common hijacker and Igetnet...and very slow computer!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rogoshen, Mar 22, 2005.

  1. rogoshen

    rogoshen Private E-2

I've been having slow computer problems and now I've got two spyware/hijacks that just won't go away...they come back each time I scan...any help would be appreciated!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. rogoshen

    rogoshen Private E-2

I can't seem to get the online virus checkers to load...but all my tests came up pretty good except for Spybot, which is recognizing Igetnet and Common Hijacker...and here is my HijackThis log..
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do it later when we reconnect).

    Second Step:
Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 (Run Find Log). Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Third Step:
    Get a new HJT log.

Now reconnect and come back here and post as attachments the l2mfix log, the find.bat log (normally already named output.txt) and the new HJT log (this will require two posts as only two attachments can be made in a message). Based on those logs, we will determine the next steps.

    Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: the following should not be running when using HijackThis.

    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Owner\Desktop\emulator\stinger.exe
    C:\Program Files\CCleaner\ccleaner.exe

    Also you need to stop using msconfig to control what is loading at startup. We need to see everything. Please run msconfig and set it to Normal Startup.
     
  6. rogoshen

    rogoshen Private E-2

ack...I just now saw this after doing all the logs. Should I restart with normal startup and get all new logs?
     
  7. rogoshen

    rogoshen Private E-2

I'm going to hold off on the restarting in normal startup selection from MSconfig until I get word from you...as your last instructions told me not to restart after taking the logs...and also...I had thought up until I let my thirty-year-old sister use my computer things were good...but I'm realizing how slow my computer runs...so heh...guess I was wrong!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you have not posted the logs. If you completed those steps from msg # 4, please post the logs.
     
  9. rogoshen

    rogoshen Private E-2

    here are the logs!
     

    Attached Files:

  10. rogoshen

    rogoshen Private E-2

    and the final one...
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Moving along! Here are the next steps! I know this is tedious but we are making progress and this next step is going to clean up a load of bad stuff.

    Step 1:

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 2:

    Run "find.bat" from the Generic Detection Tool again!

    Okay after doing the above DO NOT REBOOT. Now reconnect to the internet and come back here and post and attach the find.bat log along with the L2MeFix Log.
     
  12. rogoshen

    rogoshen Private E-2

    Alright here they are...and sorry if i'm slow...my computer (Which is on dialup) insists on downloading the microsoft updates automatically!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Getting better but have a bunch more to fix.

    First I have a bunch of questions and comments!

You need to uninstall SpyHunter as it is on a list of rogue/suspect spyware removal tools.

    Also if you do not use Viewpoint or Viewpoint Manager (crap from AOL) uninstall it too.
    Also look in Add/Remove programs for the below and uninstall if found:
    WildTangent
    MiniBug
    WeatherBug

    Do you use Kontiki Secure Delivery? See http://www.auditmypc.com/process/khost.asp

    Do you use Aim and AOL toolbars?

    Do you know and use this IMT Labs Messenger Plugin? C:\Program Files\IMT Labs Messenger Plugin\Cloud.exe

Do you know what this executable is for? O4 - Startup: Sid Registration.lnk = E:\ATR1.exe

Are these next two items required for your ISP? Is your ISP PeoplePC?
    O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
     
    Last edited: Mar 23, 2005
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Owner\LOCALS~1\Temp\MiniBug.exe 1
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [sgh1Ps.exe] C:\documents and settings\owner\local settings\temp\sgh1Ps.exe
    O4 - HKLM\..\Run: [mswspl] C:\DOCUME~1\Owner\LOCALS~1\Temp\searchbarcash.exe
    O4 - HKLM\..\Run: [d.exe] C:\documents and settings\owner\local settings\temp\d.exe
    O4 - HKLM\..\Run: [8Ix.exe] C:\documents and settings\owner\local settings\temp\8Ix.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\n42u0ef9eh2.dll


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WildTangent <--- the whole folder
    C:\Program Files\SpyHunter <--- the whole folder
    C:\documents and settings\owner\local settings\temp <-- delete all files and sub-folders in this Temp folder.

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
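An added example, not part of this thread: a small Python triage script that applies the same checks the reviewer used on the HijackThis lines above (autoruns launched from a Temp folder, hosts-file entries that redirect search domains to a non-loopback address, orphaned "(file missing)" entries, Winlogon Notify DLLs with random-looking names, and overridden start/search pages). The sample log is constructed from entries quoted in this thread; the random-name check is a heuristic assumption, not a HijackThis rule.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on HijackThis entries quoted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\\Program Files\\PeoplePC\\Toolbar\\PPCToolbar.dll (file missing)
O4 - HKLM\\..\\Run: [mswspl] C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\searchbarcash.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O20 - Winlogon Notify: App Management - C:\\WINDOWS\\system32\\n42u0ef9eh2.dll
"""

TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)          # any ...\Temp\... path component
HOSTS_ENTRY = re.compile(r"^O1 - Hosts: (\S+) (\S+)")        # O1 - Hosts: <ip> <hostname>
WINLOGON_DLL = re.compile(r"^O20 - Winlogon Notify: .* - .*\\([A-Za-z0-9]+)\.dll$")
# Heuristic (assumption): 8+ alphanumerics mixing letters and digits looks machine-generated.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")


def triage_line(line: str) -> List[str]:
    """Return the reasons a single HijackThis line deserves a closer look (empty if none)."""
    reasons: List[str] = []
    if line.startswith("O4") and TEMP_PATH.search(line):
        reasons.append("autorun launched from a Temp folder")
    m = HOSTS_ENTRY.match(line)
    if m and m.group(1) not in ("127.0.0.1", "::1"):
        reasons.append(f"hosts file redirects {m.group(2)} to {m.group(1)}")
    if "(file missing)" in line:
        reasons.append("orphaned entry, target file missing")
    m = WINLOGON_DLL.match(line)
    if m and RANDOM_NAME.match(m.group(1)):
        reasons.append("Winlogon Notify DLL with random-looking name")
    if line.startswith(("R0", "R1")) and "http" in line:
        reasons.append("browser start/search page set to " + line.split("=", 1)[1].strip())
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every line of a log and keep only the flagged ones."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```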
  15. rogoshen

    rogoshen Private E-2

here's my final HJT log..I hope :p
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please answer my questions from message #13?
     
  17. rogoshen

    rogoshen Private E-2

Do you use Kontiki Secure Delivery? See http://www.auditmypc.com/process/khost.asp
I have no clue what khost is for!

Do you use Aim and AOL toolbars?
I guess I use them...not really sure though...
Do you know and use this IMT Labs Messenger Plugin? C:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
got rid of this one...it was for some stupid android talker thing for MSN...heh

Do you know what this executable is for? O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
I have no clue...

Are these next two items required for your ISP? Is your ISP PeoplePC?
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
I used People PC for about a day...hated it...should I get rid of these?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So look for uninstalls in Add/Remove programs for the below and uninstall:
    Kontiki
    PeoplePC

    I think ATR1.exe may have something to do with Atari.
    If you still do not know what it is for and are sure you don't need it, follow the steps below:
    Have HijackThis fix the below line:
    O4 - Startup: Sid Registration.lnk = E:\ATR1.exe

    Then boot to safe mode and delete:
    E:\ATR1.exe

    Think about whether you really need all the crap AOL Tool Bars. I doubt it.

    Post a new HJT log after all the above.
     
  19. rogoshen

    rogoshen Private E-2

couldn't find any of that stuff..other than the Atari thing..and I think I need that so I'm keeping it...but here's my log anyway!
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, since you said you do not use PeoplePC anymore we can fix the items related to it, and also there are more. I see searchbarcash.exe still. Did you have a problem fixing that from my previous set of instructions?

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [mswspl] C:\DOCUME~1\Owner\LOCALS~1\Temp\searchbarcash.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ISP50 <--- the whole folder
    C:\WINDOWS\System32\PPCRunOnce.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\searchbarcash.exe
    C:\WINDOWS\kdx <--- the whole folder

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  21. rogoshen

    rogoshen Private E-2

Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\ISP50 <--- the whole folder
couldn't find this folder :-/
C:\WINDOWS\System32\PPCRunOnce.exe
couldn't find this either!
C:\Documents and Settings\Owner\Local Settings\Temp\searchbarcash.exe
or this....
C:\WINDOWS\kdx <--- the whole folder
I did find this however
     
  22. rogoshen

    rogoshen Private E-2

    doh...forgot the log ;)
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Log is clean. How are things working?
     
  24. rogoshen

    rogoshen Private E-2

still a little slow...(but it's always been like that) but other than that things are running much smoother! thanks very much!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's due to all the stuff you are running at startup! And you're welcome!
     
  26. rogoshen

    rogoshen Private E-2

    Well that's why I was using MSconfig...but even then I was pretty bogged down heh. But again thanks for all your help!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

But you really do not need to have some of those items load. You can just run them when needed. Including all the crap from AOL. Most of it is not needed, and why load it if you are not online? Also, why load Shareaza at startup? The below two are not needed at all:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    Why do you need 3 instant messengers?
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    Why do you need all the tool bars:
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
     