Aurora pop-ups! [RESOLVED]


This topic is locked

#1
CBsed (New Member, 5 posts)

I keep getting these pop-ups that are under the name "aurora" and I can't get rid of them no matter what. Please help!

-Thanks


Logfile of HijackThis v1.99.1
Scan saved at 5:48:23 PM, on 4/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.5.0\bin\jusched.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\sizarund.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wscntfy.exe
f:\windows\system32\mzkbewp.exe
F:\WINDOWS\system32\nsvsvc\nsvsvc.exe
F:\WINDOWS\system32\picsvr\picsvr.exe
F:\WINDOWS\system32\tbctray.exe
F:\Program Files\AIM\aim.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Da Bozby\Desktop\HijackThis.exe
F:\WINDOWS\servhhljwy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.formula1.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - F:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - F:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D077821-BFE2-B83A-BD1C-BDEEF9F2BDE9} - F:\WINDOWS\system32\ycgkwjge.dll
O2 - BHO: (no name) - {0D43D44B-DF7D-FD82-FCDF-3B6699DC4275} - F:\WINDOWS\system32\zidsrsdm.dll
O2 - BHO: (no name) - {2D407CE9-E1FE-FF78-5879-C63B3BFC9CDA} - F:\WINDOWS\system32\ymflvwwd.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - F:\WINDOWS\Bolger.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AD0D9FE1-B24C-014A-EBAD-258A81D3DB0B} - F:\WINDOWS\apivt32.dll (file missing)
O2 - BHO: (no name) - {E3C5C36E-090C-6851-DB81-4416E695076D} - F:\WINDOWS\system32\mjilvdnm.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VBouncer] F:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [5002c.exe] 5002c.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [SearchUpgrader] F:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [uawxflfxkzvk] F:\WINDOWS\system32\kypenfk.exe
O4 - HKLM\..\Run: [sizarund] F:\WINDOWS\system32\sizarund.exe
O4 - HKLM\..\Run: [firlnin] F:\Documents and Settings\Da Bozby\Local Settings\Temporary Internet Files\Content.IE5\NJX379CW\delf061225[1].exe
O4 - HKLM\..\Run: [Nsv] F:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] F:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [agilkef] f:\windows\system32\mzkbewp.exe
O4 - HKLM\..\Run: [TraySantaCruz] F:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\RunOnce: [AAW] "F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ulmdlqv] F:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - Startup: AdDestroyer.lnk = F:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://F:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/a4/load.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3C31719-EB08-4473-A800-766DEA1AC429}: NameServer = 209.47.15.118,64.157.143.38,68.2.16.30,68.2.16.25
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - F:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avzrkbjwcuom (rcitjnvi6) - Unknown owner - F:\WINDOWS\system32\oxztsram6.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe

Edited by CBsed, 23 April 2005 - 06:53 PM.

  • 0


#2
stallionsims (Member, 77 posts)

If you want to post help in the Malware Removal forum here at GTG, you need to be a staff member. Click here to join Geek U.

ScHwErV :tazz:

Edited by Geek U Moderator

Edited by ScHwErV, 23 April 2005 - 08:00 PM.

  • 0

#3
ScHwErV (Retired Staff, MVP, 21,285 posts)

CBsed

Hello and welcome to Geeks To Go.

You have a number of different problems that I can see. Let's start out with some general scans and see if we can't clean things up a little.

Please download Spybot Search & Destroy and AdAware.

Follow all the instructions on this website to run a scan with both of these programs.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

Good Luck

ScHwErV :tazz:

Edited by ScHwErV, 23 April 2005 - 08:01 PM.

  • 0

#4
CBsed (Topic Starter, New Member, 5 posts)

Thanks for the help! First off, I'm having trouble with the on-line scanners. Something keeps closing them every time I try to run their programs.
Here's the first HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 2:14:29 AM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.5.0\bin\jusched.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\sizarund.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\nsvsvc\nsvsvc.exe
F:\WINDOWS\system32\picsvr\picsvr.exe
F:\WINDOWS\system32\tbctray.exe
f:\windows\system32\biwrljd.exe
F:\WINDOWS\System32\wbem\wmiprvse.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\?hkdsk.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Da Bozby\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.formula1.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - F:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - F:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D077821-BFE2-B83A-BD1C-BDEEF9F2BDE9} - F:\WINDOWS\system32\ycgkwjge.dll
O2 - BHO: (no name) - {0D43D44B-DF7D-FD82-FCDF-3B6699DC4275} - F:\WINDOWS\system32\zidsrsdm.dll
O2 - BHO: (no name) - {2D407CE9-E1FE-FF78-5879-C63B3BFC9CDA} - F:\WINDOWS\system32\ymflvwwd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AD0D9FE1-B24C-014A-EBAD-258A81D3DB0B} - F:\WINDOWS\apivt32.dll (file missing)
O2 - BHO: (no name) - {E3C5C36E-090C-6851-DB81-4416E695076D} - F:\WINDOWS\system32\mjilvdnm.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VBouncer] F:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [5002c.exe] 5002c.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [SearchUpgrader] F:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [sizarund] F:\WINDOWS\system32\sizarund.exe
O4 - HKLM\..\Run: [firlnin] F:\Documents and Settings\Da Bozby\Local Settings\Temporary Internet Files\Content.IE5\NJX379CW\delf061225[1].exe
O4 - HKLM\..\Run: [Nsv] F:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] F:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [elrxkrt] f:\windows\system32\biwrljd.exe
O4 - HKLM\..\Run: [TraySantaCruz] F:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\RunOnce: [AAW] "F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ulmdlqv] F:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://F:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/a4/load.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3C31719-EB08-4473-A800-766DEA1AC429}: NameServer = 209.47.15.118,64.157.143.38,68.2.16.30,68.2.16.25
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avzrkbjwcuom (rcitjnvi6) - Unknown owner - F:\WINDOWS\system32\oxztsram6.exe

Here's the second:
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AOL Instant Messenger
Display Utility
DivX
DivX Player
Doom 3
DVD Shrink 3.2
Ebates Moe Money Maker
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Incredifind
InterActual Player
iPod Updater 2004-10-20
iTunes
J2SE Runtime Environment 5.0
Macromedia Shockwave Player
Mozilla Firefox (1.0)
Mozilla Firefox (1.0.1)
NVIDIA Drivers
QuickTime
RealPlayer
Spybot - Search & Destroy 1.3
Turtle Beach Santa Cruz Driver
Viewpoint Media Player
WebSpecials
Windows Installer 3.1 (KB893803)
Windows SR 3.0
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
  • 0

#5
ScHwErV (Retired Staff, MVP, 21,285 posts)

You probably have some malware in there that's stopping you from being able to run those online scans. After you do all the following, try the KAV scan again.

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - F:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - F:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {0D077821-BFE2-B83A-BD1C-BDEEF9F2BDE9} - F:\WINDOWS\system32\ycgkwjge.dll
O2 - BHO: (no name) - {0D43D44B-DF7D-FD82-FCDF-3B6699DC4275} - F:\WINDOWS\system32\zidsrsdm.dll
O2 - BHO: (no name) - {2D407CE9-E1FE-FF78-5879-C63B3BFC9CDA} - F:\WINDOWS\system32\ymflvwwd.dll
O2 - BHO: (no name) - {AD0D9FE1-B24C-014A-EBAD-258A81D3DB0B} - F:\WINDOWS\apivt32.dll (file missing)
O2 - BHO: (no name) - {E3C5C36E-090C-6851-DB81-4416E695076D} - F:\WINDOWS\system32\mjilvdnm.dll (file missing)
O4 - HKLM\..\Run: [VBouncer] F:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [5002c.exe] 5002c.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [SearchUpgrader] F:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [sizarund] F:\WINDOWS\system32\sizarund.exe
O4 - HKLM\..\Run: [firlnin] F:\Documents and Settings\Da Bozby\Local Settings\Temporary Internet Files\Content.IE5\NJX379CW\delf061225[1].exe
O4 - HKLM\..\Run: [Nsv] F:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] F:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [elrxkrt] f:\windows\system32\biwrljd.exe
O4 - HKCU\..\Run: [Ulmdlqv] F:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Ebates Moe Money Maker
WebSpecials

Please delete these folders using Windows Explorer (if present):

F:\Program Files\VBouncer
C:\Program Files\WebSpecials
F:\Program Files\IncrediFind
F:\Program Files\Common files\SearchUpgrader

Please delete these files using Windows Explorer (if present):

F:\WINDOWS\system32\sizarund.exe
F:\WINDOWS\system32\nsvsvc\nsvsvc.exe
F:\WINDOWS\system32\picsvr\picsvr.exe
F:\Windows\system32\biwrljd.exe
F:\WINDOWS\System32\?hkdsk.exe

Please search for and delete

5002c.exe

After that, Reboot.

After all that, report back with how things went and a fresh HiJackThis log.

ScHwErV :tazz:

Edited by ScHwErV, 24 April 2005 - 08:58 AM.

  • 0
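The checks a helper applies by eye to a log like the ones above can be written down. The following Python script is an added example for this thread, not HijackThis code and not anything the forum itself uses: it parses the section code of each entry and flags the patterns acted on in the posts above (a system.ini Shell= with an extra program, unnamed or file-missing BHOs, Run entries with no path, inside a temporary folder, with a non-printable character or on a different drive, Trusted Zone and ProtocolDefaults changes, DPF entries pointing at a raw .exe, services with an unknown owner) and lists the O17 name servers for manual verification rather than auto-fixing them. The sample lines are copied from the logs posted in this thread; the rule set, the temporary-folder list and the assumption that the system drive is F: (as in those logs) are the example's own.

```python
"""HijackThis log triage: flag the entries a helper would tick in "Fix checked".
Added example for this thread, not HijackThis code; sample lines are copied from
the thread's logs, the rules and the "F:" system-drive assumption are the example's."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    section: str                       # HijackThis section code, e.g. "O4"
    line: str                          # original log line
    reasons: list[str] = field(default_factory=list)


# Every HijackThis entry starts with its section code: "R1 - ", "F2 - ", "O23 - " ...
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in an executable or library, quoted or not
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Folders in which a legitimate autostart should never live (assumption)
TEMP_MARKERS = ("temporary internet files", "\\temp\\", "\\local settings\\")


def check_entry(section: str, body: str, system_drive: str) -> list[str]:
    """Return the reasons (possibly none) why one entry deserves attention."""
    reasons: list[str] = []
    low = body.lower()
    m = PATH_RE.search(body)
    path = m.group(0) if m else None
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("dangling entry: the file it points to no longer exists")
    if section == "F2" and "shell=" in low:
        # system.ini Shell= must be exactly Explorer.exe; anything appended runs at logon
        if low.split("shell=", 1)[1].strip() != "explorer.exe":
            reasons.append("Shell= launches an extra program at logon")
    elif section == "O2" and "(no name)" in low:
        reasons.append("unnamed browser helper object")
    elif section == "O4":
        if path is None:
            reasons.append("no full path: executable is located via the search path")
        else:
            if any(marker in path.lower() for marker in TEMP_MARKERS):
                reasons.append("autostart inside a temporary/cache folder")
            if "?" in path:
                reasons.append("non-printable character in filename (shown as '?')")
            if not path.lower().startswith(system_drive.lower()):
                reasons.append(f"points to a drive other than the system drive {system_drive}")
    elif section == "O15":
        if "trusted zone" in low or "trusted ip range" in low:
            reasons.append("origin added to IE Trusted Zone (lowers security for it)")
        if "should be" in low:
            reasons.append("protocol default zone changed from Internet to Trusted")
    elif section == "O16" and re.search(r"https?://\S+\.exe\b", low):
        reasons.append("ActiveX download entry points to a raw .exe, not a .cab")
    elif section == "O17" and "nameserver" in low:
        servers = body.split("=", 1)[1].strip()
        reasons.append(f"verify: DNS servers {servers} against the ISP's published resolvers")
    elif section == "O23" and "unknown owner" in low:
        reasons.append("service without publisher information")
    return reasons


def triage(log_text: str, system_drive: str = "F:") -> list[Finding]:
    """Run every entry line through check_entry; other lines are ignored."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and (reasons := check_entry(*m.groups(), system_drive)):
            findings.append(Finding(m.group(1), raw.strip(), reasons))
    return findings


def fix_candidates(findings: list[Finding]) -> list[str]:
    """Lines to tick in HijackThis; 'verify:' findings need a human decision first."""
    return [f.line for f in findings if not all(r.startswith("verify:") for r in f.reasons)]


# Excerpt of the logs posted in this thread (copied, not constructed)
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D077821-BFE2-B83A-BD1C-BDEEF9F2BDE9} - F:\WINDOWS\system32\ycgkwjge.dll
O2 - BHO: (no name) - {AD0D9FE1-B24C-014A-EBAD-258A81D3DB0B} - F:\WINDOWS\apivt32.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5002c.exe] 5002c.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [firlnin] F:\Documents and Settings\Da Bozby\Local Settings\Temporary Internet Files\Content.IE5\NJX379CW\delf061225[1].exe
O4 - HKCU\..\Run: [Ulmdlqv] F:\WINDOWS\System32\?hkdsk.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/a4/load.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3C31719-EB08-4473-A800-766DEA1AC429}: NameServer = 209.47.15.118,64.157.143.38,68.2.16.30,68.2.16.25
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avzrkbjwcuom (rcitjnvi6) - Unknown owner - F:\WINDOWS\system32\oxztsram6.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.line[:60], "->", "; ".join(f.reasons))
```

Run as-is it prints twelve flagged entries with their reasons; the QuickTime, Adobe and NVIDIA lines pass every rule, and the O17 line is reported as "verify" only, because name servers that look unfamiliar can still be the ISP's own. The rules are deliberately simple string checks so that each reason maps to one visible feature of the log line, which is what makes a helper's decision explainable to the person posting the log.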

#6
CBsed (Topic Starter, New Member, 5 posts)

OK, I found and deleted the following:
C:\Program Files\Web Specials
F:\Program Files\incredifind
F:\Program Files\Common Files\SearchUpgrader
F:\WINDOWS\system32\sizarund.exe

I did not find the following:
F:\Program Files\VBouncer
F:\WINDOWS\nsvsvc\nsvsvc.exe (I found a file called nvsc32.exe, but did not delete it)
F:\WINDOWS\picsvr\picsvr.exe
F:\WINDOWS\biwrljd.exe
F:\WINDOWS\?hkdsk.exe
or 5002c.exe

Here's the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:31:38 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\system32\oxztsram6.exe
F:\WINDOWS\system32\userinit.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.5.0\bin\jusched.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\tbctray.exe
f:\windows\system32\sixrcem.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Documents and Settings\Da Bozby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.formula1.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D43D44B-DF7D-FD82-FCDF-3B6699DC4275} - (no file)
O2 - BHO: (no name) - {2D407CE9-E1FE-FF78-5879-C63B3BFC9CDA} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E3C5C36E-090C-6851-DB81-4416E695076D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [firlnin] F:\Documents and Settings\Da Bozby\Local Settings\Temporary Internet Files\Content.IE5\NJX379CW\delf061225[1].exe
O4 - HKLM\..\Run: [ctygsl] f:\windows\system32\sixrcem.exe
O4 - HKLM\..\Run: [TraySantaCruz] F:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://F:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/a4/load.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3C31719-EB08-4473-A800-766DEA1AC429}: NameServer = 209.47.15.118,64.157.143.38,68.2.16.30,68.2.16.25
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avzrkbjwcuom (rcitjnvi6) - Unknown owner - F:\WINDOWS\system32\oxztsram6.exe
  • 0

#7
ScHwErV (Retired Staff, MVP, 21,285 posts)

We still have a little more cleanup to do.

Re-open HiJackThis and click scan. Check these entries.

O4 - HKLM\..\Run: [firlnin] F:\Documents and Settings\Da Bozby\Local Settings\Temporary Internet Files\Content.IE5\NJX379CW\delf061225[1].exe
O4 - HKLM\..\Run: [ctygsl] f:\windows\system32\sixrcem.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://F:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: avzrkbjwcuom (rcitjnvi6) - Unknown owner - F:\WINDOWS\system32\oxztsram6.exe

Close all open windows and click Fix Checked. Then reboot into safe mode.

Delete the following files.

f:\windows\system32\sixrcem.exe
F:\WINDOWS\system32\oxztsram6.exe

Then reboot into normal windows.

Try to run the online virus scans again and then report back with how things are running and with a new HiJackThis log.

ScHwErV :tazz:
  • 0

#8
CBsed (Topic Starter, New Member, 5 posts)

OK, here's the virus report:

Attention, your computer is infected.
The following infected files/objects were found during the scan:



F:\Documents ...bc3a-44f9839a.zip Trojan....ssLoader.z send delete

F:\Documents ...6c70-77fca93c.zip Trojan....ssLoader.z send delete

F:\Documents ...3371-722d67d9.zip Trojan....ssLoader.z send delete

F:\Documents ...c9cd-532a4b7f.zip Exploit....Bytverify send delete

F:\Documents ...bc80-51f27b61.zip Trojan.Java.Binny.a send delete

F:\Documents ...14fb-4f779a7e.zip Trojan....ssLoader.z send delete

F:\Documents ...a68c-5bb80f8e.zip Trojan....ssLoader.c send delete

F:\Documents ...a68e-11cb4db1.zip Trojan....ssLoader.c send delete

F:\Documents ...8f75-45234768.zip Trojan....ssLoader.c send delete

F:\Documents ...c93d-67e48b00.zip Trojan....ssLoader.c send delete

F:\Documents ...aa50-5d112954.zip Trojan....ssLoader.c send delete

F:\Documents ...cf54-2905f9db.zip Trojan....ssLoader.c send delete

F:\Documents ...c386-5a841231.zip Trojan....ssLoader.c send delete

F:\Documents ...c9df-59348a07.zip Trojan....ssLoader.j send delete

F:\Documents ...a0f1-4c5e0a1f.zip Trojan....er.Dummy.a send delete

F:\Documents ...6701-5d82bea8.zip Trojan-...enStream.t send delete

F:\Documents ...24-115711-320.dll Trojan....32.Golid.f send delete

F:\Documents ...24-115711-890.dll Trojan-...2.Agent.fu send delete

F:\Documents ...emp\AT_us_new.exe Trojan-...2.Mudrop.o send delete

F:\Documents ...gs\Temp\etool.exe Trojan....LowZones.y send delete

F:\Documents ...p\Incredifind.exe Trojan-....Keenval.n send delete

F:\Documents ...\mediatickets.exe Trojan-...32.Agent.h send delete

F:\Documents ...ngs\Temp\senh.exe Trojan-...n32.Delf.z send delete

F:\Documents ...simpletraffic.exe Trojan-...2.Small.nm send delete

F:\Documents ...W\IconDrop[1].exe Trojan-...32.Agent.y send delete

F:\Documents ...W\IconDrop[2].exe Trojan-...32.Agent.y send delete

F:\Documents ...W\IconDrop[3].exe Trojan-...32.Agent.y send delete

F:\Documents ...\setup-6-b[1].exe Trojan-...2.Agent.ic send delete

F:\Documents ...\setup-6-b[2].exe Trojan-...2.Agent.ic send delete

F:\Documents ...GH6R\o_2_0[1].txt Trojan-...2.Agent.cy send delete

F:\Documents ...T2BO9YZ\hh[1].exe Trojan-...32.Spung.a send delete

F:\Documents ...\installer[1].htm Trojan-...JS.Small.d send delete

F:\Documents ...9YZ\prompt[1].htm Trojan-...S.IstBar.a send delete

F:\Documents ...WZ1NEE35\1[2].htm Exploit.HTML.Mht send delete

F:\Documents ...Another World.mp3 Passwor...tected-EXE send delete

F:\Documents ...OL4Z\a_6_0[1].txt Trojan-...2.Agent.fu send delete

F:\Documents ...EF87\c_2_0[1].txt Trojan-...32.Agent.l send delete

F:\Program Fi...comedy-planet.exe Trojan....2.Agent.aw send delete

F:\WINDOWS\system32\asdf Trojan....2.Small.aj send delete

F:\WINDOWS\system32\cp.exe Trojan-...2.Agent.ic send delete

F:\WINDOWS\system32\d15.exe Trojan-....Small.akj send delete

F:\WINDOWS\system32\drivers\.sys Trojan....2.Agent.aw send delete

F:\WINDOWS\sy...vers\nqitygri.sys Trojan....2.Agent.aw send delete

F:\WINDOWS\system32\etool.exe Trojan....LowZones.f send delete

F:\WINDOWS\system32\fpcmidr.exe Trojan....2.Agent.cp send delete

F:\WINDOWS\system32\in10b6s.dll Trojan-....Keenval.a

F:\WINDOWS\system32\jfesdwus.exe Trojan-...32.Agent.l

F:\WINDOWS\sy...picsvr\picsvr.exe Trojan-...2.Delmed.b

F:\WINDOWS\sy...eInstaller_p1.exe Trojan-....Keenval.o

F:\WINDOWS\system32\tsbeklen.exe Trojan-...32.Agent.l

F:\WINDOWS\Wrapper.exe


Here's the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:56:09 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.5.0\bin\jusched.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\tbctray.exe
f:\windows\system32\fpcmidr.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Da Bozby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.formula1.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D43D44B-DF7D-FD82-FCDF-3B6699DC4275} - (no file)
O2 - BHO: (no name) - {2D407CE9-E1FE-FF78-5879-C63B3BFC9CDA} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E3C5C36E-090C-6851-DB81-4416E695076D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [firlnin] F:\Documents and Settings\Da Bozby\Local Settings\Temporary Internet Files\Content.IE5\NJX379CW\delf061225[1].exe
O4 - HKLM\..\Run: [xujnfxk] f:\windows\system32\fpcmidr.exe
O4 - HKLM\..\Run: [TraySantaCruz] F:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/a4/load.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3C31719-EB08-4473-A800-766DEA1AC429}: NameServer = 209.47.15.118,64.157.143.38,68.2.16.30,68.2.16.25
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avzrkbjwcuom (rcitjnvi6) - Unknown owner - F:\WINDOWS\system32\oxztsram6.exe (file missing)
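HijackThis lines like the ones in the log above can be triaged mechanically. The Python script below is an added example, not a tool from this thread or from the HijackThis project; it applies common defender-side triage heuristics (orphaned BHOs, autostarts launched from temp or browser-cache folders, DPF entries that fetch an .exe, services with no known owner or a missing binary) to constructed sample lines that mirror the log's format. The entry names, CLSIDs, user name and URLs in the sample are made up; the benign lines imitate entries from the log above.

```python
import re

# Constructed HijackThis-style lines that mirror the log format in the thread above.
# The section codes (O2, O4, O16, O23) and path conventions are HijackThis's own;
# the entry names, CLSIDs, user name and URLs here are made up for this example.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-0000-0000-0000-000000000001} - F:\Program Files\Adobe\AcroIEHelper.dll
O2 - BHO: (no name) - {0D43D44B-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qwxzrtp] F:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\delf[1].exe
O16 - DPF: {0EB0E74A-0000-0000-0000-000000000003} (CKAVWebScan Object) - http://scanner.example.invalid/kavwebscan.cab
O16 - DPF: {AD688740-0000-0000-0000-000000000004} - http://dropper.example.invalid/a4/load.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: zzqrtvmx (svc9) - Unknown owner - F:\WINDOWS\system32\zzqrtvmx9.exe (file missing)
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_line(line):
    """Split one HijackThis line into (section code, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return (code, reason, line) for every entry that trips a triage heuristic."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        lower = body.lower()
        reason = None
        if code == "O2" and lower.endswith("(no file)"):
            reason = "orphaned BHO registration: CLSID points to no file on disk"
        elif code == "O4" and ("temporary internet files" in lower or "\\temp\\" in lower):
            reason = "autostart entry launches a binary from a browser cache or temp folder"
        elif code == "O16" and re.search(r"https?://\S+\.exe$", lower):
            reason = "DPF (ActiveX download) fetches an .exe rather than a .cab"
        elif code == "O23" and ("unknown owner" in lower or "(file missing)" in lower):
            reason = "service with no known vendor or a missing binary"
        if reason:
            findings.append((code, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

These heuristics only rank entries for a human to look at; an entry they flag still needs the file or CLSID checked before anything is removed.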

#9 ScHwErV (Member 5k, Retired Staff, MVP, 21,285 posts)
Well done! Your log is clean. How are things running?

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

ScHwErV :tazz:

#10 CBsed (New Member, Topic Starter, 5 posts)
Things are running better now, and no more stupid Aurora pop-up! So the virus scan came back negative? Thanks again for all the help, I wouldn't have been able to do it without your help!

#11 ScHwErV (Member 5k, Retired Staff, MVP, 21,285 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.