07-06-2005, 12:53 PM   #2
POADB
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,209
OS: XP SP2


Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download ETRemover.zip

WARNING!! This tool should be run from safe mode only. It will not be able to delete files in use by Windows, so running it from a regular windows session is useless. A readme is included with complete details on the tool and the malware it removes.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\system32\poker3.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\texhp.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\system32\msxct.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\180searchassistant\salm.exe
C:\WINDOWS\system32\asn08h69.exe
C:\Documents and Settings\MBK\434.exe


Run ETRemover Now!!

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Media Gateway
ISTsvc
Internet Optimizer
BullsEye Network
Media Access
180searchassistant
SideFind


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Qp5QLZR] C:\WINDOWS\texhp.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\eliteirv32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [cbofyd] C:\WINDOWS\cbofyd.exe
O4 - HKLM\..\Run: [asn08h69] C:\WINDOWS\system32\asn08h69.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000080.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\poker3.exe
C:\Program Files\Media Gateway\
C:\Program Files\Common Files\services.exe
C:\Program Files\ISTsvc\
C:\WINDOWS\texhp.exe
C:\Program Files\Internet Optimizer\
C:\Program Files\BullsEye Network\
C:\WINDOWS\system32\msxct.exe
C:\Program Files\Media Access\
C:\Program Files\180searchassistant\
C:\WINDOWS\system32\asn08h69.exe
C:\Documents and Settings\MBK\
C:\WINDOWS\nem220.dll
C:\WINDOWS\EliteToolBar\
C:\WINDOWS\cbofyd.exe
C:\Program Files\Common Files\mc-58-12-0000080.exe
C:\Program Files\SideFind\


Restart and run a new HijackThis scan. Save the log file and post it here.

Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.
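An added example, not part of the post above or of HijackThis itself: a small parser for the HijackThis log lines quoted in the post (R3/O2/O3/O4/O9/O15), which expands the `HKLM\..\Run` shorthand to the full registry key, pulls out CLSIDs and file paths, and flags O4 commands given as a bare filename with no directory, the ones the post says to search for. The sample log is constructed from the entries above; `HjtEntry` and the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
""".strip()

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

@dataclass
class HjtEntry:                 # hypothetical record type for one log line
    kind: str                   # section code, e.g. "O4"
    location: str               # registry key, hook name or zone
    name: Optional[str]         # value name, BHO/toolbar title or URL
    clsid: Optional[str]        # COM class id for O2/O3/O9 entries
    path: Optional[str]         # file as written in the log, None if none given

def expand_run_key(short: str) -> str:
    """HijackThis abbreviates Software\\Microsoft\\Windows\\CurrentVersion as '..'."""
    hive, _, tail = short.partition("\\..\\")
    return HIVES[hive] + r"\Software\Microsoft\Windows\CurrentVersion" + "\\" + tail

def parse_line(line: str) -> HjtEntry:
    kind, _, rest = line.partition(" - ")
    if kind == "O4":            # O4 - <key>: [<value name>] <command, maybe quoted>
        m = re.match(r'(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "?(?P<cmd>[^"]*)"?$', rest)
        return HjtEntry(kind, expand_run_key(m["key"]), m["name"], None, m["cmd"])
    if kind in ("O2", "O3", "O9"):  # <type>: <title> - {CLSID} - <dll path>
        head, clsid, path = rest.split(" - ", 2)
        location, _, name = head.partition(": ")
        return HjtEntry(kind, location, name, clsid, path)
    location, _, name = rest.partition(": ")   # R3, O15 and anything else
    return HjtEntry(kind, location, name or None, None, None)

def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def bare_filenames(entries) -> set:
    """O4 commands with no directory: the post says to search the disk for these."""
    return {e.path for e in entries if e.kind == "O4" and "\\" not in e.path}
```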