Alright, here we go. I, like everyone else, tried to manually uninstall this godforsaken program. Then I ran the Symantec program, which claimed to remove it. For a while it seemed to actually have removed it; of course, in the long run, it didn't. So I downloaded HijackThis and this is what I got:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:08 AM, on 6/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\bztvxrj.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\chkal.exe
C:\WINDOWS\System32\cidntz.exe
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {55BC0B87-99F7-4859-9985-210257629C24} - C:\WINDOWS\System32\uxrbq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [anjl] C:\WINDOWS\Zzkhcea.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [zneeab] c:\windows\system32\bztvxrj.exe r
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [psER3nP] cidntz.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [YBx5Rhj8O] chkal.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/155817ca767553f5a501/netzip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

I use Mozilla Firefox, and I have Windows XP. Any help whatsoever would be awesome. Thank you guys for your time, and I hope you know that countless people thank you.

-Chad


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Alright, I followed your instructions. Thanks again, and here are the two logfiles you asked for:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          6:07:24 AM, 6/19/2005
 + Report-Checksum:     FCE2EE2D

 + Date of database:        6/19/2005
 + Version of scan engine:  v3.0

 + Duration:                79 min
 + Scanned Files:           81526
 + Speed:               17.17 Files/Second
 + Infected files:          111
 + Removed files:           111
 + Files put in quarantine:     111
 + Files that could not be opened:  0
 + Files that could not be cleaned: 0

 + Binder:      Yes
 + Crypter:     Yes
 + Archives:        Yes

 + Scanned items:
    C:\

 + Scan result:
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@clickagents[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@debtsettlementusa[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@guide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@linksynergy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@realguide.real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@www.clickxchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@www.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Cookies\lethal heritage@z1.adserver[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.POP.dl -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\BIH\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\Del8D2.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\Del903.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\i1A84.tmp -> TrojanDownloader.Totavel.a -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\res8D3.tmp -> Spyware.180Solutions -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\temp.fr14E1 -> Spyware.BetterInternet -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\temp.fr1722\eabh.dll -> Spyware.EzuLa -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\temp.fr1722\seng.dll -> Spyware.EzuLa -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\temp.fr4B57 -> TrojanDownloader.Intexp.c -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temp\temp.fr8EFB -> Spyware.Adstart.c -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\096BG9QF\AM_1.0.163[1].exe -> TrojanDownloader.Apropo.s -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\096BG9QF\AM_1.0.194[1].exe -> Trojan.Pakes -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\096BG9QF\AproposClientInstaller[2].exe -> Trojan.Pakes -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\8T4NGNCN\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\KPSPUR8D\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\KPSPUR8D\Poller[1].exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\OTIRKPIB\AM_1.0.174[1].exe -> TrojanDownloader.Apropos.s -> Cleaned with backup
    C:\Documents and Settings\Lethal Heritage\Local Settings\Temporary Internet Files\Content.IE5\UTS7M9I5\abiuninst[1].exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
    C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.wj -> Cleaned with backup
    C:\WINDOWS\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
    C:\WINDOWS\bsx32\ADTMI1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ADVC5.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIB9894.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIC29667.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASID12180.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIE17070.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIF29819.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIF4502.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIFWH29233.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIG21943.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIGT10102.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIH7853.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASII21469.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIL18549.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIOG19375.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIOT25456.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIPF1965.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIR21184.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIRE20082.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIS24110.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIS31590.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIT17011.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIT26116.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIW11211.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\ASIWS3.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\BID1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\CARD2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\CARS3.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\DATE4.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\EML1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\FAST1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\FINC3.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\FINC5.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\FLWR1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\HERBS1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\JOBS4.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\MOVS2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\NEWS2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\SHOP2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\TECH2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\UTONE2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\WWW3.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace -> Cleaned with backup
    C:\WINDOWS\bundles\bs5-vwqouc.exe -> Spyware.BookedSpace.c -> Cleaned with backup
    C:\WINDOWS\bundles\saie1101.exe -> Spyware.180solutions -> Cleaned with backup
    C:\WINDOWS\bundles\shopinst.exe -> TrojanDownloader.Small.wj -> Cleaned with backup
    C:\WINDOWS\bundles\thin-8-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\bundles\TVM_B5_Bundle_8.EXE -> TrojanDropper.Small.ht -> Cleaned with backup
    C:\WINDOWS\bundles\txdesuf.exe -> Backdoor.Agent.bg -> Cleaned with backup
    C:\WINDOWS\cxtpls_loader.exe -> Spyware.Apropos.b -> Cleaned with backup
    C:\WINDOWS\Shciu.exe -> Backdoor.Agent.bg -> Cleaned with backup
    C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
    C:\WINDOWS\system32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
    C:\WINDOWS\system32\chkal.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
    C:\WINDOWS\system32\cidntz.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
    C:\WINDOWS\system32\ijxaaz.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\system32\uxrbqf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
    C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
    C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End

And here is the hijackthis report:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:45 AM, on 6/19/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\ijxaaz.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {55BC0B87-99F7-4859-9985-210257629C24} - C:\WINDOWS\System32\uxrbq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [anjl] C:\WINDOWS\Zzkhcea.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/155817ca767553f5a501/netzip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Thanks again.

BTW, would you say this Ewido suite is the best security program to have? Or is there a better one?

Thanks!

Counterspy is another of the best programs. Both need to be purchased to retain the real-time protection.

===============

When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

===============

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u "C:\Program Files\Aprps\cxtpls.dll"

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Let's look for, and delete, any program segments (prefetches) that might be present and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

ijxaaz.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

c:\windows\system32\ijxaaz.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SDWin32 Class - {55BC0B87-99F7-4859-9985-210257629C24} - C:\WINDOWS\System32\uxrbq.dll (file missing)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [anjl] C:\WINDOWS\Zzkhcea.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/155817c...ip/RdxIE601.cab


Now, with all windows closed (including Internet Explorer) except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\Aprps
C:\Program Files\VVSN

files...

c:\windows\system32\ijxaaz.exe
C:\WINDOWS\Meruoq.exe
C:\WINDOWS\Zzkhcea.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If they are present and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.
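As an added example (not code from the thread, from HijackThis, or from the helpers), here is a small Python triage pass that encodes why the entries both replies asked to fix stood out: a Shell= value carrying more than Explorer.exe, Run entries that launch a bare filename, BHOs with no name or no file, services with no publisher, and IE search settings pointed at one outside host. The sample lines are copied from the first log posted above; the rules themselves are assumed heuristics, not HijackThis's own logic.

```python
"""Triage rules for HijackThis v1.99.1 log lines.

Added example for this thread; it is not part of HijackThis or of the
helpers' instructions. The rules are assumed heuristics that encode why
the entries the helpers asked to fix stood out.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the thread's first HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [psER3nP] cidntz.exe
O4 - HKCU\..\Run: [YBx5Rhj8O] chkal.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Line shapes as HijackThis 1.99.1 prints them (section prefix, then fields).
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
SEARCH_RE = re.compile(r"^R[01] - .* = (\S+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def shell_extras(value):
    """Every token of a Shell= value other than Explorer.exe itself.

    Windows starts whatever is listed here at each logon, so a second
    program (the thread's Nail.exe) is a persistence hook, not a shell."""
    return [t for t in value.split() if t.lower() != "explorer.exe"]


def command_target(command):
    """Executable part of a Run-key command line, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def search_host(url):
    """Hostname of an IE search URL; HijackThis sometimes omits the scheme."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return no_scheme.split("/", 1)[0]


def triage(log_text):
    """Run every rule over the log and return the findings in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := SHELL_RE.match(line):
            for extra in shell_extras(m.group(1)):
                findings.append(Finding(line, f"Shell hijack: {extra} starts at every logon"))
        elif m := RUN_RE.match(line):
            hive, name, command = m.groups()
            exe = command_target(command)
            if "\\" not in exe:
                # A bare filename is resolved through the search path; real
                # installers almost always register a full path.
                findings.append(Finding(line, f"{hive} Run [{name}] launches bare filename {exe}"))
        elif m := BHO_RE.match(line):
            name, _clsid, path = m.groups()
            if name == "(no name)" or path.endswith("(file missing)"):
                findings.append(Finding(line, f"BHO with no name or missing file: {path}"))
        elif m := SVC_RE.match(line):
            svc, owner, path = m.groups()
            if owner == "Unknown owner":
                findings.append(Finding(line, f"Service {svc} has no publisher: {path}"))
        elif m := SEARCH_RE.match(line):
            findings.append(Finding(line, f"IE search setting points at {search_host(m.group(1))}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

A flagged line is a candidate for review, not a verdict: legitimate entries such as Spybot's SDHelper.dll also show "(no name)", which is why the helpers checked each item against the Ewido report before listing it for "Fix checked".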

Logfile of HijackThis v1.99.1
Scan saved at 2:29:52 PM, on 6/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Everything is working fine for the moment, or so it seems.

Another quick question: I only have 256 MB of RAM, will running Ewido and Sygate Firewall slow my computer down?

Thanks again for all your help, I owe you 1000fold.
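An added example, not from the thread or from HijackThis itself, of working with the log format above programmatically: a small parser for the O4 Run-key and O23 service lines, a filter for the entries a helper looks at first (image missing, service with no vendor string), and a before/after diff of autostart entries. The sample lines are constructed in the same format, and `placeholder_unknown.exe` is a made-up name, not a file named anywhere in this thread.

```python
import re
from dataclasses import dataclass
# Constructed sample in HijackThis 1.99 log format; BEFORE_LOG adds one Run entry with a placeholder image name.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""
BEFORE_LOG = AFTER_LOG + "O4 - HKLM\\..\\Run: [sysupd] C:\\WINDOWS\\System32\\placeholder_unknown.exe\n"
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?)(?: \(([^)]+)\))? - (.*?) - (.*)$")
# First drive-letter path ending in a loadable image, so a leading rundll32.exe host is skipped.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx|ocm))", re.IGNORECASE)
@dataclass(frozen=True)
class Entry:
    section: str        # O4 (Run key) or O23 (service)
    name: str           # hive:value for Run keys, service short name for O23
    owner: str          # vendor string on O23 lines, '' for O4
    path: str           # lower-cased image path, '' if none parsed
    file_missing: bool  # HijackThis appended '(file missing)'

def parse_entries(log_text):
    # Handles O4 Run-key and O23 service lines; other sections (and Global Startup .lnk) are skipped.
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(1) == "O4" and (r := RUN_RE.match(m.group(2))):
            hive, value, rest = r.groups()
            name, owner = f"{hive}:{value}", ""
        elif m and m.group(1) == "O23" and (s := SERVICE_RE.match(m.group(2))):
            display, short, owner, rest = s.groups()
            name = short or display
        else:
            continue
        p = PATH_RE.search(rest)
        entries.append(Entry(m.group(1), name, owner, p.group(1).lower() if p else "",
                             "(file missing)" in rest))
    return entries
def review_items(log_text):
    # Entries a helper checks first: image no longer on disk, or a service with no vendor string.
    return [e for e in parse_entries(log_text) if e.file_missing or e.owner == "Unknown owner"]

def diff_autostarts(old_log, new_log):
    # (added, removed) autostart entries between two scans of the same machine.
    key = lambda e: (e.section, e.name, e.path)
    old, new = {key(e) for e in parse_entries(old_log)}, {key(e) for e in parse_entries(new_log)}
    return sorted(new - old), sorted(old - new)
```

Running `diff_autostarts` on a log taken before the cleanup and one taken after shows exactly which autostart entries the fix removed, which is easier to audit than re-reading two full logs.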

256 should be enough for you with those, but more is always better :).

Now that that's done, you need to install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.

-

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/Search > Files or Folders > in the Named box, type: *.tmp and choose Edit > Select All > File > Delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Ever since I did all this, my autorun on my primary DVD Rom has stopped working. The last CD I used in there was a German instructional CD called "Kontatke" and now when I go into my computer my D: drive is listed as "Kontatke." The only way I can get into CDs that I put in that drive is to right-click, "Explore." How can I fix this? Did I mess something up?

Thanks!

Go to Start\Run and type in REGEDIT and hit OK. Locate:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dvdrom

In the right pane double click on autorun and check to make sure the value is set to '1' and not zero. Change to '1' if necessary.

Set a system restore point first!!
