hijack this log (RESOLVED)
-
8 hours of trying to figure this out myself, and I have not been able to fix the problem, so any help would be greatly appreciated.
When my computer boots up it sometimes freezes and will not let me click on anything. I have been going through Windows Task Manager to access everything, including the internet. Norton AntiVirus says I have a virus called Backdoor.DSNX, but my trial has expired and it will not remove it.
I also have been getting a "protection error #34"
and an application error titled: rsvbcatq.exe
Also, when clicking on IE I get about:blank. I went and changed it to display www.msn.com, and when I click IE again the address goes to msn but it does not display anything.
I have run spyware & adware and Spybot.
Can anyone help me out?
-brandi
Logfile of HijackThis v1.99.1
Scan saved at 12:09 AM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\exp.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\QnJhbmRp\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\bvgzdlv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brandi\My Documents\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshrgky.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\kgt6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Brandi\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\driddn.exe reg_run
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [yifhthz] C:\WINDOWS\System32\bvgzdlv.exe r
O4 - HKLM\..\RunOnce: [aj627.exe] C:\WINDOWS\System32\aj627.exe /k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: rpir.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJhbmRp\command.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Hi and welcome. You've got a lot going on; let's see if we can fix you up. Long instructions following, have to.
If you have to, you can download (burn) the needed fix tools to disk from an uninfected computer and bring them to your computer.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.p...50515010747824
or,
http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix
Unzip it to the desktop but please do NOT run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Post the log from the scan here for me.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshrgky.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\kgt6.dll
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Brandi\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\driddn.exe reg_run
O4 - HKLM\..\Run: [yifhthz] C:\WINDOWS\System32\bvgzdlv.exe r
O4 - HKLM\..\RunOnce: [aj627.exe] C:\WINDOWS\System32\aj627.exe /k
O4 - Global Startup: rpir.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJhbmRp\command.exe
Close all open windows except for HijackThis and click Fix Checked.
Still in Safe Mode,
delete these files/folders:
C:\WINDOWS\Nail.exe < file--may not be there
C:\WINDOWS\System32\pkshrgky.dll < file
C:\WINDOWS\system32\kgt6.dll < file
C:\Program Files\safe-share < folder
C:\WINDOWS\System32\wintask.exe < file
C:\Program Files\SurfSideKick 3 < folder
C:\WINDOWS\System32\medgs1.exe < file
C:\WINDOWS\System32\gms2.exe < file
C:\WINDOWS\System32\opr.exe
C:\Documents and Settings\Brandi\LOCALS~1\Temp\InSearch.exe < file
C:\WINDOWS\System32\driddn.exe < file
C:\WINDOWS\System32\bvgzdlv.exe r < file
C:\WINDOWS\System32\aj627.exe < file
rpir.exe < file
C:\Program Files\Cas < folder
repairs.dll < file
C:\WINDOWS\QnJhbmRp\command.exe < file
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
-
I saved the first Ewido log & could not find it to post.
Here is the 2nd scan (a message appears after the scan asking if I want to delete spyware pro; I clicked no & this is what remains):
--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:17 PM, 9/9/2005
+ Report-Checksum: 9B45B0F
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
[748] C:\WINDOWS\System32\krwkk.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{0634E9FE-2D76-4058-8278-BC2733628368} -> Spyware.Cookie.Advertising : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{09F627AC-6037-4630-84EF-665C43DAB72D} -> Spyware.Cookie.Hitslink : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{0B9D61E2-4498-4536-9B58-9416FC2450EC} -> Spyware.Cookie.Centrport : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{17361532-421B-42D9-BC52-9CC81361A797} -> Spyware.Cookie.Adserver : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{1D0CF154-2664-4546-81F6-02F4E775A91E} -> Spyware.Cookie.Ru4 : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{1E31ED1E-78C3-4762-BE5A-3F091D73CFC1} -> Spyware.Cookie.Commission-junction : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{249EDC91-D48C-465B-BA49-1C8E7FDC01CB} -> Spyware.Cookie.Questionmarket : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{256662FF-1CE6-4FE8-9CEC-F75D681AEC0E} -> Spyware.Cookie.Tribalfusion : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{26C5E218-6379-4DCF-AB8B-B4571F94D049} -> Spyware.Cookie.Coremetrics : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{26F50F44-BFAF-41BB-9DE6-87F96759AD23} -> Spyware.Cookie.Advertising : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{2AADF2ED-BB5F-4F08-9C7F-662F60C04EFB} -> Spyware.Cookie.Valueclick : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{3B15652C-C563-46CA-8061-EED0580CD787} -> Spyware.Cookie.Hitbox : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{492F8553-8BCF-44CB-BCB8-BA2FE2EE7EA0} -> Spyware.Cookie.Casalemedia : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{4D089AA1-944C-490B-AF69-0C8C55437B47} -> Spyware.Cookie.Hitbox : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{5513BCC9-3489-429E-BA7D-25C51E2C7FDF} -> Spyware.Cookie.Doubleclick : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{5528E820-2947-4F41-8733-C8E185766869} -> Spyware.Cookie.Falkag : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{554A7AA5-9374-4D16-946A-43A02B05D984} -> Spyware.Cookie.7search : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{76B023C9-5F23-471F-AEE6-D678F101CD37} -> Spyware.Cookie.Tradedoubler : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{77F0473F-D6BC-42A1-AEA8-85C5490FA83E} -> Spyware.Cookie.Overture : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{8EA4998D-A780-4CA8-80CA-04661EB18104} -> Spyware.Cookie.Mediaplex : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{982455D4-6AD3-4E0A-A162-48D48E0113BF} -> Spyware.Cookie.Atdmt : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{A3F4714F-0090-432F-941C-68F74214ECED} -> Spyware.Cookie.Bfast : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{AB3759A9-DEE4-409A-8DFB-A498115E2371} -> Spyware.Cookie.2o7 : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{AF2A0244-D391-4B04-935B-64503FFE0E4E} -> Spyware.Cookie.Bluestreak : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{B014C0AD-D10F-4BD1-8FD1-376F65F2C98B} -> Spyware.Cookie.Hitbox : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{B7804599-10E3-4618-BE2D-B0842BB47C40} -> Spyware.Cookie.Falkag : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{BCC9C62D-08BE-485D-8EA0-A76C6F43EBA6} -> Spyware.Cookie.Liveperson : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{C0AEF2AF-5607-4ADA-9B85-BD8CE4827D9E} -> Spyware.Cookie.Revenue : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{C80F797B-422C-4A79-ACDD-024F3B5F7E7F} -> Spyware.Cookie.Fastclick : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{DE8775B4-1003-4B9F-96DE-31E6490D752D} -> Spyware.Cookie.Qksrv : Error during cleaning
C:\Program Files\Spyware Killer Pro\SpyWare Killer\quarantine\{32AFBEE8-F44D-4610-96CC-23B1B59A0CBB}.zip/{EBFB703B-F6D9-49B6-A733-5A838780E8D4} -> Spyware.Cookie.Statcounter : Error during cleaning
::Report End
This is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:34:52 PM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Brandi\My Documents\hijackthis\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.d-a-l.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\driddn.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJhbmRp\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I could not find these programs to "fix" in the HJT log:
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [yifhthz] C:\WINDOWS\System32\bvgzdlv.exe r
O4 - HKLM\..\RunOnce: [aj627.exe] C:\WINDOWS\System32\aj627.exe /k
The following will not delete:
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs.dll
This file says "missing file" at the end of it and displays the following message: Unexpected error occured @ procedure.
Mod backup_MakeBackup (sItem+020-AppInit_DLLS:rpairs.dll)
Error #5 Invalid procedure
email me @merijn@spywareinfo.com
report the following :
*What you were trying to fix when the error occured
*How you can reproduce the error
*A complete HJT scan log, if possible
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJhbmRp\command.exe (file missing)
I only found the following files/folders to delete:
C:\WINDOWS\System32\medgs1.exe < file
C:\WINDOWS\System32\gms2.exe < file
C:\WINDOWS\System32\opr.exe
C:\WINDOWS\QnJhbmRp\command.exe < file
I have no idea what to do next.... Please help.
Last edited by b_cantu; 10-09-2005 at 06:28 AM.
-
You did well and got the Nail infection.
That SurfSideKick 3 is a real booger to get rid of and is still there.
Download the Elite Toolbar Remover from http://www.majorgeeks.com/download4465.html.
Boot into Safe Mode. You can do this by tapping the F8 key during reboot. Select "Safe Mode" from the menu and press Enter.
Run the EliteToolbar Remover, then click the "Kill Elite Toolbar" button and wait until it finishes its work.
Reboot into normal mode. Go to Start > Run > type msconfig in the text box > click OK > from the General tab select "Normal Startup".
You also have the Epolvy Trojan which needs special attention. Instructions below:
Download Process Explorer from http://www.sysinternals.com/Utilitie...sExplorer.html
Run Process Explorer and find the process (file) in the list of processes: scroll down on the left hand side and look for the file
jrptjl.exe
Select (highlight) the process and click Process (at the top of the box), then click Suspend. Leave this program running please.
Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the Explorer window select the file C:\WINDOWS\System32\jrptjl.exe (the full path can also be found in running processes).
When prompted if you want to reboot click YES
Leave Process explorer running with the process suspended.
After the reboot check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
Reboot and post another HJT log please
-
I cannot find this file:
Run Process Explorer and find the Process(file) in the list of Processes:scroll down on left hand side and look for the file
jrptjl.exe
This is a copy of the processes:
Process PID CPU Description Company Name
System Idle Process 0 91.18
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 580 Windows NT Session Manager Microsoft Corporation
csrss.exe 628 1.47 Client Server Runtime Process Microsoft Corporation
winlogon.exe 652 Windows NT Logon Application Microsoft Corporation
services.exe 700 1.47 Services and Controller app Microsoft Corporation
svchost.exe 884 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 988 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 3156 Automatic Updates Microsoft Corporation
svchost.exe 1132 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1180 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 1508 LexBce Service Lexmark International, Inc.
LEXPPS.EXE 1580 LEXPPS.EXE Lexmark International, Inc.
spoolsv.exe 1540 Spooler SubSystem App Microsoft Corporation
PhotoshopElementsFileAgent.exe 2020
ewidoctrl.exe 152 ewido control ewido networks
ewidoguard.exe 172 guard ewido networks
Navapsvc.exe 280 Norton AntiVirus Auto-Protect Service Symantec Corporation
PhotoshopElementsDeviceConnect.exe 512
svchost.exe 1384 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1216 Windows User Mode Driver Manager Microsoft Corporation
lsass.exe 712 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1432 Windows Explorer Microsoft Corporation
Navapw32.exe 1868 Norton AntiVirus Agent Symantec Corporation
WkUFind.exe 536 Microsoft® Works Update Detection Microsoft® Corporation
qttask.exe 548 Apple Computer, Inc.
CAgent.exe 568 ABBYY Community Agent ABBYY (BIT Software)
SetHook.exe 612 MediaFACE Hook Application Fellowes, Inc.
Directcd.exe 980 DirectCD Application Roxio
msmsgs.exe 1060 Messenger Microsoft Corporation
WkCalRem.exe 1404 Microsoft® Works Calendar Reminder Service Microsoft® Corporation
rpir.exe 1752
IEXPLORE.EXE 3212 Internet Explorer Microsoft Corporation
procexp.exe 2792 5.88 Sysinternals Process Explorer Sysinternals
hijackthis.exe 3408 HijackThis Soeperman Enterprises Ltd.
Process: Procexp Pid: -1
Do I skip this and go to the next step?
Once again, thanks for your help, Brandi
Last edited by b_cantu; 11-09-2005 at 09:09 AM.
-
No,
we've got to get this; it is changing names each time you reboot.
It is there.
Make sure you can see hidden files/folders
In Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
After you're cleaned, please "rehide" them again.
Do not reboot; look in the HJT log for this:
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
The file name will change at each reboot, but the "r" will always be there as an indicator, though I don't think it shows in the list of processes.
Get yourself a fresh HJT log (do not reboot afterwards), look for that file in your log and re-do the fix above; just remember it will have a different file name, but the "r" will always be there, though the "r" should not be seen in the list of processes.
Last edited by Neal; 11-09-2005 at 01:55 PM.
-
I clicked "show hidden files" & unchecked "hide protected operating system files" like you asked.
I ran Process Explorer again and still cannot find the process jrptjl.exe.
When in Process Explorer, am I supposed to click File and Run, or is this file supposed to automatically come out with the rest of the processes that show up?
I made another copy of the processes; maybe you see something I don't:
Process PID CPU Description Company Name
System Idle Process 0 95.45
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 584 Windows NT Session Manager Microsoft Corporation
csrss.exe 632 Client Server Runtime Process Microsoft Corporation
winlogon.exe 656 Windows NT Logon Application Microsoft Corporation
services.exe 704 1.52 Services and Controller app Microsoft Corporation
svchost.exe 888 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 992 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 2252 Automatic Updates Microsoft Corporation
svchost.exe 1140 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1192 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 1552 LexBce Service Lexmark International, Inc.
LEXPPS.EXE 1604 LEXPPS.EXE Lexmark International, Inc.
spoolsv.exe 1588 Spooler SubSystem App Microsoft Corporation
PhotoshopElementsFileAgent.exe 1880
ewidoctrl.exe 1304 ewido control ewido networks
ewidoguard.exe 1480 guard ewido networks
keepsafe.exe 1972
Navapsvc.exe 160 Norton AntiVirus Auto-Protect Service Symantec Corporation
PhotoshopElementsDeviceConnect.exe 408
svchost.exe 108 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1812 Windows User Mode Driver Manager Microsoft Corporation
lsass.exe 716 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1408 Windows Explorer Microsoft Corporation
Navapw32.exe 1780 Norton AntiVirus Agent Symantec Corporation
WkUFind.exe 1848 Microsoft® Works Update Detection Microsoft® Corporation
CAgent.exe 1964 ABBYY Community Agent ABBYY (BIT Software)
SetHook.exe 916 MediaFACE Hook Application Fellowes, Inc.
Directcd.exe 976 DirectCD Application Roxio
driddn.exe 1052
msmsgs.exe 1208 Messenger Microsoft Corporation
WkCalRem.exe 1828 Microsoft® Works Calendar Reminder Service Microsoft® Corporation
procexp.exe 1172 3.03 Sysinternals Process Explorer Sysinternals
Process: System Idle Process Pid: 0
Type Name
-
Show me a new HJT log.
Do not close out of it; just click the "-" at top right and leave it there on your taskbar.
We will use a different tool this time, and with this tool we will be looking for this in bold (of course it will be different now); it will not have an extension on it like .exe or .dll, just a bunch of letters.
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
After you get your HJT log, do not reboot.
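The two helper posts above both rely on the same tell: an O4 autostart entry whose executable keeps changing names but always carries a lone "r" argument, and whose file name does not show up in the running-process list. As an added example (not part of this thread, and not code from the HijackThis tool), the following Python script parses an HJT log, cross-checks each O4 entry against the "Running processes" section, and flags that pattern. The sample log is constructed from lines that appear in this thread; the parsing rules and the lone-"r" heuristic are the example's own assumptions, not a published HijackThis format specification.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a cut-down HijackThis log assembled from lines that
# appear in this thread (a "Running processes" list followed by O4 entries).
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\driddn.exe
C:\WINDOWS\System32\keepsafe.exe
C:\Program Files\Messenger\msmsgs.exe
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\driddn.exe reg_run
O4 - HKLM\..\Run: [yifhthz] C:\WINDOWS\System32\bvgzdlv.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: rpir.exe
"""


class AutostartEntry(NamedTuple):
    location: str      # e.g. HKLM\..\Run, HKCU\..\Run, Global Startup
    name: str          # registry value name, or "" for startup-folder items
    exe: str           # launched executable as written in the entry
    args: List[str]    # remaining command-line arguments


class Finding(NamedTuple):
    entry: AutostartEntry
    exe_name: str      # lower-cased basename of the executable
    running: bool      # does that basename appear under "Running processes"?
    r_indicator: bool  # is a lone "r" argument present (the thread's tell)?


O4_LINE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.+)$")
SECTION_LINE = re.compile(r"^[A-Z]\d+ - ")   # R0 / F2 / O4 / O23 ... entry lines


def split_command(cmd: str) -> Tuple[str, List[str]]:
    """Separate the executable from its arguments; paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                   # quoted path: take up to the closing quote
        close = cmd.find('"', 1)
        return cmd[1:close], cmd[close + 1:].split()
    m = re.match(r"(?i)(.*?\.(?:exe|com|bat|scr|dll))(?:\s|$)", cmd)
    if m:                                     # unquoted path ending in a known extension
        return m.group(1), cmd[m.end(1):].split()
    head, _, tail = cmd.partition(" ")        # fallback: split at the first space
    return head, tail.split()


def parse_hjt_log(text: str) -> Tuple[List[str], List[AutostartEntry]]:
    """Return (running process paths, O4 autostart entries) from an HJT log."""
    running: List[str] = []
    entries: List[AutostartEntry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if SECTION_LINE.match(line):          # first Rx/Fx/Ox line ends the process list
            in_processes = False
        if in_processes and line:
            running.append(line)
            continue
        m = O4_LINE.match(line)
        if not m:
            continue
        location, rest = m.group("location"), m.group("rest")
        name = ""
        if rest.startswith("["):              # registry Run entries carry a [value name]
            name, _, rest = rest[1:].partition("] ")
        if location == "Global Startup" and " = " in rest:
            rest = rest.split(" = ", 1)[1]    # "shortcut.lnk = target" form
        exe, args = split_command(rest)
        entries.append(AutostartEntry(location, name, exe, args))
    return running, entries


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text: str) -> List[Finding]:
    """Cross-check every O4 entry against the process list and flag the lone-"r" tell."""
    running, entries = parse_hjt_log(text)
    running_names = {basename(p) for p in running}
    return [
        Finding(e, basename(e.exe), basename(e.exe) in running_names,
                any(a.lower() == "r" for a in e.args))
        for e in entries
    ]


def report(findings: List[Finding]) -> str:
    lines = []
    for f in findings:
        tag = "FLAG" if f.r_indicator else "    "
        state = "running" if f.running else "not in process list"
        lines.append(f"{tag} {f.entry.location:<16} [{f.entry.name}] "
                     f"{f.exe_name} {f.entry.args} ({state})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_HJT_LOG)))
```

On the sample, `jrptjl.exe` and `bvgzdlv.exe` are flagged by the lone-"r" argument, and `jrptjl.exe` is additionally reported as absent from the process list, which matches what the helper describes; `driddn.exe` runs with a `reg_run` argument and is not flagged by this heuristic, so the report is a triage aid for a human reader, not a verdict.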
-
Logfile of HijackThis v1.99.1
Scan saved at 3:59:20 PM, on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\driddn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\keepsafe.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Brandi\My Documents\hijackthis\hijackthis.exe
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\driddn.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: rpir.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJhbmRp\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Keep Safe Service (KSIE) - Unknown owner - C:\WINDOWS\System32\keepsafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-

OK, we are going in another direction for a while.
Print everything out, as you will not be on the internet during the latter part of the fix.
Download LQfix.exe and place it on your desktop.
Doubleclick LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.
This tool can run very fast.
Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.
Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.
You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.
When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.
In case you don't have Ewido:
Do not run the scanner yet, but do it from safe mode in a little bit.
Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.
5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.
Make sure you can still see hidden files/folders.
Reboot into safe mode and scan only with HJT, and put a check next to these items. The only thing open should be HJT and that is it:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\driddn.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: rpir.exe
O20 - AppInit_DLLs: repairs.dll
Again, make sure all browser windows are closed and click FIX. Nothing open in the task bar, nothing, only HijackThis.
Still in safe mode:
Run Ewido while in safe mode, full system scan, and save the log please.
After the scan:
Search for and delete as many of these files/folders as you can find.
C:\Program Files\SurfSideKick 3 < folder
C:\WINDOWS\etb < folder
C:\WINDOWS\System32\driddn.exe reg_run < file
rpir.exe < file
Still in safe mode:
Open C:\Windows\Prefetch\ and delete ALL files in this folder.
Do this also if these Temp Folders are part of your OS.
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Next navigate to the C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Post a new HJT log please.
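As an added example that is not part of this thread, here is a small Python triage script encoding the heuristics the helper applied when picking the items to fix: a Run entry whose name is a vowel-less run of letters (like the rgjhbzw/jrptjl.exe line), a Run entry launching from a made-up folder under C:\WINDOWS (etb), a bare executable in Global Startup (rpir.exe), a populated AppInit_DLLs, and a service whose file is missing. The sample log lines are copied from the HJT log posted above; the heuristics and the reason strings are my own and deliberately partial (driddn.exe, which the helper also removed, slips through them).

```python
import re

# Constructed excerpt: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [rgjhbzw] C:\WINDOWS\System32\jrptjl.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\driddn.exe reg_run
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: rpir.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJhbmRp\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE"""

# O4 Run entry: [value name], an optionally quoted path ending in .exe, then any arguments.
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?(?P<args>.*)$', re.I)
STARTUP_EXE_RE = re.compile(r'^O4 - Global Startup: \S+\.exe$', re.I)

def looks_random(token):
    """Five or more letters with no vowel at all, e.g. 'rgjhbzw' or 'jrptjl' (my heuristic)."""
    letters = re.sub(r'[^a-z]', '', token.lower())
    return len(letters) >= 5 and not any(c in 'aeiouy' for c in letters)

def flag_line(line):
    """Return a reason string if the HJT line matches one heuristic, else None."""
    m = RUN_RE.match(line)
    if m:
        stem = m.group('path').rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if looks_random(m.group('name')) or looks_random(stem):
            return 'Run entry with random-looking name'
        parts = m.group('path').split('\\')
        # Payload dropped into C:\WINDOWS\<made-up folder>, like the etb folder above.
        if len(parts) > 3 and parts[1].lower() == 'windows' and parts[2].lower() not in ('system32', 'system'):
            return 'Run entry under a non-standard Windows subfolder'
        return None  # driddn.exe slips through here: it has a vowel and lives in System32
    if STARTUP_EXE_RE.match(line):
        return 'bare executable in Global Startup (no shortcut)'
    if line.startswith('O20 - AppInit_DLLs:') and line.split(':', 1)[1].strip():
        return 'AppInit_DLLs is populated'
    if line.startswith('O23 - Service:') and (
            '(file missing)' in line or ('Unknown owner' in line and '\\WINDOWS\\' in line.upper())):
        return 'service with missing file or unknown owner under Windows'
    return None

def triage(log_text):
    """List (line, reason) for every flagged line, in log order."""
    return [(line, flag_line(line)) for line in log_text.splitlines() if flag_line(line)]
```

Entries it flags are candidates for review, not verdicts; a known-good allowlist is still needed for things like driddn.exe, which the helper identified from experience rather than from its name.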