Tech Support Forum - View Single Post - Multiple pieces of Malware/Adware/Spyware...

Ried · 01-04-2006, 02:49 PM

Hello Ei8htBall1989 and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download fl.zip.
Extract the contents to a new folder on Desktop. Do not run it yet.

---------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

STOPME~1
AdwareFilterToolBar

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {08857C95-5210-DD69-CAA5-543F490B51D0} - C:\PROGRA~1\STOPME~1\logo trans.exe (file missing)
O2 - BHO: (no name) - {53468933-CFCE-D931-9C9C-4FD98DDEC91C} - C:\DOCUME~1\ELIZAB~1\APPLIC~1\STOPME~1\logo trans.exe (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O4 - HKLM\..\Run: [BPK] C:\WINDOWS\System32\bpk.exe this is a key logger program--only fix if you did not install yourself. See this site: http://www.auditmypc.com/process/bpk.asp
O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://goinnow.com/tl7000.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab

Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Folders if they still exist.

C:\PROGRA~1\STOPME~1
C:\Program Files\AdwareFilterToolBar
C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Reboot into Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log.

Go to the fl.zip you downloaded earlier. Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

01-04-2006, 02:49 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,995 OS: WinXP and Vista	Hello Ei8htBall1989 and welcome to TSF, Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet. Download fl.zip. Extract the contents to a new folder on Desktop. Do not run it yet. --------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. --------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: STOPME~1 AdwareFilterToolBar Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {08857C95-5210-DD69-CAA5-543F490B51D0} - C:\PROGRA~1\STOPME~1\logo trans.exe (file missing) O2 - BHO: (no name) - {53468933-CFCE-D931-9C9C-4FD98DDEC91C} - C:\DOCUME~1\ELIZAB~1\APPLIC~1\STOPME~1\logo trans.exe (file missing) O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll O4 - HKLM\..\Run: [BPK] C:\WINDOWS\System32\bpk.exe this is a key logger program--only fix if you did not install yourself. See this site: http://www.auditmypc.com/process/bpk.asp O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://goinnow.com/tl7000.dll O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab Click 'Fix Checked' and close HijackThis. --------------------------- Delete the following Folders if they still exist. C:\PROGRA~1\STOPME~1 C:\Program Files\AdwareFilterToolBar C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1 --------------------------- Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" *Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! Reboot into Normal Mode. Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report Please post that log in your next reply along with a new HijackThis log. Go to the fl.zip you downloaded earlier. Within the folder, locate & double-click fl.bat. It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."