HJT Log and lots of help needed

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Peaker

Thread Starter
Joined
Nov 23, 2001
Messages
249
Hi folks,

Could someone take a look at this HJT log. I'm trying to fix someone's PC and failing miserably.

Loads of popups, extremely slow internet (IE6, broadband), IE6 keeps redirecting to a site called deaconjones.biz and keeps saying something about mediatickets?? Something called surfya.com keeps re-installing itself after all my attempts to remove it.

I have run AdAware and Spy Bot and a full AVG antivirus scan.

Picked up 18 viruses, 148 spyware and 388 adware!!!

I'm soooo close to wiping the drive and installing 2000. The PC currently runs XP and I hate it.

Please help!!
 

Attachments

Joined
Sep 7, 2004
Messages
49,014
You MUST move Hijackthis.exe to a permanent location like C:\HJT

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update; click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:


Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your desktop
This will take some time to run!
Post that log and a new HiJack log
 
Joined
Sep 7, 2004
Messages
49,014
Also, in Add/Remove Programs, remove:

WeirdOnTheWeb
LimeWire - the likely source of your infection

Any other P2P programs should also be removed
 
Joined
Sep 7, 2004
Messages
49,014
You still have LimeWire – remove it

Run this http://www.mypctuneup.com/evaluate.php

Fix these with HJT – mark them, close IE, click fix checked


R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)

O4 - HKLM\..\Run: [Micro Process] appconf.exe

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteehl32.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Microsoft Windows Firewall] winfirewalls.exe

O4 - HKLM\..\Run: [xs7j33i] debhrui.exe

O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\dns2.exe

O4 - HKLM\..\Run: [System Services] wucualt.exe

O4 - HKLM\..\Run: [WINDOWS SYSTEM] ninfoie.exe

O4 - HKLM\..\Run: [ibin] C:\wdns.exe

O4 - HKLM\..\Run: [ue2e1msc] C:\WINDOWS\System32\ue2e1msc.exe

O4 - HKLM\..\Run: [IEACCESS] C:\WINDOWS\System32\temp532.exe -N

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c77 -w

O4 - HKLM\..\Run: [ulkheqr] c:\windows\system32\ejhdewi.exe r

O4 - HKLM\..\RunServices: [Micro Process] appconf.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Firewall] winfirewalls.exe

O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe

O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] ninfoie.exe

O4 - HKCU\..\Run: [Micro Process] appconf.exe

O4 - HKCU\..\Run: [Microsoft Windows Firewall] winfirewalls.exe

O4 - HKCU\..\Run: [System Services] wucualt.exe

O4 - HKCU\..\RunServices: [System Services] wucualt.exe

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab

O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe

O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

O23 - Service: Micro Process (zymolafor.bsd.st) - Unknown owner - C:\WINDOWS\System32\appconf.exe" -netsvcs (file missing)

DL http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

c:\ex.cab
c:\eied_s7.cab
C:\WINDOWS\System32\vbsys2.dll
C:\wdns.exe
C:\WINDOWS\system32\usbn.exe
C:\WINDOWS\AuroraHandler.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these folders

C:\Program Files\Common Files\WinTools
C:\Program Files\Toolbar

START – RUN – type in %temp% OK - Edit – Select all – File – Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

System Startup Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File - Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


Repeat for –

WebSeach Toolbar support NT service
WinTools for IE service
Micro Process

------------

In Hijack This, click on the "Open Misc Tools section" button. Next click the "Delete an NT service" button. Copy and paste the following in that box:

SvcProc
TBPSSvc
WinToolsSvc
zymolafor.bsd.st

Click OK.


Boot and post a new log (Please post the log not attach it)

Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE


Please give feedback on what worked/didn’t work and the current status of your system
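As an added example (not from this thread and not HijackThis's own logic), a small Python triage of HJT log lines in the format posted above. The flag rules are assumptions a defender would apply when reading such a log (bare filenames or drive-root executables in Run keys, entry names that mimic Windows or security products, Trusted Zone additions, ActiveX registered from a local cab, services whose binary is missing); the sample lines are constructed copies in the log's format.

```python
import re

# Constructed sample: a few lines in the format of the HJT log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Norton Antivirus 7.0a] C:\\dns2.exe
O4 - HKLM\\..\\Run: [Microsoft Windows Firewall] winfirewalls.exe
O4 - HKLM\\..\\Run: [TBPS] C:\\PROGRA~1\\Toolbar\\TBPS.exe
O4 - Startup: LimeWire On Startup.lnk = C:\\Program Files\\LimeWire\\LimeWire.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\\ex.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe (file missing)
"""

# O4 registry Run/RunServices entries: "O4 - HKLM\..\Run: [name] target [args]"
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# Words that legitimate-sounding names borrow from the OS or security products (assumed list)
IMPERSONATED = ("microsoft", "windows", "norton", "firewall", "system")

def run_entry_reasons(name, target):
    """Heuristic checks (assumed, not HJT's own) for one O4 Run value."""
    reasons = []
    # Strip command-line switches such as "-go -c77 -w"; honour a quoted path.
    exe = target[1:].split('"')[0] if target.startswith('"') else target.split(" ")[0]
    if "\\" not in exe:
        reasons.append("bare filename, no path: resolved via the search path at logon")
    elif re.match(r"^[a-z]:\\[^\\]+$", exe, re.I):
        reasons.append("executable sits in the drive root")
    if reasons and any(w in name.lower() for w in IMPERSONATED):
        reasons.append("name mimics an OS/security component but the target is not where that would live")
    return reasons

def triage(log_text):
    """Return [(line, reason), ...] for the lines an analyst should read first."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            for r in run_entry_reasons(m.group(3), m.group(4)):
                findings.append((line, r))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append((line, "site added to the IE Trusted zone: relaxed security settings"))
        elif line.startswith("O16 - DPF:") and "file://" in line:
            findings.append((line, "ActiveX control 'downloaded' from a local cab file"))
        elif line.startswith("O23 - Service:") and "(file missing)" in line:
            findings.append((line, "service registered but its binary is missing: orphaned entry"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The Startup-folder O4 line and the TBPS entry (a real path under Program Files) produce no finding; the remaining lines are flagged with the reason shown.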
 