop-ups I am getting are not normal ones! In my last post I asked if I could safely delete: nail.exe-00088443.pf in folder C:\Prefetch? I also saw some nasty stuff in C:\ quarantine. Can I also safely delete these items, or do you need a description of each one? An example is: svcproc.exe. Vir numbered Vir0 thru Vir34??????? Thanx again for the help and advice. Bart
Message Edited by Bartman163 on 08-24-2005 09:57 PM

ky331 (August 25th, 2005 12:00):

"Quarantine" is like a jail cell: Viruses placed there are "in prison" --- they can't do any [more] harm to your system, and so there's no need to worry about them. If you're concerned about taking up (i.e., wasting) disk space, you can TRY to delete them. Depending on the particular virus [and perhaps the anti-virus program you're using], you may or may not be allowed to delete it. If you can delete it, fine... and if you can't, as just explained, there's no need for concern.
Yes, I saw your question about the nail-related file in your pre-fetch folder, and intentionally side-stepped it, by suggesting you inquire about it when you post a HiJackThis log. The reason why I did so is that the pre-fetch folder concept is new to Windows XP... and while I've recently gained regular access to an XP system, until now, I've done almost all of my work on win98SE and winME. Since you've re-asked the question, I've located the following information:
The purpose of the "windows\prefetch" folder is to speed up the loading (and starting) of applications: Windows XP monitors the files that are used when the computer boots up, and also as you start your particular choices of applications. By monitoring these files [over a period of your 8 most recent sessions], Windows XP detects your usage patterns, and can "prefetch" them. Prefetching data is the process whereby data that is expected [by Windows, based on what it senses to be your usage patterns] is read ahead into the cache. Prefetching boot files [drivers, services and the shell] and anticipated applications before they are actually needed decreases the time needed to start Windows XP and to start those particular applications.
pre-fetch is a continually-ongoing process: XP will rebuild the prefetch files as you use Windows. That being the case, there is no real concern about deleting any pre-fetch files... the worst that can happen --- if you delete "good" files --- is that things will run slower for a while [presumably, 8 sessions] until the pre-fetch folder is rebuilt. So, on this basis, it would seem you CAN (and should) remove the nail-related file from your pre-fetch folder.
[The above information on Pre-fetch was summarized from http://www.infocellar.com/winxp/pretetch.htm ]
Hope this all helps.
As I indicated in my previous reply, since you have both the problem with SAHagent, as well as ongoing "abnormal" pop-ups, I strongly suggest you follow the instructions I gave for HiJackThis.
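The Prefetch folder explained in the reply above is also a record of what has run: Bart found the infection's executable only through its nail.exe-00088443.pf entry after the .exe itself was gone. The following Python is an added example (not from the thread or from any tool it mentions) that parses XP-style Prefetch filenames and flags executables named in this thread; the watchlist and the directory listing are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Windows XP Prefetch entries are named <EXECUTABLE>-<8 hex digits>.pf, e.g.
# NAIL.EXE-00088443.pf (the entry Bart found). The hex part is a hash of the
# executable's full path, so one program at two paths yields two entries.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Executable names discussed in the thread. Constructed watchlist for the
# example, not an authoritative indicator set.
WATCHLIST = {"nail.exe", "svcproc.exe", "aurora.exe", "poller.exe", "drpmon.dll"}


def parse_prefetch_name(filename: str) -> Optional[Dict[str, str]]:
    """Split a .pf filename into executable name and path hash.

    Returns None for anything that is not a prefetch entry (Layout.ini also
    lives in the Prefetch folder and must not be mistaken for one).
    """
    m = PF_NAME.match(filename)
    if not m:
        return None
    return {"exe": m.group("exe").lower(), "hash": m.group("hash").upper()}


def find_watchlisted(filenames: List[str], watchlist=WATCHLIST) -> List[Dict[str, str]]:
    """Return parsed entries whose executable name is on the watchlist.

    A Prefetch entry shows the program ran at least once on this machine,
    even if the executable has since been removed by a cleaner.
    """
    hits = []
    for name in filenames:
        entry = parse_prefetch_name(name)
        if entry and entry["exe"] in watchlist:
            entry["file"] = name
            hits.append(entry)
    return hits


# Constructed sample of a C:\Windows\Prefetch directory listing.
SAMPLE_LISTING = [
    "NTOSBOOT-B00DFAAD.pf",
    "Layout.ini",
    "NOTEPAD.EXE-336351A9.pf",
    "nail.exe-00088443.pf",
    "SVCPROC.EXE-1A2B3C4D.pf",
    "AD-AWARE.EXE-0F0E0D0C.pf",
]

if __name__ == "__main__":
    for hit in find_watchlisted(SAMPLE_LISTING):
        print(f"{hit['file']}: {hit['exe']} ran (path hash {hit['hash']})")
```

On a live system the same function can be fed `os.listdir(r"C:\Windows\Prefetch")`; the hit list, not the deletion, is what a HijackThis helper would want to see.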
Pharoah42 (August 25th, 2005 13:00):

I just wanted to pop in here to say thank you for the information.
I had this same problem that just wouldn't go away. Did a Google search on svcproc and found your solution.
Installed the VX2-cleaner add-on and so far so good. I have not seen a reoccurrence of Nail or the svcproc.exe.
Thanks again!
Mike

ky331 (August 25th, 2005 14:00):

glad to hear that it worked for you... you're the 5th (or 6th) person to report back to me with positive results.
please keep in mind that the vx2 cleaner only looks for some very specific types of infections (such as NAIL)... as such, I strongly recommend you now follow the HiJackThis directions I posted earlier in this thread, to determine whether or not you still have other forms of malware lurking on your PC.

ChrisRLG (August 25th, 2005 15:00):

I would advise anyone who has had the 'nail' infection to post a hijackthis log (in the HJT board - not this one) for a checkout after running the ad-aware plugin.
We are advising that other tools such as an ewido scan are done also.
This infection rarely arrives without bringing other infections with it, so even though the nail infection may be gone the others may remain.
=======================
I might also try to downplay my status, I am the owner of Malware Removal forum with its University, but we have 9 teachers and lots of other support staff.
I am just one cog in the big wheel, and not of all the anti-malware forums, just the one or two.
=======================
Regarding the ad-aware plugin, several other 'experts' from the forums (plural - not just MWR) are reporting success with it, just one is reporting a problem, and with that he is not sure if the problem is between the seat and keyboard, instead of between the keyboard and the screen.
A second topic with a problem has been found and a complication of other infections is reinstalling the nail one, so not a good test of the plugin. The ad-aware plugin requires the reboot of the system twice, which makes use of the runonce key in the registry; this other infection clears that whole key each time, stopping ad-aware doing its job properly.

truepharaoh (October 8th, 2005 05:00):

I followed the steps outlined by ky331 on how to use VX2-cleaner and it worked. I had to reboot several times, but at the end I got rid of it, hopefully forever.