[Excal]

Please download the Killbox.
Unzip it to the desktop


Please run Killbox.

• Select "Delete on Reboot".
• Copy the file names below to the clipboard by highlighting them and pressing Control-C:
  
  C:\WINDOWS\System32\winmon.sys
  C:\WINDOWS\Downloaded Program Files\RdxIE.dll
  
  
• Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
• Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
  
  If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..
  
• Let the system reboot.

After reboot

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• click on "delete an NT service"
• Copy and paste this in the box: AIM
• Click "ok", then reboot

DO that with these services also:


RpcClient
mousehs
Winkgk
Microsoft Locator Service


Let me know if its any better. If not please give me a detail description of whats going on with your system


Thanks,



Excal

Edited by Excal, 03 August 2005 - 09:00 AM.

[Advertisements]

I'm not sure I did the Killbox thing correctly... I downloaded it with no problem, but it would not let me paste into the field. I ended up right-clicking and hitting paste, and it worked, but I could only see the first line, so I wasn't sure if the second line was getting pasted. I hit delete and said yes, but then when it asked me if I wanted to reboot, I said no and pasted the second line only in there...then I said yes to reboot. At that point, I got a dialog box that said something about Pending Operations, but there was no yes or no option...only OK, so I clicked it. The PC did not reboot, so I did it manually. I went into Explorer to check if those files were there, and they were not. Please let me know if I should try this again.

On a better note, I did the "delete an NT service" in HJT just like you said. That went perfectly.

After that, I opened and closed various files on my hard drive and then logged on to the internet using both Netscape and IE. The PC did not seem to have any real problems. It seemed just a bit slower than it used to, but did not freeze up at all. I did that for about 45 minutes without any problem. I still have to log on to the internet manually (it will not bring up the dialup screen) on both browsers, and when I exit the browsers I still have to manually disconnect (I no longer get a prompt). During the last few weeks, when I have tried to manually disconnect (and sometimes just when I am surfing the web), the PC will usually not respond. After waiting 10 minutes or so, I simply have to hit the power switch and turn it off. The PC did NOT do this last night after I completed your latest step -- I surfed for 45 minutes, closed the browser, and hit disconnect, and it did right away. I ran Spybot and AdAware after all of this and they returned a handful of tracking cookies and one adware program. They both were able to clean everything. Lastly, when I shut the PC down it said it had to close "ShellIconWindow". I can't remember what program you said this was from, but I don't think I used that program last night.

Thanks - I think we're getting close!
Dimmae

[Dimmae]

I'm not sure I did the Killbox thing correctly... I downloaded it with no problem, but it would not let me paste into the field. I ended up right-clicking and hitting paste, and it worked, but I could only see the first line, so I wasn't sure if the second line was getting pasted. I hit delete and said yes, but then when it asked me if I wanted to reboot, I said no and pasted the second line only in there...then I said yes to reboot. At that point, I got a dialog box that said something about Pending Operations, but there was no yes or no option...only OK, so I clicked it. The PC did not reboot, so I did it manually. I went into Explorer to check if those files were there, and they were not. Please let me know if I should try this again.

On a better note, I did the "delete an NT service" in HJT just like you said. That went perfectly.

After that, I opened and closed various files on my hard drive and then logged on to the internet using both Netscape and IE. The PC did not seem to have any real problems. It seemed just a bit slower than it used to, but did not freeze up at all. I did that for about 45 minutes without any problem. I still have to log on to the internet manually (it will not bring up the dialup screen) on both browsers, and when I exit the browsers I still have to manually disconnect (I no longer get a prompt). During the last few weeks, when I have tried to manually disconnect (and sometimes just when I am surfing the web), the PC will usually not respond. After waiting 10 minutes or so, I simply have to hit the power switch and turn it off. The PC did NOT do this last night after I completed your latest step -- I surfed for 45 minutes, closed the browser, and hit disconnect, and it did right away. I ran Spybot and AdAware after all of this and they returned a handful of tracking cookies and one adware program. They both were able to clean everything. Lastly, when I shut the PC down it said it had to close "ShellIconWindow". I can't remember what program you said this was from, but I don't think I used that program last night.

Thanks - I think we're getting close!
Dimmae

[Excal]

I am glad its getting better, but we are running out of options on what to check...lol


Can I please see another HiJackthis log.


Thanks,



Excal

[Dimmae]

Still seems to be ok, Excal. The browsers still act funny -- this page not available, then try it again and it works fine... Here is the HJT log -- I plan to run the adware programs again tonite also:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:19 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\desktop\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MusicMatch\MusicMatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsuppor...MPChWrapper.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.subs...ve/makeover.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117517844765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon....3.1/ttinst.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

Thanks,
Dimmae

[Excal]

Ok this is what I need you to do.


Update to Sp2 thru windows Update.
Windows XP Service Pack 2. Click Here


Changed Browser to firefox and use that and see if problems still exisist.
Firefox


Excal

[Dimmae]

Things went south today, Excal. I've spent about 12 hours on this thing this weekend...I had to use IE to download Windows updates (or so it said...it would NOT do it in Netscape). I tried to download SP2, but the PC just kept hanging up and dying. It said your hotlink was not a valid site, but I finally manually got to Windows Update by going through the windows.com site and navigating. Finally, it allowed me to do a quick update and downloaded three pieces of software, but SP2 wasn't even on the list. I have not been able to find any menu that will let me select SP2 --- but when I look in Add/Remove Programs, I see lots of Hotfix files with SP2 on them -- do you think I have SP2 already? Then I ran Spybot and AdAware...and they found like 230 items...Spybot found Advertising.com, Avenue A, DoubleClick, EffectiveBandToolbar, ValueClick, FastClick, etc. Adaware found 180Solutiions, BargainBuddy, ClearSearch, DyFuCa, Possible Browser Hijack attempt, SahAgent, Windows, WinUpdate, VX2, etc. It has gotten worse and worse through the day - even with Netscape. I ran Spybot and Adaware about 5 times each today and tried to keep saving the logs, so I do have several of them. The PC said it encountered errors and it was doing a "System Shutdown" several times. The browsers encountered fatal errors and shut down over and over again. I've seen messages that "nail.exe is not a valid application" and also several dialog boxes about something called "sock.exe". The errors occurred mostly when I was in IE, but also in Netscape and also when I was not on the Web at all. No matter what I do, these spyware programs keep coming back --- it's mostly the same programs over and over, but again, Spybot is supposed to be immunizing against them, but they get in undetected time and time again... I think the IE thing allowed it to go hookup to a site and rebuild itself again this weekend, because it's as bad as it was in the beginning again... I also tried to download Firefox using Netscape, but it's just way too slow. I waited over a half an hour and it just sat there, but it says there is data going in and out... For what it's worth, Excal - here is my HJT log from about 20 minutes ago.

Logfile of HijackThis v1.99.1
Scan saved at 9:52:27 PM, on 8/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\windows\sp2update.exe
C:\WINDOWS\System32\qng84ho8.exe
C:\WINDOWS\System32\winssh.exe
C:\windows\system\xpsp2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\desktop\ewido\security suite\ewidoctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
c:\windows\system32\meeyakv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\BVR\aurareco.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MusicMatch\MusicMatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKLM\..\Run: [qng84ho8] C:\WINDOWS\System32\qng84ho8.exe
O4 - HKLM\..\Run: [Network Access] winssh.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\system\xpsp2.exe
O4 - HKLM\..\Run: [iecqde] c:\windows\system32\meeyakv.exe r
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lavasoft.de
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsuppor...MPChWrapper.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.subs...ve/makeover.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123443159578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123438002984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon....3.1/ttinst.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D914E769-35D4-4FE0-BE77-36EEFB10E0C5}: NameServer = 198.6.100.140 198.6.1.140
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

I have another two days and then I will be out of town for 10 days...hopefully you will stay with me and beat this thing. It will probably give me a chance to cool down for a few days anyway. Let me know what you think.

Thanks SO much,
Dimmae

[Excal]

O boy, you are indeed reinfected. Thats OK, hang in there. I have a few more ideas.

If you already have any of the programs I ask you to download, just make sure they are updated if applicable.


DOWNLOAD PROGRAMS

Please download ewido security suite it is a trial version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates Do NOT run a scan yet. (if you already have, please just update)

Please download Nailfix from Here
please do NOT run it yet.

rdrivRem.zip

• Unzip it to your desktop.

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for AOL Instant Messanger (AIM) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

6. Once in Safe Mode, please double-click on
Nailfix.exe on your desktop. Click next, then finished. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

7. Now open and run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
• When the scan is finished, look at the bottom of the screen and click the Save report button.
• Save the report to your desktop

Close Ewido

8. Close all browsers, windows and unneeded programs.

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKLM\..\Run: [qng84ho8] C:\WINDOWS\System32\qng84ho8.exe
O4 - HKLM\..\Run: [Network Access] winssh.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\system\xpsp2.exe
O4 - HKLM\..\Run: [iecqde] c:\windows\system32\meeyakv.exe r
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe

11. click the Fix Checked box

12. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\msresearch.exe
C:\windows\sp2update.exe
C:\WINDOWS\System32\qng84ho8.exe
C:\windows\system\xpsp2.exe
C:\WINDOWS\aim.exe
Use Start>search to find this one:
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
winssh.exe

13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Delete Bad Service:

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• click on "delete an NT service"
• Copy and paste this in the box: AIM
• Click "ok", then reboot

16. Please post an Active scan log , rdriv.txt log from the rdrivRem folder Ewido Scan log and a fresh HiJackThis log. Let me know how your computer is running.

[Dimmae]

Hi, Excal. Just returned from out of town...I will finish those last instructions that you gave me and reply back to you as soon as I can.

Thanks,
Dimmae

[Excal]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.