Help with win32:trojano

Discussion in 'Malware Help (A Specialist Will Reply)' started by fwbbetsy, Apr 23, 2005.

  1. fwbbetsy

    fwbbetsy Private E-2

I have done all the scans and cannot get rid of this. Can someone help me? The scans I have done are:

    adaware- came out clean
    ccleaner
    spybot - came out clean
    stinger - found nothing
    swshredder - found nothing
    swat it - found nothing

    thanks

    Betsy
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Did you do the online scans too? You did not mention them. And Swat It is not on our list, so I'm just checking to see that you completed all of our procedure.

    If you have run all steps and still have a problem, follow the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. fwbbetsy

    fwbbetsy Private E-2

I ran Trend Micro and got this error

trog small.agt (non cleanable)

    and have attached the file from hjt

I tried to do the Symantec one but it didn't work.

    Thanks for your help

    Betsy
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Please answer some questions:

    Do you know what the below is?
    C:\DOCUME~1\BETSY~1.ME-\LOCALS~1\Temp\180SACIDInstaller.exe

    Why is all this stuff from Netscape running?
    C:\Program Files\Netscape Internet Service\dialer.exe
    C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
    C:\Program Files\Netscape Internet Service\css.exe

    Why is Winzip running?
    C:\PROGRA~1\WINZIP\winzip32.exe

    Do you need this ProxyServer setting:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

    Please install HijackThis where requested. You have it where specifically requested not to put it.
    C:\Documents and Settings\Betsy.ME-UMGLJZ2QRYPD\Local Settings\Temp\HijackThis.exe
     
  5. fwbbetsy

    fwbbetsy Private E-2

    Okay! Please answer some questions:

    Do you know what the below is?
    C:\DOCUME~1\BETSY~1.ME-\LOCALS~1\Temp\180SACIDInstaller.exe - not sure

Why is all this stuff from Netscape running? It's my internet service
    C:\Program Files\Netscape Internet Service\dialer.exe
    C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
    C:\Program Files\Netscape Internet Service\css.exe

    Why is Winzip running? Not sure
    C:\PROGRA~1\WINZIP\winzip32.exe

Do you need this ProxyServer setting: don't know
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to ALWAYS exit ALL browsers before running HijackThis. Crazy Browser is a browser too.
One more question, do you know what the below is? It seems questionable to me:

    C:\Program Files\Instant Buzz\IBDaemon.exe
     
  7. fwbbetsy

    fwbbetsy Private E-2

Well, it's a program that runs on my Internet Explorer that I use
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's Ad-ware!!!! You do not want it.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Look in Add/Remove Programs for an uninstall to the below and uninstall if found:
    Instant Buzz

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\nvkpiv.exe
    C:\Program Files\Instant Buzz\IBDaemon.exe
    C:\DOCUME~1\BETSY~1.ME-\LOCALS~1\Temp\180SACIDInstaller.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nvkpiv.exe
    O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
    O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\BETSY~1.ME-\LOCALS~1\Temp\180SACIDInstaller.exe /did=5592
    O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\nvkpiv.exe <--- this will probably come back! The next steps we do will get it.
    C:\Program Files\Instant Buzz <--- the whole folder
    C:\Documents and Settings\BETSY~1.ME-\Local Settings\Temp\180SACIDInstaller.exe

Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
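The HijackThis lines quoted in this thread are a good illustration of what an analyst looks for when triaging such a log: autostart entries that launch from a Temp folder, browser start/search pages redirected to a local HTML file, a proxy forced through a loopback port, and orphaned entries that point at files which no longer exist. The following small parser is an added example, not part of the thread, of HijackThis or of MajorGeeks' procedure; the detection rules are assumptions chosen to match the items chaslang singled out, and the sample lines are assembled from the log excerpts quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: HijackThis-style lines copied from the excerpts quoted in this thread.
# Raw string so the Windows backslashes (and sequences like \180) are kept literally.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nvkpiv.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\BETSY~1.ME-\LOCALS~1\Temp\180SACIDInstaller.exe /did=5592
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Heuristics (assumed, not HijackThis rules): each one is a reason to look closer, not a verdict.
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*.*\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
LOCAL_PAGE = re.compile(r"(?:Search Bar|Start Page|Search Page|Default_Page_URL)\s*=\s*file://",
                        re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    body: str
    reasons: List[str] = field(default_factory=list)


def assess(line: str) -> Optional[Finding]:
    """Parse one HijackThis line and attach the reasons (if any) it deserves review."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # not a log entry (blank line, header, process list, ...)
    kind, body = m.group("kind"), m.group("body")
    reasons: List[str] = []
    if kind == "O4" and TEMP_DIR.search(body):
        reasons.append("autostart entry launches an executable from a Temp folder")
    if ORPHAN.search(body):
        reasons.append("entry points at a file that no longer exists")
    if kind in ("R0", "R1") and LOOPBACK_PROXY.search(body):
        reasons.append("browser traffic is proxied through a local port; confirm a legitimate "
                       "local proxy (e.g. a web accelerator) is actually installed")
    if kind in ("R0", "R1") and LOCAL_PAGE.search(body):
        reasons.append("browser start/search page points at a local HTML file")
    return Finding(kind, body, reasons)


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        f = assess(line)
        if f is not None and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.body}")
        for r in f.reasons:
            print(f"    -> {r}")
```

Note what these rules do not catch: the `[KavSvc] C:\WINDOWS\System32\nvkpiv.exe` Run entry is a randomly named binary in a legitimate directory and passes every heuristic here, and `IBBar.dll` only stands out if you already know Instant Buzz is adware. That is exactly why the expert in this thread asks the user about each unfamiliar item rather than relying on a pattern match; path-based rules narrow the list, they do not finish the job.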
  9. fwbbetsy

    fwbbetsy Private E-2

Hope I did everything right, but here it is

    Thanks

    Betsy
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now to fix:

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nvkpiv.exe


1) Please download and extract all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, double-click Find-Qoologic.bat to run the tool. It should produce two log files. - Please attach them with your next post! It is possible that one of them will be too large to attach. If so, you should put it into a ZIP file and attach that. If you do not know how to do that, just skip the one that is too large.

2) Please download and extract all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post the logs as attachments. Three attachments will take two messages.
     
  11. fwbbetsy

    fwbbetsy Private E-2

    I only got one file from the first program and one from the second one

    Betsy
     

  12. fwbbetsy

    fwbbetsy Private E-2

    Just making sure you didn't forget about me... :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

No! I did not forget you. I just have not had time to get back here for a while.

    Please download Pocket KillBox and extract it to its own folder somewhere

    Now run KillBox.

Below you will be entering items into Pocket KillBox. Please read through all of the instructions so that you understand the steps and do not do something we do not want. Okay! Now select the "Delete on Reboot" and "End Explorer Shell While Killing File" options. Now copy and paste each of the below files into the box, making sure Delete on Reboot and End Explorer Shell While Killing File are checked for each entry. Click the Red X to delete each one, but DO NOT allow your machine to reboot until the last item has been entered:


** Note: For the DLLs, instead of End Explorer Shell While Killing File, check the Unregister .dll Before Deleting box instead.

    Okay here is the list of files:
    C:\WINDOWS\KJZOM.DLL
    C:\WINDOWS\wupdsnff.exe
    C:\WINDOWS\system32\vpkaw.dat
    C:\WINDOWS\System32\AAUKD.DLL
    C:\WINDOWS\System32\GTRISTY.DLL
    C:\WINDOWS\system32\winup2date.dll
    C:\WINDOWS\System32\NVKPIV.EXE
    C:\WINDOWS\System32\OBMNDBA.EXE
    C:\WINDOWS\System32\WMCONFIG.CPL
    C:\WINDOWS\UNADBEH.EXE
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\tnik.exe

    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer. If you get a Pending File operations type error message, just reboot your PC yourself.

    After reboot attach a new HijackThis Log and tell me how things are working and if you had any trouble with the above instructions.
     
