VideoHelp Forum




  1. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    That is what it was. I am no noob when it comes to a tight, clean-running system, and nothing is worse than spyware. I USED to be really good at removing spyware via:
    MSCONFIG
    system.ini
    win.ini
    regedit > Run and RunOnce
    and using all of the hip spyware tools and junk.. my life has become stained with this mess.
    YES, IN SAFE MODE!!! Even in safe mode the nail.exe recreates itself in the c:\windows dir. I have even done the nail.exe remove /all in the command prompt.

    It kills the task manager, not in safe mode though.
    It kills msconfig and regedit also; you can not access them. If you try, it blinks and away it goes.

    Now I have something all new.. Google returned answers that turned out to be someone jumping the gun thinking they had it fixed, but it turns out they were not as smart as they thought. Let me tell you a few things about this situation; the related files are
    msconfig32.exe
    nail.exe
    VX2 in spyware scans, and also Aurora transponder.

    if you know please shoot me a link before I format. tia
  2. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    btw, just some more notes on this as I back my drives up...
    I will make a short problems list; these are things I KNEW were related because I had just done a format a couple of days before. I am almost sure it was a p2p app. I am used to the normal stuff that happened from p2p spyware, but folks, this is way different. I know it embeds itself in the system explorers, which explains it recreating itself while the folder is open, and also the same for any window. Now the Microsoft anti-spyware scanner found it and killed IE's ability to work online, so opening MSN will prompt you to open IE and choose "try again" to go online. When you do this, yeah.. MSN works great, but you triggered the spyware again, and now you allowed it to communicate with its server..lol.

    thinking of more stuff that happens.....
  3. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    CuteFTP hangs, and other programs stall. Sometimes the system locks. Twice it has happened when I had three folders open and opened CuteFTP and it hung forever; I then opened a fourth folder and BAM.. el freezo.
  4. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    I shot a video of the nail.exe getting deleted and coming back over and over again.. lol. Even in safe mode, which is mind boggling.
  5. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    so not using IE is not going to help you. Firefox is now starting to get hammered by pop ups and malware.
    Does anyone ever click and buy from these ads? Just curious. lol
  6. Member Faustus (Join Date: Apr 2002, Location: Dallas, TX)
    wait, so from a command line nail.exe /FullRemove did nothing?

    Also I'm no expert, but a HijackThis log might help out a ton since this one seems kinda slick.
  7. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    Originally Posted by Flaystus
    wait, so from a command line nail.exe /FullRemove did nothing?

    Also I'm no expert, but a HijackThis log might help out a ton since this one seems kinda slick.
    nothing, even in safe mode, I am going to try the method in the link from ricardouk. I will let you know.

    This is a real nasty one. I thought it was Welchia or even a strain of Blaster. I have been backing up my drives for 9 hours.. so I am going to format but want to see if this can be beat. btw.. when nail.exe shows in HijackThis, I try to FIX selected items.. how about this booger jumps back in on every scan.

    I have not run antivirus in years; I thought I knew all the startup methods by heart.

    I will try to clear the master boot record on my next attempt. I am really busy backing up years of pictures and videos of my family. I will let you guys know what method works. I still want to find out what kills it.
    thanks guys for the links.
  8. Spyware or viruses have several files in different locations; if it doesn't sense the presence of nail.exe, for example, it will install it.
    1- try Microsoft anti-spyware
    2- find the definition and file list and delete all of those files; remember to disable your file restore first (maybe that is your original problem).
    3- the sure way is to reformat and reinstall everything and run MS anti-spyware first. or adware
  9. Member Faustus (Join Date: Apr 2002, Location: Dallas, TX)
    I think the nail program is a trojan that installs the spyware onto the system. You're gonna have to get it all in one shot to get rid of it.
  10. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    Originally Posted by Flaystus
    I think the nail program is a trojan that installs the spyware onto the system. You're gonna have to get it all in one shot to get rid of it.
    yeah, I knew it was several files; msconfig32 is another that is in on the joke on me..lol. But never fear, I just finished formatting and totally clearing off my 100 gig drive and now.. the fun part... installing all of my software.. omgaaaaaaaaaaaaaaaaaaaaaaaaad.. it usually takes about 7 hours to get my system up to standards.

    thanks anyways guys, it would be best to format with this one.. there are too many triggers to kickstart the spyware.
  11. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    I will update you guys. I scanned the Documents and Settings folder from the previous version of WinXP because it is still on my other drive (I deleted the Windows dir, sorry, just thought of this). I will post the names of the files I found; they may all be related...
    looks like website injection through Java...

    Scan type: Manual Scan
    Event: Virus Found!
    Virus name: Trojan.ByteVerify
    File: C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Du mmy.class-4e92308d-17438256.class
    Location: Quarantine
    Computer: BILLY-5-2005
    User: Billy
    Action taken: Clean failed : Quarantine succeeded :
    Date found: Wed May 25 02:00:12 2005

    Scan type: Manual Scan
    Event: Virus Found!
    Virus name: Trojan.Alwayup
    File: C:\Documents and Settings\Billy\Local Settings\Temp\toc_0036.exe
    Location: Quarantine
    Computer: BILLY-5-2005
    User: Billy
    Action taken: Clean failed : Quarantine succeeded :
    Date found: Wed May 25 02:00:38 2005

    if that is the case, then Firefox is useless!!
  12. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    I was right..

    ByteVerify is a vulnerability exploit. It is not categorized as a virus, worm or Trojan.

    ByteVerify allows an attacker to run malicious code by exploiting a vulnerability in Microsoft Virtual Machine (Microsoft VM).

    This virtual machine incorporates a component that checks for malicious code when a Java Applet is loaded. However, due to this vulnerability, the component does not perform this check, and therefore an attacker could run a malicious Java Applet when a user visits a web page that contains it.
  13. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    Trojan.Alwayup is a Trojan horse that attempts to steal system information. The Trojan also downloads and executes the latest version of itself on the compromised computer.
  14. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    that would be nail.exe which was sparked off by the other two up there ^

    I tell ya man, this is getting silly!
  15. Banned (Join Date: Aug 2002, Location: beautiful)
    Oh boy ...
    1 - Don't use IE. At least not until msoft releases some patched-up IE7 version... (which probably will be buggy and full of holes like all previous versions)
    2 - Install Opera, Mozilla or FireFox browser. Set it up as default browser. In the browser's options disable any automatic software installations, java, flash or any other macromedia shit that runs automatically by default; set it to always ask for permission if the browser has this ability and you have a bit of knowledge, or if you don't know jack - just disallow anything you don't know. Most of it you don't need, and if you don't know how to set their options it means you shouldn't use them. If you can't drive you don't buy a car either, right?
    Anyway, unless you play online web games, I see no reason for having any of this junk running. Flash basically serves as a web advertising hub in 90% of cases of its web use. Java applets give some nifty little things on some websites - but in almost all cases they're unnecessary.

    Read more tips on safety configuration of your web browser (any browser but IE, it can't be configured to be safe at all at present), your operating system's environment and all of your installed software.
    I.e. you don't need Java to be able to load and cache any software from the web... it's nice if you're on dialup, but who is on dialup nowadays? You don't need the flash plugin to be able to operate your microphone and your webcam (if attached to your computer) etc etc., while unfortunately it is set like this by default! Personally I consider flash web plugins nasty spies - with a little tweaking anyone can use a flash applet to listen and watch your mic/cam whenever you visit their website with such a modified flash applet, and it can be done without your knowledge whatsoever (because the default settings of the flash plugin allow it, unless it was finally changed to deny, which I doubt; most likely it is still on 'enable' or 'ask' - which can be hacked too...). Go check your flash plugin's settings HERE and amuse yourself.

    Do you know you won't need antivirus if you know what you're doing and what is allowed and what not on your system?
    But if you're not so knowledgeable, install (and update often) antivirii software and some trojan detector/remover (i.e. free SpyBot, or WebRoot's WebSpy); however IMO these are just half-baked ideas, because they are only as good as their newest updates - which means hackers/pirates/viruses/trojans are *always* one step ahead of them. The antivirus/trojan remover company must get an actual virus/trojan, add its 'fingerprints' to its virus/trojan database, release an updated library of viruses/trojans for its software, and in the end *you* must download and install this updated library on your comp to be protected against the newest virus/trojan. With most of the antivirus programs set by default to update themselves once a week (! I've seen some set by default to biweekly updates even!) it means your comp may be infected for the entire week until your antivirus software updates itself and finally recognizes this already week-old threat. You could have spread the virus/trojan to the entire world in such a long time...
    All antivirus software is just nice to your eye, but a false sense of security.
    It would have served you better if you had spent 7 hours on educating yourself on how viruses and trojans get spread and enter your system, and how to protect yourself against them, instead of wasting this time on trying to find what had already infected your system. I'm rather sure it happened because you were fooled by a false sense of security from your antivirus software... In 99.99% of cases of systems being compromised or infected it is always the user himself who willingly allowed the virus or trojan to be installed. It's just that you didn't see it as a threat at all - after all you had your antivirus on that was supposed to "protect" you...


    BTW - it is common to EDIT your own last post instead of replying to yourself in any thread, on any board
  16. Originally Posted by DereX888
    In 99.99% of cases of systems being compromised or infected it is always the user himself who willingly allowed the virus or trojan to be installed. It's just that you didn't see it as a threat at all - after all you had your antivirus on that was supposed to "protect" you...

    Originally Posted by madvideos
    I have not run antivirus in years

    @DereX888, you should read the whole thread a bit more thoroughly
    There are 10 kinds of people in this world. Those that understand binary...
  17. @mad, as far as your trojan problem goes on Microsoft VM, there are security patches officially released on the official Microsoft site; you can d/l them.
  18. Banned (Join Date: Aug 2002, Location: beautiful)
    @bugster
    You're right. I missed that important part!
    However I still stand by my words about java/macromedia/browser plugins etc.
    I have antivirus on my laptop (as required by my workplace to be able to plug it into our intranet), but personally I haven't used antivirus software on my Windows desktop PCs ever - and I never got any trojan or virus problem. Router/firewall + most important: sanity (to know what you are doing) is all one needs.

    @VenGeanCe
    The best patch for Microsoft's crooked java (aka msoft VM) is never to install it in the first place...
  19. You coulda tried counterspy.
  20. Now that you have formatted your drive (best decision), when you have installed everything, or the minimum stuff, make an image of your drive so in these cases you just back up your data and restore the image. With some of this spyware they write a file to your temp folder or elsewhere with a different format that your Windows either cannot see or cannot delete, and the only way is to reformat the hard drive. Have you installed some trial software and no matter what you do or clean it knows you installed it previously? They use a hidden file, sometimes in a format not detectable by Windows.
  21. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    I have to believe you hit that right on the head.
    The only thing that ticks me off is the boot option screen, it still has all my previous installs as a boot option. Really weird. How in tarnation do I clear that option from showing up?

    TIA.
  22. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    oh, I also keep getting this warning from AV; I have only been to my bank's website and my site and here. Google is no help.. the numbers behind the TFTP are usually different. Strange, so that proves there are some hidden files somewhere.

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: W32.Spybot.Worm
    File: D:\WINDOWS\system32\TFTP408
    Location: Quarantine
    Computer: BILLY-5-2005
    User: SYSTEM
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Thu May 26 12:05:06 2005
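The scan records pasted in posts 11 and 22 all have the same simple layout: blank-line-separated records of "Key: value" lines, with the drive letter and the timestamp containing further colons. As an added example, not code from this thread or from any AV vendor, here is a small Python parser for that layout, run over two of the records exactly as they were posted, plus a heuristic triage that flags the signs the thread itself points at: "Clean failed" / "Access denied" (the file was not actually removed), a file written under the SYSTEM account into system32, and the TFTP-plus-number file name that kept changing between alerts. The function names and the triage rules are my own assumptions, not the AV product's logic.

```python
import re

# Two records copied as posted in this thread (posts 11 and 22); only the
# forum's line wrapping differs from the original paste.
SAMPLE_LOG = r"""
Scan type: Manual Scan
Event: Virus Found!
Virus name: Trojan.Alwayup
File: C:\Documents and Settings\Billy\Local Settings\Temp\toc_0036.exe
Location: Quarantine
Computer: BILLY-5-2005
User: Billy
Action taken: Clean failed : Quarantine succeeded :
Date found: Wed May 25 02:00:38 2005

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Spybot.Worm
File: D:\WINDOWS\system32\TFTP408
Location: Quarantine
Computer: BILLY-5-2005
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Thu May 26 12:05:06 2005
"""


def parse_records(text):
    """Split the log into records (blank-line separated) of 'Key: value' pairs.
    Only the first colon on a line splits, so 'C:\\...' paths and 'hh:mm:ss'
    timestamps survive intact."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


# Heuristic triage rules (my own assumptions, not vendor logic). Each reason is
# a sign that the alert was not a clean, one-off removal.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


def triage(record):
    reasons = []
    action = record.get("Action taken", "").lower()
    path = record.get("File", "").lower()
    if "clean failed" in action:
        reasons.append("clean failed: only a quarantined copy was taken")
    if "access denied" in action:
        reasons.append("access denied: file was locked, likely by a running process")
    if record.get("User") == "SYSTEM":
        reasons.append("written under SYSTEM: a service-level component is active")
    if any(d in path for d in SYSTEM_DIRS):
        reasons.append("dropped in system32: persistence-style location")
    if "\\temp\\" in path:
        reasons.append("temp-folder drop: typical downloader staging")
    return reasons


def severity(record):
    """Three or more reasons: treat the host as still compromised, not cleaned."""
    n = len(triage(record))
    return "high" if n >= 3 else ("medium" if n >= 1 else "low")


def tftp_drops(records):
    """Files named TFTP<digits>, the pattern the poster saw with a varying number."""
    return [r["File"] for r in records
            if re.search(r"\\TFTP\d+$", r.get("File", ""), re.IGNORECASE)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for rec in recs:
        print(rec["Virus name"], rec["File"], severity(rec))
        for why in triage(rec):
            print("   -", why)
    print("TFTP drops:", tftp_drops(recs))
```

Run against these two records, the Alwayup hit in the user's Temp folder rates "medium" and the Spybot hit rates "high": it failed to clean, was access-denied, sits in system32 and was written by SYSTEM, which is the combination that tells a defender something is still running on the box rather than a stray download that quarantine took care of.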
  23. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    W32.Spybot.Worm is a detection for a family of worms that spreads using KaZaA file sharing and mIRC. This worm can also spread to computers that are infected with common back door Trojan horses and network shares that make use of weak passwords.

    W32.Spybot.Worm can perform different back door type functions by connecting to a configurable IRC server and joining a specific channel to listen for instructions. Newer variants may also spread by exploiting the following vulnerabilities:
  24. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    great.. so some script kiddie or ad company is checking me out. I am flattered. hehehehe
  25. Originally Posted by madvideos
    The only thing that ticks me off is the boot option screen, it still has all my previous installs as a boot option. Really weird. TIA.
    It looks to me as if you have not re-formatted your HD, simply installed a new copy of Windows on the existing disk. In that case you could still be infected.

    Reformat before re-install is the only 100% sure-fire way of removing everything possible; then install XP from a CD that includes SP2 in the install routine so you are as protected as possible before first going on the net.

    You didn't do that, you got hacked/infected straight away.

    Scary isn't it!
    There are 10 kinds of people in this world. Those that understand binary...
  26. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    dood.. I did format. lol
    I just didn't format the C drive, which is my other drive.. My D is now my winders drive. I did delete the Windows folder on the C drive, and the junk in Documents and Settings.
  27. Member (Join Date: May 2004, Location: Augusta Georgia USA)
    I just uninstalled Norton.. best thing I could have done, which is why I don't run AV. Too messy, junky, and cluttery.
    Problem seems to be solved.
    Thanks everyone for jumping in and helping me out.
  28. Member lumis (Join Date: Jan 2005, Location: the remnants of pangea)
    Originally Posted by madvideos
    I have to believe you hit that right on the head.
    The only thing that ticks me off is the boot option screen, it still has all my previous installs as a boot option. Really weird. How in tarnation do I clear that option from showing up?

    TIA.

    there is a file called boot.ini in the root of the c: drive, you'll have to tell windows to show you protected system files in order to see it in the file browser.

    it should look like this:

    Code:
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    yours will probably have additional stuff; get rid of it.. save & reboot. It won't show the O/S selection screen anymore.
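The edit lumis describes (keep the [operating systems] entry that default= points at, drop the rest) is easy to get wrong by hand: if the line you keep is not the one default= names, the box will not boot. As an added example, not from this thread or from Microsoft, here is a small Python script that parses a boot.ini in the layout shown above, lists the entries that are not the default target, and rewrites the file only when the default still has a matching entry. The sample boot.ini is constructed (the running Windows on the second partition, a stale entry for the old install on the first); the function names are my own.

```python
# Constructed sample boot.ini (not the poster's file): the working install is
# on partition(2); the entry for partition(1) is the stale one to remove.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""


def parse_boot_ini(text):
    """Return ({key: value} from [boot loader],
               [(arc_path, rest_of_line)] from [operating systems])."""
    section, loader, systems = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Split on the first '=' only, so switches like /noexecute=optin stay intact.
        key, _, value = line.partition("=")
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            systems.append((key.strip(), value.strip()))
    return loader, systems


def stale_entries(text):
    """ARC paths listed under [operating systems] that are not the default= target."""
    loader, systems = parse_boot_ini(text)
    default = loader.get("default", "").lower()
    return [arc for arc, _ in systems if arc.lower() != default]


def clean_boot_ini(text):
    """Rewrite boot.ini keeping only the entry that default= names.
    The two checks are what keeps this from producing an unbootable file:
    no default= line, or a default with no matching entry, raises instead."""
    loader, systems = parse_boot_ini(text)
    default = loader.get("default")
    if not default:
        raise ValueError("no default= line in [boot loader]; not editing")
    kept = [(arc, rest) for arc, rest in systems if arc.lower() == default.lower()]
    if not kept:
        raise ValueError("default= target has no [operating systems] entry; not editing")
    out = ["[boot loader]",
           "timeout=" + loader.get("timeout", "30"),
           "default=" + default,
           "[operating systems]"]
    out += [arc + "=" + rest for arc, rest in kept]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("stale entries:", stale_entries(SAMPLE_BOOT_INI))
    print(clean_boot_ini(SAMPLE_BOOT_INI))
```

Before writing the result back, copy the original boot.ini somewhere safe; the file is marked hidden, system and read-only, so those attributes have to be cleared to overwrite it and should be put back afterwards.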
  29. madvideos- FYI, I use CA's EZ-antivirus; very low system overhead, 'cause I can't stand Norton and McAfee - way too much extra junk/bloat.