25-05-2005, 06:15 PM   #9
swatkat

Download Ewido, CleanUp! and install them.

Right-click on an empty spot on the Desktop and choose "New" > "Text Document" to open Notepad. Copy the contents of the "Code" box below and paste it into Notepad:-
Code:
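@ECHO OFF
REM Switch to the Windows directory (/d also changes drive if needed)
cd /d "%windir%"
Nail.exe /FULLREMOVE
REM Disable, stop and delete the SvcProc service
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes, then delete the files
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit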
Go to File > Save As, type the filename as Fix.bat and save it. Exit from Notepad.



Boot in SAFE mode.

Double-click on Fix.bat; a window opens up and closes -- this is normal.
Run Ewido and perform a FULL System scan using it.

Run HijackThis and click "Do only a system scan". Put a checkmark against these entries:-

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [yvmjsz] C:\WINDOWS\yvmjsz.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [zbrvilo] c:\windows\system32\umnawac.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\system32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [wfzf] C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
O13 - DefaultPrefix: http://craftsmensearch.com/gall.php?url=
O13 - WWW Prefix: http://craftsmensearch.com/gall.php?url=
O13 - Home Prefix: http://craftsmensearch.com/gall.php?url=
O13 - Mosaic Prefix: http://craftsmensearch.com/gall.php?url=
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c7.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: System - {AF44CE72-17C8-49DC-B8D9-4CD9E1D788AF} - vr_sys.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


Click "Fix Checked" and exit from HijackThis.



Delete these files:-
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\kernels32.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
c:\windows\system32\umnawac.exe
C:\WINDOWS\system32\win32.exe
C:\WINDOWS\system32\vxgamet2.exe
C:\WINDOWS\zeta.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\SYSTEM\Loader.dll
c:\windows\system\BHOmod.dll
C:\WINDOWS\yvmjsz.exe
C:\W
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\zeta.exe

Run CleanUp! and click "Options". Here, move the slider to the "Thorough" position, click OK on the warning message and exit from Options. Click "CleanUp" and, after cleaning, click "Close", reboot to Normal Mode and post a FRESH log.
__________________
http://swatrant.blogspot.com/
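
Added example, not part of swatkat's post: a Python check that parses HijackThis entries like the ones above and cross-checks the files they reference against a manual deletion list, so that paths with no matching log entry, referenced files missing from the list, and paths listed twice stand out before anything is deleted. The sample log lines and deletion list are constructed subsets of the post's own entries, and the function names are hypothetical.

```python
import re

# Constructed sample: six of the HijackThis entries quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKCU\..\Run: [wfzf] C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
O21 - SSODL: System - {AF44CE72-17C8-49DC-B8D9-4CD9E1D788AF} - vr_sys.dll (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

# Constructed subset of the post's "Delete these files" list.
SAMPLE_DELETE = [
    r"C:\WINDOWS\nem220.dll",
    r"C:\WINDOWS\system32\kernels32.exe",
    r"C:\WINDOWS\system32\vxgamet2.exe",
    r"C:\WINDOWS\zeta.exe",
    r"C:\WINDOWS\zeta.exe",
]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Absolute path: shortest match ending in .exe/.dll, so arguments are excluded.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)

def parse_log(text):
    """Return a (section code, lower-cased path or None) pair per log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            p = PATH.search(m.group(2))
            entries.append((m.group(1), p.group(0).lower() if p else None))
    return entries

def reconcile(log_text, delete_list):
    """Cross-check files referenced by the log against the deletion list."""
    entries = parse_log(log_text)
    logged = {path for _, path in entries if path}
    wanted = [p.lower() for p in delete_list]
    return {
        "no_log_entry": sorted(set(wanted) - logged),
        "not_in_delete_list": sorted(logged - set(wanted)),
        "listed_twice": sorted({p for p in wanted if wanted.count(p) > 1}),
        "entries_without_file": [code for code, path in entries if path is None],
    }

print(reconcile(SAMPLE_LOG, SAMPLE_DELETE))
```

Paths are compared case-insensitively because the log mixes `C:\WINDOWS` and `c:\windows` spellings of the same directory.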