computer freeze
diamond22
08-09-2005, 01:36 PM
I have been having trouble with my computer's performance ever since I switched to DSL. My computer keeps freezing up a few minutes after startup. If it successfully starts up, it then freezes up when I try to open a program. I have McAfee virus protection on it, which finds no viruses. I also have Microsoft AntiSpyware beta version and AOL spyware on my computer. They both return different types of spyware which I delete every time. Transponder and Aurora spyware are the main ones that keep returning. Also my real-time spyware protection for MS AntiSpyware got disabled when I upgraded my virus protection and I can't enable it.
Please help.
PrntRhd
08-09-2005, 04:01 PM
OK, you have a rather nasty infection with Aurora. I have moved this to the Applications & Security forum.
Please download Ewido free trial, update it and remove what it finds. Then download HiJackThis, install into a separate folder and scan, make a log and post the log as a reply here. Wait for the experts to advise before removing anything with HJT.
Ewido Suite:
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html
HiJackThis v 1.99.1:
http://www.lurkhere.com/~nicefiles/index.html
diamond22
08-09-2005, 04:03 PM
I have been having trouble with my computer's performance ever since I switched to DSL. My computer keeps freezing up a few minutes after startup. If it successfully starts up, it then freezes up when I try to open a program. I have McAfee virus protection on it, which finds no viruses. I also have Microsoft AntiSpyware beta version and AOL spyware on my computer. They both return different types of spyware which I delete every time. Transponder and Aurora spyware are the main ones that keep returning. Also my real-time spyware protection for MS AntiSpyware got disabled when I upgraded my virus protection and I can't enable it.
Please help.
PrntRhd
08-09-2005, 04:10 PM
Merged duplicate threads.
classicsoftware
08-09-2005, 06:03 PM
Before running any scans, please post a copy of your HJT log. It will tell us if you have the Aurora infection.
I have a simple question about your DSL.
Did you have to install software?
Is your setup PPPoE?
Who is your DSL provider?
diamond22
08-09-2005, 06:48 PM
Here are the results of the HJT scan:
Logfile of HijackThis v1.99.1
Scan saved at 4:41:39 PM, on 08/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\bhcpjj.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\etb\pokapoka62.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Documents and Settings\Fred\Desktop\Spyware\HijackThis1991.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [svwxeq] c:\windows\system32\bhcpjj.exe r
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.8.6/ttinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\mgasn1.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
classicsoftware
08-09-2005, 10:33 PM
Please download, install, and update the free version of the Ewido (ewido.net/en/download/) trojan scanner:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT scan yet.
Download CCLEANER (http://www.ccleaner.com/ccdownload.asp) and install, but do not run it yet.
Please download the Nail/Aurora Spyware Fix from NoIdea USA (http://www.noidea.us/easyfile/file.php?download=20050515010747824) (Alternate download link: http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix )
Unzip it to the desktop but do NOT run yet.
Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
Select an option when the Windows Advanced Options menu appears, and then press ENTER.
When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Next, run Ewido again.
Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following item (if found):
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Now, run CCleaner.
Uncheck "Cookies" under "Internet Explorer".
If you are running Firefox, click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
diamond22
08-10-2005, 09:46 AM
The DSL provider is BellSouth and yes I had to install software before using it. I am not sure what PPPoE is.
I will run the HJT this evening when I get in.
Thanks
diamond22
08-11-2005, 09:12 AM
Here are the results from the HJT scan:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\Fred\Desktop\Spyware\HijackThis1991.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.8.6/ttinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\mvminst.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Here are the results from the ewido scan:
[1056] C:\WINDOWS\system32\kqdes.dll -> Spyware.Look2Me : Cleaned with backup
[1544] C:\WINDOWS\system32\mvminst.dll -> Spyware.Look2Me : Error during cleaning
[1596] C:\WINDOWS\system32\MBPI32.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP688\A0069024.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP692\A0074247.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP693\A0076233.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP693\A0078248.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP696\A0081410.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0083507.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0083508.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0083509.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0083510.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP699\A0086525.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP716\A0089749.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP716\A0089808.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\kqdes.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\MBPI32.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\mgasn1.dll -> Spyware.Look2Me : Cleaned with backup
classicsoftware
08-11-2005, 01:04 PM
Open HijackThis and place a check next to the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.8.6/ttinst.cab
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\mvminst.dll
Make sure ALL program and browser windows are closed except for Hijackthis and click Fix Checked.
Re-boot and delete:
C:\WINDOWS\system32\mvminst.dll
C:\WINDOWS\etb\pokapoka62.exe
Re-post a new HijackThis log and let us know how the system is running.
Also note, please post the entire Hijackthis log. If you are using MSCONFIG to stop programs from loading, make sure it is set to LOAD ALL programs before posting your next HIJACKTHIS log.
diamond22
08-12-2005, 01:21 AM
I could not find the following files on the hard drive. Did you want me to delete them using HJT?
C:\WINDOWS\system32\mvminst.dll
C:\WINDOWS\etb\pokapoka62.exe
Overall the system has improved in performance.
Logfile of HijackThis v1.99.1
Scan saved at 11:02:57 PM, on 08/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Support.com\bin\tgcmd.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Fred\Desktop\Spyware\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [ycfpal] c:\windows\system32\sduqocj.exe r
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\mvminst.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Budfred
08-12-2005, 08:22 AM
classicsoftware,
This log has Epolvy... Do you know how to handle that??
classicsoftware
08-12-2005, 10:55 AM
No, teach me....
I assume ycfpal] c:\windows\system32\sduqocj.exe r is the tipoff.
Is this the source of the Aurora? Or is it the other way around?
Budfred
08-12-2005, 08:18 PM
Yes that is the clue and it is part of the new bundle along with DSR... It will reinstall Nail if you fix it... I don't see Nail in this log right now, but I suspect it may be there anyway since Epolvy is... Killing it is tricky because it regenerates with a new name when you try... Here is a clue for DSR:
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
Here is the fix I have right now...
Please download ewido security suite (http://www.ewido.net/en/download/) it is a free version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(The status bar at the bottom will display "Update successful".)
Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)
Download CleanUp (http://www.stevengould.org/software/cleanup/download.html)
Install the program, don't run it yet, we will later.
Please download this file: Nailfix Utility (http://www.noidea.us/easyfile/file.php?download=20050711214630636)
Save it to your desktop.
DO NOT run it yet.
Download dsrfix.zip (http://www.atribune.org/downloads/dsrfix.zip)
Save it to your desktop.
Unzip dsrfix.zip and extract it to your desktop.
This will create a new folder on your desktop named dsrfix.
Do Not open that folder yet.
Please download APT (http://www.diamondcs.com.au/index.php?page=apt) and unzip the contents to a new folder on your desktop.
Open the folder you just created and click on apt.exe and search in the window for <<bad process here >>.
Open your C:\Windows\system32 folder and search for << trojan file here >>.
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select << bad process here>> and Click Kill3
Then immediately delete << trojan file here >> from your system32 folder.
Close APT.
To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft (http://support.microsoft.com/default.aspx?kbid=315222):
Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Now open ewido and do a scan of your system.
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
(add other entries here as well)
Close all open windows except for HJT, then click the Fix Checked button. Close HJT.
Now open the folder dsrfix on your desktop.
Double-Click on dsrfix.bat
A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK
Now using Windows Explorer find and remove the following folders/files
C:\WINDOWS\System32\file_name <-- File
C:\WINDOWS\folder_name\ <-- Folder
Now run the CleanUp program:
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp
Running CleanUp
Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
When CleanUp starts go to the Options button (right side of CleanUp screen)
Move the arrow down to "Custom CleanUp!"
Now place a checkmark next to the following (Make sure nothing else is checked!):
Delete Cookies
This is optional; if you leave the box checked it will remove all of your cookies. At this point removing cookies is a good idea.
Empty Recycle Bins
Delete Prefetch files
Cleanup! All Users
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply
I'll leave this for you to fill in the blanks since you are already working on this... ;)
classicsoftware
08-12-2005, 10:20 PM
Before I edit this, I want to get this 100% straight.
C:\WINDOWS\dinst.exe
C:\WINDOWS\etb\pokapoka62.exe
c:\windows\system32\sduqocj.exe r
Which goes where in the fix?
I'll obviously copy this for future reference
One more thing. When did this new item start installing Nail.exe? It was prevalent enough all by itself.
Budfred
08-12-2005, 11:18 PM
Before I edit this, I want to get this 100% straight.
C:\WINDOWS\dinst.exe
C:\WINDOWS\etb\pokapoka62.exe
c:\windows\system32\sduqocj.exe r
Which goes where in the fix?
I'll obviously copy this for future reference
One more thing. When did this new item start installing Nail.exe? It was prevalent enough all by itself.
That middle one is actually EliteBar... It needs to be fixed, but it may require a different fix if HJT won't take care of it... As for when this started, probably about 2 or 3 weeks ago... Bundling garbage seems to be all the rage for the slimewriters these days... The one from CWS is a nightmare of bundles...
Here is an example of how I did a similar fix... This was before the canned speech I posted was developed, so the order is a bit different, but I think it will give you the idea:
http://www.pcguide.com/vb/showthread.php?t=39343
classicsoftware
08-13-2005, 11:56 AM
OK Diamond22. Sorry you had to sit through the lecture. Even though we have done some of these fixes before we'll run the entire playbook again. You may want to print this out first:
Download CleanUp (http://www.stevengould.org/software/cleanup/download.html)
Install the program, but don't run it yet; we will later.
Please download this file: Nailfix Utility (http://www.noidea.us/easyfile/file.php?download=20050711214630636)
Save it to your desktop.
DO NOT run it yet.
Download dsrfix.zip (http://www.atribune.org/downloads/dsrfix.zip)
Save it to your desktop.
Unzip dsrfix.zip and extract it to your desktop.
This will create a new folder on your desktop named dsrfix.
Do Not open that folder yet.
Please download APT (http://www.diamondcs.com.au/index.php?page=apt) and unzip the contents to a new folder on your desktop.
Open the folder you just created and click on apt.exe and search in the window for c:\windows\system32\sduqocj.exe.
Open your C:\Windows\system32 folder and search for c:\windows\system32\sduqocj.exe.
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select c:\windows\system32\sduqocj.exe and Click Kill3
Then immediately delete c:\windows\system32\sduqocj.exe from your system32 folder.
Close APT.
To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft (http://support.microsoft.com/default.aspx?kbid=315222):
Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Now open ewido and do a scan of your system.
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ycfpal] c:\windows\system32\sduqocj.exe
Close all open windows except for HJT, then click the Fix Checked button. Close HJT.
Now open the folder dsrfix on your desktop.
Double-Click on dsrfix.bat
A window will pop up briefly and then close; this is normal.
Enable show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK
Now using Windows Explorer find and remove the following folders/files
C:\WINDOWS\dinst.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\System32\sduqocj.exe <-- Files
C:\WINDOWS\etb\ <-- Folder
Now run the CleanUp program:
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp
Running CleanUp
Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
When CleanUp starts go to the Options button (right side of CleanUp screen)
Move the arrow down to "Custom CleanUp!"
Now place a checkmark next to the following (Make sure nothing else is checked!):
Delete Cookies
This is optional; if you leave the box checked it will remove all of your cookies. At this point removing cookies is a good idea.
Empty Recycle Bins
Delete Prefetch files
Cleanup! All Users
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply
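As an added example (not a tool from this thread or from any of the helpers), the script below parses the F2 and O4 lines HijackThis prints, in the format quoted above, and sorts them into the three lists this fix uses: HJT entries to tick, files to delete, and leftover folders to remove. The malicious paths are taken from the helper's own list as analyst input; the only rule the script applies by itself is that a system.ini Shell= value should contain nothing but Explorer.exe, so anything after it is treated as an extra file to remove. The sample log and the "Example Updater" entry are constructed for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: the four HijackThis lines quoted in this thread
# plus one made-up benign entry so the output also shows a line left alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ycfpal] c:\windows\system32\sduqocj.exe
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe
"""

# Paths the helpers identified as malicious in this thread. This is analyst
# input; the script does not decide on its own which Run entries are bad.
THREAD_BAD_PATHS = [
    r"C:\WINDOWS\dinst.exe",
    r"C:\WINDOWS\etb\pokapoka62.exe",
    r"C:\WINDOWS\System32\sduqocj.exe",
]

F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# An unquoted command line's executable ends at the first ".exe" that is
# followed by whitespace or the end of the line (paths may contain spaces).
EXE_END = re.compile(r"^(?P<path>.+?\.exe)(?:\s|$)", re.IGNORECASE)


def exe_path(cmd):
    """Pull the executable path out of a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_END.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def is_system_dir(path):
    """True for the Windows directory itself or its System32 folder, which must never be deleted."""
    tail = tuple(part.lower() for part in PureWindowsPath(path).parts[1:])
    return tail in {("windows",), ("windows", "system32")}


def parse_line(line):
    """Return ("shell", info) or ("run", info) for lines this parser understands, else None."""
    line = line.strip()
    m = F2_SHELL.match(line)
    if m:
        # The Shell value is a space-separated list of programs and Windows
        # starts every one of them; a clean XP install has exactly Explorer.exe.
        return ("shell", {"programs": m.group("value").split(), "raw": line})
    m = O4_RUN.match(line)
    if m:
        return ("run", {"name": m.group("name"), "cmd": m.group("cmd"), "raw": line})
    return None


def triage(log_text, known_bad):
    """Sort parsed entries into the removal lists used in the thread's fix."""
    bad = {p.lower() for p in known_bad}
    result = {"hjt_fix": [], "files": [], "folders": [], "left_alone": []}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, info = parsed
        if kind == "shell":
            extras = [p for p in info["programs"] if p.lower() != "explorer.exe"]
            if extras:
                result["hjt_fix"].append(info["raw"])
                result["files"].extend(extras)
            continue
        path = exe_path(info["cmd"])
        if path.lower() in bad:
            result["hjt_fix"].append(info["raw"])
            result["files"].append(path)
        else:
            result["left_alone"].append(info["raw"])
    # A folder is only listed for removal when it is not a core Windows directory.
    for path in result["files"]:
        parent = str(PureWindowsPath(path).parent)
        if not is_system_dir(parent) and parent not in result["folders"]:
            result["folders"].append(parent)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, THREAD_BAD_PATHS)
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

On the sample log this yields four HJT lines to fix, four files (the three listed paths plus Nail.exe from the Shell= line), one folder (C:\WINDOWS\etb) and one entry left alone. The folder rule exists because, as the thread shows, removing the whole etb folder is safe while removing the WINDOWS or System32 folder never is.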
diamond22
08-16-2005, 02:27 PM
I am having trouble getting online with DSL and dial-up. I ran all of the scans but I still could not find these files:
C:\WINDOWS\dinst.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\System32\sduqocj.exe <-- Files
C:\WINDOWS\etb\ <-- Folder
I found and deleted the etb folder, but pokapoka62 was not in it.
I am considering reinstalling XP on the computer or taking it to someone (Best Buy/Geek Squad) to have them look at it.
classicsoftware
08-16-2005, 03:00 PM
You might have to show hidden files to delete them. For now just post a new HJT log. I would not recommend Geek Squad or Best Buy. Find a good local shop where you won't get taken. Geek Squad is a rip-off from what I've heard.
If you don't have any data of value on the PC, you can re-format and re-install your OS. I hate to let the bastards get the best of me. You have a very nasty infection that is hard to get rid of.
Part of the problem is your system is NOT up to date and basically has no protection from this stuff.
Please post another HJT log and let us know how things are going.
Budfred
08-16-2005, 07:42 PM
This is elitebar and needs LQfix:
C:\WINDOWS\etb\pokapoka62.exe
classicsoftware
08-16-2005, 08:55 PM
Download LQfix from here (http://users.pandora.be/bluepatchy/LQfix.zip)