alwaysup virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by joewhite02, May 29, 2005.

  1. joewhite02

    joewhite02 Private E-2

    I have a couple of viruses that are really giving me a hard time here: the AlwaysUp trojan virus and another called Download.Trojan or something like that. I have attached my HijackThis log file and would really appreciate any help.

    thanks

    joe
     

    Attached Files:

  2. Icelander

    Icelander Private First Class

    I am trying to learn to read HJT logs

    Don't do anything I say; I am just posting this to see if I was right when you get more professional help.

    I would say that these should be fixed (do not do it, though):

    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
    C:\WINDOWS\System32\AEIWLSTA.EXE (if the above is nasty)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe (I know this because I had it once)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O18 - Protocol: bw-0s - {C4DA8E81-B952-4170-8D2A-8E468D66DD29} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (I think it's strange that you have tons of those)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

    DO NOT FIX ANY OF THOSE UNLESS TOLD TO BY SOMEONE MORE KNOWLEDGEABLE THAN ME!

    Hope I am right. Tell me if I am not! :p

    -Icelander
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    joewhite02,

    You have many issues in this HJT log. Let's take things one at a time so we can get everything.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    WinTools

    WebSearch Toolbar (Anything referring to WebSearch or Search)

    Logitech Desktop Messenger


    After you uninstall the above programs you will need to reboot. After you have rebooted, proceed with the online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you run all of the scans listed above, reboot again and post a fresh HJT log.
     
  4. Icelander

    Icelander Private First Class

    Was I right with my suggestions?
     
  5. joewhite02

    joewhite02 Private E-2

    OK, I deleted the programs that I could, but some said they could not be deleted in the Add/Remove Programs list. Then I ran all of the scans that you said to, and here is my new log.

    thanks,

    joe
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You missed a few, but you're on the right track. If it's an installed program that's bad, like WinTools, first have them uninstall it. Then proceed with shutting down processes, removing items with HJT and then manually removing the leftover files.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    joewhite02,

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Blubster <-- If you know this then keep it!


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: SDWin32 Class - {1E1E0A23-68B3-4D88-8722-0A27E39FB4DD} - C:\WINDOWS\System32\uesqr.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
    O4 - HKLM\..\Run: [oFtP3EP] dmufunc.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [uesqrc] C:\WINDOWS\System32\uesqrc.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [jvy] C:\WINDOWS\System32\jvy.exe
    O4 - HKCU\..\Run: [Zo2FROjmi] cdmtl.exe
    O4 - Startup: DLHelperEXE.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: NDWCab - http://www.neededware.com/ndw.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v45/pool/pool.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_229/webolr/OCX/FlashAX.cab

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Common Files\WinTools <-- Delete this whole folder if it exists!

    C:\Program Files\Toolbar <-- Delete this whole folder if it exists!

    C:\Program Files\Blubster <-- Delete this whole folder if it exists!

    C:\WINDOWS\system\shutmi.exe

    C:\WINDOWS\System32\jvy.exe

    C:\WINDOWS\System32\uesqr.dll

    C:\WINDOWS\System32\uesqrc.exe

    C:\WINDOWS\VCMnet11.exe

    cdmtl.exe <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  8. joewhite02

    joewhite02 Private E-2

    I did what I could. Here is the recent log.

    thanks
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [jfpaqlo] c:\windows\system32\nldcdjp.exe

    O15 - Trusted Zone: http://www.neededware.com

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate WinTools for IE service (WinToolsSvc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System\shutmi.exe

    C:\WINDOWS\System\nldcdjp.exe

    C:\WINDOWS\VCMnet11.exe

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
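The expert's replies above all work the same way: read the HijackThis report line by line, pick out the Run keys, BHOs, services and IE settings, and single out the ones that are dangling ("(file missing)" / "(no file)"), point at a bare file name with no directory, reset search pages to about:blank, or add a Trusted Zone site. The following Python is an added example that is not part of this thread and not HijackThis code; it parses a constructed sample of such lines into records and applies exactly those review heuristics (the flag names and regexes are this example's own choices), so a reader can see what the helper was checking for by eye.

```python
import re

# Constructed sample log: HijackThis entries of the kinds quoted in this
# thread. These are constructed lines, not the original poster's attachment.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [oFtP3EP] dmufunc.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Zo2FROjmi] cdmtl.exe
O4 - Startup: DLHelperEXE.exe
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Every HJT line starts with a section code (R0, R1, O2, O4, O23, ...).
LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
# O4 Run-key lines: "<hive>\..\Run: [<value name>] <image and arguments>"
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\]\s*(?P<image>.*)$")
# O23 service lines: "Service: <display> (<name>) - <owner> - <image>"
O23_RE = re.compile(
    r"^Service: (?P<display>.*?) \((?P<name>[^)]*)\) - (?P<owner>.*?) - (?P<image>.*)$"
)
DANGLING = ("(file missing)", "(no file)")


def _strip_markers(s):
    """Remove HJT's file-status annotations so only the path remains."""
    for mk in DANGLING:
        s = s.replace(mk, "")
    return s.strip()


def parse_hjt(text):
    """Turn HijackThis report lines into dicts with review flags attached.

    Lines that do not look like HJT entries are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        e = {"kind": kind, "body": body, "image": None, "flags": []}
        if any(mk in body for mk in DANGLING):
            # Registry still points at a file that is gone: typical leftover
            # of a partial removal; the key itself still needs cleaning.
            e["flags"].append("dangling")
        if kind.startswith("R"):
            # IE start/search settings: "key = value"
            _, _, value = body.partition(" = ")
            if value.strip().lower() == "about:blank":
                e["flags"].append("search-reset")
        elif kind == "O4":
            m4 = O4_RE.match(body)
            image = m4.group("image") if m4 else body.partition(": ")[2]
            e["image"] = _strip_markers(image)
            if m4 and "\\" not in e["image"] and "%" not in e["image"]:
                # A bare file name in a Run key is resolved by PATH search;
                # legitimately installed software almost always uses a
                # full path, so this is worth a look.
                e["flags"].append("bare-image")
        elif kind == "O23":
            m23 = O23_RE.match(body)
            if m23:
                e["service"] = m23.group("name")
                e["image"] = _strip_markers(m23.group("image"))
                if m23.group("owner") == "Unknown owner":
                    e["flags"].append("unknown-owner")
        elif kind == "O15":
            # Any site added to IE's Trusted Zone lowers its security
            # settings and should be justified.
            e["flags"].append("trusted-zone")
        entries.append(e)
    return entries


def triage(entries):
    """Group flagged entry bodies by flag name for a quick review list."""
    out = {}
    for e in entries:
        for f in e["flags"]:
            out.setdefault(f, []).append(e["body"])
    return out


if __name__ == "__main__":
    for flag, bodies in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"[{flag}]")
        for b in bodies:
            print("   ", b)
```

The flags are hints for a human reviewer, not verdicts: a bare file name in a Run key or an "Unknown owner" service is common in these logs but is not proof of malware on its own, which is why the thread still has a person decide which lines to fix.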
  10. joewhite02

    joewhite02 Private E-2

    OK, did all that; here is the new log. However, I am now getting some popups from Aurora. What can I do about that?

    thanks,

    Joe
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download and run this uninstaller. This has worked before; since Nail.exe has returned, I want to attempt this one.

    Download it here and reboot into Safe Mode. Run the uninstaller and then reboot back into normal mode and attach a new HJT log.
     
  12. joewhite02

    joewhite02 Private E-2

    It wouldn't let the program run in Safe Mode, so I ran it in normal mode, then rebooted. Here is the new log.

    thanks

    joe
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [rjvdmr] c:\windows\system32\ieeroi.exe
    O4 - HKLM\..\Run: [amvpvai] c:\windows\system32\nofgub.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\ieeroi.exe

    C:\WINDOWS\System32\nofgub.exe

    NEXT:
    Run CCleaner

    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  14. joewhite02

    joewhite02 Private E-2

    OK, did that. Here is the log.

    thanks,

    joe
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Are you having any further problems?
     
  16. joewhite02

    joewhite02 Private E-2

    Nope, everything seems to be good and clear. Thank you very much for your help.

    joe
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

