
HJT Log and lots of help needed

Discussion in 'Virus & Other Malware Removal' started by Peaker, Jul 16, 2005.

  1. Peaker

    Peaker Thread Starter

    Joined:
    Nov 23, 2001
    Messages:
    249
    Hi folks,

    Could someone take a look at this HJT log. I'm trying to fix someone's PC and failing miserably.

    Loads of popups, extremely slow internet (IE6, broadband), IE6 keeps redirecting to a site called deaconjones.biz and keeps saying something about mediatickets?? Something called surfya.com keeps re-installing itself after all my attempts to remove it.

    I have run AdAware and Spy Bot and a full AVG antivirus scan.

    Picked up 18 viruses, 148 spyware and 388 adware!!!

    I'm soooo close to wiping the drive and installing 2000. The PC currently runs XP and I hate it.

    Please help!!
     

    Attached Files:

  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You MUST move Hijackthis.exe to a permanent location like C:\HJT

    Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/
    · Install ewido.
    · During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    · Launch ewido
    · It will prompt you to update; click the OK button and it will go to the main screen
    · On the left side of the main screen click update
    · Click on Start and let it update.
    · DO NOT run a scan yet. You will do that later in safe mode.

    Restart your computer into safe mode now. Perform the following steps in safe mode:


    Run Ewido:
    · Click on scanner
    · Click Complete System Scan and the scan will begin.
    · During the scan it will prompt you to clean files, click OK
    · When the scan is finished, look at the bottom of the screen and click the Save report button.
    · Save the report to your desktop
    This will take some time to run!
    Post that log and a new HiJack log
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Also, in Add/Remove Programs, remove

    WeirdOnTheWeb
    LimeWire - the likely source of your infection

    Any other P2P programs should also be removed
     
  4. Peaker

    Peaker Thread Starter

    Joined:
    Nov 23, 2001
    Messages:
    249
    Here are the logs as requested
     

    Attached Files:

  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You still have LimeWire – remove it

    Run this http://www.mypctuneup.com/evaluate.php

    Fix these with HJT – mark them, close IE, click fix checked


    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)

    O4 - HKLM\..\Run: [Micro Process] appconf.exe

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteehl32.exe

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    O4 - HKLM\..\Run: [Microsoft Windows Firewall] winfirewalls.exe

    O4 - HKLM\..\Run: [xs7j33i] debhrui.exe

    O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\dns2.exe

    O4 - HKLM\..\Run: [System Services] wucualt.exe

    O4 - HKLM\..\Run: [WINDOWS SYSTEM] ninfoie.exe

    O4 - HKLM\..\Run: [ibin] C:\wdns.exe

    O4 - HKLM\..\Run: [ue2e1msc] C:\WINDOWS\System32\ue2e1msc.exe

    O4 - HKLM\..\Run: [IEACCESS] C:\WINDOWS\System32\temp532.exe -N

    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

    O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c77 -w

    O4 - HKLM\..\Run: [ulkheqr] c:\windows\system32\ejhdewi.exe r

    O4 - HKLM\..\RunServices: [Micro Process] appconf.exe

    O4 - HKLM\..\RunServices: [Microsoft Windows Firewall] winfirewalls.exe

    O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe

    O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] ninfoie.exe

    O4 - HKCU\..\Run: [Micro Process] appconf.exe

    O4 - HKCU\..\Run: [Microsoft Windows Firewall] winfirewalls.exe

    O4 - HKCU\..\Run: [System Services] wucualt.exe

    O4 - HKCU\..\RunServices: [System Services] wucualt.exe

    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

    O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab

    O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe

    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

    O23 - Service: Micro Process (zymolafor.bsd.st) - Unknown owner - C:\WINDOWS\System32\appconf.exe" -netsvcs (file missing)

    DL http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    c:\ex.cab
    c:\eied_s7.cab
    C:\WINDOWS\System32\vbsys2.dll
    C:\wdns.exe
    C:\WINDOWS\system32\usbn.exe
    C:\WINDOWS\AuroraHandler.dll


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    Exit the Killbox.

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these folders

    C:\Program Files\Common Files\WinTools
    C:\Program Files\Toolbar

    START – RUN – type in %temp% OK - Edit – Select all – File – Delete
    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
    Empty the recycle bin

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find

    System Startup Service

    Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


    Repeat for –

    WebSeach Toolbar support NT service
    WinTools for IE service
    Micro Process

    ------------

    In Hijack This, click on the "Open Misc Tools section" button. Next click the "Delete an NT service" button. Copy and paste the following in that box:

    SvcProc
    TBPSSvc
    WinToolsSvc
    zymolafor.bsd.st

    Click OK.


    Boot and post a new log (Please post the log not attach it)

    Open the log in notepad

    EDIT - SELECT ALL
    EDIT - COPY

    Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE


    Please give feedback on what worked/didn’t work and the current status of your system
     
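The fix list above is a HijackThis log reviewed by eye: unnamed BHOs, Run keys pointing at bare filenames or files in the drive root, a Trusted Zone addition, ActiveX (DPF) entries sourced from file:// and services with missing binaries. As an added example (not from the thread or from HijackThis itself), here is a small Python triage pass over lines in that log format; SAMPLE_LOG is constructed from entries in the post, and the heuristics are a reviewer's assumptions, not HijackThis's own rules.

```python
import re

# Added example, not from the thread. SAMPLE_LOG is constructed; its entries mirror
# the fix list above, plus one benign O16 entry (the MSN Messenger control) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Microsoft Windows Firewall] winfirewalls.exe
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\dns2.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 body shape: HKLM\..\Run: [display name] command line
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def first_token(cmd):
    """Executable part of a Run-key command: the quoted path, or text before ' -'/' /'."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.split(r" (?=[-/])", cmd, maxsplit=1)[0]

def triage(log_text):
    """Return one finding per entry that trips a heuristic; order follows the log."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body, reason = m.group("sec"), m.group("body"), None
        if sec in ("O2", "O3") and "(no name)" in body:
            reason = "unnamed BHO/toolbar (legitimate ones carry a name)"
        elif sec == "O4" and (o4 := O4_RE.match(body)):
            exe = first_token(o4.group("cmd"))
            if "\\" not in exe:
                reason = "autorun by bare filename (resolved via search path)"
            elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
                reason = "autorun executable sitting in the drive root"
        elif sec == "O15":
            reason = "site added to IE Trusted Zone (lowered security for that host)"
        elif sec == "O16" and "file://" in body:
            reason = "ActiveX (DPF) install sourced from a local file, not a web URL"
        elif sec == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            reason = "service binary missing or owner unknown (worth checking)"
        if reason:
            findings.append({"section": sec, "reason": reason, "entry": raw.strip()})
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample entries and leaves the TBPS entry and the MSN control alone; the O4 and O23 heuristics are deliberately loose and are a starting point for review, not a verdict.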
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014

Short URL to this thread: https://techguy.org/381576
