pop up constantly in my computer

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

backup2000

Thread Starter
Joined
Jun 24, 2005
Messages
3
I have Windows 2000 and different popups open all the time. I tried Spybot and Ad-Aware in normal and safe mode, and I also tried disconnecting from the internet, but it is still the same. I know that I am SICK :(

The log that I got was this:

Logfile of HijackThis v1.99.1
Scan saved at 3:07:25 PM, on 6/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\winnt\system32\uxckwus.exe
C:\WINNT\system32\raunau.exe
C:\WINNT\system32\ssmng.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\system\jtmbiliad.exe
C:\WINNT\system32\solys.exe
C:\Program Files\eaus\rlws.exe
C:\WINNT\system32\accwiz.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [uxckwus] c:\winnt\system32\uxckwus.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\raunau.exe reg_run
O4 - HKLM\..\Run: [tsvcin] C:\WINNT\system32\n20050308.EXE
O4 - HKLM\..\Run: [t7rh36l] ssmng.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKCU\..\Run: [cw0nRWJ9V] solys.exe
O4 - HKCU\..\Run: [Aooa] C:\Program Files\eaus\rlws.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\d2j00c1mef.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

any help

:D
 
Joined
Jul 26, 2002
Messages
46,349
Hi backup2000

Welcome to TSG! :)

* First go to Add/Remove programs and uninstall Windows AFA Internet Enhancement.


* Go here and download Microsoft Antispyware Beta. First, in the top menu, click File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick Scan Now" and click Spyware scan options. In that window put a tick by Run a full system scan and then put a check by all three options below that then click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it quarantine the items that have that option rather than delete just in case. It is a beta program and there may be false positives)

Restart your computer.



* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update; click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Ewido:
  • Click on scanner
  • Put a check by the following before you scan:
    • Binder
    • Crypter
    • Archives
  • Click the Start Scan button to start the scan.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Start CCleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Come back here and post a new HijackThis log, as well as the log from the Ewido scan.
 

backup2000

Thread Starter
Joined
Jun 24, 2005
Messages
3
This is the log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:49:41 PM, 6/25/2005
+ Report-Checksum: 9940E11D

+ Date of database: 6/25/2005
+ Version of scan engine: v3.0

+ Duration: 92 min
+ Scanned Files: 18896
+ Speed: 3.39 Files/Second
+ Infected files: 34
+ Removed files: 34
+ Files put in quarantine: 34
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\Program Files\Common Files\Java\flacpy.cfg -> Spyware.FlashEnhancer -> Cleaned with backup
C:\Program Files\Common Files\Java\flacpy.exe -> Spyware.FlashEnhancer.a -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Program Files\eaus\rlws.exe -> Spyware.PurityScan -> Cleaned with backup
C:\Program Files\Fla\f.bak -> Spyware.FlashEnhancer -> Cleaned with backup
C:\Program Files\Fla\Fla.dll -> Spyware.FlashEnhancer -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C130879B-0AC7-4041-B21B-BFD41A\32C7F593-5AFE-4AD8-B492-84C81B -> Spyware.BetterInternet.d -> Cleaned with backup
C:\Program Files\tvs\tvs_re_inst.exe -> Spyware.Broadcap.a -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINNT\Buddy.exe -> Spyware.BetterInternet.d -> Cleaned with backup
C:\WINNT\ceres.dll -> Spyware.BetterInternet.d -> Cleaned with backup
C:\WINNT\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\ezymmxcg.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINNT\icont.exe -> Spyware.AdURL -> Cleaned with backup
C:\WINNT\system\UpdInst.exe -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\system32\asms.exe -> TrojanDropper.Agent.kd -> Cleaned with backup
C:\WINNT\system32\dist001.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\WINNT\system32\exp -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINNT\system32\fxe.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\Fоnts\smss.exe -> Spyware.PurityScan -> Cleaned with backup
C:\WINNT\system32\guard.tmp -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\installer_MARKETING49.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINNT\system32\j6j60g1se6.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\kfdsw.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\mvpol9731.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\pTutoenr.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINNT\system32\solys.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\WINNT\system32\ssmng.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\WINNT\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINNT\system32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINNT\system32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer -> Cleaned with backup


::Report End


=======================================

and hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 3:07:25 PM, on 6/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\winnt\system32\uxckwus.exe
C:\WINNT\system32\raunau.exe
C:\WINNT\system32\ssmng.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\system\jtmbiliad.exe
C:\WINNT\system32\solys.exe
C:\Program Files\eaus\rlws.exe
C:\WINNT\system32\accwiz.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [uxckwus] c:\winnt\system32\uxckwus.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\raunau.exe reg_run
O4 - HKLM\..\Run: [tsvcin] C:\WINNT\system32\n20050308.EXE
O4 - HKLM\..\Run: [t7rh36l] ssmng.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKCU\..\Run: [cw0nRWJ9V] solys.exe
O4 - HKCU\..\Run: [Aooa] C:\Program Files\eaus\rlws.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\d2j00c1mef.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
Joined
Jul 26, 2002
Messages
46,349
  • First launch ewido and update it again.
  • It will prompt you to update; click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Click Here and download Killbox and save it to your desktop.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)

O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun

O4 - HKLM\..\Run: [uxckwus] c:\winnt\system32\uxckwus.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\raunau.exe reg_run

O4 - HKLM\..\Run: [tsvcin] C:\WINNT\system32\n20050308.EXE

O4 - HKLM\..\Run: [t7rh36l] ssmng.exe

O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe

O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe

O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"

O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp

O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

O4 - HKCU\..\Run: [cw0nRWJ9V] solys.exe

O4 - HKCU\..\Run: [Aooa] C:\Program Files\eaus\rlws.exe

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\d2j00c1mef.dll (file missing)



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\system32\PSof1.exe

C:\WINNT\system32\wintask.exe

C:\WINNT\cfgmgr52.dll

c:\winnt\system32\uxckwus.exe

C:\WINNT\system32\raunau.exe

C:\WINNT\system32\n20050308.EXE

C:\WINNT\system32\ssmng.exe

C:\WINNT\system32\vidctrl\vidctrl.exe

C:\program files\tvs\tvs_b.exe

C:\Program Files\Common Files\Java\flacpy.exe

C:\WINNT\system32\exp.exe

C:\WINNT\VCMnet11.exe

C:\WINNT\wupdt.exe

C:\WINNT\system32\solys.exe

C:\Program Files\eaus\rlws.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Delete these folders:

c:\Program Files\Fla
C:\Program Files\eaus
C:\Program Files\Cas
C:\program files\tvs
C:\WINNT\system32\vidctrl


* Run Ewido again:
  • Click on scanner
  • Put a check by the following before you scan:
    • Binder
    • Crypter
    • Archives
  • Click the Start Scan button to start the scan.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Start CCleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
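
A check that can be run when a follow-up log is posted (an added example, not part of the original thread): it parses HijackThis-style logs, flags a follow-up whose "Scan saved at" line and entries match the earlier log, and lists which requested fixes are still present. The BEFORE lines and the fix list are copied from the logs above; the AFTER log and its timestamp are constructed for illustration.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - .+$")
SAVED_RE = re.compile(r"^Scan saved at (.+)$")

def parse_log(text):
    """Return (scan timestamp string or None, {normalized key: original line})."""
    saved, entries = None, {}
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse stray whitespace from copy/paste
        m = SAVED_RE.match(line)
        if m:
            saved = m.group(1)
        elif ENTRY_RE.match(line):
            entries[line.casefold()] = line   # path case varies between lines
    return saved, entries

def compare_logs(before, after, fix_list):
    """Compare a follow-up log with the earlier one and with the requested fixes."""
    saved_b, eb = parse_log(before)
    saved_a, ea = parse_log(after)
    _, fixes = parse_log(fix_list)
    return {
        # Same timestamp and same entries: the old log was posted again.
        "stale": saved_a is not None and saved_a == saved_b and eb.keys() == ea.keys(),
        "removed": sorted(eb[k] for k in eb.keys() - ea.keys()),
        "still_present": sorted(ea[k] for k in fixes.keys() & ea.keys()),
        "new": sorted(ea[k] for k in ea.keys() - eb.keys()),
    }

# Lines copied from the first log in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:07:25 PM, on 6/24/2005
Running processes:
C:\WINNT\system32\ssmng.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [t7rh36l] ssmng.exe
O4 - HKCU\..\Run: [cw0nRWJ9V] solys.exe
"""

# Constructed follow-up log: later timestamp, one requested fix not yet applied.
AFTER_CONSTRUCTED = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:10:02 PM, on 6/25/2005
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [cw0nRWJ9V] solys.exe
"""

# Subset of the "Fix checked" list from the helper's reply.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [t7rh36l] ssmng.exe
O4 - HKCU\..\Run: [cw0nRWJ9V] solys.exe
"""

if __name__ == "__main__":
    for label, after in (("re-posted", BEFORE), ("follow-up", AFTER_CONSTRUCTED)):
        result = compare_logs(BEFORE, after, FIX_LIST)
        print(label, "stale:", result["stale"])
        for line in result["still_present"]:
            print("  still present:", line)
```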
 