[Excal]

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at or above REGEDIT 4.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar]

Please download ISTFIX Here
Please do not run yet

Download LQfix Here
save it to your desktop, please do not use yet

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

2. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


3. Please remove the following folders using Windows Explorer (if present):

C:\PROGRAM FILES\joystick networks
C:\PROGRAM FILES\NewDotNet
C:\PROGRAM FILES\Sqwire
C:\PROGRAM FILES\whInstall
C:\PROGRAM FILES\Windows SyncroAd
C:\PROGRAM FILES\COMMON FILES\InetGet
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\Documents and Settings\Lauren\Favorites\Casino & Carrers
C:\Documents and Settings\Lauren\Favorites\Fun & Games
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl

4. Please remove just the files from the following paths using Windows Explorer (if present):

C:\GatorPatch.log
C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
C:\Program Files\DNS\cwebpage.dll
C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\Downloaded Program Files\flash.inf
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\system32\BO2810040510.exe
C:\WINDOWS\system32\jjj.exe.tcf
C:\WINDOWS\system32\ongbypyi.dll
C:\WINDOWS\system32\PreUninstallQL.exe
C:\WINDOWS\system32\SplWbr.dll
C:\WINDOWS\system32\teosvzvc.dll
C:\WINDOWS\system32\windows.html
C:\WINDOWS\system32\WinNB57.dll
C:\WINDOWS\system32\xhwxcqqa.dll
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
C:\WINDOWS\SYSTEM32\qlink32.dll
C:\WINDOWS\SYSTEM32\WinNB57.dll
C:\WINDOWS\SYSTEM32\winnet.ini
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\WINDOWS\180ax_gdf.dat
C:\WINDOWS\bar.exe
C:\WINDOWS\sepsd.bin
C:\WINDOWS\unstall.exe
C:\WINDOWS\usta33.ini
C:\WINDOWS\sb32mon.dll
C:\WINDOWS\weirdontheweb_topc.exe

5. Please run IstFix.

6. Double click on LQFix program u downloaded.
A doswindow will open and close again, this is normal.

7. Run the program CleanUp!

8. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

9. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

[Advertisements]

Logfile of HijackThis v1.99.1
Scan saved at 1:02:19 PM, on 9/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM+\AIM+.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Documents and Settings\Lauren\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




Incident Status Location

Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/xupiter No disinfected C:\PROGRAM FILES\COMMON FILES\SQ
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Adware:adware/elitebar No disinfected C:\Documents and Settings\Lauren\Favorites\Finances & Business
Adware:adware/cws No disinfected C:\Documents and Settings\Lauren\Favorites\Going Places
Adware:adware/wupd No disinfected Windows Registry
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Downloaded Program Files\flash.inf


running good

[bubble00]

Logfile of HijackThis v1.99.1
Scan saved at 1:02:19 PM, on 9/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM+\AIM+.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Documents and Settings\Lauren\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




Incident Status Location

Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/xupiter No disinfected C:\PROGRAM FILES\COMMON FILES\SQ
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Adware:adware/elitebar No disinfected C:\Documents and Settings\Lauren\Favorites\Finances & Business
Adware:adware/cws No disinfected C:\Documents and Settings\Lauren\Favorites\Going Places
Adware:adware/wupd No disinfected Windows Registry
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Downloaded Program Files\flash.inf


running good

[Excal]

Please remove the following folders using Windows Explorer (if present):

C:\PROGRAM FILES\Lycos
C:\PROGRAM FILES\COMMON FILES\SQ
C:\PROGRAM FILES\COMMON FILES\Windows
C:\Documents and Settings\Lauren\Favorites\Finances & Business
C:\Documents and Settings\Lauren\Favorites\Going Places

Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\Downloaded Program Files\flash.inf

let me know how everything is running after this, I think we might have it



Excal

[Excal]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.