Logfile of HijackThis v1.99.1
Scan saved at 9:56:26 PM, on 7/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\SAVScan.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\DAEMON Tools\daemon.exe
G:\Program Files\Common Files\AOL\1145160770\ee\AOLSoftware.exe
G:\WINDOWS\System32\rundll32.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\WINDOWS\System32\devldr32.exe
G:\Program Files\TClock\TClock.exe
g:\program files\common files\aol\1145160770\ee\aim6.exe
G:\Documents and Settings\Hoodz\Desktop\HijackThis.exe
G:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe, G:\WINDOWS\System32\rhcbx.exe
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,ddjfihw.exe
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0B8F5A08-95CC-F37B-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {10F62E6E-BB8C-D802-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {198A0D66-E78E-D804-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {31206883-8F49-C288-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - G:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3EAC253C-B9A9-8A30-A146-EA2B22CE8B9E} - G:\WINDOWS\System32\isezc.dll (file missing)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - G:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {4E261F83-FA3D-C2BC-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: (no name) - {5023C73A-5BA0-3A39-F4EA-00D5FD73B99E} - G:\WINDOWS\System32\ojkrom.dll (file missing)
O2 - BHO: (no name) - {557A956D-56A3-3439-F4EA-00D5FD73BB99} - G:\WINDOWS\System32\cyrwf.dll (file missing)
O2 - BHO: (no name) - {562C9338-53F2-366E-F4EA-00D5FD73BF98} - G:\WINDOWS\System32\qie.dll (file missing)
O2 - BHO: (no name) - {567DC638-5BA6-3138-F4EA-00D5FD73BC9D} - G:\WINDOWS\System32\etysdg.dll (file missing)
O2 - BHO: (no name) - {587E9769-56A2-3035-F4EA-00D5FD73B0CA} - G:\WINDOWS\System32\bnalau.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67FE7966-E9FF-D830-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {68AC7E3D-BDA9-D865-A146-EA2B22CED2CE} - G:\WINDOWS\System32\ulxbph.dll (file missing)
O2 - BHO: (no name) - {6EF7286D-B5FD-D836-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {6EF7286E-B9AE-DE30-A146-EA2B22CE809A} - G:\WINDOWS\System32\ezwlk.dll (file missing)
O2 - BHO: (no name) - {74895E0B-95B9-F34F-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {8C7B4E05-F4E2-9A3A-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O2 - BHO: (no name) - {95BC3E31-F8AC-9E34-F83F-FDEA6EEA2290} - G:\WINDOWS\System32\vualu.dll (file missing)
O2 - BHO: (no name) - {9910B117-7CAD-1426-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {9CEF6966-ACA8-9F6F-F83F-FDEA6EEA28C5} - G:\WINDOWS\System32\wkfzj.dll (file missing)
O2 - BHO: (no name) - {A4093C52-D796-C954-CD4E-FABADB3918C4} - G:\WINDOWS\System32\qxduuj.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E667B614-72D9-1412-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {F30D3805-8191-9A0E-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "G:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IpWins] G:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1145160770\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 G:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TClock.exe] G:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Aim6] "G:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/162287c683f9971dcf03/netzip/RdxIE601.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O20 - AppInit_DLLs: smss.dll G:\WINDOWS\System32\smss.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\Sm9zaCBEaXhzb24\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - G:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - G:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

__________________________________________________________

This is my bud's computer...he has the computer knowledge of a common orangutan...I went through it and fixed a bunch of shit (it's messed up now, but you should have seen it before). I ran CCleaner, and Killboxed a few things that were being mean...but the computer is still running a bit slow. If someone can read through this, I'd appreciate it.

All 5 Replies

I think he is using an onboard sound card, next time I'm over there, I'll check out his device manager and see if it is Creative...

That's a fairly infected/infested system, and here's one of the biggest reasons: the following info in your HJT log's header shows that you are running a totally "virgin" version of Windows XP. That is, no Service Packs, Security/Bug Fixes, etc. have been installed:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running such an outdated, unpatched version of Windows, your system will almost certainly get reinfected in no time. You should use the Windows Update feature to bring your system up to a fully-patched version of Service Pack 1 (note that upgrading to Service Pack 2 on an infected system is not recommended!). Once you've done that, the info in your log's header should read as follows:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


I have tried to convince him to patch his computer up with the updates, he says he can't for whatever reason. I know he has a legit version of Windows...I installed it for him. (Unless his pops gave me a bogus version.) Now that I finally convinced him to, his computer is too messed up to patch now. I've been trying to clean it to prepare it for updates, but whatever is there is being anal.

As for the soundcard - It is Creative, I can't find any removal instructions for it, and I'm getting mixed reviews for the file on my searches, some say it's bad, some say it's a legit file used by Creative. None say how to get rid of it other than (Buy this malware program).

*mutters*

I have tried to convince him to patch his computer up with the updates, he says he can't for whatever reason.

Please try to find out exactly why he can't update the system. If he doesn't at least upgrade to the final Service Pack 1 rollup, the nastier variants of some of the infections currently out there "in the wild" will just walk right back in to his system.

As for the soundcard - It is Creative, I can't find any removal instructions for it, and I'm getting mixed reviews for the file on my searches, some say it's bad, some say it's a legit file used by Creative.

There is a valid and non-malicious Creative file named devldr32.exe, but as is often the case, there is also a malicious file which uses the same name in an attempt to avoid detection. We'll deal with that issue in the course of the general disinfecting.


OK, here we go... the system has several infections, so please be patient.

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Use Norton's Live Update feature to install the most current Norton antivirus updates.

* Download the following utilities and save them to your desktop or another convenient folder:

ATF-Cleaner
ewido Anti-spyware (30-day trial version)
WinsockXPFix
PurityScan/Oin Uninstaller

* Open your Add/Remove Programs control panel and uninstall any and all software related to the following:

PurityScan
Oin
Outerinfo
MyWay/MySearch/MyBar
NewdotNet

* Run the PurityScan/Oin Uninstaller. A graphical walk-through of the uninstall procedure can be found here.


* Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named Command Service or cmdService and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
- Close the Services utility.

* Install and Configure ewido:

  • Close all other Applications and then run the ewido installer
  • Select language, click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait; Ewido will open its main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get the updates.
  • When updating has finished, close Ewido.

* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button:

F2 - REG:system.ini: Shell=Explorer.exe, G:\WINDOWS\System32\rhcbx.exe
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,ddjfihw.exe
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {0B8F5A08-95CC-F37B-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {10F62E6E-BB8C-D802-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {198A0D66-E78E-D804-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {31206883-8F49-C288-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - G:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3EAC253C-B9A9-8A30-A146-EA2B22CE8B9E} - G:\WINDOWS\System32\isezc.dll (file missing)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - G:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {4E261F83-FA3D-C2BC-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: (no name) - {5023C73A-5BA0-3A39-F4EA-00D5FD73B99E} - G:\WINDOWS\System32\ojkrom.dll (file missing)
O2 - BHO: (no name) - {557A956D-56A3-3439-F4EA-00D5FD73BB99} - G:\WINDOWS\System32\cyrwf.dll (file missing)
O2 - BHO: (no name) - {562C9338-53F2-366E-F4EA-00D5FD73BF98} - G:\WINDOWS\System32\qie.dll (file missing)
O2 - BHO: (no name) - {567DC638-5BA6-3138-F4EA-00D5FD73BC9D} - G:\WINDOWS\System32\etysdg.dll (file missing)
O2 - BHO: (no name) - {587E9769-56A2-3035-F4EA-00D5FD73B0CA} - G:\WINDOWS\System32\bnalau.dll (file missing)
O2 - BHO: (no name) - {67FE7966-E9FF-D830-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {68AC7E3D-BDA9-D865-A146-EA2B22CED2CE} - G:\WINDOWS\System32\ulxbph.dll (file missing)
O2 - BHO: (no name) - {6EF7286D-B5FD-D836-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {6EF7286E-B9AE-DE30-A146-EA2B22CE809A} - G:\WINDOWS\System32\ezwlk.dll (file missing)
O2 - BHO: (no name) - {74895E0B-95B9-F34F-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {8C7B4E05-F4E2-9A3A-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O2 - BHO: (no name) - {95BC3E31-F8AC-9E34-F83F-FDEA6EEA2290} - G:\WINDOWS\System32\vualu.dll (file missing)
O2 - BHO: (no name) - {9910B117-7CAD-1426-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {9CEF6966-ACA8-9F6F-F83F-FDEA6EEA28C5} - G:\WINDOWS\System32\wkfzj.dll (file missing)
O2 - BHO: (no name) - {A4093C52-D796-C954-CD4E-FABADB3918C4} - G:\WINDOWS\System32\qxduuj.dll (file missing)
O2 - BHO: (no name) - {E667B614-72D9-1412-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {F30D3805-8191-9A0E-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O4 - HKLM\..\Run: [IpWins] G:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 G:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: smss.dll G:\WINDOWS\System32\smss.dll
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\Sm9zaCBEaXhzb24\command.exe (file missing)

* In HijackThis' main window, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter the following in the deletion box and press OK: cmdService
Close HijackThis after that.


* Run WinsockXPFix; instructions can be found here:
http://www.iup.edu/house/resnet/winfix.shtm


* Reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Log in to the Administrator account.

* Run ATF-Cleaner
- Double-click ATF-Cleaner.exe to open the program.
- Under Main choose: Select All
- Click the Empty Selected button.

If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


* Run a full system scan with Norton; have it fix all malicious items it finds.

* Open Ewido

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close Ewido.

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

* Locate and delete the following files (if they still exist):

G:\WINDOWS\System32\rhcbx.exe
G:\WINDOWS\System32\ddjfihw.exe
G:\WINDOWS\System32\vbwtouvi.dll
G:\WINDOWS\System32\ioufilb.dll
G:\WINDOWS\System32\gogckfrj.dll
G:\WINDOWS\System32\rkuwyv.dll
G:\WINDOWS\System32\isezc.dll
G:\WINDOWS\System32\ojkrom.dll
G:\WINDOWS\System32\cyrwf.dll
G:\WINDOWS\System32\qie.dll
G:\WINDOWS\System32\etysdg.dll
G:\WINDOWS\System32\bnalau.dll
G:\WINDOWS\System32\ulxbph.dll
G:\WINDOWS\System32\ezwlk.dll
G:\WINDOWS\System32\apfaq.dll
G:\WINDOWS\System32\vualu.dll
G:\WINDOWS\System32\vtla.dll
G:\WINDOWS\System32\wkfzj.dll
G:\WINDOWS\System32\qxduuj.dll
G:\WINDOWS\System32\smss.dll

* Delete the following folders entirely:

G:\WINDOWS\Sm9zaCBEaXhzb24
G:\Program Files\E2G
G:\Program Files\NewDotNet
G:\Program Files\ipwins

* Empty your Recycle Bin and reboot normally.

* Run HijackThis again and post the new log. Also post the log that ewido generated.
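
A triage sketch for logs in the format posted in this thread, added here as an example; it is not part of the original posts or of HijackThis. It repeats the header check the reply makes (no service pack named on the Platform line) and flags some of the entry shapes that appear in the fix list. The function names and heuristics are assumptions and do not cover every entry in that list; the sample lines are copied from the log above.

```python
import re

# Lines copied from the HijackThis log posted in this thread (abridged).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
F2 - REG:system.ini: Shell=Explorer.exe, G:\WINDOWS\System32\rhcbx.exe
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,ddjfihw.exe
O2 - BHO: (no name) - {0B8F5A08-95CC-F37B-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: smss.dll G:\WINDOWS\System32\smss.dll
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\Sm9zaCBEaXhzb24\command.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - G:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")


def header_unpatched(log):
    """True when the Platform line names no service pack, as in the reply above."""
    m = re.search(r"^Platform: (.*?) \(", log, re.MULTILINE)
    return bool(m) and not re.search(r"\bSP\d", m.group(1))


def extra_values(body):
    """Programs chained after the default Shell/UserInit value in an F2 entry."""
    value = body.split("=", 1)[1]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    defaults = ("explorer.exe", "userinit.exe")
    # Compares file names only; it does not verify where the default lives.
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] not in defaults]


def triage(log):
    """Return (code, reason, line) tuples for entries that deserve a manual look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "F2" and "=" in body and extra_values(body):
            findings.append((code, "extra program chained to Shell/UserInit", line))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            findings.append((code, "unnamed browser helper object", line))
        elif code == "O4" and "\\" not in body.split("] ", 1)[-1]:
            findings.append((code, "autorun entry without a full path", line))
        elif code == "O10":
            findings.append((code, "HijackThis reports hijacked Internet access", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((code, "AppInit_DLLs is not empty", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service binary has no vendor information", line))
    return findings


if __name__ == "__main__":
    print("No service pack in header:", header_unpatched(SAMPLE_LOG))
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {line}")
```

A flagged line is a prompt to look the entry up, not a verdict: legitimate software can match these patterns, and entries the helper marked for fixing (such as the New.net rundll32 autorun) pass through unflagged.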
