Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

System infected [CLOSED]

Started by Flamethrower , Aug 30 2005 07:24 AM

  • This topic is locked This topic is locked

#1
Flamethrower
Posted 30 August 2005 - 07:24 AM

Flamethrower

    New Member

  • Member
  • Pip
  • 5 posts
Sorry, I posted this in the wrong location earlier

I have a home system that is used by my wife and teenage boys. While I do the typical spy-bot and ad-aware scans when they tell me its running too slow, It is now at the point where using it in anything but Safe mode is imposibly slow. I do know that I see aurora popups, in addition most user log-ins end within 15 mins with the blue screen of death. Any help would be truly appreciated. The Hijackthis logfile is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 7:39:23 AM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Judy.POST-GMX297UL8F\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.sho...d=11440340&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...d=11440340&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F7BC2A26-E8E2-EA6B-BE8A-E49B12A83A99} - C:\WINDOWS\System32\plsbjz.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [epowa] C:\WINDOWS\System32\ghtims\epowa.exe
O4 - HKLM\..\Run: [hwdaa] C:\WINDOWS\System32\iuvuho\hwdaa.exe
O4 - HKLM\..\Run: [bsyrvana] C:\WINDOWS\System32\isbvivp\bsyrvana.exe
O4 - HKLM\..\Run: [jkwfimsk] C:\WINDOWS\System32\bpkcw\jkwfimsk.exe
O4 - HKLM\..\Run: [xnladqcx] C:\WINDOWS\System32\dwcj\xnladqcx.exe
O4 - HKLM\..\Run: [eqsad] C:\WINDOWS\System32\mqocpm\eqsad.exe
O4 - HKLM\..\Run: [lqoy] C:\WINDOWS\System32\mtvnbeqo\lqoy.exe
O4 - HKLM\..\Run: [tqpltl] C:\WINDOWS\System32\eicyvx\tqpltl.exe
O4 - HKLM\..\Run: [olxhjo] C:\WINDOWS\System32\eywso\olxhjo.exe
O4 - HKLM\..\Run: [wkyvdkhk] C:\WINDOWS\System32\isgov\wkyvdkhk.exe
O4 - HKLM\..\Run: [wqcjxv] C:\WINDOWS\System32\uipydq\wqcjxv.exe
O4 - HKLM\..\Run: [kyajwv] C:\WINDOWS\System32\oefbh\kyajwv.exe
O4 - HKLM\..\Run: [vxpkd] C:\WINDOWS\System32\fxopnrs\vxpkd.exe
O4 - HKLM\..\Run: [uaeuqgi] C:\WINDOWS\System32\gcehiilc\uaeuqgi.exe
O4 - HKLM\..\Run: [bmipjjn] C:\WINDOWS\System32\tbcmeq\bmipjjn.exe
O4 - HKLM\..\Run: [xumhcx] C:\WINDOWS\System32\dlauf\xumhcx.exe
O4 - HKLM\..\Run: [cpkjy] C:\WINDOWS\System32\pqttg\cpkjy.exe
O4 - HKLM\..\Run: [C:\WINDOWS\ozwbgfy.exe] C:\WINDOWS\ozwbgfy.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [tvsfevj] C:\WINDOWS\System32\fvaeckoh\tvsfevj.exe
O4 - HKLM\..\Run: [eitho] C:\WINDOWS\System32\qlrrlof\eitho.exe
O4 - HKLM\..\Run: [jilmfnj] C:\WINDOWS\System32\iurdgve\jilmfnj.exe
O4 - HKLM\..\Run: [yxqvjshy] C:\WINDOWS\System32\cimiwplg\yxqvjshy.exe
O4 - HKLM\..\Run: [pphbn] C:\WINDOWS\System32\dmkjca\pphbn.exe
O4 - HKLM\..\Run: [qlxj] C:\WINDOWS\System32\xutiwcl\qlxj.exe
O4 - HKLM\..\Run: [ggqwqii] C:\WINDOWS\System32\eoyuf\ggqwqii.exe
O4 - HKLM\..\Run: [pwdadbvi] C:\WINDOWS\System32\abixfjr\pwdadbvi.exe
O4 - HKLM\..\Run: [vnrwx] C:\WINDOWS\System32\stin\vnrwx.exe
O4 - HKLM\..\Run: [buisgjh] C:\WINDOWS\System32\emhdx\buisgjh.exe
O4 - HKLM\..\Run: [ibahaa] C:\WINDOWS\System32\mycatpua\ibahaa.exe
O4 - HKLM\..\Run: [jrxwp] C:\WINDOWS\System32\koagn\jrxwp.exe
O4 - HKLM\..\Run: [xtlqjv] C:\WINDOWS\System32\uytj\xtlqjv.exe
O4 - HKLM\..\Run: [bpar] C:\WINDOWS\System32\lstr\bpar.exe
O4 - HKLM\..\Run: [ulcw] C:\WINDOWS\System32\xxgevdi\ulcw.exe
O4 - HKLM\..\Run: [wkgfg] C:\WINDOWS\System32\uecbqio\wkgfg.exe
O4 - HKLM\..\Run: [buyvtbf] C:\WINDOWS\System32\sfgxgcl\buyvtbf.exe
O4 - HKLM\..\Run: [ulctny] C:\WINDOWS\System32\ftvjjyxg\ulctny.exe
O4 - HKLM\..\Run: [sqfrq] C:\WINDOWS\System32\isgf\sqfrq.exe
O4 - HKLM\..\Run: [lsxeeg] C:\WINDOWS\System32\lrbsgii\lsxeeg.exe
O4 - HKLM\..\Run: [xyihauyb] C:\WINDOWS\System32\rjkex\xyihauyb.exe
O4 - HKLM\..\Run: [cfit] C:\WINDOWS\System32\ehcotefs\cfit.exe
O4 - HKLM\..\Run: [xornaymt] C:\WINDOWS\System32\unchswb\xornaymt.exe
O4 - HKLM\..\Run: [kybyaenj] C:\WINDOWS\System32\ayqpnv\kybyaenj.exe
O4 - HKLM\..\Run: [bvqaiwat] C:\WINDOWS\System32\asxna\bvqaiwat.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [cbvehiid] C:\WINDOWS\System32\swxgcts\cbvehiid.exe
O4 - HKLM\..\Run: [yqglp] C:\WINDOWS\System32\hqfgsf\yqglp.exe
O4 - HKLM\..\Run: [fidufydp] C:\WINDOWS\System32\jeur\fidufydp.exe
O4 - HKLM\..\Run: [lvtsff] C:\WINDOWS\System32\qpbhukp\lvtsff.exe
O4 - HKLM\..\Run: [xdfuedoo] C:\WINDOWS\System32\yhunfifm\xdfuedoo.exe
O4 - HKLM\..\Run: [tmkvldar] C:\WINDOWS\System32\xuhbsnp\tmkvldar.exe
O4 - HKLM\..\Run: [jgca] C:\WINDOWS\System32\mnmc\jgca.exe
O4 - HKLM\..\Run: [ywkpq] C:\WINDOWS\System32\hfxko\ywkpq.exe
O4 - HKLM\..\Run: [hcfarc] C:\WINDOWS\System32\bxgsl\hcfarc.exe
O4 - HKLM\..\Run: [irxqecoj] C:\WINDOWS\System32\iqfgrdpg\irxqecoj.exe
O4 - HKLM\..\Run: [gtarhx] C:\WINDOWS\System32\otikfkpc\gtarhx.exe
O4 - HKLM\..\Run: [tvll] C:\WINDOWS\System32\uqmh\tvll.exe
O4 - HKLM\..\Run: [ndhy] C:\WINDOWS\System32\egfjcnql\ndhy.exe
O4 - HKLM\..\Run: [prdj] C:\WINDOWS\System32\wskoi\prdj.exe
O4 - HKLM\..\Run: [lkrj] C:\WINDOWS\System32\otvmi\lkrj.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesla32.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\NATE~1.POS\LOCALS~1\Temp\mfel.exe
O4 - HKLM\..\Run: [ejpjx] C:\WINDOWS\system32\argaf\ejpjx.exe
O4 - HKLM\..\Run: [qkjtcro] C:\WINDOWS\system32\pwafqce\qkjtcro.exe
O4 - HKLM\..\Run: [qokvpfb] C:\WINDOWS\system32\lqepp\qokvpfb.exe
O4 - HKLM\..\Run: [ybpahhrw] C:\WINDOWS\system32\makkfqi\ybpahhrw.exe
O4 - HKLM\..\Run: [xnbme] C:\WINDOWS\system32\fddw\xnbme.exe
O4 - HKLM\..\Run: [fekhais] C:\WINDOWS\system32\sysuojij\fekhais.exe
O4 - HKLM\..\Run: [yjignxdi] C:\WINDOWS\system32\vdemwk\yjignxdi.exe
O4 - HKLM\..\Run: [dxjovs] C:\WINDOWS\system32\hyosju\dxjovs.exe
O4 - HKLM\..\Run: [lqfvjus] C:\WINDOWS\system32\rmadjfu\lqfvjus.exe
O4 - HKLM\..\Run: [xohpeet] C:\WINDOWS\system32\kiiu\xohpeet.exe
O4 - HKLM\..\Run: [fkfben] C:\WINDOWS\system32\noboqu\fkfben.exe
O4 - HKLM\..\Run: [jljcxxi] C:\WINDOWS\system32\lmfbw\jljcxxi.exe
O4 - HKLM\..\Run: [yqxcxo] C:\WINDOWS\system32\vwfxcr\yqxcxo.exe
O4 - HKLM\..\Run: [cxtjqao] C:\WINDOWS\system32\rdwdp\cxtjqao.exe
O4 - HKLM\..\Run: [ndafrfsl] C:\WINDOWS\system32\hwdmc\ndafrfsl.exe
O4 - HKLM\..\Run: [xvyr] C:\WINDOWS\system32\athd\xvyr.exe
O4 - HKLM\..\Run: [nnna] C:\WINDOWS\system32\rxsfkq\nnna.exe
O4 - HKLM\..\Run: [ehhoqj] C:\WINDOWS\system32\rwio\ehhoqj.exe
O4 - HKLM\..\Run: [nfgj] C:\WINDOWS\system32\yjjb\nfgj.exe
O4 - HKLM\..\Run: [kjwpc] C:\WINDOWS\system32\fxhlw\kjwpc.exe
O4 - HKLM\..\Run: [ndbsrabp] C:\WINDOWS\system32\nioebemk\ndbsrabp.exe
O4 - HKLM\..\Run: [rsudyx] C:\WINDOWS\system32\hdwvdw\rsudyx.exe
O4 - HKLM\..\Run: [kieistyj] C:\WINDOWS\system32\eemabluk\kieistyj.exe
O4 - HKLM\..\Run: [rfgvxuge] C:\WINDOWS\system32\cjgdhgn\rfgvxuge.exe
O4 - HKLM\..\Run: [vyoeht] C:\WINDOWS\system32\aahswa\vyoeht.exe
O4 - HKLM\..\Run: [evbn] C:\WINDOWS\system32\idhobsxx\evbn.exe
O4 - HKLM\..\Run: [wchug] C:\WINDOWS\system32\bnlnadb\wchug.exe
O4 - HKLM\..\Run: [nsmiba] C:\WINDOWS\system32\witqdby\nsmiba.exe
O4 - HKLM\..\Run: [iwwrgmpo] C:\WINDOWS\system32\eipyxk\iwwrgmpo.exe
O4 - HKLM\..\Run: [dakninn] C:\WINDOWS\system32\wdjypn\dakninn.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [sh32upt] C:\WINDOWS\sh32upt.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [baelehe] C:\WINDOWS\system32\pnmvefvj\baelehe.exe
O4 - HKLM\..\Run: [tjkfymuk] C:\WINDOWS\system32\itfiafud\tjkfymuk.exe
O4 - HKLM\..\Run: [mwcg] C:\WINDOWS\system32\gsktm\mwcg.exe
O4 - HKLM\..\Run: [ucbb] C:\WINDOWS\system32\ybhsbhg\ucbb.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [cbuad] C:\WINDOWS\system32\leijrml\cbuad.exe
O4 - HKLM\..\Run: [rgvx] C:\WINDOWS\system32\qiltbgq\rgvx.exe
O4 - HKLM\..\Run: [bhlioy] C:\WINDOWS\system32\hhah\bhlioy.exe
O4 - HKLM\..\Run: [jrqtxaxd] C:\WINDOWS\system32\ocefvg\jrqtxaxd.exe
O4 - HKLM\..\Run: [ymrwyx] C:\WINDOWS\system32\fgkonmtr\ymrwyx.exe
O4 - HKLM\..\Run: [duaypl] C:\WINDOWS\System32\tofumfve\duaypl.exe
O4 - HKLM\..\Run: [baqc] C:\WINDOWS\system32\cyxmum\baqc.exe
O4 - HKLM\..\Run: [zjguol] C:\WINDOWS\system32\hnrqid.exe r
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [wmmf] C:\PROGRA~1\COMMON~1\wmmf\wmmfm.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [Aif] C:\WINDOWS\system32\??stem\winword.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRYYYYYYYYUS
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...nnerInstall.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: akpkrapjwcrx - Unknown owner - C:\WINDOWS\system32\rapjwcrx\akpk.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: s3gnb - Unknown owner - C:\WINDOWS\system32\s3gnb.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you,
Tom Dubois
  • 0

Advertisements

#2
tampabelle
Posted 30 August 2005 - 08:32 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CleanUp
Install the program, dont run it yet, we will later.

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.
Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - s3gnb. Right click on it and then click on properties. In the Startup Type choose the option Disable. Close the window.

Similarly disable the following services -
akpkrapjwcrx
greenstdsystem32

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping press F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.sho...d=11440340&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...d=11440340&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {F7BC2A26-E8E2-EA6B-BE8A-E49B12A83A99} - C:\WINDOWS\System32\plsbjz.dll
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [epowa] C:\WINDOWS\System32\ghtims\epowa.exe
O4 - HKLM\..\Run: [hwdaa] C:\WINDOWS\System32\iuvuho\hwdaa.exe
O4 - HKLM\..\Run: [bsyrvana] C:\WINDOWS\System32\isbvivp\bsyrvana.exe
O4 - HKLM\..\Run: [jkwfimsk] C:\WINDOWS\System32\bpkcw\jkwfimsk.exe
O4 - HKLM\..\Run: [xnladqcx] C:\WINDOWS\System32\dwcj\xnladqcx.exe
O4 - HKLM\..\Run: [eqsad] C:\WINDOWS\System32\mqocpm\eqsad.exe
O4 - HKLM\..\Run: [lqoy] C:\WINDOWS\System32\mtvnbeqo\lqoy.exe
O4 - HKLM\..\Run: [tqpltl] C:\WINDOWS\System32\eicyvx\tqpltl.exe
O4 - HKLM\..\Run: [olxhjo] C:\WINDOWS\System32\eywso\olxhjo.exe
O4 - HKLM\..\Run: [wkyvdkhk] C:\WINDOWS\System32\isgov\wkyvdkhk.exe
O4 - HKLM\..\Run: [wqcjxv] C:\WINDOWS\System32\uipydq\wqcjxv.exe
O4 - HKLM\..\Run: [kyajwv] C:\WINDOWS\System32\oefbh\kyajwv.exe
O4 - HKLM\..\Run: [vxpkd] C:\WINDOWS\System32\fxopnrs\vxpkd.exe
O4 - HKLM\..\Run: [uaeuqgi] C:\WINDOWS\System32\gcehiilc\uaeuqgi.exe
O4 - HKLM\..\Run: [bmipjjn] C:\WINDOWS\System32\tbcmeq\bmipjjn.exe
O4 - HKLM\..\Run: [xumhcx] C:\WINDOWS\System32\dlauf\xumhcx.exe
O4 - HKLM\..\Run: [cpkjy] C:\WINDOWS\System32\pqttg\cpkjy.exe
O4 - HKLM\..\Run: [C:\WINDOWS\ozwbgfy.exe] C:\WINDOWS\ozwbgfy.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [tvsfevj] C:\WINDOWS\System32\fvaeckoh\tvsfevj.exe
O4 - HKLM\..\Run: [eitho] C:\WINDOWS\System32\qlrrlof\eitho.exe
O4 - HKLM\..\Run: [jilmfnj] C:\WINDOWS\System32\iurdgve\jilmfnj.exe
O4 - HKLM\..\Run: [yxqvjshy] C:\WINDOWS\System32\cimiwplg\yxqvjshy.exe
O4 - HKLM\..\Run: [pphbn] C:\WINDOWS\System32\dmkjca\pphbn.exe
O4 - HKLM\..\Run: [qlxj] C:\WINDOWS\System32\xutiwcl\qlxj.exe
O4 - HKLM\..\Run: [ggqwqii] C:\WINDOWS\System32\eoyuf\ggqwqii.exe
O4 - HKLM\..\Run: [pwdadbvi] C:\WINDOWS\System32\abixfjr\pwdadbvi.exe
O4 - HKLM\..\Run: [vnrwx] C:\WINDOWS\System32\stin\vnrwx.exe
O4 - HKLM\..\Run: [buisgjh] C:\WINDOWS\System32\emhdx\buisgjh.exe
O4 - HKLM\..\Run: [ibahaa] C:\WINDOWS\System32\mycatpua\ibahaa.exe
O4 - HKLM\..\Run: [jrxwp] C:\WINDOWS\System32\koagn\jrxwp.exe
O4 - HKLM\..\Run: [xtlqjv] C:\WINDOWS\System32\uytj\xtlqjv.exe
O4 - HKLM\..\Run: [bpar] C:\WINDOWS\System32\lstr\bpar.exe
O4 - HKLM\..\Run: [ulcw] C:\WINDOWS\System32\xxgevdi\ulcw.exe
O4 - HKLM\..\Run: [wkgfg] C:\WINDOWS\System32\uecbqio\wkgfg.exe
O4 - HKLM\..\Run: [buyvtbf] C:\WINDOWS\System32\sfgxgcl\buyvtbf.exe
O4 - HKLM\..\Run: [ulctny] C:\WINDOWS\System32\ftvjjyxg\ulctny.exe
O4 - HKLM\..\Run: [sqfrq] C:\WINDOWS\System32\isgf\sqfrq.exe
O4 - HKLM\..\Run: [lsxeeg] C:\WINDOWS\System32\lrbsgii\lsxeeg.exe
O4 - HKLM\..\Run: [xyihauyb] C:\WINDOWS\System32\rjkex\xyihauyb.exe
O4 - HKLM\..\Run: [cfit] C:\WINDOWS\System32\ehcotefs\cfit.exe
O4 - HKLM\..\Run: [xornaymt] C:\WINDOWS\System32\unchswb\xornaymt.exe
O4 - HKLM\..\Run: [kybyaenj] C:\WINDOWS\System32\ayqpnv\kybyaenj.exe
O4 - HKLM\..\Run: [bvqaiwat] C:\WINDOWS\System32\asxna\bvqaiwat.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [cbvehiid] C:\WINDOWS\System32\swxgcts\cbvehiid.exe
O4 - HKLM\..\Run: [yqglp] C:\WINDOWS\System32\hqfgsf\yqglp.exe
O4 - HKLM\..\Run: [fidufydp] C:\WINDOWS\System32\jeur\fidufydp.exe
O4 - HKLM\..\Run: [lvtsff] C:\WINDOWS\System32\qpbhukp\lvtsff.exe
O4 - HKLM\..\Run: [xdfuedoo] C:\WINDOWS\System32\yhunfifm\xdfuedoo.exe
O4 - HKLM\..\Run: [tmkvldar] C:\WINDOWS\System32\xuhbsnp\tmkvldar.exe
O4 - HKLM\..\Run: [jgca] C:\WINDOWS\System32\mnmc\jgca.exe
O4 - HKLM\..\Run: [ywkpq] C:\WINDOWS\System32\hfxko\ywkpq.exe
O4 - HKLM\..\Run: [hcfarc] C:\WINDOWS\System32\bxgsl\hcfarc.exe
O4 - HKLM\..\Run: [irxqecoj] C:\WINDOWS\System32\iqfgrdpg\irxqecoj.exe
O4 - HKLM\..\Run: [gtarhx] C:\WINDOWS\System32\otikfkpc\gtarhx.exe
O4 - HKLM\..\Run: [tvll] C:\WINDOWS\System32\uqmh\tvll.exe
O4 - HKLM\..\Run: [ndhy] C:\WINDOWS\System32\egfjcnql\ndhy.exe
O4 - HKLM\..\Run: [prdj] C:\WINDOWS\System32\wskoi\prdj.exe
O4 - HKLM\..\Run: [lkrj] C:\WINDOWS\System32\otvmi\lkrj.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesla32.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\NATE~1.POS\LOCALS~1\Temp\mfel.exe
O4 - HKLM\..\Run: [ejpjx] C:\WINDOWS\system32\argaf\ejpjx.exe
O4 - HKLM\..\Run: [qkjtcro] C:\WINDOWS\system32\pwafqce\qkjtcro.exe
O4 - HKLM\..\Run: [qokvpfb] C:\WINDOWS\system32\lqepp\qokvpfb.exe
O4 - HKLM\..\Run: [ybpahhrw] C:\WINDOWS\system32\makkfqi\ybpahhrw.exe
O4 - HKLM\..\Run: [xnbme] C:\WINDOWS\system32\fddw\xnbme.exe
O4 - HKLM\..\Run: [fekhais] C:\WINDOWS\system32\sysuojij\fekhais.exe
O4 - HKLM\..\Run: [yjignxdi] C:\WINDOWS\system32\vdemwk\yjignxdi.exe
O4 - HKLM\..\Run: [dxjovs] C:\WINDOWS\system32\hyosju\dxjovs.exe
O4 - HKLM\..\Run: [lqfvjus] C:\WINDOWS\system32\rmadjfu\lqfvjus.exe
O4 - HKLM\..\Run: [xohpeet] C:\WINDOWS\system32\kiiu\xohpeet.exe
O4 - HKLM\..\Run: [fkfben] C:\WINDOWS\system32\noboqu\fkfben.exe
O4 - HKLM\..\Run: [jljcxxi] C:\WINDOWS\system32\lmfbw\jljcxxi.exe
O4 - HKLM\..\Run: [yqxcxo] C:\WINDOWS\system32\vwfxcr\yqxcxo.exe
O4 - HKLM\..\Run: [cxtjqao] C:\WINDOWS\system32\rdwdp\cxtjqao.exe
O4 - HKLM\..\Run: [ndafrfsl] C:\WINDOWS\system32\hwdmc\ndafrfsl.exe
O4 - HKLM\..\Run: [xvyr] C:\WINDOWS\system32\athd\xvyr.exe
O4 - HKLM\..\Run: [nnna] C:\WINDOWS\system32\rxsfkq\nnna.exe
O4 - HKLM\..\Run: [ehhoqj] C:\WINDOWS\system32\rwio\ehhoqj.exe
O4 - HKLM\..\Run: [nfgj] C:\WINDOWS\system32\yjjb\nfgj.exe
O4 - HKLM\..\Run: [kjwpc] C:\WINDOWS\system32\fxhlw\kjwpc.exe
O4 - HKLM\..\Run: [ndbsrabp] C:\WINDOWS\system32\nioebemk\ndbsrabp.exe
O4 - HKLM\..\Run: [rsudyx] C:\WINDOWS\system32\hdwvdw\rsudyx.exe
O4 - HKLM\..\Run: [kieistyj] C:\WINDOWS\system32\eemabluk\kieistyj.exe
O4 - HKLM\..\Run: [rfgvxuge] C:\WINDOWS\system32\cjgdhgn\rfgvxuge.exe
O4 - HKLM\..\Run: [vyoeht] C:\WINDOWS\system32\aahswa\vyoeht.exe
O4 - HKLM\..\Run: [evbn] C:\WINDOWS\system32\idhobsxx\evbn.exe
O4 - HKLM\..\Run: [wchug] C:\WINDOWS\system32\bnlnadb\wchug.exe
O4 - HKLM\..\Run: [nsmiba] C:\WINDOWS\system32\witqdby\nsmiba.exe
O4 - HKLM\..\Run: [iwwrgmpo] C:\WINDOWS\system32\eipyxk\iwwrgmpo.exe
O4 - HKLM\..\Run: [dakninn] C:\WINDOWS\system32\wdjypn\dakninn.exe
O4 - HKLM\..\Run: [sh32upt] C:\WINDOWS\sh32upt.exe
O4 - HKLM\..\Run: [baelehe] C:\WINDOWS\system32\pnmvefvj\baelehe.exe
O4 - HKLM\..\Run: [tjkfymuk] C:\WINDOWS\system32\itfiafud\tjkfymuk.exe
O4 - HKLM\..\Run: [mwcg] C:\WINDOWS\system32\gsktm\mwcg.exe
O4 - HKLM\..\Run: [ucbb] C:\WINDOWS\system32\ybhsbhg\ucbb.exe
O4 - HKLM\..\Run: [cbuad] C:\WINDOWS\system32\leijrml\cbuad.exe
O4 - HKLM\..\Run: [rgvx] C:\WINDOWS\system32\qiltbgq\rgvx.exe
O4 - HKLM\..\Run: [bhlioy] C:\WINDOWS\system32\hhah\bhlioy.exe
O4 - HKLM\..\Run: [jrqtxaxd] C:\WINDOWS\system32\ocefvg\jrqtxaxd.exe
O4 - HKLM\..\Run: [ymrwyx] C:\WINDOWS\system32\fgkonmtr\ymrwyx.exe
O4 - HKLM\..\Run: [duaypl] C:\WINDOWS\System32\tofumfve\duaypl.exe
O4 - HKLM\..\Run: [baqc] C:\WINDOWS\system32\cyxmum\baqc.exe
O4 - HKLM\..\Run: [zjguol] C:\WINDOWS\system32\hnrqid.exe r
O4 - HKCU\..\Run: [wmmf] C:\PROGRA~1\COMMON~1\wmmf\wmmfm.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [Aif] C:\WINDOWS\system32\??stem\winword.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRYYYYYYYYUS

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

Edited by tampabelle, 30 August 2005 - 08:34 AM.

  • 0

#3
tampabelle
Posted 22 September 2005 - 11:39 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP