trjoan horse downloader.small.33.f

First I have to ask why are you formatting so often? Is it because of virus problems or for some other reason? It should not be necessary to do this so often and chances are that if you are doing that so often, you probably are not getting all the proper patches and updates applied to your system.

Second, what do you mean by backup disks? Spare harddisk, CD, floppies? How much are you backing up?

Please follow ALL of the steps below completely. Do not skip anything.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus RemovalMake sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENTto your next message. (Do NOT copy/paste the log into your post).

 

Don't worry about it! Just continue to complete the procedures.

 

It tells you when to run them in the section titled:

Scanning And Cleaning Steps: (These 4 steps are NOT optional and must be run!!)

Just follow the steps.

 

Ccleaner should be run with the default options set. You should clean all the items by default. Just do not use the other tabs (like the Issues tab).

The Spybot DSO patch is no longer needed since the new release came out (forgot to remove that line from the procedure - now it is removed. Thanks!)

You were not suppose to run about:buster or HSremove. They are only for problems with about:blank or HSA hijackers which you do not have.

I'm not sure what happen to your ntoskrnl.exe file but try the below:

Open a command prompt window by clicking Start, Run, and enter cmd and click OK.
In the command prompt window type the below commands each follow by the enter key. Make sure you type them exactly as written.

cd c:\windows\system32

copy "..\driver cache\i386\ntoskrnl.exe"


If prompted to overwite the existing file, type y and enter.

If you receive a file not found error, make sure that the path in the copy command is correct. If it is correct and you still receive the error, then try the following commands:

cd "c:\windows\driver cache\i386"

expand sp1.cab -F:ntoskrnl.exe c:\windows\system32


Again, if you are prompted to overwrite the file, type y and then enter.

Now reboot and see if this problem is fixed. Now post the HijackThis log I requested.

 

Disconnect (physically unplug your cable) from the internet and exit all browsers. Then safe a new HijackThis log. Now reconnect to the internet and try to post your log even if you have to post it inline.

 

Why are you running two instances of HijackThis and why didn't you install it as requested? You have the below in your log:

C:\Documents and Settings\Slide Queen\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Slide Queen\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

This means yo are running it twice and that you are running it directly from the ZIP file which I requested that you not do. You must fix this or you will not get any backups.
Why are you trying to view winmm.dll. It is not an image file.

You need to open Control Panel and run Add/Remove programs and uninstall WeatherBug.

I do not use AIM so explain to me why there are two types of AIM running. aim.exe and aim+.exe
Why are both required?

You have both AVG and Symantec antivirus scanners installed. You must use only one. Pick one and uninstall the other.

Download and run this: EliteToolbar Remover

I'm looking at the rest of your log now.

 

Also run follow the below steps:

To fix your problem with nail:

- Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
- At the command prompt opens, type the below command and then hit the enter key:

nail.exe /FullRemove

Now the Aurora problem:

Download and run the uninstaller: Aurora Uninstaller

After you run this tool, reboot and then continue with the steps below!

 

Do you know what the below is?

C:\Program Files\ATS\ats.exe

There are some trojans that go by this filename.

 

Look in Add/Remove programs for Internet Optimizer and uninstall if found.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\kkpian.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
c:\windows\system32\rzlvfkj.exe
C:\Program Files\ATS\ats.exe


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepaa32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kkpian.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [epatxa] c:\windows\system32\rzlvfkj.exe

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\Documents and Settings\All Users\Application Data\msw <--- the whole folder
C:\WINDOWS\EliteToolBar <--- the whole folder
C:\Program Files\Internet Optimizer <--- the whole folder
C:\WINDOWS\System32\kkpian.exe
c:\windows\system32\rzlvfkj.exe
c:\windows\system32\AUNPS2.DLL
C:\WINDOWS\cfgmgr51.dll
C:\windows\system32\elitepaa32.exe <-- also delete all other filenames beginning with elite and ending with exe in the system32 folder.


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

If two hijackthis.exe files show in your process list. You had two of them running.

I do not need to see a screen image. You are getting that message because HijackThis is running from Temp Internet folder (TIF) because you are not extracting it from the ZIP file as requested in my directions.

I also do not need you to keep posting any info about popups each time you come back. Until we are done fixing the problems, you will still have problems. Complete all my steps first and then let's see where things stand. But FIRST install HijackThis properly by extracting it from the ZIP file into the folder requested.


Please complete running the steps in messages # 14 to 17.

 

This sounds a little contradicting! First you say you are not getting anymore popups and then you say you are still getting popups. I would say you are still getting them because you still do not have all your problems fixed and some new problems have showed up.

I do not use a popup blocker as I have not really found one necessary. And if you use Firefox as a browser, a popup blocker is built in.

You need to open Control Panel and run Add/Remove programs and uninstall Weatherbug!

Your new problems require some special tools to helps us fix them. First we need to find a bunch of hidden bad files. The steps below will help us do that:

Follow the steps below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log after rebooting back to normal mode.

After posting the above two logs, we will work up fix for your remaining problems.

 

Make sure you still have system restore disabled. It should remain disable until we have fixed all problems.

Download Pocket Killbox and save it to its own folder where you can find it.

Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

Run Killbox by double clicking on the killbox.exe file.

Check the following boxes:

Standard File Kill
End Explorer Shell While Killing file

Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.

C:\WINDOWS\ZZOMR.DLL
C:\WINDOWS\system32\kkawg.dat
C:\WINDOWS\system32\kkpian.exe
C:\WINDOWS\system32\qojuexx.exe
C:\WINDOWS\system32\rrisegb.dll
C:\WINDOWS\system32\uukdo.dll
C:\WINDOWS\system32\ikw1.sys
C:\WINDOWS\system32\mirindaspe.exe
C:\WINDOWS\system32\v3zdm.exe
C:\WINDOWS\ikw1.sys
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iikr.exe



With the full path to the file name in the Full Path of File to Delete textbox. The filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully delete you will get a message of confirmation. Just click OK!
Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
- in Killbox select the option to Delete on Reboot
- uncheck the option to End Explorer Shell While Killing file

Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

When you do enter the last file name that needs to be deleted, click Yes on the last file.
Note: Killbox will let you know if the file does not exist.

Okay so now your PC should be reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

After reboot download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet.

Now reboot into safe mode with no network support, make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You still have not uninstall Weather Bug. It is in your log.
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

Please open Control Panel and run Add/Remove Programs. Look for Weather Bug or Weather and uninstall it.

Each time you run HijackThis to create a log, it defaults to creating a file named hijackthis.log which will overwrite the previous log saved with the same name. For uploading here, it is sometime necessary to change the name of the file each time. As you already did, it is useful to just add a number to the log file each time.

You MUST remember to exit your browsers before running HijackThis. You had two of them running:

C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

Were you able to complete the steps in message # 25 properly? It does not look like it. I still see the same problems.

Download this: ABIremover

Unzip it into its own folder. Now boot into safe mode with no network support and do not open any browsers. Now run the the ABIremover.exe file.

When done reboot into normal mode and post a new HJT log.

 

My directions always tell you what mode to be in.

Did you run ABIremover? If so, I need to see a new HJT log.

 

Okay! Since you did not post the new HJT log, I'm going to assume things are the same as in the last log you posted.

System restore should still be disabled until we are finished fixing all problems.
Make sure viewing of hidden files is enabled.

If you are sure you are closing your browsers then they could be running due to a malware problem. So my below process is going to have you kill any that may be running.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
c:\windows\system32\ugczktn.exe
C:\Program Files\Internet Explorer\iexplore.exe <--- kill all instances of iexplore.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kkpian.exe
O4 - HKLM\..\Run: [vfhbvdy] c:\windows\system32\ugczktn.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\kkpian.exe
c:\windows\system32\ugczktn.exe
C:\Program Files\AWS <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You must not reboot or power down you PC after posting logs. Your problems are changing names when you do and that it the reason you are not finding some of the items I listed to be fixed.

I did not say run CCleaner with read me. I said run Ccleaner and added an note explaining that it was one of the items your downloaded while running the READ ME FIRST sticky thread.

Task Manager is brought up by hitting CTRL-ALT-DEL simultaneously. You could also use the Process Manager of HJT to kill the processes if necessary.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\windows\system32\notepad.exe
c:\windows\system32\ilkpaq.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [ksarvg] c:\windows\system32\ilkpaq.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\windows\system32\ilkpaq.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner. Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

DO NOT REBOOT after posting your log.

 

Yes! If those same items still exist and nothing new has popped up. In 3 weeks, alot can change.