Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Many problems. WinFixer, Aurora, trojans..etc [CLOSED]

Started by latinusa , Sep 20 2005 11:23 AM

This topic is locked

#1
latinusa

Posted 20 September 2005 - 11:23 AM

Member

Member
15 posts

This is my Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:58 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ffsraxj\neovvknh.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\steil\nsxos.exe
C:\WINDOWS\System32\ndco\ehwpf.exe
C:\Program Files\Instant Buzz\IBDaemon.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\etjtta.exe
C:\Documents and Settings\Antonio\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ADD814A1-3A11-E47D-6526-111F506A3B69} - C:\WINDOWS\rkulywxk.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {1BAF4F54-80CF-81B3-0965-1891D2D46DB1} - C:\WINDOWS\rkulywxk.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {5455BB9B-E46E-7C9B-07F3-B3173770A8AD} - C:\WINDOWS\System32\nuedvrxc\emtmlint.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {BE9B42C6-EA10-976F-1E3D-CBD8BB5E4037} - C:\WINDOWS\System32\xemfbrrh\bcvqmgkw.dll
O2 - BHO: (no name) - {DB85B131-8B32-B963-6BFD-B49E153515FF} - C:\WINDOWS\System32\afkhvmmc\aehdwdhm.dll
O2 - BHO: (no name) - {EC4D7D15-D223-C80B-0817-B7448EBF0C42} - C:\WINDOWS\System32\avntowbf\jnaaxfnu.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Search - {5145881A-04D5-4776-44E1-6DFEFCAD631C} - C:\WINDOWS\rkulywxk.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sfwharci] C:\WINDOWS\System32\jcrgno\sfwharci.exe
O4 - HKLM\..\Run: [txkfkcg] C:\WINDOWS\System32\vlrss\txkfkcg.exe
O4 - HKLM\..\Run: [mtsnk] C:\WINDOWS\System32\epydp\mtsnk.exe
O4 - HKLM\..\Run: [wwgfp] C:\WINDOWS\System32\qsqoc\wwgfp.exe
O4 - HKLM\..\Run: [cdivtoa] C:\WINDOWS\System32\bpeme\cdivtoa.exe
O4 - HKLM\..\Run: [laeul] C:\WINDOWS\System32\apryh\laeul.exe
O4 - HKLM\..\Run: [kfpbivt] C:\WINDOWS\System32\judsudu\kfpbivt.exe
O4 - HKLM\..\Run: [nsxos] C:\WINDOWS\System32\steil\nsxos.exe
O4 - HKLM\..\Run: [tptavwx] C:\WINDOWS\System32\ibre\tptavwx.exe
O4 - HKLM\..\Run: [ehwpf] C:\WINDOWS\System32\ndco\ehwpf.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [neovvknh] C:\WINDOWS\System32\ffsraxj\neovvknh.exe
O4 - HKLM\..\Run: [vt3um6nk] C:\WINDOWS\System32\vt3um6nk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\utnian.exe reg_run
O4 - HKLM\..\Run: [ukddxml] C:\WINDOWS\System32\etjtta.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Antonio\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [dpnbc3] C:\WINDOWS\System32\dpnbc3.exe
O8 - Extra context menu item: &Buscar en Geomundos - res://C:\WINDOWS\Downloaded Program Files\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar &R - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar &R - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\syimgvw.dll
O23 - Service: cdivtoabpeme - Unknown owner - C:\WINDOWS\System32\bpeme\cdivtoa.exe
O23 - Service: cmglitlyqtfb - Unknown owner - C:\WINDOWS\System32\lyqtfb\cmglit.exe
O23 - Service: dlmbgrxrjhaw - Unknown owner - C:\WINDOWS\System32\rjhaw\dlmbgrx.exe
O23 - Service: dpsishkwanwwd - Unknown owner - C:\WINDOWS\System32\wanwwd\dpsishk.exe
O23 - Service: gfekopoocqcvx - Unknown owner - C:\WINDOWS\System32\ocqcvx\gfekopo.exe
O23 - Service: guktlcspdjm - Unknown owner - C:\WINDOWS\System32\pdjm\guktlcs.exe
O23 - Service: mnbepnscqrvrv - Unknown owner - C:\WINDOWS\System32\nscqrvrv\mnbep.exe
O23 - Service: neovvknhffsraxj - Unknown owner - C:\WINDOWS\System32\ffsraxj\neovvknh.exe
O23 - Service: nrruamoe - Unknown owner - C:\WINDOWS\System32\amoe\nrru.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: swchvaigrnngkw - Unknown owner - C:\WINDOWS\System32\grnngkw\swchvai.exe
O23 - Service: tifjpcvdwg - Unknown owner - C:\WINDOWS\System32\pcvdwg\tifj.exe
O23 - Service: tkmjwhyniy - Unknown owner - C:\WINDOWS\System32\whyniy\tkmj.exe
O23 - Service: xgdhxdoendrg - Unknown owner - C:\WINDOWS\System32\ndrg\xgdhxdoe.exe
O23 - Service: xtcneunv - Unknown owner - C:\WINDOWS\System32\eunv\xtcn.exe

#2
Rawe

Posted 20 September 2005 - 11:32 AM

Visiting Staff

Member
4,746 posts

Hello and welcome!

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6 and always go online and update it before you run it).

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

Download Lavasoft's VX2 Cleaner plug-in HERE

Install the VX2 Cleaner
Start Ad-Aware SE
Go to "Plug-ins"
Select the VX2 Cleaner plug-in and click "Run Tool" (Before running the VX2 Cleaner, make sure other anti-virus or anti-spyware applications are closed.)
Click "OK" when asked if you want to execute this tool.
If your computer isn't infected, click "Close".

If your computer is infected;

Select "Clean"
Reboot your system.
Scan your computer with Ad-Aware:

Set up the Configurations as follows:
- Click the Gear wheel at the top of the Ad-Aware window
- Click General > Safety & Settings: Check (Green) all three.
- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click on "Proceed"
4. Click on "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to every "target family" for removal.
11. Click "Next", Click "OK".
Reboot your computer again
Run a second scan (With Ad-aware & VX2 Cleaner) to make sure the files have been removed from your computer

Post a fresh HiJackThis log once done. :tazz:

#3
latinusa

Posted 20 September 2005 - 01:28 PM

Member

Topic Starter
Member
15 posts

HI,

I get an ERROR when trying to install the VX2 plug in for AdAware. I have version 1.0.6...Why is installation aborted?
Thanks..

#4
Rawe

Posted 20 September 2005 - 11:26 PM

Visiting Staff

Member
4,746 posts

What does the error say?

#5
latinusa

Posted 21 September 2005 - 09:28 AM

Member

Topic Starter
Member
15 posts

HI,
I was able to install VX2 cleaner, but when I tried to run it, it says= "Clean failed, Check for a new version of VX2"...

#6
Rawe

Posted 21 September 2005 - 09:41 AM

Visiting Staff

Member
4,746 posts

Ok, can you do this with Ad-aware..

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

2. Set up the Configurations as follows:

Click the Gear wheel at the top of the Ad-Aware window
Click General > Safety & Settings: Check (Green) all three.
Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

3. Click on "Proceed"
4. Click on "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to every "target family" for removal.
11. Click "Next", Click "OK".
12. Reboot.

Then..

Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drive's.
A red dot will mark the selected drive(s) . Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drive's, hit yes to all.

Reboot.

Post a fresh HiJackThis log once finished. :tazz:

#7
latinusa

Posted 22 September 2005 - 10:48 PM

Member

Topic Starter
Member
15 posts

OK..here is my log after all cleanup runs.
Do you have any links to download software to prevent spyware install?..
I think I still have WinFixer popup..Let me konw ..THANKS>>

Logfile of HijackThis v1.99.1
Scan saved at 11:26:14 PM, on 9/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ubyxcq\lllkixuq.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\services.exe
C:\Documents and Settings\Antonio\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ADD814A1-3A11-E47D-6526-111F506A3B69} - C:\WINDOWS\rkulywxk.dll (file missing)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {1BAF4F54-80CF-81B3-0965-1891D2D46DB1} - C:\WINDOWS\rkulywxk.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {BE9B42C6-EA10-976F-1E3D-CBD8BB5E4037} - C:\WINDOWS\System32\xemfbrrh\bcvqmgkw.dll
O2 - BHO: (no name) - {C6E414AC-59A0-9CD1-67D3-17FA8A271437} - C:\WINDOWS\System32\mutwvinr\quuqjhop.dll
O2 - BHO: (no name) - {DB85B131-8B32-B963-6BFD-B49E153515FF} - C:\WINDOWS\System32\afkhvmmc\aehdwdhm.dll
O2 - BHO: (no name) - {EC4D7D15-D223-C80B-0817-B7448EBF0C42} - C:\WINDOWS\System32\avntowbf\jnaaxfnu.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [fdyhw] C:\WINDOWS\System32\rtdamax\fdyhw.exe
O4 - HKLM\..\Run: [gkwaxga] C:\WINDOWS\System32\psyoaoa\gkwaxga.exe
O4 - HKLM\..\Run: [kfpbivt] C:\WINDOWS\System32\judsudu\kfpbivt.exe
O4 - HKLM\..\Run: [ovyanhp] C:\WINDOWS\System32\oranrw\ovyanhp.exe
O4 - HKLM\..\Run: [tptavwx] C:\WINDOWS\System32\ibre\tptavwx.exe
O4 - HKLM\..\Run: [mwjlwljj] C:\WINDOWS\System32\vtow\mwjlwljj.exe
O4 - HKLM\..\Run: [aiyu] C:\WINDOWS\System32\liyrmrks\aiyu.exe
O4 - HKLM\..\Run: [lllkixuq] C:\WINDOWS\System32\ubyxcq\lllkixuq.exe
O4 - HKLM\..\Run: [ebjcgx] C:\WINDOWS\System32\ecwfn\ebjcgx.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkslk.exe reg_run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Antonio\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Buscar en Geomundos - res://C:\WINDOWS\Downloaded Program Files\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar &R - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar &R - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\vmmdbg.dll
O23 - Service: cdivtoabpeme - Unknown owner - C:\WINDOWS\System32\bpeme\cdivtoa.exe
O23 - Service: cmglitlyqtfb - Unknown owner - C:\WINDOWS\System32\lyqtfb\cmglit.exe
O23 - Service: dlmbgrxrjhaw - Unknown owner - C:\WINDOWS\System32\rjhaw\dlmbgrx.exe
O23 - Service: dpsishkwanwwd - Unknown owner - C:\WINDOWS\System32\wanwwd\dpsishk.exe
O23 - Service: gfekopoocqcvx - Unknown owner - C:\WINDOWS\System32\ocqcvx\gfekopo.exe
O23 - Service: guktlcspdjm - Unknown owner - C:\WINDOWS\System32\pdjm\guktlcs.exe
O23 - Service: lllkixuqubyxcq - Unknown owner - C:\WINDOWS\System32\ubyxcq\lllkixuq.exe
O23 - Service: mnbepnscqrvrv - Unknown owner - C:\WINDOWS\System32\nscqrvrv\mnbep.exe
O23 - Service: neovvknhffsraxj - Unknown owner - C:\WINDOWS\System32\ffsraxj\neovvknh.exe
O23 - Service: nrruamoe - Unknown owner - C:\WINDOWS\System32\amoe\nrru.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: swchvaigrnngkw - Unknown owner - C:\WINDOWS\System32\grnngkw\swchvai.exe
O23 - Service: tifjpcvdwg - Unknown owner - C:\WINDOWS\System32\pcvdwg\tifj.exe
O23 - Service: tkmjwhyniy - Unknown owner - C:\WINDOWS\System32\whyniy\tkmj.exe
O23 - Service: xgdhxdoendrg - Unknown owner - C:\WINDOWS\System32\ndrg\xgdhxdoe.exe
O23 - Service: xtcneunv - Unknown owner - C:\WINDOWS\System32\eunv\xtcn.exe

#8
Rawe

Posted 24 September 2005 - 01:46 AM

Visiting Staff

Member
4,746 posts

We're not finished yet, you have so many different malwares on the system.

Please print these instructions out, or write them down, as you can't read them during the fix. Ask any question(s) before proceeding with the fix.

Download SpyBot S&D, Click Here

IF you have an older version of SpyBot installed, please do the following first:

1. Undo immunization
2. If SDHelper and TeaTimer are enabled, deactivate them first.
3. If Opera Browser is installed, de-select protection for Opera Immunity
4. Uninstall old version of Spybot S&D
5. Reboot

Install the SpyBot S&D. Do NOT use TeaTimer yet, as it would interfere with the fixes.

Launch SpyBot. Click on the menu named "mode". Choose "Advanced mode". Confirm with yes if it gives you an warning. Next, click on "Settings", and choose the "Settings" -tab from the list. Scroll down the menu, and make sure you check the following settings for use "Display available Beta- versions" and "Display PGP signature updates".

Then go to the starting menu by clicking on the "SpyBot S&D" tab on the left handside corner. Choose to "Search for Updates". Check EVERY update on the list for use, and hit "Download Updates". It will update SpyBot. When finished, exit the program.

Next..

Please download Ewido Security Suite it is a free version of the program.

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT run a scan yet.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Download
CleanUp

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Now open Ewido and do a scan of your system.

Click on scanner
Click on Complete System Scan and the scan will begin.
Clean anything it finds.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close Ewido.

Launch SpyBot S&D and go to the "Settings" menu, yet again. Choose to go to "Ignore Products" -list. UNcheck every each object on the list. Might be easier if you'd just right click somewhere on the screen and click "Deselect all".

Go to the main menu of SpyBot by clicking the "SpyBot S&D" tab. Search for problems. IF it finds objects written in RED color, only check them for removal. Do not check anything else. Hit "Fix selected problems". If it asks you if you want to run SpyBot on the startup again because it couldn't remove some problems, click YES.

Exit the program.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
When CleanUp starts go to the Options button (right side of CleanUp screen)
Move the arrow down to "Custom CleanUp!"
Now place a checkmark next to the following (Make sure nothing else is checked!):
- Delete Cookies
  This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
- Empty Recycle Bins
- Delete Prefetch files
- Cleanup! All Users
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Finally, restart your computer back into Normal Mode (Let SpyBot run and fix the problems again if found, if it wanted to run on startup) and please post a new HJT log, as well as the Ewido report log from the Ewido scan by using Add Reply. Let me know how things went. :tazz:

#9
Rawe

Posted 11 October 2005 - 06:17 AM

Visiting Staff

Member
4,746 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.