Hi and Welcome to TSF!
You have a severe case of multiple infections.
Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".
It would appear that your Operating System and Internet Explorer are seriously outdated, and this seems to be the source of your problem. Please go to the Windows Update site and install all available Critical Updates. Patch your system with the most current security fixes and plug all the known vulnerabilities.
In the meanwhile, I suggest that you stop using Internet Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.
It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and that you perform everything in the right order!
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.
Please do not run HijackThis from its current location. Create a permanent folder and move hijackthis.exe into it.
- From Windows Explorer, Click on drive C:
- Click on File>New>Folder
- Call it HJT, or any other name of your choice.
- Move all files to the newly created folder
= = = = = = = = = = =
Please download these additional files/programs (do not run them unless instructed to do so):
Unplug your computer from the Internet when you have finished downloading.
- CleanUp! - Install
- KillBox v2.0.0.175 - Save to Desktop.
- Ewido Security Suite - Install & update its database, but do not run it yet.
- Nailfix - Unzip to the desktop
- FindIt's.zip - Unzip to a new folder on Desktop
= = = = = = = = = = =
Uninstall the following programs using the Add/Remove Programs panel (some entries may not be present):
- BrowserAid
- Virtual Bouncer
- Surf SideKick
= = = = = = = = = = =
Click Start>Run and type services.msc.
Locate the ognelaqwhori (MsUpdate6) service and double-click on it to open the Properties dialog.
Click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.
Then start HiJackThis & go to Config>Misc.Tools...>Delete an NT service...
In the popup box that appears, type in MsUpdate6 & click the OK button.
= = = = = = = = = = =
Start HiJackThis & go to Config>Misc Tools>Open process manager.
Select the following and click Kill process, one at a time (some entries may not be present):
- C:\WINDOWS\System32\ehjmidjt.exe
= = = = = = = = = = =
Run a scan with HiJackThis, select (tick) the following & click [Fix checked]:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {0D6A6BB7-5130-4C84-B00A-DDEFFFA65DBB} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {45F58D17-F667-4443-A46F-D7892FEBD45D} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {4797BB1F-D771-4A10-8DE3-9FBA930B2EA6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {490BC1E4-EA0D-4C3A-9FDA-374EAEA015B8} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5CC0CAC7-3E2E-45F1-83E3-A6EF8931140A} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: SDWin32 Class - {6AE88D96-631F-46AD-9D4B-69ABB92908B9} - C:\WINDOWS\System32\ufgiv.dll (file missing)
O2 - BHO: (no name) - {726A38EC-1399-4753-A21A-827830E305ED} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {990A5C79-FBBD-4641-AD6A-6BE9EF0F6AFC} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {99941630-5D3B-4D69-9FE2-F4AF6E2B6140} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {AF6F3F34-8654-452E-9318-5C681F268CFF} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {B51A1262-DE9B-4AEC-8536-4FCD90DAD351} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - C:\WINDOWS\System32\xnkvgkul.dll (file missing)
O2 - BHO: (no name) - {C34628E4-3AC8-4989-85F5-3DD7F36EB30F} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - C:\WINDOWS\System32\tipbkigo.dll (file missing)
O2 - BHO: (no name) - {DB419924-C689-4CF5-B425-B1817447AAE6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {ECC81B67-E55E-4EB4-B092-2733FC8D1BF6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O2 - BHO: (no name) - {F03A651E-CD79-4025-B28C-8BA9C1DB768A} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F384F462-EFAE-4D1C-AB78-4A3A589473B5} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F72DB6DB-7B00-44EC-9097-E8350F604682} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - C:\WINDOWS\System32\zaeqooqd.dll (file missing)
O2 - BHO: (no name) - {FFEB1B38-625B-4EEA-9725-88A52D0A8CBA} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [ufgivc] C:\WINDOWS\System32\ufgivc.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [vikelm] c:\windows\system32\vikelm.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ehjmidjt] C:\WINDOWS\System32\ehjmidjt.exe
O4 - HKLM\..\Run: [zbwmwlds] C:\WINDOWS\System32\zbwmwlds.exe
O4 - HKLM\..\Run: [AutoLoader5s3q1aNTVbXd] "C:\WINDOWS\System32\sccctrs.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [5FsW3mQ] sccctrs.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [lkqtl] C:\WINDOWS\System32\lkqtl.exe
O4 - HKLM\..\Run: [fmdslf] c:\windows\system32\lvakym.exe r
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: ognelaqwhori (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe
= = = = = = = = = = =
Copy all the items below to the clipboard by highlighting them & pressing [CTRL]+[C] on your keyboard.
C:\WINDOWS\System32\ufgiv.dll
C:\WINDOWS\System32\xnkvgkul.dll
C:\WINDOWS\System32\tipbkigo.dll
C:\WINDOWS\System32\WinStat12.dll
C:\WINDOWS\System32\zaeqooqd.dll
C:\WINDOWS\System32\winupdtl.exe
C:\WINDOWS\System32\ufgivc.exe
c:\windows\system32\vikelm.exe
C:\WINDOWS\System32\wsxsvc\
C:\WINDOWS\System32\ehjmidjt.exe
C:\WINDOWS\System32\zbwmwlds.exe
C:\WINDOWS\System32\sccctrs.exe
C:\WINDOWS\System32\lkqtl.exe
c:\windows\system32\lvakym.exe
C:\WINDOWS\System32\sysmonnt
C:\WINDOWS\System32\msupd6.exe
C:\WINDOWS\svcproc.exe
Start KillBox.
Go to the File menu and choose Paste from Clipboard.
* This feature does not work on older versions of Killbox.
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" (if it's not grayed out)
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = =
Reboot to SafeMode
- Shut Windows down, and then turn off the computer.
- Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
- As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
- Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
= = = = = = = = = = =
Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly; this is normal.
= = = = = = = = = = =
Enable the viewing of Hidden files
1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. Enable the option for "Show hidden files and folders".
3. Disable the option for "Hide file extensions for known file types".
4. Disable the option for "Hide protected operating system files".
5. Click "Yes" to confirm & then click "OK".
= = =
Locate and delete the following folder(s), if present:
C:\Program Files\hpdll\
C:\Program Files\SurfSideKick 3\
C:\Program Files\mri3vpxc\
C:\WINDOWS\isrvs\
C:\PROGRA~1\VBouncer\
Search for & delete the following file(s) using "Start>Search...", if present:
= = = = = = = = = = =
Run Cleanup! & configure the program as follows:
- Click Options...
- Move the arrow down to Custom CleanUp!
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
- Click OK
- Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup.
= = = = = = = = = = =
Run Ewido:
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
- With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK.
- Once finished, click the Save report button
- Save the report to your desktop
Close Ewido
= = = = = = = = = = =
Reboot to Normal Mode.
Do an online scan at Panda.
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.
Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
- Save it to your desktop.
- Double-click the new icon on your desktop (tmas-web-scan.exe)
- It will say "Loading TrendMicro definitions".
- Once the definitions are loaded, the program will appear to close then re-open.
- Click "Start Scan"
- After it's done scanning, click "Scan Results"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log"; please double-click that log, copy the entire contents and paste them here.
= = = = = = = = = = =
Run FindIt's.bat and wait for Notepad to open a text file. Please be patient, as it requires some time to finish running. Then post the results in your next reply.
In your next post, please include fresh copies of:
- HiJackThis log
- List of files that Panda failed to disinfect
- Ewido's logs
- FindIt's log
- AntiSpyware log
Please provide details of any problems you encountered whilst performing the above steps.
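An added example, not part of the post above or of HijackThis itself: a small Python parser for the O2 (BHO), O4 (Run key) and O23 (service) line formats quoted in the fix list. It groups entries by the file they load, which makes the eighteen BHO lines pointing at one mri3vpxc.dll visible as a single folder to remove, and builds the one-path-per-line list the KillBox paste step expects. The sample lines are constructed from entries shown above; the function names are assumptions of this example.

```python
import re
# Constructed sample in the line format HijackThis prints; values are taken from the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0D6A6BB7-5130-4C84-B00A-DDEFFFA65DBB} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {45F58D17-F667-4443-A46F-D7892FEBD45D} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: SDWin32 Class - {6AE88D96-631F-46AD-9D4B-69ABB92908B9} - C:\WINDOWS\System32\ufgiv.dll (file missing)
O4 - HKLM\..\Run: [ehjmidjt] C:\WINDOWS\System32\ehjmidjt.exe
O4 - HKLM\..\Run: [AutoLoader5s3q1aNTVbXd] "C:\WINDOWS\System32\sccctrs.exe" /HideDir /HideUninstall
O23 - Service: ognelaqwhori (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe
"""
# One pattern per section handled here: O2 (BHO), O4 (Run key) and O23 (service).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")

def _exe_from_command(cmd):
    """Program path from a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else cmd

def parse_hjt(text):
    """Parse O2/O4/O23 lines into dicts with a 'path' and a 'missing' flag; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append({"section": "O2", "name": m["name"], "clsid": m["clsid"],
                            "path": m["path"], "missing": m["missing"] is not None})
        elif m := O4_RE.match(line):
            entries.append({"section": "O4", "hive": m["hive"], "name": m["name"],
                            "path": _exe_from_command(m["cmd"]), "missing": False})
        elif m := O23_RE.match(line):
            entries.append({"section": "O23", "name": m["svc"], "display": m["display"],
                            "path": m["path"].strip(), "missing": False})
    return entries

def group_by_path(entries):
    """Map each path (case-insensitive) to the entries loading it: many BHO lines, one DLL."""
    groups = {}
    for e in entries:
        groups.setdefault(e["path"].lower(), []).append(e)
    return groups

def killbox_list(entries):
    """Unique paths (missing files kept, as in the post's list), one per line when joined."""
    return sorted({e["path"] for e in entries}, key=str.lower)
```

`"\n".join(killbox_list(parse_hjt(SAMPLE_LOG)))` gives the text to paste; grouping by path shows which single folder or file accounts for many log lines.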