HJT Log and lots of help needed

[Peaker]

Hi folks,

Could someone take al ook at this HJT log. I'm trying to fox someones PC and failing miserably.

Loads of popups, extremely slow internet (IE6, broadband), IE6 keeps redirecting to a site called deaconjones.biz and keeps saying something about mediatickets?? something called surfya.com keeps re-installing itself after all my attempts to remove it.

I have run AdAware and Spy Bot and a full AVG antivirus scan.

Picked up 18 viruses, 148 spyware and 388 adware!!!

I'm soooo close to wiping the drive and installing 2000 PC currently runs XP and I hate it.

Please help!!

 

[MFDnNC]

You MUST move Hijackthis.exe to a permanent location like C:\HJT

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:


Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your desktop
This will take some time to run!
Post that log and a new HiJack log

 

[MFDnNC]

Also add remove programs remove

WeirdOnTheWeb
LimeWire - the likely source of your infection

Any other P2P programs should also be removed

 

[Peaker]

Here's the logs as requested

 

[MFDnNC]

You still have LimeWire – remove it

Run this http://www.mypctuneup.com/evaluate.php

Fix these with HJT – mark them, close IE, click fix checked


R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)

O4 - HKLM\..\Run: [Micro Process] appconf.exe

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteehl32.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Microsoft Windows Firewall] winfirewalls.exe

O4 - HKLM\..\Run: [xs7j33i] debhrui.exe

O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\dns2.exe

O4 - HKLM\..\Run: [System Services] wucualt.exe

O4 - HKLM\..\Run: [WINDOWS SYSTEM] ninfoie.exe

O4 - HKLM\..\Run: [ibin] C:\wdns.exe

O4 - HKLM\..\Run: [ue2e1msc] C:\WINDOWS\System32\ue2e1msc.exe

O4 - HKLM\..\Run: [IEACCESS] C:\WINDOWS\System32\temp532.exe -N

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c77 -w

O4 - HKLM\..\Run: [ulkheqr] c:\windows\system32\ejhdewi.exe r

O4 - HKLM\..\RunServices: [Micro Process] appconf.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Firewall] winfirewalls.exe

O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe

O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] ninfoie.exe

O4 - HKCU\..\Run: [Micro Process] appconf.exe

O4 - HKCU\..\Run: [Microsoft Windows Firewall] winfirewalls.exe

O4 - HKCU\..\Run: [System Services] wucualt.exe

O4 - HKCU\..\RunServices: [System Services] wucualt.exe

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab

O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe

O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

O23 - Service: Micro Process (zymolafor.bsd.st) - Unknown owner - C:\WINDOWS\System32\appconf.exe" -netsvcs (file missing)

DL http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

c:\ex.cab
c:\eied_s7.cab
C:\WINDOWS\System32\vbsys2.dll
C:\wdns.exe
C:\WINDOWS\system32\usbn.exe
C:\WINDOWS\AuroraHandler.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these folders

C:\Program Files\Common Files\WinTools
C:\Program Files\Toolbar

START – RUN – type in %temp% OK - Edit – Select all – File – Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

System Startup Service

Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


Repeat for –

WebSeach Toolbar support NT service
WinTools for IE service
Micro Process

------------

In Hijack This, click on the "Open Misc Tools section" button. Next click the "Delete an NT service" button. Copy and paste the following in that box:

SvcProc
TBPSSvc
WinToolsSvc
zymolafor.bsd.st

Click OK.


Boot and post a new log (Please post the log not attach it)

Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE


Please give feedback on what worked/didn’t work and the current status of your system

 

[MFDnNC]

Turn off restore points, boot, turn them back on after we are finished – here’s how

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam