Fall Clean up time.....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KatFriday, Sep 4, 2006.

  1. KatFriday

    KatFriday Private E-2

    Hello MajorGeeks.com,

    I have finally come to the conclusion I cannot clean my computer by myself. I have gone through the 9 step procedure of the READ THIS FIRST and still find that my computer has an annoying iesettings window that pops up upon startup. I think I ran across another thread that someone else had this problem. So I have attached all the relevant logs and would appreciate your expert advice.


    I couldn't run bitdefender in safe mode but I was able to run panda in safemode.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the logs requested for GetRunKey and ShowNew

    You also need to run this: E2Give Removal Procedure
     
  3. KatFriday

    KatFriday Private E-2

    Thank you for looking at this. I ran the E2Give Procedure and here are the log files you asked for.

    Also, there was a key set to iesettingsupdate that I removed which seems to have stopped Internet explorer from opening that window upon start up. But, I want to make sure that I have removed all the bad stuff.

    thanks again.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing
    O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsc13.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\c0i1.dll
    O2 - BHO: Iconizer - {AA1A4F83-B4AC-4859-8C91-21DBE6C5625B} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
    O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\system32\inicfg32.dll
    c:\windows\system32\adrotate.dll
    c:\windows\system32\data.~
    c:\windows\system32\irsmkqag.dll
    c:\windows\unstall.exe
    C:\WINDOWS\media_motor_bundle.exe
    C:\WINDOWS\mirar.exe
    C:\WINDOWS\pop06ap2.exe
    C:\WINDOWS\system32\199_150_ni_1.exe
    C:\WINDOWS\system32\c0i1.dll
    C:\WINDOWS\system32\icon_mediamotor.exe
    C:\WINDOWS\system32\msrclr40.exe
    C:\WINDOWS\system32\nsd1463.dll
    C:\WINDOWS\system32\ts_mediamotor.exe
    C:\WINDOWS\up9.exe
    C:\WINDOWS\YazzleBundle-1119.exe
    C:\WINDOWS\system32\adrot-uninst.exe
    C:\WINDOWS\system32\uninstIcn.exe
    C:\WINDOWS\vfnaq.dll
    C:\WINDOWS\system32\comcap16.dll
    C:\WINDOWS\system32\nsc13.dll
    C:\WINDOWS\system32\iprnki.exe

    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.
    After reboot locate the below folder and delete it if found:
    c:\program files\E2G

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Kathleen\Local Settings\Temp

    Now attach a new HJT log and tell me how the steps went.
    Now download the current version of ShowNew and then attach a new log from ShowNew and a new log from GetRunKey.
    Make sure you tell me how things are working now!
     
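A small triage parser for HijackThis lines of the kind listed in the post above, added here as an example (it is not chaslang's tool or anything from the thread): it pulls the CLSID and file path out of each line, notes which files HJT already reports as gone, and flags the line types the thread treats as problems. The sample log is constructed from the line shapes shown here, and the O20 AppInit_DLLs line is an assumed example of that entry type.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample shaped like the HijackThis lines quoted above (not the poster's log);
# the O20 line is an assumed example of the AppInit_DLLs entry type named later in the thread.
SAMPLE_HJT = r"""
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsc13.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O20 - AppInit_DLLs: inicfg32.dll
"""
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PATH_RE = re.compile(r"([A-Z]:\\.*?\.(?:dll|exe|ocx|sys))", re.I)  # non-greedy: stops at first extension

@dataclass
class Entry:
    section: str            # HJT section: O2 = BHO, O4 = Run key, O18 = protocol handler, O20 = AppInit_DLLs
    body: str               # text after the "O2 - " prefix
    clsid: Optional[str]    # COM class id, normalised to upper case
    path: Optional[str]     # full file path if the line carries one
    orphaned: bool          # HJT already reports the file as gone
    flags: list = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
    e = Entry(section, body, clsid.group(0).upper() if clsid else None,
              path.group(1) if path else None, "(file missing)" in body or "(no file)" in body)
    if e.orphaned:
        e.flags.append("orphaned: fix in HJT, nothing left on disk")
    if section == "O4" and re.search(r'iexplore\.exe"?\s+"?https?://', body, re.I):
        e.flags.append("Run key opens the browser to a URL at every logon")
    if section == "O2" and "(no name)" in body:
        e.flags.append("unnamed BHO")
    if section == "O20":
        e.flags.append("AppInit_DLLs entry loads into every process that maps user32.dll")
    return e

def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]

def referenced_files(entries: list) -> list:
    """Paths HJT still sees on disk: the candidates for a KillBox pass."""
    return sorted({e.path for e in entries if e.path and not e.orphaned})
```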
  5. KatFriday

    KatFriday Private E-2

    Ok, I believe I have done what you have instructed. Though I realized that I skipped the registry update step and had to redo the rest of them. Anyway, my computer seems to be running much faster thanks to you guys. I did see that the O2 - BHO: cControl.....E2G\IeBHOs.dll is still there though.

    Also, I noticed that the hiberfil.sys and pagefile.sys files in c:\ are really large files. Is this normal?

    Do you all really do this for a hobby? for fun? philanthropy? in any case, I appreciate it.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is normal! They are files used by Windows!

    All of the above! ;)

    Run Pocket Killbox and select File, Cleanup, Delete All Backups!

    You still have some files from E2Give showing up. The O2 BHO line you mentioned is not much of a problem since the file is deleted but the O20 AppInit_DLLS line with inicfg32.dll is a problem we must get fixed. You may need to uninstall Google Desktop to get this fixed (we will see) or you may have to reinstall Google Desktop after the fix because it could get broken. Please run the below tool (follow instructions on the download page) and attach the log:

    E2TakeOut


    You can just use HJT to fix the below line:
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

    Then attach a new HJT log.
     
    Last edited: Sep 6, 2006
