· TSF Security Manager, Emeritus
Hello rpelkofsky,

Nice job. :smile: I'd like to run one more scan though to be sure nothing else is lingering:

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now'. This begins downloading Panda's ActiveX controls (8 MB).
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply along with another HijackThis log

* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

· TSF Security Manager, Emeritus
Please print out or copy this page to Notepad, since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Reboot into Safe Mode (tapping F8 or F5).

Click Start > Run, type in regedit, and make backup copies of the registry.

Click Start > Run and type in regedt32 (this is needed to make any changes to registry keys/folders involving folder permissions). Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\pharmacy.ico
C:\WINDOWS\SYSTEM32\sp32.xml
C:\WINDOWS\SATMAT.INI
C:\WINDOWS\loadclean.exe
C:\WINDOWS\SYSTEM\mac80ex.idf[msbe.dll]
C:\WINDOWS\SYSTEM\mac80ex.idf[Uninstall.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[bargains.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[adv.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[adx.exe]
C:\WINDOWS\JAVA\javainfo.exe
C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
C:\temp\logo.gif


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [NO] at the Pending Operations prompt.

Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Reboot into Normal Mode and run another scan with Panda and post it here again.
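The two ZONEMAP\DOMAINS keys in this post are where Internet Explorer records per-site security-zone assignments: a domain keyed there with a dword value of 2 has been placed in the Trusted Sites zone, where ActiveX and scripting run with relaxed settings, which is why entries the user never added are worth removing. The script below is an added example, not code from the post or from TSF. It reads a regedit export (such as the registry backup made earlier in this post), lists every domain-to-zone mapping under that key, and flags hosts in the Trusted Sites or Local Intranet zone that are not on an allowlist. The sample export is constructed for the example using the two domain names from this post plus a made-up example.com entry; the function names, the allowlist and the report format are my own choices.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Internet Explorer security-zone ids as stored in ZoneMap dword values.
ZONE_NAMES: Dict[int, str] = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

# Constructed sample of a regedit (.reg) export, not a real capture. The two
# domains are the ones named in the post; example.com is added to show a
# legitimate nested entry that an allowlist should accept.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\intranet]
"https"=dword:00000001
"""


def parse_zonemap(reg_text: str) -> List[Tuple[str, str, int]]:
    """Return (host, scheme, zone) for every dword under ZoneMap\\Domains.

    Subkeys build the host name from right to left (Domains\\example.com\\intranet
    is intranet.example.com); each value name is a URL scheme, or '*' for all
    schemes, and its dword is the zone id.
    """
    entries: List[Tuple[str, str, int]] = []
    host: Optional[str] = None
    prefix = DOMAINS_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            if key.lower().startswith(prefix):
                labels = key[len(prefix):].split("\\")
                host = ".".join(reversed(labels)).lower()
            else:
                host = None  # some other key; ignore its values
            continue
        value_match = DWORD_RE.match(line)
        if value_match and host is not None:
            entries.append((host, value_match.group(1), int(value_match.group(2), 16)))
    return entries


def suspicious_hosts(entries: Iterable[Tuple[str, str, int]],
                     allowlist: Iterable[str]) -> List[str]:
    """Hosts mapped into Trusted Sites (2) or Local Intranet (1) without approval.

    Those zones relax ActiveX and scripting restrictions, so an entry the user
    did not add is exactly the kind of thing this post has you delete.
    """
    allowed = {h.lower() for h in allowlist}
    flagged: List[str] = []
    for host, _scheme, zone in entries:
        if zone in (1, 2) and host not in allowed and host not in flagged:
            flagged.append(host)
    return flagged


def report(reg_text: str, allowlist: Iterable[str]) -> str:
    """Human-readable audit of a ZoneMap export."""
    entries = parse_zonemap(reg_text)
    lines = [f"{host:<24} {scheme:<6} -> {ZONE_NAMES.get(zone, str(zone))}"
             for host, scheme, zone in entries]
    bad = suspicious_hosts(entries, allowlist)
    lines.append("Unapproved trusted/intranet hosts: " + (", ".join(bad) if bad else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # regedit 5.00 writes exports as UTF-16 with a BOM; fall back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    print(report(text, allowlist=["intranet.example.com"]))
```

Run it against a backup export of the ZoneMap key (`python zonemap_audit.py zonemap_backup.reg`) and compare the flagged hosts with the keys the post tells you to delete; anything else in the Trusted Sites zone that you did not add yourself deserves the same scrutiny.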
 

· TSF Security Manager, Emeritus
Reboot into Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\retpdat32.xml
C:\!Submit\logo.gif


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Delete the following folder if it still exists:

C:\!Submit

Restart back into Normal Mode. If there aren't any more problems you should be all set. Please do the following:

Reset hidden/system files and folders

Windows 2000
===============
Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Select the Advanced settings box option.
* Select the Hidden files and folders option.
* Deselect the Show all files option.
Click Yes to confirm.
Click OK.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
HOW DID I GET INFECTED IN THE FIRST PLACE? http://forums.net-integration.net/index.php?showtopic=3051
THE ANTI-SPYWARE TUTORIAL http://www.greyknight17.com/spyware.htm#prevent
MAKING INTERNET EXPLORER SAFER http://www.bleepingcomputer.com/forums/Making_Internet_Explorer_Safer-tut102.html

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.