Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Many problems. WinFixer, Aurora, trojans..etc [CLOSED]


  • This topic is locked This topic is locked

#1
latinusa

latinusa

    Member

  • Member
  • PipPip
  • 15 posts
This is my Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:58 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ffsraxj\neovvknh.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\steil\nsxos.exe
C:\WINDOWS\System32\ndco\ehwpf.exe
C:\Program Files\Instant Buzz\IBDaemon.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\etjtta.exe
C:\Documents and Settings\Antonio\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ADD814A1-3A11-E47D-6526-111F506A3B69} - C:\WINDOWS\rkulywxk.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {1BAF4F54-80CF-81B3-0965-1891D2D46DB1} - C:\WINDOWS\rkulywxk.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {5455BB9B-E46E-7C9B-07F3-B3173770A8AD} - C:\WINDOWS\System32\nuedvrxc\emtmlint.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {BE9B42C6-EA10-976F-1E3D-CBD8BB5E4037} - C:\WINDOWS\System32\xemfbrrh\bcvqmgkw.dll
O2 - BHO: (no name) - {DB85B131-8B32-B963-6BFD-B49E153515FF} - C:\WINDOWS\System32\afkhvmmc\aehdwdhm.dll
O2 - BHO: (no name) - {EC4D7D15-D223-C80B-0817-B7448EBF0C42} - C:\WINDOWS\System32\avntowbf\jnaaxfnu.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Search - {5145881A-04D5-4776-44E1-6DFEFCAD631C} - C:\WINDOWS\rkulywxk.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sfwharci] C:\WINDOWS\System32\jcrgno\sfwharci.exe
O4 - HKLM\..\Run: [txkfkcg] C:\WINDOWS\System32\vlrss\txkfkcg.exe
O4 - HKLM\..\Run: [mtsnk] C:\WINDOWS\System32\epydp\mtsnk.exe
O4 - HKLM\..\Run: [wwgfp] C:\WINDOWS\System32\qsqoc\wwgfp.exe
O4 - HKLM\..\Run: [cdivtoa] C:\WINDOWS\System32\bpeme\cdivtoa.exe
O4 - HKLM\..\Run: [laeul] C:\WINDOWS\System32\apryh\laeul.exe
O4 - HKLM\..\Run: [kfpbivt] C:\WINDOWS\System32\judsudu\kfpbivt.exe
O4 - HKLM\..\Run: [nsxos] C:\WINDOWS\System32\steil\nsxos.exe
O4 - HKLM\..\Run: [tptavwx] C:\WINDOWS\System32\ibre\tptavwx.exe
O4 - HKLM\..\Run: [ehwpf] C:\WINDOWS\System32\ndco\ehwpf.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [neovvknh] C:\WINDOWS\System32\ffsraxj\neovvknh.exe
O4 - HKLM\..\Run: [vt3um6nk] C:\WINDOWS\System32\vt3um6nk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\utnian.exe reg_run
O4 - HKLM\..\Run: [ukddxml] C:\WINDOWS\System32\etjtta.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Antonio\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [dpnbc3] C:\WINDOWS\System32\dpnbc3.exe
O8 - Extra context menu item: &Buscar en Geomundos - res://C:\WINDOWS\Downloaded Program Files\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar &R - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar &R - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\syimgvw.dll
O23 - Service: cdivtoabpeme - Unknown owner - C:\WINDOWS\System32\bpeme\cdivtoa.exe
O23 - Service: cmglitlyqtfb - Unknown owner - C:\WINDOWS\System32\lyqtfb\cmglit.exe
O23 - Service: dlmbgrxrjhaw - Unknown owner - C:\WINDOWS\System32\rjhaw\dlmbgrx.exe
O23 - Service: dpsishkwanwwd - Unknown owner - C:\WINDOWS\System32\wanwwd\dpsishk.exe
O23 - Service: gfekopoocqcvx - Unknown owner - C:\WINDOWS\System32\ocqcvx\gfekopo.exe
O23 - Service: guktlcspdjm - Unknown owner - C:\WINDOWS\System32\pdjm\guktlcs.exe
O23 - Service: mnbepnscqrvrv - Unknown owner - C:\WINDOWS\System32\nscqrvrv\mnbep.exe
O23 - Service: neovvknhffsraxj - Unknown owner - C:\WINDOWS\System32\ffsraxj\neovvknh.exe
O23 - Service: nrruamoe - Unknown owner - C:\WINDOWS\System32\amoe\nrru.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: swchvaigrnngkw - Unknown owner - C:\WINDOWS\System32\grnngkw\swchvai.exe
O23 - Service: tifjpcvdwg - Unknown owner - C:\WINDOWS\System32\pcvdwg\tifj.exe
O23 - Service: tkmjwhyniy - Unknown owner - C:\WINDOWS\System32\whyniy\tkmj.exe
O23 - Service: xgdhxdoendrg - Unknown owner - C:\WINDOWS\System32\ndrg\xgdhxdoe.exe
O23 - Service: xtcneunv - Unknown owner - C:\WINDOWS\System32\eunv\xtcn.exe
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome!

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6 and always go online and update it before you run it).

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

Download Lavasoft's VX2 Cleaner plug-in HERE
  • Install the VX2 Cleaner
  • Start Ad-Aware SE
  • Go to "Plug-ins"
  • Select the VX2 Cleaner plug-in and click "Run Tool" (Before running the VX2 Cleaner, make sure other anti-virus or anti-spyware applications are closed.)
  • Click "OK" when asked if you want to execute this tool.
  • If your computer isn't infected, click "Close".
If your computer is infected;
  • Select "Clean"
  • Reboot your system.
  • Scan your computer with Ad-Aware:

    Set up the Configurations as follows:
    • Click the Gear wheel at the top of the Ad-Aware window
    • Click General > Safety & Settings: Check (Green) all three.
    • Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
    3. Click on "Proceed"
    4. Click on "Scan Now"
    5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
    6. Select "Search for low-risk threats"
    7. Run the scanner using the Full Scan (Perform full system scan) mode.
    8. When the scan has completed, select Next.
    9. In the Scanning Results window, select the "Scan Summary" tab.
    10. Check the box next to every "target family" for removal.
    11. Click "Next", Click "OK".

  • Reboot your computer again
  • Run a second scan (With Ad-aware & VX2 Cleaner) to make sure the files have been removed from your computer
Post a fresh HiJackThis log once done. :tazz:
  • 0

#3
latinusa

latinusa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
HI,

I get an ERROR when trying to install the VX2 plug in for AdAware. I have version 1.0.6...Why is installation aborted?
Thanks..
  • 0

#4
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
What does the error say?
  • 0

#5
latinusa

latinusa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
HI,
I was able to install VX2 cleaner, but when I tried to run it, it says= "Clean failed, Check for a new version of VX2"...
  • 0

#6
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, can you do this with Ad-aware..

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

2. Set up the Configurations as follows:
  • Click the Gear wheel at the top of the Ad-Aware window
  • Click General > Safety & Settings: Check (Green) all three.
  • Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click on "Proceed"
4. Click on "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to every "target family" for removal.
11. Click "Next", Click "OK".
12. Reboot.

Then..

Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drive's.
A red dot will mark the selected drive(s) . Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drive's, hit yes to all.

Reboot.

Post a fresh HiJackThis log once finished. :tazz:
  • 0

#7
latinusa

latinusa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
OK..here is my log after all cleanup runs.
Do you have any links to download software to prevent spyware install?..
I think I still have WinFixer popup..Let me konw ..THANKS>>

Logfile of HijackThis v1.99.1
Scan saved at 11:26:14 PM, on 9/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ubyxcq\lllkixuq.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\services.exe
C:\Documents and Settings\Antonio\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ADD814A1-3A11-E47D-6526-111F506A3B69} - C:\WINDOWS\rkulywxk.dll (file missing)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {1BAF4F54-80CF-81B3-0965-1891D2D46DB1} - C:\WINDOWS\rkulywxk.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {BE9B42C6-EA10-976F-1E3D-CBD8BB5E4037} - C:\WINDOWS\System32\xemfbrrh\bcvqmgkw.dll
O2 - BHO: (no name) - {C6E414AC-59A0-9CD1-67D3-17FA8A271437} - C:\WINDOWS\System32\mutwvinr\quuqjhop.dll
O2 - BHO: (no name) - {DB85B131-8B32-B963-6BFD-B49E153515FF} - C:\WINDOWS\System32\afkhvmmc\aehdwdhm.dll
O2 - BHO: (no name) - {EC4D7D15-D223-C80B-0817-B7448EBF0C42} - C:\WINDOWS\System32\avntowbf\jnaaxfnu.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [fdyhw] C:\WINDOWS\System32\rtdamax\fdyhw.exe
O4 - HKLM\..\Run: [gkwaxga] C:\WINDOWS\System32\psyoaoa\gkwaxga.exe
O4 - HKLM\..\Run: [kfpbivt] C:\WINDOWS\System32\judsudu\kfpbivt.exe
O4 - HKLM\..\Run: [ovyanhp] C:\WINDOWS\System32\oranrw\ovyanhp.exe
O4 - HKLM\..\Run: [tptavwx] C:\WINDOWS\System32\ibre\tptavwx.exe
O4 - HKLM\..\Run: [mwjlwljj] C:\WINDOWS\System32\vtow\mwjlwljj.exe
O4 - HKLM\..\Run: [aiyu] C:\WINDOWS\System32\liyrmrks\aiyu.exe
O4 - HKLM\..\Run: [lllkixuq] C:\WINDOWS\System32\ubyxcq\lllkixuq.exe
O4 - HKLM\..\Run: [ebjcgx] C:\WINDOWS\System32\ecwfn\ebjcgx.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkslk.exe reg_run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Antonio\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Buscar en Geomundos - res://C:\WINDOWS\Downloaded Program Files\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar &R - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar &R - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\vmmdbg.dll
O23 - Service: cdivtoabpeme - Unknown owner - C:\WINDOWS\System32\bpeme\cdivtoa.exe
O23 - Service: cmglitlyqtfb - Unknown owner - C:\WINDOWS\System32\lyqtfb\cmglit.exe
O23 - Service: dlmbgrxrjhaw - Unknown owner - C:\WINDOWS\System32\rjhaw\dlmbgrx.exe
O23 - Service: dpsishkwanwwd - Unknown owner - C:\WINDOWS\System32\wanwwd\dpsishk.exe
O23 - Service: gfekopoocqcvx - Unknown owner - C:\WINDOWS\System32\ocqcvx\gfekopo.exe
O23 - Service: guktlcspdjm - Unknown owner - C:\WINDOWS\System32\pdjm\guktlcs.exe
O23 - Service: lllkixuqubyxcq - Unknown owner - C:\WINDOWS\System32\ubyxcq\lllkixuq.exe
O23 - Service: mnbepnscqrvrv - Unknown owner - C:\WINDOWS\System32\nscqrvrv\mnbep.exe
O23 - Service: neovvknhffsraxj - Unknown owner - C:\WINDOWS\System32\ffsraxj\neovvknh.exe
O23 - Service: nrruamoe - Unknown owner - C:\WINDOWS\System32\amoe\nrru.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: swchvaigrnngkw - Unknown owner - C:\WINDOWS\System32\grnngkw\swchvai.exe
O23 - Service: tifjpcvdwg - Unknown owner - C:\WINDOWS\System32\pcvdwg\tifj.exe
O23 - Service: tkmjwhyniy - Unknown owner - C:\WINDOWS\System32\whyniy\tkmj.exe
O23 - Service: xgdhxdoendrg - Unknown owner - C:\WINDOWS\System32\ndrg\xgdhxdoe.exe
O23 - Service: xtcneunv - Unknown owner - C:\WINDOWS\System32\eunv\xtcn.exe
  • 0

#8
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
We're not finished yet, you have so many different malwares on the system.

Please print these instructions out, or write them down, as you can't read them during the fix. Ask any question(s) before proceeding with the fix.

Download SpyBot S&D, Click Here

IF you have an older version of SpyBot installed, please do the following first:

1. Undo immunization
2. If SDHelper and TeaTimer are enabled, deactivate them first.
3. If Opera Browser is installed, de-select protection for Opera Immunity
4. Uninstall old version of Spybot S&D
5. Reboot

Install the SpyBot S&D. Do NOT use TeaTimer yet, as it would interfere with the fixes.

Launch SpyBot. Click on the menu named "mode". Choose "Advanced mode". Confirm with yes if it gives you an warning. Next, click on "Settings", and choose the "Settings" -tab from the list. Scroll down the menu, and make sure you check the following settings for use "Display available Beta- versions" and "Display PGP signature updates".

Then go to the starting menu by clicking on the "SpyBot S&D" tab on the left handside corner. Choose to "Search for Updates". Check EVERY update on the list for use, and hit "Download Updates". It will update SpyBot. When finished, exit the program.

Next..

Please download Ewido Security Suite it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Download
CleanUp

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Launch SpyBot S&D and go to the "Settings" menu, yet again. Choose to go to "Ignore Products" -list. UNcheck every each object on the list. Might be easier if you'd just right click somewhere on the screen and click "Deselect all".

Go to the main menu of SpyBot by clicking the "SpyBot S&D" tab. Search for problems. IF it finds objects written in RED color, only check them for removal. Do not check anything else. Hit "Fix selected problems". If it asks you if you want to run SpyBot on the startup again because it couldn't remove some problems, click YES.

Exit the program.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, restart your computer back into Normal Mode (Let SpyBot run and fix the problems again if found, if it wanted to run on startup) and please post a new HJT log, as well as the Ewido report log from the Ewido scan by using Add Reply. Let me know how things went. :tazz:
  • 0

#9
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP