Hijack this log - cant get into regedit or task mgr.

  1. #1
    lurla (Valued Member)

    Multiple pop-ups, and I can't get into my regedit OR my task manager... Something called 'Aurora' keeps popping up and I cannot get rid of it with S&D or Ad-Aware!... help please!

    Logfile of HijackThis v1.99.1
    Scan saved at 6:34:03 PM, on 6/15/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\windows\system32\qhbehot.exe
    C:\WINDOWS\System32\inetfw.exe
    C:\WINDOWS\System32\mskev.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\head891238.exe
    C:\kavmm.exe
    C:\WINDOWS\system32\taskmin.exe
    C:\WINDOWS\System32\spoolnt.exe
    C:\WINDOWS\System32\wmisg.exe
    C:\WINDOWS\System32\ntsubsys.exe
    C:\WINDOWS\System32\mskev.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\CMMON32.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINDOWS\imGiant.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Windows kev Messenger] mskev.exe
    O4 - HKLM\..\Run: [Windows Internet Firewall] inetfw.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
    O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe
    O4 - HKLM\..\Run: [3SQfQQ66] c:\windows\temp\3SQfQQ66.exe
    O4 - HKLM\..\Run: [3SQfQQ66.exe] C:\windows\temp\3SQfQQ66.exe
    O4 - HKLM\..\Run: [Lsass] C:\kavmm.exe
    O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
    O4 - HKLM\..\Run: [MMB2] C:\WINDOWS\system32\taskmin.exe
    O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
    O4 - HKLM\..\Run: [SYSTEM MESSAGER] wmisg.exe
    O4 - HKLM\..\Run: [caskmgu] c:\windows\system32\qhbehot.exe r
    O4 - HKLM\..\RunServices: [Windows kev Messenger] mskev.exe
    O4 - HKLM\..\RunServices: [Windows Internet Firewall] inetfw.exe
    O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
    O4 - HKLM\..\RunServices: [SYSTEM MESSAGER] wmisg.exe
    O4 - HKLM\..\RunOnce: [Windows Internet Firewall] inetfw.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Windows kev Messenger] mskev.exe
    O4 - HKCU\..\Run: [Windows Internet Firewall] inetfw.exe
    O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
    O4 - HKCU\..\RunServices: [Windows kev Messenger] mskev.exe
    O4 - HKCU\..\RunOnce: [Windows Internet Firewall] inetfw.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{576B3F4C-0B45-4B4F-BF29-DA4166F35BE1}: NameServer = 134.153.2.90 134.153.2.23
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


  2. #2
    HJThis (Senior Member)
    Hello, lurla & welcome

    You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

    Please download, install, and update the free version of Ewido trojan scanner:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful")
    5. Exit Ewido. DO NOT scan yet.
    Download CCleaner and install, but do not run it yet.

    Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)

    Unzip it to the desktop but do NOT run yet.

    Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
    1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
    2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
    3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
    Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Next, run CCleaner.
    1. Uncheck "Cookies" under "Internet Explorer".
    2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
    3. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
    Now run Ewido again.
    1. Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    2. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    3. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
    Then run HijackThis, click Scan, and place a checkmark by the following item:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Close all open windows except for HijackThis and click Fix Checked.


    Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

    HGD

    Now there will be more to do here, so come back here.
    Do not run all over the net till we have this gone.

    HGD

  3. #3
    lurla (Valued Member)
    OK, here are my logs... That F2 line wasn't there when I ran HijackThis in safe mode to get rid of nail.exe. And I still can't get into taskmgr etc... OK, here they are!

    Logfile of HijackThis v1.99.1
    Scan saved at 2:57:36 PM, on 6/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\head891238.exe
    C:\WINDOWS\System32\wmisg.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINDOWS\imGiant.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
    O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe
    O4 - HKLM\..\Run: [3SQfQQ66] c:\windows\temp\3SQfQQ66.exe
    O4 - HKLM\..\Run: [3SQfQQ66.exe] C:\windows\temp\3SQfQQ66.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
    O4 - HKLM\..\Run: [MMB2] C:\WINDOWS\system32\taskmin.exe
    O4 - HKLM\..\Run: [SYSTEM MESSAGER] wmisg.exe
    O4 - HKLM\..\RunServices: [SYSTEM MESSAGER] wmisg.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [Windows kev Messenger] mskev.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 4:13:31 AM, 6/16/2005
    + Report-Checksum: F613884E

    + Date of database: 6/16/2005
    + Version of scan engine: v3.0

    + Duration: 46 min
    + Scanned Files: 63410
    + Speed: 22.52 Files/Second
    + Infected files: 68
    + Removed files: 68
    + Files put in quarantine: 68
    + Files that could not be opened: 0
    + Files that could not be cleaned: 0

    + Binder: Yes
    + Crypter: Yes
    + Archives: Yes

    + Scanned items:
    C:\
    D:\

    + Scan result:
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6JQXMBOV\imgthin[1].exe -> TrojanDownloader.VB.if -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C4H9Y5OS\optimize313[1].exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C4H9Y5OS\thin-149-1-x-x[1].exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QFYBOPWX\1006625464[1].exe -> TrojanProxy.Ranky -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QFYBOPWX\mm63[1].ocx -> Spyware.MediaMotor.a -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QFYBOPWX\stubinstaller4292[1].exe -> TrojanDownloader.Small.asf -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5I1QXYN\809[1].exe -> Backdoor.RBot.Generic -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5I1QXYN\seeve[1].exe -> Spyware.MediaMotor.f -> Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5I1QXYN\tct101[1].dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@adknowledge[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@ads.inet-traffic[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@adtrak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@geocities[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@guide.real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@hb.lycos[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@visit.theglobeandmail[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\backups\backup-20050210-123743-319.dll -> TrojanDownloader.Agent.bq -> Cleaned with backup
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\backups\backup-20050322-185454-800.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\backups\backup-20050513-170720-212.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\backups\backup-20050513-170720-559.dll -> Trojan.Pakes -> Cleaned with backup
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\backups\backup-20050513-170727-750.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\kavmm.exe -> TrojanProxy.Agent.fb -> Cleaned with backup
    C:\sakon.exe -> TrojanProxy.Ranky -> Cleaned with backup
    C:\slinstaller.exe -> TrojanDownloader.Agent.ex -> Cleaned with backup
    C:\systems.exe -> Spyware.WinFetcher.b -> Cleaned with backup
    C:\WINDOWS\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
    C:\WINDOWS\htpatch.exe -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
    C:\WINDOWS\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
    C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
    C:\WINDOWS\javazk.exe -> Trojan.Agent.bi -> Cleaned with backup
    C:\WINDOWS\jqhqn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\kopla.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\lrxyv.dll -> Spyware.OneMoreSearch.a -> Cleaned with backup
    C:\WINDOWS\mfcnk.exe -> Trojan.Agent.bi -> Cleaned with backup
    C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
    C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet -> Cleaned with backup
    C:\WINDOWS\quvlibvfln.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\rlqzy.dll -> Spyware.OneMoreSearch.a -> Cleaned with backup
    C:\WINDOWS\sdkpw32.dll -> TrojanDownloader.Agent.bq -> Cleaned with backup
    C:\WINDOWS\stubinstaller5356.exe -> TrojanDownloader.Small.asf -> Cleaned with backup
    C:\WINDOWS\system32\ieibw.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\inetfw.exe -> Backdoor.RBot.Generic -> Cleaned with backup
    C:\WINDOWS\system32\mfcel.dll -> TrojanDownloader.Agent.kd -> Cleaned with backup
    C:\WINDOWS\system32\mskev.exe -> Backdoor.SdBot -> Cleaned with backup
    C:\WINDOWS\system32\netke32.dll -> TrojanDownloader.Agent.kd -> Cleaned with backup
    C:\WINDOWS\system32\ntsubsys.exe -> TrojanProxy.Ranky -> Cleaned with backup
    C:\WINDOWS\system32\qhbehot.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\system32\qpwmj.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
    C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k -> Cleaned with backup
    C:\WINDOWS\system32\spoolnt.exe -> Backdoor.RBot.Generic -> Cleaned with backup
    C:\WINDOWS\system32\Syaleu.exe -> Spyware.DealHelper.v -> Cleaned with backup
    C:\WINDOWS\tct101.dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
    C:\WINDOWS\wintq32.exe -> Trojan.Agent.bi -> Cleaned with backup
    C:\WINDOWS\wkssvc.exe -> Backdoor.SdBot.xd -> Cleaned with backup


    ::Report End

    Edited to add that S&D is showing that MediaMotor and DyFuCa.InternetOptimizer are in the registry and can't be cleaned.
    Last edited by lurla; 16-06-2005 at 06:38 PM. Reason: to add info

  4. #4
    HJThis (Senior Member)
    Hi, lurla

    Here is what I need you to do next.

    Press control-alt-delete to get into the task manager and end the following processes if they exist:
    head891238.exe
    3SQfQQ66.exe
    msdarkend.exe
    taskmin.exe
    wmisg.exe
    mskev.exe
    wkssvc.exe


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINDOWS\imGiant.dll

    O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
    O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe
    O4 - HKLM\..\Run: [3SQfQQ66] c:\windows\temp\3SQfQQ66.exe
    O4 - HKLM\..\Run: [3SQfQQ66.exe] C:\windows\temp\3SQfQQ66.exe
    O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
    O4 - HKLM\..\Run: [MMB2] C:\WINDOWS\system32\taskmin.exe
    O4 - HKLM\..\Run: [SYSTEM MESSAGER] wmisg.exe
    O4 - HKLM\..\RunServices: [SYSTEM MESSAGER] wmisg.exe
    O4 - HKCU\..\RunServices: [Windows kev Messenger] mskev.exe

    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:
    C:\WINDOWS\imGiant.dll<---This file
    C:\head891238.exe<---This file
    C:\WINDOWS\msdarkend.exe<---This file
    C:\windows\temp\<---Delete all items in this folder; do not delete the folder itself
    C:\WINDOWS\system32\taskmin.exe<---This file
    C:\WINDOWS\wkssvc.exe<---This file

    Still in Safe Mode, do a file search for these; if found, delete them:
    wmisg.exe
    mskev.exe


    & do this here

    Clean out temporary files:

    * Start | Run | type cleanmgr | OK

    * Let it scan your system for files to remove.

    * Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

    * Click "OK" to remove them.

    * Click "Yes" to confirm the deletion.

    & also empty the Recycle Bin

    Then do a reboot, tell us how it is & show a new logfile

    HGD

  5. #5
    lurla (Valued Member)
    OK, before I start, I want to know if this has to go in order, because I can't get into taskmgr... I ctrl-alt-del and it pops up and disappears immediately.. so I can't stop any of the processes... so should I go ahead with the rest of the fix or wait until I can stop these processes?

    (just to let you know if it takes me a while to answer, I work 12 hr shifts at the hospital all this weekend starting Friday morning, so I won't get to the computer until each evening... but i will follow your directions as soon as I get them).

  6. #6
    HJThis (Senior Member)
    Hi, lurla

    No problem, I will be here, or someone is always here to help you if you need it, so take your time.

    Now I think there is an option in HijackThis to kill the processes; give it a try. I myself have not tried this.

    Go into HijackThis->Config->Misc. Tools->Open process manager. Select the files and click Kill process for each one if they are still listed.

    HGD

  7. #7
    lurla (Valued Member)
    OK... followed the directions and everything seems to be OK. I can get into regedit and taskmgr now!! I don't know what I would do without you guys! lol .... so here's my new log... and until next time (lol) .. THANKS!!!

    Logfile of HijackThis v1.99.1
    Scan saved at 1233 AM, on 6/17/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\windows\system32\rtyerz.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\windows\system32\calc.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [rtyerz] c:\windows\system32\rtyerz.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

  8. #8
    HJThis (Senior Member)
    Hi, lurla

    This is great news for sure, but you have one item;
    let's see if we can go after it.

    Press control-alt-delete to get into the task manager and end the following processes if they exist:
    rtyerz.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [rtyerz] c:\windows\system32\rtyerz.exe

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:
    c:\windows\system32\rtyerz.exe<---This file

    Then do a reboot & right away download these progs here;
    install, then update, & just keep them updated.

    Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab.
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.

    & now the progs

    SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
    http://www.javacoolsoftware.com/spywareblaster.html

    SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
    http://www.javacoolsoftware.com/spywareguard.html

    IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
    https://netfiles.uiuc.edu/ehowes/www/resource.htm

    Blocking Unwanted Parasites with a Hosts File
    http://www.mvps.org/winhelp2002/hosts.htm

    And this prog here will help keep your PC clean.

    A popular program for doing this is a freeware program called Crap Cleaner. Crap Cleaner is a single utility that lets you clear your Cookies, Internet Explorer History, empty the Recycle Bin, uninstall programs, clear usage tracks and much more. As well as this, it has an Advanced Registry Scanner. Using a program like this is one of the easiest methods.

    You should also think about using Firefox & Mozilla & use IE for updates.

    Get your Firefox here

    Mo who

    HGD

  9. #9
    lurla (Valued Member)
    OK, I can't help but notice that that nail.exe file is still lurking around... I tried the NailFix in safe mode again, but it is still appearing, even after I click 'fix' in HijackThis. When I rebooted, it said it couldn't FIND the nail.exe file, but it's still here... pain in the... OK... what's next?

    Logfile of HijackThis v1.99.1
    Scan saved at 10:15:36 PM, on 6/17/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    c:\windows\system32\ncuhlt.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Shyla\My Documents\downloaded\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [kdxpcoq] c:\windows\system32\ncuhlt.exe r
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
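
The useful signal in this thread is not any single log but what changes between logs: the random-named autostart in the previous log (rtyerz.exe) is gone, a new one with the same shape (ncuhlt.exe, launched with a trailing "r" exactly like qhbehot.exe in the first log) has replaced it, and the F2 Shell= entry that was fixed has come back. The script below is an added example, not part of this thread and not HijackThis's own tooling: it diffs two HijackThis logs after case-normalising paths (Explorer.EXE and Explorer.exe are the same file) and pulls every executable other than explorer.exe out of a Shell= entry. The two sample logs are abbreviated from the ones posted in this thread; the parsing rules are the editor's assumptions about the log layout shown here.

```python
"""Diff two HijackThis logs and inspect the Winlogon Shell entry.

Added example for this thread, not HijackThis's own code. The samples are
abbreviated from the logs posted above; the parsing rules assume the layout
shown in those logs (a "Running processes:" block ended by a blank line,
then one "<code> - <detail>" entry per line).
"""
import re

# Constructed sample: abbreviated log from the earlier post (rtyerz.exe present).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\windows\system32\rtyerz.exe
C:\Program Files\SpywareGuard\sgmain.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtyerz] c:\windows\system32\rtyerz.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Constructed sample: abbreviated log from the later post (ncuhlt.exe and Nail.exe back).
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.exe
c:\windows\system32\ncuhlt.exe
C:\Program Files\SpywareGuard\sgmain.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kdxpcoq] c:\windows\system32\ncuhlt.exe r
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
SHELL_RE = re.compile(r"Shell=(.*)$", re.IGNORECASE)


def parse_hjt(text):
    """Return (process set, entry dict); keys are lowercased so case differences don't show as changes."""
    procs, entries = set(), {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            procs.add(line.lower())
            continue
        if ENTRY_RE.match(line):
            entries[line.lower()] = line   # keep the original spelling for display
    return procs, entries


def diff_logs(before, after):
    """Report processes and entries that appeared or disappeared between two logs."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "new_processes": sorted(p1 - p0),
        "gone_processes": sorted(p0 - p1),
        "new_entries": sorted(e1[k] for k in e1.keys() - e0.keys()),
        "gone_entries": sorted(e0[k] for k in e0.keys() - e1.keys()),
    }


def shell_extras(line):
    """For an F2 Shell= entry, return every program listed besides a bare explorer.exe.

    Winlogon runs each program in the Shell value; anything appended after
    explorer.exe starts at every logon. A path to explorer.exe is deliberately
    not accepted as legitimate, since a copy elsewhere would be a lookalike.
    """
    m = SHELL_RE.search(line)
    if not m:
        return []
    tokens = re.findall(r'"[^"]+"|\S+', m.group(1))
    return [t.strip('"') for t in tokens if t.strip('"').lower() != "explorer.exe"]


if __name__ == "__main__":
    for section, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(section)
        for item in items:
            print("   ", item)
    for _, entry in parse_hjt(LOG_AFTER)[1].items():
        if entry.startswith("F2"):
            print("extra programs in Shell=:", shell_extras(entry))
```

Two design points: the diff keys on lowercased text because HijackThis reports paths exactly as the registry or process table spells them, so the same file can appear with different casing across runs; and the Shell= check treats only a bare `explorer.exe` as expected, so a re-added Nail.exe (or a full path to some other explorer.exe) is always reported.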

  10. #10
    HJThis (Senior Member)
    Hi, lurla

    OK, let's see if it is on the PC; do this here

    Download FindIt's.zip to your desktop.
    Unzip/extract the files inside, preferably to C:\ (a new folder).
    Disconnect from the internet, if you use an always on internet connection unplug it.
    Let your PC be idle for 15 minutes !!
    Open the folder and run the FindIt's.bat and wait for a text to open, it will take awhile be patient, post the results please.
    http://forums.net-integration.net/in...post&id=142443

    If you get an error similar to:
    C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application...etc etc'
    Go here and use the appropriate fix for your system
    http://www.tech-forums.net/computer/topic/29806.html

    HGD
