[p0chacco]

Logfile of HijackThis v1.99.1
Scan saved at 7:05:10 PM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\DOCUME~1\JOSEMA~1\LOCALS~1\Temp\AutoDetect.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\JGochangco\My Documents\Applications\HijackThis.exe


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernel.dll.vbs
O4 - HKLM\..\Run: [Aikelyu] C:\WINDOWS\system32\aikelyu.html

[HJT Analyzer]

Hello, visitor!

The Hijack This log analyzer has analyzed your log. Please take a closer look on the results.

Your log does not indicate any spyware or virus infection. However, there are some entries that you might want to fix. Please follow the steps below.

The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
O4 - HKLM\..\Run: [Aikelyu] C:\WINDOWS\system32\aikelyu.html[/b:c8a1bfb31a]


The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\JOSEMA~1\LOCALS~1\Temp\AutoDetect.exe

If you want to see more detailed analysis of your log, click here.

Thank you for using the 2-Spyware.com HijackThis log analyzer beta 2!

[p0chacco]

I've been trying REAL hard to delete

O4 - HKLM\..\Run: [Aikelyu] C:\WINDOWS\system32\aikelyu.html[/b:c8a1bfb31a]

AND

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernel.dll.vbs

But, everytime i delete both of them... BOTH of them REGENERATES.

Is it a virus? when i first got it. an html file popped up with some spanish words.

*STUMPED BAD*

[p0chacco]

Still cant be deleted.

*bump*

[Bobby]

hello,
have you tried to delete those entries in a safe mode? you can find safe mode instructions here.
_________________
I reccomend spyware doctor and malware bytes as ultimate protection.

[stardestiny]

I've finally learned how to kill it... but first an intro...

I got this virus in a internet cafe in Cebu, Philippines

It exploits the autorun feature in memorycards and copies itself to computers and connected memory cards thereafter

Because it does not spread itself to the internet, it hasn't gained enough notoreity to be included in virus defenses of various programs

Be sure to also clean your infected memory cards...

Here's how you clean it:

Download startup control Panel at mlin.net (You're going to use this later)

Go to your Task Manager (Ctrl+Alt+Del)
Terminate the Wscipt.exe process
Terminate the Explorer.exe process

Click New Task and Type "cmd" (without the quotes)

type the following in your command prompt

del c:\pooh.vbs /f/s/q/a
del d:\pooh.vbs /f/s/q/a
(include your other drives and USB drives that have been infected)

del c:\autorun.inf
del d:\autorun.inf
(include your other drives and USB drives that have been infected)


del c:\windows\system32\kernell.dll.vbs

del c:\aikelyu.html /f/s/q/a

Use the start-up program from mlin.net to remove aikelyu.html on windows startup

Go to New Task and type "regedit" (without the quotes)

Go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and modify it to make the value in Shell to only contain "explorer.exe"

That's about it... Good luck everybody...

Oh yeah... to the creator of the virus... "Jayker"... go f*ck yourself

[Bobby]

hello stardestiny
i'm glad you want to help and you are welcome here. but please be kind enough to not spam this forum i left your post that was not spam, but if you post anything advertisement related, i won't hesitate to delete it again.
_________________
I reccomend spyware doctor and malware bytes as ultimate protection.