Aurora Virus [RESOLVED]

#1 reemah (New Member, 7 posts)

Hi, I usually use Mozilla Firefox, and today I accidentally opened Internet Explorer, and before I knew it, I had this new pop-up virus. I've tried to get rid of it using Ad-Aware and SpyBot etc., but I still see the oddly-named, reappearing processes in Task Manager. I then deleted Internet Explorer in Safe Mode, which stopped the pop-ups, but the processes still appear, a new folder in my Program Files was made called "internet explorer" (note the lower case letters), and an occasional Aurora pop-up still occurs.

So I hope I've come to the right place. Here is the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 7:09:59 PM, on 6/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWSB\System32\smss.exe
C:\WINDOWSB\system32\winlogon.exe
C:\WINDOWSB\system32\services.exe
C:\WINDOWSB\system32\lsass.exe
C:\WINDOWSB\system32\svchost.exe
C:\WINDOWSB\System32\svchost.exe
C:\WINDOWSB\system32\spoolsv.exe
C:\WINDOWSB\Explorer.exe
c:\windowsb\system32\ethrem.exe
C:\WINDOWSB\System32\RunDll32.exe
C:\WINDOWSB\System32\VTTimer.exe
C:\WINDOWSB\System32\RUNDLL32.exe
C:\WINDOWSB\System32\rundll32.exe
C:\WINDOWSB\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\reemah.CORNICOPIA\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWSB\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWSB\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [checkrun] C:\windowsb\system32\elitelda32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [jlrgfdf] c:\windowsb\system32\ethrem.exe r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWSB\svcproc.exe

Edited by reemah, 09 June 2005 - 05:32 PM.


#2 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi reemah and welcome to GeeksToGo! My name is Excal and I will be helping you.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh Hijack This log.

#3 reemah (New Member, Topic Starter, 7 posts)

After installing the update, I had to restart, and the restart was really unusually slow; is this normal? Also, here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:53 PM, on 6/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWSB\System32\smss.exe
C:\WINDOWSB\system32\winlogon.exe
C:\WINDOWSB\system32\services.exe
C:\WINDOWSB\system32\lsass.exe
C:\WINDOWSB\system32\svchost.exe
C:\WINDOWSB\System32\svchost.exe
C:\WINDOWSB\system32\spoolsv.exe
C:\WINDOWSB\Explorer.exe
C:\WINDOWSB\System32\wuauclt.exe
C:\WINDOWSB\System32\msiexec.exe
c:\windowsb\system32\kkltsc.exe
C:\WINDOWSB\System32\RunDll32.exe
C:\WINDOWSB\System32\VTTimer.exe
C:\WINDOWSB\System32\RUNDLL32.exe
C:\WINDOWSB\System32\rundll32.exe
C:\WINDOWSB\System32\rundll32.exe
C:\Documents and Settings\reemah.CORNICOPIA\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWSB\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWSB\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [checkrun] C:\windowsb\system32\elitelda32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWSB\wupdt.exe
O4 - HKLM\..\Run: [aykvyu] c:\windowsb\system32\kkltsc.exe r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWSB\svcproc.exe

#4 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi reemah and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Let's see how your computer runs after we get it Malware Free :tazz:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download the trial version of Ewido Security Suite Here
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from Here
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. ;)

#5 reemah (New Member, Topic Starter, 7 posts)

Nailfix.bat? I have nailfix.cmd and Process.exe, but no Nailfix.bat

#6 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)


Nailfix.bat? I have nailfix.cmd and Process.exe, but no Nailfix.bat

Sorry about that, we just recently changed. It's nailfix.cmd.


Thanks,

:tazz:


Excal

#7 reemah (New Member, Topic Starter, 7 posts)

Okay here is my Ewido Scan Result

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:38:18 PM, 6/14/2005
+ Report-Checksum: 86A520F7

+ Date of database: 6/14/2005
+ Version of scan engine: v3.0

+ Duration: 35 min
+ Scanned Files: 90833
+ Speed: 42.36 Files/Second
+ Infected files: 23
+ Removed files: 23
+ Files put in quarantine: 23
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@clickagents[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@ehg-citrixonline.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@guide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@mediaplex[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Cookies\reemah@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Local Settings\Temp\temp.fr173A -> Spyware.ImiBar.d -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Local Settings\Temp\temp.fr919E -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\reemah.CORNICOPIA\Local Settings\Temp\temp.frA97E -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Program Files\Your Uninstaller 2004\HbUninst.exe -> Spyware.Hotbar -> Cleaned with backup
C:\WINDOWSB\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\WINDOWSB\Helper101.dll -> Spyware.Delf.r -> Cleaned with backup
C:\WINDOWSB\system32\Cache\HelperInstall.exe -> TrojanDropper.Delf.z -> Cleaned with backup
C:\WINDOWSB\system32\Cache\thin-175-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWSB\system32\elitelda32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWSB\system32\elitexxb32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWSB\tct101.dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
C:\WINDOWSB\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup


::Report End

And Here is a fresh HJT log


Logfile of HijackThis v1.99.1
Scan saved at 3:42:02 PM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWSB\System32\smss.exe
C:\WINDOWSB\system32\winlogon.exe
C:\WINDOWSB\system32\services.exe
C:\WINDOWSB\system32\lsass.exe
C:\WINDOWSB\system32\svchost.exe
C:\WINDOWSB\System32\svchost.exe
C:\WINDOWSB\system32\spoolsv.exe
C:\WINDOWSB\Explorer.EXE
C:\WINDOWSB\System32\RunDll32.exe
C:\WINDOWSB\System32\VTTimer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWSB\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWSB\System32\wuauclt.exe
C:\Documents and Settings\reemah.CORNICOPIA\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWSB\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWSB\wupdt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWSB\svcproc.exe (file missing)


Edit: I also got this error when I restarted my computer

(screenshot of the error message; image not preserved)

Edited by reemah, 14 June 2005 - 04:47 PM.


#8 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi reemah,

That error is fine; it will be gone after this fix :tazz:

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder
We will be using this program later.

Download and install CleanUp! Here
We will use this program later.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

4. Close all browsers, windows and unneeded programs.

5. Open HijackThis and do a scan.

6. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWSB\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWSB\wupdt.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWSB\svcproc.exe (file missing)


7. Click the Fix Checked box.

8. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWSB\systb.dll
C:\WINDOWSB\wupdt.exe
C:\WINDOWSB\svcproc.exe


10. Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about. Reboot your computer into normal Windows.

11. Run the program CleanUp!

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post an ActiveScan log and a fresh HijackThis log to verify all is good. Ensure you rehide your "hidden files and folders" back to the way they were.
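As an added example (written for this page; not code from the thread, from Geeks to Go, or from HijackThis), here is a small Python triage pass that applies the same reading Excal gave these logs: R0/R1 entries forced to about:blank, anything besides Explorer.exe on the system.ini Shell= line, O4 Run entries whose names or arguments are hex blobs, GUIDs or vowel-less strings, and O2/O3/O23 entries whose file is missing or whose owner is unknown. The sample log lines are constructed from the format shown in the thread's first log; the name heuristics are deliberately partial (an entry like checkrun/elitelda32.exe or aykvyu passes them), which is why the on-disk scans ran alongside the log review.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis line type, e.g. "O4"
    reason: str   # why the line deserves a look
    line: str     # the original log line


# Every HijackThis entry reads "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HEXBLOB_RE = re.compile(r"^[0-9A-F]{8,}(?:\.(?:DLL|EXE))?$", re.I)
GUID_RE = re.compile(r"^\{?[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$", re.I)
MISSING_MARKERS = ("(file missing)", "(no file)")


def random_looking(token: str) -> bool:
    """Heuristic for machine-generated names: hex blobs, GUIDs, vowel-less words."""
    t = token.strip('",')
    if HEXBLOB_RE.match(t) or GUID_RE.match(t):
        return True
    return len(t) >= 5 and t.isalpha() and not re.search(r"[aeiou]", t, re.I)


def check_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    # R0/R1: IE search settings forced to about:blank (the hijack fixed in the thread).
    if section in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
        reasons.append("IE search setting forced to about:blank")
    # F2: system.ini Shell= should name Explorer.exe alone; anything else loads at logon.
    if section == "F2" and "Shell=" in body:
        extra = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
        if extra:
            reasons.append("extra shell executable: " + " ".join(extra))
    # O4: Run entries whose name or arguments look generated rather than chosen.
    if section == "O4":
        r = RUN_RE.search(body)
        if r:
            tokens = [r.group("name")] + re.split(r"[\s,]+", r.group("cmd"))
            odd = [t for t in tokens if random_looking(t)]
            if odd:
                reasons.append("random-looking Run name/target: " + ", ".join(odd))
    # O2/O3/O23: orphaned entries that still point at a file that is gone.
    if any(mk in body for mk in MISSING_MARKERS):
        reasons.append("entry references a missing file")
    # O23: a service that carries no publisher information.
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher")
    return Finding(section, "; ".join(reasons), line.strip()) if reasons else None


def triage(log_text: str) -> list:
    """Run check_line over a whole log and keep only the flagged lines."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: a handful of lines in the format shown in the thread's first log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWSB\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWSB\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [jlrgfdf] c:\windowsb\system32\ethrem.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWSB\svcproc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```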

#9 reemah (New Member, Topic Starter, 7 posts)

Okay, so I couldn't run the scan in Firefox, so I downloaded and tried to install MS Internet Explorer. When I ran the installation, it told me that I already had a newer version installed. So I searched and searched for it and couldn't find it. I do, however, have a folder in my Program Files called "internet explorer," but I can't find the actual program there. :tazz:

So I ended up using MSN Explorer that I have from when I used to have MSN DSL. I ran the scan, here are the results:



Incident | Status | Location
Spyware:Spyware/Dyfuca | No disinfected | Windows Registry
Adware:Adware/EliteBar | No disinfected | C:\Documents and Settings\reemah.CORNICOPIA\Favorites\Casino & Carrers
Adware:Adware/PowerSearch | No disinfected | C:\WINDOWSB\System32\stlb2.xml
Adware:Adware/Aurora | No disinfected | Windows Registry
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINDOWSB\EliteToolBar\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINDOWSB\EliteToolBar\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINDOWSB\EliteToolBar\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINDOWSB\EliteToolBar\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINDOWSB\EliteToolBar\xml\images\virus.bmp
Adware:Adware/Transponder | No disinfected | C:\WINDOWSB\lageeag.exe
Adware:Adware/PortalScan | No disinfected | C:\WINDOWSB\system32\Cache\InstallAPS.exe
Spyware:Spyware/Dyfuca | No disinfected | C:\WINDOWSB\system32\Cache\optimize7.exe
Adware:Adware/PowerSearch | No disinfected | C:\WINDOWSB\system32\stlb2.xml
Adware:Adware/PortalScan | No disinfected | C:\WINDOWSB\system32\winupdt.008
Adware:Adware/PortalScan | No disinfected | C:\WINDOWSB\system32\winupdt.bin

And here is a HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:14:39 PM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWSB\System32\smss.exe
C:\WINDOWSB\system32\winlogon.exe
C:\WINDOWSB\system32\services.exe
C:\WINDOWSB\system32\lsass.exe
C:\WINDOWSB\system32\svchost.exe
C:\WINDOWSB\System32\svchost.exe
C:\WINDOWSB\system32\spoolsv.exe
C:\WINDOWSB\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWSB\System32\RunDll32.exe
C:\WINDOWSB\System32\VTTimer.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\reemah.CORNICOPIA\Desktop\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSB\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

Edited by reemah, 14 June 2005 - 06:16 PM.


#10 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi reemah,

You need to keep IE installed so you can get the security updates from Microsoft.
This is very important. (you don't have to use it, just for the updates :tazz:)

Just a few more things to clean up.

Download LQfix Here and save it to your desktop; please do not use it yet.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

BargainBuddy
EliteToolBar


5. Please remove the following folders using Windows Explorer (if present):

C:\WINDOWSB\EliteToolBar
C:\Documents and Settings\reemah.CORNICOPIA\Favorites\Casino & Carrers


6. Please remove just the files from the following paths using Windows Explorer (if present):


C:\WINDOWSB\System32\stlb2.xml
C:\WINDOWSB\lageeag.exe
C:\WINDOWSB\system32\Cache\InstallAPS.exe
C:\WINDOWSB\system32\Cache\optimize7.exe
C:\WINDOWSB\system32\stlb2.xml
C:\WINDOWSB\system32\winupdt.008
C:\WINDOWSB\system32\winupdt.bin


7. Double-click on the LQFix program you downloaded.
A DOS window will open and close again; this is normal.

8. Please post back and let me know how your computer is running.

#11 reemah (New Member, Topic Starter, 7 posts)

Seems like everything is working perfectly, no pop-ups or anything :tazz: Thank you sooooo much! What shall I do now with the things I downloaded, etc.?

#12 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi reemah,

That's GREAT to hear!! ;)

I would keep Cleanup! and run it periodically. You can delete/uninstall all others.

Great job, it appears your computer is clean :tazz:

Now that your system is Malware Free, it is important to reset your System Restore. Click Here to learn how to.
Might I suggest the following free spyware programs for added security; you can download them at the following links. These programs work great for detection:

Ad-aware SE

Spybot S&D


If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program, as it will more than likely cause conflicts.

AVG
Avast


The following free programs are great for prevention:

SpywareBlaster 3.4

Spywareguard

IE/Spyad


A Firewall is a must! Here are 2 good free versions:

Sygate

ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox

Opera

This site is a great source for tightening up security on Internet Explorer settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft; they usually come out once a month, on the 2nd Tuesday of each month.
Included in those updates is Windows XP Service Pack 2. Click Here
Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It adds numerous security and software patches, as well as new features and functionality. You will also be adding another layer of protection against future threats.

Be sure to give the Temp folders a cleaning out now and then as well. Make sure after you clean your Temp files to empty out your Recycle Bin as well.
For ease, use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Edited by Excalibur190, 14 June 2005 - 07:15 PM.


#13 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.