Adware AGAIN!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by ldfrostbite, Apr 14, 2006.

  1. ldfrostbite

    ldfrostbite Private E-2

    I don't understand it. I have Norton Antivirus, Norton Personal Firewall, Free Surfer, Adaware, Spybot S&D, Windows Firewall, and somehow we've got adware and viruses on this computer AGAIN.

    IE has been running really slow since last night, and I have about 60 running processes that are "verclsid.exe", which I learned through google is some new "security feature" from the latest windows update. Well, I've heard that it's causing problems, mainly with HP computers, which is what I'm running. But I don't know the damage it's causing because we're also being bombarded with popups and weird adware things.

    Every single website has "sponsored links" on random words, that redirect through something called "trafficsector". I'm getting popups from popuppers.com among many others that redirect too quickly for me to name. And for some reason, I can't get IE to go to any websites without typing the "http://www" in front of the website. In other words, if I simply put in majorgeeks.com, nothing would happen. I have to put in http://www.majorgeeks.com for the page to even begin to load.

    I just uninstalled Internet Optimizer using Add/Remove Programs for about the 8th time this year, but I know there are still remnants of it somewhere. And I just got an alert from Norton that I have "downloader.trojan" virus and it was unable to repair and couldn't gain access to the file.

    Please, any guidance? I'm desperate and very sick of the fact that I'm running all this security software and still manage to get attacked with spyware and adware.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    I hope you have disabled Windows Firewall (Norton probably did it for you but you should check). You must only run one software firewall. Ad-Aware free provides no protection. Spybot does not provide any full malware blocking unless you run Teatime which we do not recommend. What are you running?

    This is not an issue for this forum as it is not malware. But read the below for more info and you may want to just uninstall this update using Add/Remove programs.

    http://www.microsoft.com/technet/security/Bulletin/ms06-015.mspx

    http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsupdate&tid=f836f340-c560-4554-a9e7-6bf3fb7d491d&lang=en&cr=US&p=1


    For your malware problems, see below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. ldfrostbite

    ldfrostbite Private E-2

    Thanks for the reply :)

    I did all the offline scans in safe mode, and I'm currently running the bitdefender scan, but it's been going for 15 minutes and the current estimated time is 37 hours...so that might be a while.

    Spybot S&D and Adaware found some things from E2Give, Internet Optimizer, Popuppers, and Hotbar. I had all of them fixed, but as soon as I rebooted in normal mode and reconnected to the internet, the popups came rushing in, so obviously that didn't solve much. The "sponsored links" are still present on all websites as well.

    And yes, I did have windows firewall disabled, I just thought it would be a good thing to mention that I have both norton and windows firewalls. I have Freesurfer's popup blocker on, as well as Google toolbar and adblocking from norton.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes the starting number is very high, if it actually goes beyond about 3 hours then stop it and run these two scans instead and attach their logs as requested. (These are not online scans!)
    Running Spy Sweeper

    Running Ewido Anti-Malware


    But you don't have the Windows firewall if it is disabled!
     
  5. ldfrostbite

    ldfrostbite Private E-2

    OK, for some reason Spy Sweeper is telling me it's expired, but I did the ewido scan, and now I'm doing the Panda ActiveScan, which is also being really slow.
     

    Attached Files:

  6. ldfrostbite

    ldfrostbite Private E-2

    The ActiveScan finally finished its scan, so I rebooted in normal mode and reconnected to the internet, and the sponsored links and popups are still there. I checked the Special Removal Procedures, it doesn't look like any of them apply to me. So I also ran HJT in normal mode, I attached both reports.
     

    Attached Files:

  7. ldfrostbite

    ldfrostbite Private E-2

    I tried running all the scans from the READ AND RUN ME FIRST thread again just to see if anything would work.

    CCleaner, AdAware SE, and Spybot S&D all found a lot of entries and supposedly fixed them all. Microsoft Windows Defender and Malicious Software Removal both found nothing. I also ran CWShredder and Kill2Me just in case. The Bitdefender scan locked up on me yet again, this time stating 23 hours estimated time left. And this time the Panda ActiveScan wasn't much help either, it froze after scanning only 1206 files. So I have an updated HJT log, that's all I've got for now and I can see the ieBHOs file is still there, so the E2Give thing hasn't been fixed.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a ton of malware installed. You seem to be a malware collector. We need some more info before we can work up a full procedure.

    Let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
  9. ldfrostbite

    ldfrostbite Private E-2

    I figured there was a lot of stuff...as soon as one thing seems to go away, another one shows up.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of Sun Java because you already have the latest 5.0 update 6 installed.
    J2SE Runtime Environment 5.0 Update 2
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 Runtime Environment, SE v1.4.2_06

    Also uninstall the below which were mentioned in step 0 of the READ & RUN ME.
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    Also uninstall the below SafeSurfing malware:
    IRISmon

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O4 - HKCU\..\Run: [kbdsys] C:\WINDOWS\system32\kbdsys.exe
    O4 - HKCU\..\RunOnce: [kbdsys] C:\WINDOWS\system32\kbdsys.exe
    O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/gdownloader.ocx
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) - 0
    O20 - AppInit_DLLs: iniwin32.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\apsi <--- the whole folder
    C:\Program Files\Cas <--- the whole folder
    C:\Program Files\DNS <--- the whole folder
    C:\PROGRAM FILES\CasStub <--- the whole folder
    C:\PROGRAM FILES\E2G <--- the whole folder
    C:\PROGRAM FILES\Lycos <--- the whole folder
    C:\PROGRAM FILES\Media Gateway <--- the whole folder
    C:\PROGRAM FILES\sf <--- the whole folder
    C:\PROGRAM FILES\COMMON FILES\Download <--- the whole folder
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl <--- the whole folder
    C:\TEMP\FLEOK <--- the whole folder
    C:\WINDOWS\system32\iniwin32.dll
    C:\WINDOWS\SYSTEM32\atmtd.dll
    C:\WINDOWS\system32\biU.exe
    C:\WINDOWS\SYSTEM32\bk.exe
    C:\WINDOWS\SYSTEM32\data.~
    C:\WINDOWS\system32\ezPopStub.exe
    C:\WINDOWS\system32\iniwin32.dll
    C:\WINDOWS\system32\InstallerV5.exe
    C:\WINDOWS\system32\kbdsys.exe
    C:\WINDOWS\SYSTEM32\pdrpdb.dll
    C:\WINDOWS\SYSTEM32\tsuninst.exe
    C:\WINDOWS\system32\xmltok.dll.off
    C:\WINDOWS\SYSTEM32\Xcite.dll
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
    C:\WINDOWS\alchem.ini
    C:\WINDOWS\kwv2.dat
    C:\WINDOWS\optimize.exe
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\pi1_36.exe
    C:\WINDOWS\unstall.exe
    C:\WINDOWS\usta32.ini
    C:\WINDOWS\woinstall.exe
    C:\WINDOWS\etb <--- the whole folder
    C:\WINDOWS\inf\biU.inf
    C:\WINDOWS\T3duZXIA\SWuqQwQlSSxZrItv1J64IcPZfOT.vbs
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Apr 16, 2006
  11. ldfrostbite

    ldfrostbite Private E-2

    I followed the instructions, and things seem to be running much more smoothly now. No more sponsored links and I haven't had a popup yet. Thank you!

    But I do still notice E2Give in the HJT log, and I couldn't delete iniwin32.dll, as it kept telling me the file was in use. I checked to see if it was read-only, and I terminated everything I could in Task Manager, but it still wouldn't allow me to delete this file.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall MS Windows Defender because it may be getting in our way. Then reboot before continuing.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate.


    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Program Files\E2G\IeBHOs.dll
    C:\WINNT\system32\iniwin32.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Now in safe mode, run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O20 - AppInit_DLLs: iniwin32.dll

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Program Files\E2G <--- the whole folder
    C:\WINNT\system32\iniwin32.dll

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and tell me how these steps went.

    Also tell me how things are working!
     
  13. ldfrostbite

    ldfrostbite Private E-2

    Neither HJT nor Killbox could get rid of the iniwin32 problem...HJT gave me an error when trying to fix "O20 - AppInit_DLLs: iniwin32.dll", and told me to contact the developers. And Killbox simply said "Cannot delete file". Apparently it's still in use, even though I booted in safe mode and had absolutely nothing running or open but windows explorer.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you set Killbox to Delete on Reboot? Sounds like you used Standard File Kill!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Go here and download and install Registrar Lite
    • Run it, copy and paste the below line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • Click the "go" tab
    • You should see the "Appinit_Dlls" value on the right side panel
    • Make sure the Windows key is selected in the left window pane
    • Rename the Folder Windows to NotWindows highlighted as a light blue (some people call it light purple) folder in the left hand pane of reglite. You rename it by right clicking on it and selecting rename.
    • Now Double Click AppInit_DLLs in the right window pane and clear the data value. That is delete the C:\WINNT\system32\iniwin32.dll information from the value box. Now Click Apply and OK to set.
    • Now Rename the NotWindows folder back to its original name Windows
    • Reboot your PC into safe mode and see if you can delete the C:\WINNT\system32\iniwin32.dll file. If you cannot delete it, see if you can right click on it and select rename. Change it to iniwin32.ddd
    • While in safe mode run HijackThis and fix the below line if still found:
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
    O20 - AppInit_DLLs: iniwin32.dll

    • Reboot into normal mode and attach a new HJT log and tell me how these steps went.
     
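As an added illustration of how the HijackThis lines in post #10 (the R0/O2/O4/O16/O20 entries chaslang asked to fix) and the AppInit_DLLs value handled in post #15 are read, the following Python parses lines in HijackThis's log format into structured records and picks out the sections that give code an automatic execution point. This is example code written for this edit, not HijackThis code and not part of the thread; the regular expressions are my own and cover only the sections that appear in these posts, and the sample input is the list of lines from post #10.

```python
"""Parse HijackThis (HJT) log lines into structured records.

Added example for this thread; it is not HijackThis code and not part of the
original posts.  It models only the HJT sections that appear in the thread
(R0, O2, O4, O16, O20); other sections fall back to a generic record.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the lines chaslang asked the poster to fix in post #10.
SAMPLE_HJT_LINES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll",
    r"O4 - HKCU\..\Run: [kbdsys] C:\WINDOWS\system32\kbdsys.exe",
    r"O4 - HKCU\..\RunOnce: [kbdsys] C:\WINDOWS\system32\kbdsys.exe",
    r"O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/gdownloader.ocx",
    r"O20 - AppInit_DLLs: iniwin32.dll",
]

# Sections that give code an automatic execution point (persistence); review these first.
AUTOSTART_SECTIONS = {
    "O2": "Browser Helper Object loaded into every Internet Explorer process",
    "O4": "Run/RunOnce registry value executed at logon",
    "O20": "AppInit_DLLs value: DLL loaded into every process that loads user32.dll",
}


@dataclass
class HjtEntry:
    section: str                 # "R0", "O2", "O4", "O16", "O20", ...
    raw: str                     # the original log line
    name: str = ""               # BHO name, Run value name, DPF name or setting name
    clsid: str = ""              # COM class id for O2/O16 entries
    hive: str = ""               # HKLM/HKCU when the entry names a registry hive
    target: str = ""             # file path, URL or DLL name the entry points at
    file_missing: bool = False   # HJT appends "(file missing)" when the target is gone


_SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
_PATTERNS = {
    "R0": re.compile(r"^(?P<hive>HK\w+)\\(?P<key>.*?),(?P<name>[^=]+?)\s*=\s*(?P<target>.*)$"),
    "O2": re.compile(r"^BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[^}]+\})\s+-\s+(?P<target>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$"),
    "O16": re.compile(r"^DPF:\s*(?P<clsid>\{[^}]+\})\s*\((?P<name>[^)]*)\)\s*-\s*(?P<target>.*)$"),
    "O20": re.compile(r"^AppInit_DLLs:\s*(?P<target>.*)$"),
}
_MISSING = "(file missing)"


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for one HJT line, or None if the line is not an entry."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = HjtEntry(section=section, raw=line.strip())
    pat = _PATTERNS.get(section)
    sub = pat.match(body) if pat else None
    if sub:
        fields = sub.groupdict()
        entry.name = fields.get("name", "").strip()
        entry.clsid = fields.get("clsid", "")
        entry.hive = fields.get("hive", "")
        entry.target = fields.get("target", "").strip()
    else:
        entry.target = body.strip()  # unknown or unexpected layout: keep the body as-is
    if entry.target.endswith(_MISSING):
        entry.file_missing = True
        entry.target = entry.target[: -len(_MISSING)].strip()
    return entry


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse a whole HJT log, skipping header lines that are not entries."""
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def autostart_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose section is an automatic execution point (see AUTOSTART_SECTIONS)."""
    return [e for e in entries if e.section in AUTOSTART_SECTIONS]


def appinit_dlls(entries: List[HjtEntry]) -> List[str]:
    """DLL names from O20 entries.  The registry value may list several DLLs
    separated by spaces or commas.  A bare name with no directory (like the
    thread's iniwin32.dll) is resolved by the loader's normal DLL search order,
    which includes the system directory."""
    names: List[str] = []
    for e in entries:
        if e.section == "O20":
            names.extend(n for n in re.split(r"[,\s]+", e.target) if n)
    return names


def local_paths(entries: List[HjtEntry]) -> List[str]:
    """Drive-letter file targets an analyst should verify on disk (URLs are excluded)."""
    return [e.target for e in entries if re.match(r"^[A-Za-z]:\\", e.target)]


if __name__ == "__main__":
    for e in autostart_entries([parse_hjt_line(l) for l in SAMPLE_HJT_LINES]):
        print(f"{e.section:<4} {AUTOSTART_SECTIONS[e.section]}\n     -> {e.target}")
```

Run as a script it lists the four autostart entries from the sample (the BHO, the two Run values and the AppInit_DLLs DLL) with the mechanism each one uses; `local_paths` gives the on-disk targets to verify after a cleanup like the one in post #10, and `appinit_dlls` gives the DLL names behind the value that post #15 clears by hand.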
