Trojan Horse

You need to post a HijackThis log from normal boot mode but before doing that, run the below steps.

Fisrt, download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

- Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

- Reboot into Safe Mode with no network suppost and do not run anything else but what I tell you to run!

- Run the ABIRemover.exe, press install, wait (explorer window will disapear)

- When it finishes just reboot into normal mode get a new HJT log and attach it.

 

You must remember to exit browsers ( C:\Program Files\Internet Explorer\IEXPLORE.EXE ) before running HijackThis.

Open Control Panel and select Add/Remove programs. Uninstall the below if found.
WeirdOnTheWeb
WeatherBug
wildtangent

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\psoft1.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
c:\windows\system32\wqbjwej.exe
C:\WINDOWS\inscdm\xwteieicnv.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {E044EE05-0045-FC30-A800-728758F6B6BE} - C:\WINDOWS\inscdm\xwteieicnv.dll
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepya32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [pdeptc] C:\WINDOWS\System32\pdeptc.exe
O4 - HKLM\..\Run: [eienitg] c:\windows\system32\wqbjwej.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.19/ttinst.cab

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\WeirdOnTheWeb <--- the whole folder
C:\Program Files\AWS <--- the whole folder
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\inscdm\xwteieicnv.dll
C:\WINDOWS\System32\psoft1.exe
c:\windows\system32\wqbjwej.exe
C:\WINDOWS\inscdm\xwteieicnv.exe
C:\WINDOWS\System32\pdeptc.exe
C:\windows\system32\elitepya32.exe <-- also delete all other filenames beginning with elite and ending with exe in the system32 folder.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.


Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and continue with the below.

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixIE.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixIE.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add into the registry, click YES!

Now post a new HJT log. And tell us how things are working.

 

It is critical that you remember to exit browsers before running HijackThis. You had:

C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

Also notepad.exe was running. Did you have it open for some reason?

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

System Startup Service

If that does not work, try using the short name of the service: SvcProc

Now exit HijackThis!

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
c:\windows\system32\xwlsxuo.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [kvxhmp] c:\windows\system32\xwlsxuo.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\windows\system32\xwlsxuo.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

If any of these problem entries have reappeared with new names, do not power down or reboot your PC after posting your log. Just wait until after you receive my next instructions. You can physically disconnect from the internet for security.

 

Everything should be OK! The SvcProc is not something your wanted on your PC. That is why we were trying to disable and delete the file. Just reboot and post a new log. But are you sure that there are no other lines similar to:
O4 - HKLM\..\Run: [kvxhmp] c:\windows\system32\xwlsxuo.exe

These malware items have a tendency to rename themselves.

 

That's a poor choice for color selection!
Did all of those files get deleted? It does not look like it because your nail/aurora problem has already come back. See the SvcProc is back too.

I hope you did not reboot (as I requested) after posting your log! Because the problem file will probably have renamed again. Before I can post a fix, I need to know that you have not rebooted or powered down your PC.

 

Okay! What is the current status on the SvcProc service? Is it still disabled? Does it show in your HJT log? In fact post a current HJT log right now. Do not power down yet. What I will probably want you to do, is to pull the power plug to prevent a graceful shutdown. Quite often malware makes use of Windows shutdown procedures to recreate themselves. Just continue to wait until I look at the current HJT log before doing anything.

 

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
c:\windows\system32\ojpufm.exe


After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [vrekas] c:\windows\system32\ojpufm.exe

Now exit HijackThis.

Download Pocket KillBox and extract it to its own folder.

IMPORTANT: Now print these instruction or copy them locally. I want you to run all of the below steps while physically disconnected from the internet. Do not reconnect until I say to do so. And do not open a browser until I say to.

OK! Disconnect now before continuing.

Now run killbox.

Now, Copy and Paste c:\windows\system32\ojpufm.exe into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

At this point, I want you to pull the power chord to your PC (yes you read that correctly). I want to try to prevent it from spawning on shutdown.

Wait a couple minutes and plug your power chord back in and then reboot your PC.

Now get a new HJT log. Reconnect to the internet, run your browser and come back here and post the HJT log. Tell us how the above steps went and where things stand now. Remember, if there is still a problem, do not reboot or power down after posting you HJT log.

 

Download Download Nail FIX to a folder that you can locate. Then extract the files from the ZIP files into the folder you downloaded to. This should create a subfolder call NailFix with two files in it.

Now exit all browser windows and use Windows Explorer to locate the folder and double click on nailfix.cmd. DO NOT BE ALARMED when your desktop blanks out and your Win Explorer window will close. After doing this, look at your HJT log and see if the F2 line with nail.exe and the O23 line with SvcProc on them are gone. If not, run the same process again after booting to safe mode.

 

I think we need to get a firewall installed on your PC before trying to fix anything else. Go to How to Protect yourself from malware! and install one of the free firewalls. Make sure if you ever see a message from the firewall about nail.exe svcproc.exe or those strange file names from the O4 lines, that you block it from having any access and tell it to always do that.

Also please do the following and tell me if all items are set as indicated:
Right Click Start.
Select Explorer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply.
Click OK.

 

Which firewall did you install and has anything popped up with warnings about any of the problem files we have been working on?

 

The file is okay but I do not think it needs internet access. See: http://www.liutilities.com/products/wintaskspro/processlibrary/ndisuio/

If you can figure what needs to be fix (you should be an expert by now ) by yourself, try repeating some of the cleaning steps like in messages numbers 22, 18, and 9 as may apply.


Is SvcProc running anymore? Did it reappear in your HJT log?

Post a new HJT log after trying some fixes. Remember to always double check the fixes by rebooting to make sure that they are really fixed.

 

Do one more thing for me! If that strange looking filename (the O4 line one) has come back, put a copy of it into a ZIP file and upload it here as an attachment. I want to look at it.

 

The file you compressed and uploaded is now only the dummy file the Pocket Killbox created.

Have HJT fix the below line:
O4 - HKLM\..\Run: [npimwo] c:\windows\system32\vjtdobr.exe

Reboot into safe mode and run what we ran in message number 5:

Nail/Bolder/Aurora Remover 0.3.1 Beta


Then reboot into normal mode. Let's see it anything comes back. If it does, it would mean there is another hidden process around that is regenerating this crap. If a new O4 line does appear, upload that file for me (in a ZIP file).

 

First let's make sure you have the following update on your PC:http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Get the update for your system on the line that reads:
"Microsoft Windows XP and Microsoft Windows XP Service Pack 1"

Now run this: Symantec W32.Sasser Removal Tool

Do you still have an issue?

 

You're welcome. Yes you can turn System Restore back on. You should now perform the steps in the below to help keep you clean:

How to Protect yourself from malware!