Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora Popups


  • This topic is locked This topic is locked

#1
Crash9789

Crash9789

    New Member

  • Member
  • Pip
  • 3 posts
I have run ad-aware and spy-bot, but I have not been able to get rid of these Aurora Popup ads. They popup every couple of minutes even when the internet is not open. Please take a look at the Hijack this logfile and tell me what to remove, as I am not familar with what should and what should not be there.




Logfile of HijackThis v1.99.1
Scan saved at 11:12:34 PM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\efuaooi\gydnw.exe
C:\WINDOWS\system32\joprdv\jersfcw.exe
C:\WINDOWS\system32\nysp\erme.exe
C:\WINDOWS\system32\swgfxri\gkbh.exe
C:\WINDOWS\system32\ckplk\kuahlsni.exe
C:\WINDOWS\system32\flqa\khqw.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\qctaclf\fhetyaxt.exe
C:\WINDOWS\system32\xtbhlg\tqaq.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cwfc\bguxm.exe
C:\WINDOWS\system32\gfqk\silo.exe
C:\WINDOWS\system32\fjnru\urwki.exe
C:\WINDOWS\system32\tunb\smvpg.exe
C:\WINDOWS\system32\rvqdq\cxqkhow.exe
C:\WINDOWS\system32\sfauyj\vdeiq.exe
C:\WINDOWS\system32\tfihha\uxpusbs.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\nubdaa\xagx.exe
C:\WINDOWS\system32\hmuijbbw\bgyhnl.exe
C:\WINDOWS\system32\yklfjv\aqcenpfk.exe
C:\WINDOWS\system32\kogk\idsi.exe
C:\WINDOWS\system32\nueqkput\adlixyl.exe
C:\WINDOWS\system32\jnfi\mytjnkk.exe
C:\WINDOWS\system32\svuos\cvblnwuo.exe
C:\WINDOWS\system32\knxdlwc\jauxacso.exe
C:\WINDOWS\system32\veohqa\objfcag.exe
C:\WINDOWS\system32\vvppayy\baevoe.exe
C:\WINDOWS\system32\tina\kpalfb.exe
C:\WINDOWS\system32\xymwww\vkkgm.exe
C:\WINDOWS\system32\bgyvssql\tobvf.exe
C:\WINDOWS\system32\ijcdkmf\wxfdhl.exe
C:\WINDOWS\system32\nfimue\wyohdeoy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lwtfats\cqiqv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\uqyixqk\bmqecm.exe
C:\WINDOWS\system32\qdcoo\ohkgcfbi.exe
C:\WINDOWS\system32\bnwwwv\wrys.exe
C:\WINDOWS\system32\hmmcuno\qmdqhd.exe
C:\WINDOWS\system32\gndw\yfhd.exe
C:\WINDOWS\system32\vnuaoni\mhyw.exe
C:\WINDOWS\system32\ilsbiy\bqcoubc.exe
C:\WINDOWS\system32\kmkeu\gbfws.exe
C:\WINDOWS\system32\jgcf\ybvfai.exe
C:\WINDOWS\system32\vjyy\bikndou.exe
C:\WINDOWS\system32\suarh\feeqtmbw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\jvoit\cuqi.exe
C:\WINDOWS\system32\ntvscr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Evan\Desktop\Cleaning Equipment\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ymbip] C:\WINDOWS\system32\qxpooqko\ymbip.exe
O4 - HKLM\..\Run: [hhbukh] C:\WINDOWS\system32\hiba\hhbukh.exe
O4 - HKLM\..\Run: [myxsx] C:\WINDOWS\system32\enba\myxsx.exe
O4 - HKLM\..\Run: [buqgacy] C:\WINDOWS\system32\ijfij\buqgacy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [jersfcw] C:\WINDOWS\system32\joprdv\jersfcw.exe
O4 - HKLM\..\Run: [ikuhp] C:\WINDOWS\system32\crawmpqj\ikuhp.exe
O4 - HKLM\..\Run: [futd] C:\WINDOWS\system32\rjlpqgwe\futd.exe
O4 - HKLM\..\Run: [doulew] C:\WINDOWS\system32\wnpjrk\doulew.exe
O4 - HKLM\..\Run: [erme] C:\WINDOWS\system32\nysp\erme.exe
O4 - HKLM\..\Run: [gkbh] C:\WINDOWS\system32\swgfxri\gkbh.exe
O4 - HKLM\..\Run: [khqw] C:\WINDOWS\system32\flqa\khqw.exe
O4 - HKLM\..\Run: [jbrdy] C:\WINDOWS\system32\njlyipxa\jbrdy.exe
O4 - HKLM\..\Run: [tqaq] C:\WINDOWS\system32\xtbhlg\tqaq.exe
O4 - HKLM\..\Run: [bguxm] C:\WINDOWS\system32\cwfc\bguxm.exe
O4 - HKLM\..\Run: [silo] C:\WINDOWS\system32\gfqk\silo.exe
O4 - HKLM\..\Run: [urwki] C:\WINDOWS\system32\fjnru\urwki.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteidk32.exe
O4 - HKLM\..\Run: [smvpg] C:\WINDOWS\system32\tunb\smvpg.exe
O4 - HKLM\..\Run: [cxqkhow] C:\WINDOWS\system32\rvqdq\cxqkhow.exe
O4 - HKLM\..\Run: [vdeiq] C:\WINDOWS\system32\sfauyj\vdeiq.exe
O4 - HKLM\..\Run: [uxpusbs] C:\WINDOWS\system32\tfihha\uxpusbs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [xagx] C:\WINDOWS\system32\nubdaa\xagx.exe
O4 - HKLM\..\Run: [bgyhnl] C:\WINDOWS\system32\hmuijbbw\bgyhnl.exe
O4 - HKLM\..\Run: [aqcenpfk] C:\WINDOWS\system32\yklfjv\aqcenpfk.exe
O4 - HKLM\..\Run: [idsi] C:\WINDOWS\system32\kogk\idsi.exe
O4 - HKLM\..\Run: [adlixyl] C:\WINDOWS\system32\nueqkput\adlixyl.exe
O4 - HKLM\..\Run: [mytjnkk] C:\WINDOWS\system32\jnfi\mytjnkk.exe
O4 - HKLM\..\Run: [cvblnwuo] C:\WINDOWS\system32\svuos\cvblnwuo.exe
O4 - HKLM\..\Run: [jauxacso] C:\WINDOWS\system32\knxdlwc\jauxacso.exe
O4 - HKLM\..\Run: [objfcag] C:\WINDOWS\system32\veohqa\objfcag.exe
O4 - HKLM\..\Run: [baevoe] C:\WINDOWS\system32\vvppayy\baevoe.exe
O4 - HKLM\..\Run: [kpalfb] C:\WINDOWS\system32\tina\kpalfb.exe
O4 - HKLM\..\Run: [vkkgm] C:\WINDOWS\system32\xymwww\vkkgm.exe
O4 - HKLM\..\Run: [tobvf] C:\WINDOWS\system32\bgyvssql\tobvf.exe
O4 - HKLM\..\Run: [wxfdhl] C:\WINDOWS\system32\ijcdkmf\wxfdhl.exe
O4 - HKLM\..\Run: [wyohdeoy] C:\WINDOWS\system32\nfimue\wyohdeoy.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cqiqv] C:\WINDOWS\system32\lwtfats\cqiqv.exe
O4 - HKLM\..\Run: [bmqecm] C:\WINDOWS\system32\uqyixqk\bmqecm.exe
O4 - HKLM\..\Run: [ohkgcfbi] C:\WINDOWS\system32\qdcoo\ohkgcfbi.exe
O4 - HKLM\..\Run: [wrys] C:\WINDOWS\system32\bnwwwv\wrys.exe
O4 - HKLM\..\Run: [qmdqhd] C:\WINDOWS\system32\hmmcuno\qmdqhd.exe
O4 - HKLM\..\Run: [yfhd] C:\WINDOWS\system32\gndw\yfhd.exe
O4 - HKLM\..\Run: [mhyw] C:\WINDOWS\system32\vnuaoni\mhyw.exe
O4 - HKLM\..\Run: [gydnw] C:\WINDOWS\system32\efuaooi\gydnw.exe
O4 - HKLM\..\Run: [bqcoubc] C:\WINDOWS\system32\ilsbiy\bqcoubc.exe
O4 - HKLM\..\Run: [gbfws] C:\WINDOWS\system32\kmkeu\gbfws.exe
O4 - HKLM\..\Run: [ybvfai] C:\WINDOWS\system32\jgcf\ybvfai.exe
O4 - HKLM\..\Run: [bikndou] C:\WINDOWS\system32\vjyy\bikndou.exe
O4 - HKLM\..\Run: [kuahlsni] C:\WINDOWS\system32\ckplk\kuahlsni.exe
O4 - HKLM\..\Run: [feeqtmbw] C:\WINDOWS\system32\suarh\feeqtmbw.exe
O4 - HKLM\..\Run: [fhetyaxt] C:\WINDOWS\system32\qctaclf\fhetyaxt.exe
O4 - HKLM\..\Run: [cuqi] C:\WINDOWS\system32\jvoit\cuqi.exe
O4 - HKLM\..\Run: [oghgna] c:\windows\system32\fzojel.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZBqFRQenh] ntvscr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Evan (Crash 9789) and welcome to Geeks to Go

As an introduction, please note that I am not Superman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am fallible also. I am not paid to do this; I am a volunteer, giving my time freely.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You certainly have got a lot of malware on your PC, letís just hope it isnít obstinate in our attempts to remove it.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Firstly could you please disable Norton Autoprotect from running during the fix, it may just hinder our attempts to change anything.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CWShredder (the download icon is on the right-hand side of the page)
CCleaner
Ewido Security Suite
Hoster
Nail Fix

Please open the trial version of Ewido Security Suite, and update the definitions to the newest files. Do NOT run a scan yet.

Please install Nailfix, unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly, this is normal.

Install Ewido Security Suite (it is a 14-day trial version of the programme).
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will prompt you to update click the OK button
  • The programme will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ymbip] C:\WINDOWS\system32\qxpooqko\ymbip.exe
O4 - HKLM\..\Run: [hhbukh] C:\WINDOWS\system32\hiba\hhbukh.exe
O4 - HKLM\..\Run: [myxsx] C:\WINDOWS\system32\enba\myxsx.exe
O4 - HKLM\..\Run: [buqgacy] C:\WINDOWS\system32\ijfij\buqgacy.exe
O4 - HKLM\..\Run: [jersfcw] C:\WINDOWS\system32\joprdv\jersfcw.exe
O4 - HKLM\..\Run: [ikuhp] C:\WINDOWS\system32\crawmpqj\ikuhp.exe
O4 - HKLM\..\Run: [futd] C:\WINDOWS\system32\rjlpqgwe\futd.exe
O4 - HKLM\..\Run: [doulew] C:\WINDOWS\system32\wnpjrk\doulew.exe
O4 - HKLM\..\Run: [erme] C:\WINDOWS\system32\nysp\erme.exe
O4 - HKLM\..\Run: [gkbh] C:\WINDOWS\system32\swgfxri\gkbh.exe
O4 - HKLM\..\Run: [khqw] C:\WINDOWS\system32\flqa\khqw.exe
O4 - HKLM\..\Run: [jbrdy] C:\WINDOWS\system32\njlyipxa\jbrdy.exe
O4 - HKLM\..\Run: [tqaq] C:\WINDOWS\system32\xtbhlg\tqaq.exe
O4 - HKLM\..\Run: [bguxm] C:\WINDOWS\system32\cwfc\bguxm.exe
O4 - HKLM\..\Run: [silo] C:\WINDOWS\system32\gfqk\silo.exe
O4 - HKLM\..\Run: [urwki] C:\WINDOWS\system32\fjnru\urwki.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteidk32.exe
O4 - HKLM\..\Run: [smvpg] C:\WINDOWS\system32\tunb\smvpg.exe
O4 - HKLM\..\Run: [cxqkhow] C:\WINDOWS\system32\rvqdq\cxqkhow.exe
O4 - HKLM\..\Run: [vdeiq] C:\WINDOWS\system32\sfauyj\vdeiq.exe
O4 - HKLM\..\Run: [uxpusbs] C:\WINDOWS\system32\tfihha\uxpusbs.exe
O4 - HKLM\..\Run: [xagx] C:\WINDOWS\system32\nubdaa\xagx.exe
O4 - HKLM\..\Run: [bgyhnl] C:\WINDOWS\system32\hmuijbbw\bgyhnl.exe
O4 - HKLM\..\Run: [aqcenpfk] C:\WINDOWS\system32\yklfjv\aqcenpfk.exe
O4 - HKLM\..\Run: [idsi] C:\WINDOWS\system32\kogk\idsi.exe
O4 - HKLM\..\Run: [adlixyl] C:\WINDOWS\system32\nueqkput\adlixyl.exe
O4 - HKLM\..\Run: [mytjnkk] C:\WINDOWS\system32\jnfi\mytjnkk.exe
O4 - HKLM\..\Run: [cvblnwuo] C:\WINDOWS\system32\svuos\cvblnwuo.exe
O4 - HKLM\..\Run: [jauxacso] C:\WINDOWS\system32\knxdlwc\jauxacso.exe
O4 - HKLM\..\Run: [objfcag] C:\WINDOWS\system32\veohqa\objfcag.exe
O4 - HKLM\..\Run: [baevoe] C:\WINDOWS\system32\vvppayy\baevoe.exe
O4 - HKLM\..\Run: [kpalfb] C:\WINDOWS\system32\tina\kpalfb.exe
O4 - HKLM\..\Run: [vkkgm] C:\WINDOWS\system32\xymwww\vkkgm.exe
O4 - HKLM\..\Run: [tobvf] C:\WINDOWS\system32\bgyvssql\tobvf.exe
O4 - HKLM\..\Run: [wxfdhl] C:\WINDOWS\system32\ijcdkmf\wxfdhl.exe
O4 - HKLM\..\Run: [wyohdeoy] C:\WINDOWS\system32\nfimue\wyohdeoy.exe
O4 - HKLM\..\Run: [cqiqv] C:\WINDOWS\system32\lwtfats\cqiqv.exe
O4 - HKLM\..\Run: [bmqecm] C:\WINDOWS\system32\uqyixqk\bmqecm.exe
O4 - HKLM\..\Run: [ohkgcfbi] C:\WINDOWS\system32\qdcoo\ohkgcfbi.exe
O4 - HKLM\..\Run: [wrys] C:\WINDOWS\system32\bnwwwv\wrys.exe
O4 - HKLM\..\Run: [qmdqhd] C:\WINDOWS\system32\hmmcuno\qmdqhd.exe
O4 - HKLM\..\Run: [yfhd] C:\WINDOWS\system32\gndw\yfhd.exe
O4 - HKLM\..\Run: [mhyw] C:\WINDOWS\system32\vnuaoni\mhyw.exe
O4 - HKLM\..\Run: [gydnw] C:\WINDOWS\system32\efuaooi\gydnw.exe
O4 - HKLM\..\Run: [bqcoubc] C:\WINDOWS\system32\ilsbiy\bqcoubc.exe
O4 - HKLM\..\Run: [gbfws] C:\WINDOWS\system32\kmkeu\gbfws.exe
O4 - HKLM\..\Run: [ybvfai] C:\WINDOWS\system32\jgcf\ybvfai.exe
O4 - HKLM\..\Run: [bikndou] C:\WINDOWS\system32\vjyy\bikndou.exe
O4 - HKLM\..\Run: [kuahlsni] C:\WINDOWS\system32\ckplk\kuahlsni.exe
O4 - HKLM\..\Run: [feeqtmbw] C:\WINDOWS\system32\suarh\feeqtmbw.exe
O4 - HKLM\..\Run: [fhetyaxt] C:\WINDOWS\system32\qctaclf\fhetyaxt.exe
O4 - HKLM\..\Run: [cuqi] C:\WINDOWS\system32\jvoit\cuqi.exe
O4 - HKLM\..\Run: [oghgna] c:\windows\system32\fzojel.exe
O4 - HKCU\..\Run: [ZBqFRQenh] ntvscr.exe

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\WINDOWS\system32\efuaooi\
C:\WINDOWS\system32\joprdv\
C:\WINDOWS\system32\nysp\
C:\WINDOWS\system32\swgfxri\
C:\WINDOWS\system32\ckplk\
C:\WINDOWS\system32\flqa\
C:\WINDOWS\system32\qctaclf\
C:\WINDOWS\system32\xtbhlg\
C:\WINDOWS\system32\cwfc\
C:\WINDOWS\system32\gfqk\
C:\WINDOWS\system32\fjnru\
C:\WINDOWS\system32\tunb\
C:\WINDOWS\system32\rvqdq\
C:\WINDOWS\system32\sfauyj\
C:\WINDOWS\system32\tfihha\
C:\WINDOWS\system32\nubdaa\
C:\WINDOWS\system32\hmuijbbw\
C:\WINDOWS\system32\yklfjv\
C:\WINDOWS\system32\kogk\
C:\WINDOWS\system32\nueqkput\
C:\WINDOWS\system32\jnfi\
C:\WINDOWS\system32\svuos\
C:\WINDOWS\system32\knxdlwc\
C:\WINDOWS\system32\veohqa\
C:\WINDOWS\system32\vvppayy\
C:\WINDOWS\system32\tina\
C:\WINDOWS\system32\xymwww\
C:\WINDOWS\system32\bgyvssql\
C:\WINDOWS\system32\ijcdkmf\
C:\WINDOWS\system32\nfimue\
C:\WINDOWS\system32\lwtfats\
C:\WINDOWS\system32\uqyixqk\
C:\WINDOWS\system32\bnwwwv\
C:\WINDOWS\system32\hmmcuno\
C:\WINDOWS\system32\gndw\
C:\WINDOWS\system32\vnuaoni\
C:\WINDOWS\system32\ilsbiy\
C:\WINDOWS\system32\kmkeu\
C:\WINDOWS\system32\jgcf\
C:\WINDOWS\system32\vjyy\
C:\WINDOWS\system32\suarh\
C:\WINDOWS\system32\jvoit\
C:\WINDOWS\system32\qxpooqko\
C:\WINDOWS\system32\hiba\
C:\WINDOWS\system32\enba\
C:\WINDOWS\system32\ijfij\
C:\WINDOWS\system32\crawmpqj\
C:\WINDOWS\system32\rjlpqgwe\
C:\WINDOWS\system32\wnpjrk\
C:\WINDOWS\system32\njlyipxa\
C:\WINDOWS\system32\qdcoo\

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\Nail.exe
C:\windows\system32\eliteidk32.exe
c:\windows\system32\fzojel.exe
C:\WINDOWS\system32\ntvscr.exe

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

and I will take another look.

Please ensure you post all of the 3 logs requested
  • 0

#3
Crash9789

Crash9789

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Sorry about the slow response time. This is actually on my friend's computer and I was not able to work on it until now due to finals.

The ewido security suite errored before it finished the first time, so I was not able to get a log even though it did fix some files. I ran it again and that is the log I will give you.

I haven't gotten any popups yet, so I think it all worked. The only thing that I noticed was that when I reboot the computer I get an error that it can not find "nail.exe".

Here are the logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 2:16:08 AM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Spyware Removers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZBqFRQenh] ntvscr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:29:35 AM, 5/30/2005
+ Report-Checksum: D59ECF67

+ Date of database: 5/30/2005
+ Version of scan engine: v3.0

+ Duration: 71 min
+ Scanned Files: 123379
+ Speed: 28.89 Files/Second
+ Infected files: 28
+ Removed files: 28
+ Files put in quarantine: 28
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\qctaclf\fhetyaxt.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\qdcoo\ohkgcfbi.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\qvvpd.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\qxpooqko\ymbip.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\rcbhm.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\rjlpqgwe\futd.exe -> TrojanDownloader.Agent.mw -> Cleaned with backup
C:\WINDOWS\system32\rvqdq\cxqkhow.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\sfauyj\vdeiq.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\suarh\feeqtmbw.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\svuos\cvblnwuo.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\swgfxri\gkbh.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\swppcb.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\tfihha\uxpusbs.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\tina\kpalfb.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\tunb\smvpg.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\uqyixqk\bmqecm.exe -> TrojanDownloader.Agent.mw -> Cleaned with backup
C:\WINDOWS\system32\veohqa\objfcag.exe -> TrojanDownloader.Agent.mw -> Cleaned with backup
C:\WINDOWS\system32\vjyy\bikndou.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\vnuaoni\mhyw.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\vvppayy\baevoe.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\wnpjrk\doulew.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\wycw.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\xtbhlg\tqaq.exe -> TrojanDownloader.Agent.lg -> Cleaned with backup
C:\WINDOWS\system32\xymwww\vkkgm.exe -> TrojanDownloader.Agent.nw -> Cleaned with backup
C:\WINDOWS\system32\yklfjv\aqcenpfk.exe -> TrojanDownloader.Agent.mw -> Cleaned with backup
C:\WINDOWS\tsxturlmmda.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\urygqmlh.exe -> Spyware.BookedSpace.e -> Cleaned with backup


::Report End




Ad-Aware SE Personal
Adobe Acrobat 4.0
AIM Toolbar
American Idol - Carrie Screen Saver
American Idol Carrie Screen Saver
AOL Instant Messenger
ArcSoft PhotoImpression 3.0
Ares 1.8.1
BellSouth FastAccess DSL Help Center
CC_ccProxyExt
ccCommon
CCleaner (remove only)
ccPxyCore
Chicken Invaders 2 demo v2.60
Conexant HSF V92 56K Data Fax PCI Modem
Dell ResourceCD
Deskanker 1.5
Easy CD Creator 5 Basic
EPSON Copy Utility
EPSON Online Reference Guide
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN FB
ewido security suite
Google Toolbar for Internet Explorer
HijackThis 1.99.1
idolonfox Screen Saver
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 1
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office Small Business Edition 2003
Microsoft Picture It! Photo 2002
Mozilla Firefox (1.0.3)
MSN Music Assistant
MSRedist
Napoleon Dynamite Screen Saver
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
PhoneTools
PowerDVD
QuickTime
RealPlayer
Shareaza version 2.1.0.0
Shockwave Player
SideWinder Precision 2
SPBBC
Spybot - Search & Destroy 1.3
SpywareBlaster v3.3
Symantec Script Blocking Installer
SymNet
The ABI Network- A Division of Direct Revenue
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
XviD MPEG-4 Video Codec
Yahoo! Install Manager
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

Most of the infections have gone but Aurora still remains in part. Letís hit it again slightly differently and see if that does it.

To start please download the following programme, we will run it later. Please save it to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Please install Nailfix, unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly, this is normal.

Install Ewido Security Suite (it is a 14-day trial version of the programme).
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will prompt you to update click the OK button
  • The programme will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Now please open CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [ZBqFRQenh] ntvscr.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

InterActual Player
Viewpoint Media Player

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Nail.exe
ntvscr.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.




"Edit,
As there has been no reply from the original poster this topic is now closed,
Should you have any further problems please create a new Topic,

Thanks "

Edited by Crustyoldbloke, 09 June 2005 - 04:08 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP