
Abi, aurora, microsoft explorer



#1
maryb63
Member
Please help, my computer has been taken over by the abi network, aurora pop ups and the Microsoft Explorer pop ups. I ran a scan in HijackThis. I tried to download ewido, it just pops on my screen for a split second and disappears. I ran a cleanup, it said I had 200+ errors, I didn't know if I should subscribe to clean it up. I downloaded spybot, tried to go to updates, but I kept getting an error saying I timed out. I tried to look up the error and it started talking about proxy settings... I have no idea what they were talking about, I am a bit technically challenged! Here is my HijackThis log

Edited by maryb63, 12 June 2005 - 03:57 PM.



#2
don77
Malware Expert
Hi and welcome
Need you to do a few things here please. You have quite a few issues here.

First download this LSPFix, unzip it to your Desktop. Don't do anything with it.


Go to Add/Remove programs and remove the following please (if found)

New.Net
WinTools
NaviSearch
BullsEye Network
Internet Optimizer
WeirdOnTheWeb
Toolbar
updmgr
GMT
CMEII
EliteToolBar
SurfSideKick




If you cannot connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

Next

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt
Move HJT into this new folder please,

Post back a fresh log when done please

#3
maryb63
Member
Don77

Thank you for helping me out. I did remove all items but updmgr, GMT, & CMEII. I could not find them. I also saw the ABI network on the program, I tried to remove it, but it said I must go to pctuneup.com. I wasn't quite sure if I should do that. I really appreciate your help. Here is my new log, from HijackThis


#4
don77
Malware Expert

I tried to remove it, but it said I must go to pctuneup.com. I wasn't quite sure if I should do that.

We prefer you didn't

We can get you cleaned up here,

You should probably print out or copy the following instructions to notepad so you have access to them,



Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:



Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0
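HijackThis log lines have a fixed `code - detail` shape, so a log can be pre-sorted by section before a person reviews it. The Python sketch below is an added example, not part of the original posts or of HijackThis; the sample log, its names and paths, and the review heuristics are constructed for illustration.

```python
import re
from collections import defaultdict

# HijackThis section codes and what each one covers.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "F2": "shell override in system.ini/registry",
    "O2": "browser helper object", "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)",
    "O9": "IE extra button or menu item", "O15": "Trusted Zone site",
    "O16": "downloaded ActiveX control", "O18": "protocol handler",
    "O20": "Winlogon Notify module", "O23": "NT service",
}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
SHELL_RE = re.compile(r"Shell=Explorer\.exe\s+\S", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample log: every name, CLSID and path is a placeholder.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\example1.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\PROGRA~1\Example\example.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\web\example.htm (file missing)
O20 - Winlogon Notify: example - C:\DOCUME~1\USER\LOCALS~1\Temp\example.dat
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\WINDOWS\exsvc.exe
"""


def parse(log_text):
    """Return (code, detail) for each entry line; headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(1) in SECTIONS:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_notes(code, detail):
    """Illustrative heuristics for entries that deserve a closer look."""
    notes = []
    if code == "F2" and SHELL_RE.search(detail):
        notes.append("extra program appended to Shell=")
    if TEMP_RE.search(detail):
        notes.append("module loaded from a Temp directory")
    if "(file missing)" in detail:
        notes.append("orphaned entry, target file is gone")
    if code == "O23" and "Unknown owner" in detail:
        notes.append("service binary has no publisher info")
    if code in ("O2", "R3") and "(no name)" in detail:
        notes.append("unnamed browser component")
    return notes


def triage(log_text):
    """Group entries that have at least one note by section code."""
    report = defaultdict(list)
    for code, detail in parse(log_text):
        notes = review_notes(code, detail)
        if notes:
            report[code].append((detail, notes))
    return dict(report)
```

A note from this script only marks an entry for manual review; deciding whether to fix it still needs someone who recognises the software involved.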

#5
maryb63
Member
Don77

I can't download the ewido, or the noidea, I just get the hour glass, and then tons of pop ups. I tried several times. I did download ewido yesterday, but it went to my desktop and when I try to call it, something comes up for a split second then disappears. What else should I try?

#6
don77
Malware Expert
Continue on with the instructions minus the Ewido scan,
Post back a fresh HJT log when done please
Try the link below

http://www.noidea.us...050515010747824

#7
maryb63
Member
Don77

I'm not quite sure I did anything with nailfix. I wasn't sure if I unzipped to the desktop properly, I tried several times, I was just getting files and when I double clicked nothing really happened. But I did check most of the items on my HijackThis and fixed and ran a new scan.

Edited by maryb63, 14 June 2005 - 04:06 PM.


#8
don77
Malware Expert
Let's try and see if we can get this cleaned up a bit more using some programs,

http://www.kaspersky...oduct=161744315

Run the above online scan and have it remove what it finds,


Next
Please download CCleaner and install.

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".






Next

Download Ad-Aware SE
Check Here on how to set up and use it - please make sure you update it first.

Run Ad-aware and have it fix all it finds,

Reboot your computer, Restart HJT and post back a fresh log please

#9
maryb63
Member
Don77

I went to Kaspersky.com beta site, I ran a scan, came up with a lot of viruses (over 50), but I did not see an area where I could remove what it found. It just was saved to text. Was I supposed to go to a different area on Kaspersky?

Maryb63

#10
don77
Malware Expert
Could you post a fresh HJT log please


#11
maryb63
Member
Don77

Here is a fresh HJT log.

Thanks
Maryb63

Attached Files

  • Attached File  hjt7.txt   11.5KB   127 downloads


#12
don77
Malware Expert
Hi Mary, this is proving to be a tough one!!
This will take some work, but we can get it sorted for you. Something is blocking us from making the necessary repairs. Let's do a couple things here,

First
Download the following tool please
http://securityrespo...er/FixVundo.exe
Save it somewhere accessible like your desktop,

Double-click the FixVundo.exe file to start the removal tool

Click Start to begin the process, and then allow the tool to run

Restart the computer.

Run the removal tool again to ensure that the system is clean.


Next
In my sig is a link for CWShredder,
Please download and install it
Check for updates, Be sure and click on the "Fix" button and let it run please,

After you have run those please see if you can get Ewido to run please,
Please run it in safe mode,
If it allows you to, Please post back a log from it and a fresh HJT log please

#13
maryb63
Member
Don77

I did the shredder, I was able to run ewido, I had a lot of trojans, but I was not able to save a log. I ran it twice, it just stops running and goes back to my desktop when it is about 85% done. I keep getting Ewido Infected File Found on my screen with several spyware infections. I did a new hijack this log.

Mary

Attached Files

  • Attached File  hjt9.txt   10.47KB   137 downloads


#14
don77
Malware Expert
OK Mary, now we're making some headway!

Let's give this another shot,


Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:


Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#15
maryb63
Member
Don

I went to the nailfix download, but it said no file found. So I went to the download area and downloaded nailfix, but when I double clicked it on my desktop it said corrupted file, and that was it. I am not quite sure what unzip to desktop means. But I did have a nail fix download from last time. I double clicked to folder and extracted the files to it (I did this in safe mode), but when I double clicked the icons did not disappear, I just went to the folder and then a message said something about running this in safe mode and windows and losing some work and not working properly. So I thought I would ask you what I am doing wrong before I continued. Sorry, I really need to learn more about my computer!

MaryB63