Can't shake: cxtpls_loader.exe, ilalni.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by thedirewolf, May 2, 2005.

  1. thedirewolf

    thedirewolf Private E-2

    I’m trying to clean up a friend’s computer that was totally unprotected and being occupied by pretty much the whole Trojan Army. Using the usual tools, I’ve managed to get rid of most of it and I’m no longer getting popups from About: blank or ads1 or anybody else. There are still problems I can’t seem to resolve, however.

    First I noticed a file called ilalni.exe (yes, that’s the correct spelling) in Hijack This which I could not identify. I ran WinPatrol and it couldn’t tell me anything about it either, so I concluded that it couldn’t be anything good. Unfortunately, every time I try to kill it with Hijack This, it comes right back (as does Windows Messenger, which I had disabled with Shoot the Messenger and then when that didn’t work, through the registry using these instructions):

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}\InProcServer32

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}\LocalServer32

    For both, in the right pane, right click Default/Modify/Delete the value data.

    This has always worked for me in the past, but Messenger keeps reactivating. I manually deleted ilalni.exe several times and it finally stopped showing up in the folder, but Hijack This and WinPatrol still pick it up every time and show it to be in the same location.

    Next I discovered quite by chance this folder: C:\!Submit, which contained cxtpls_loader.exe and HookPopup.dll, which had gone undetected by Adaware, Spybot, Spysubtract, and HijackThis.

    Also, Norton found this file and considered it a problem, even though its size is 0 kb:
    C:\Documents and Settings\Me\Local Settings\Temp\JETD793.tmp.

    I’ve been working on this almost nonstop for 3 days and I’m losing it fast.

    Any ideas, anyone?

    Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    By the way, the C:\!submit folder is from using PocketKillbox. It stores backups and files for submission to be checked out there. They are all safe to delete.
     
  3. thedirewolf

    thedirewolf Private E-2

    Thank you so much for your response. Before posting here I began by running Adaware, SpySubtract and Spybot, which got rid of a ton of stuff (nearly 14,000 critical objects in Adaware). I then installed SpywareBlaster, Norton Systemworks and Norton Firewall, adjusted the security levels in IE, deleted all temp internet files and cookies, and ran the Norton VirusScan.

    After posting my message and receiving your reply, I followed your instructions and did it all twice. I didn’t take notes from the first House Call scan, but everything else is pretty well documented as follows:

    FIRST SCANS-

    SYMANTEC VIRUS SCAN:
    C:\WINDOWS\SYSTEM32\dqoqa.dll is infected with Adware.QoolAid
    C:\WINDOWS\SYSTEM32\dqxqodb.exe is infected with Adware.QoolAid
    C:\WINDOWS\SYSTEM32\ilalni.exe is infected with Adware.QoolAid CAN’T SEE IN FOLDER
    C:\WINDOWS\SYSTEM32\q17i9a4j.exe is infected with Adware.SAHAgent
    C:\WINDOWS\SYSTEM32\sbebgst.dll is infected with Adware.QoolAid
    C:\WINDOWS\SYSTEM32\winup2date.dll is infected with Adware.QoolAid
    C:\WINDOWS\SYSTEM32\wygyv.dat is infected with Adware.QoolAid
    C:\WINDOWS\SYSTEM32\Cache\cxtpls_loader.exe is infected with Spyware.Apropos
    C:\WINDOWS\SYSTEM32\Cache\EDow_AS2_r.exe is infected with Adware.Websearch
    C:\WINDOWS\SYSTEM32\Cache\ysbinstall_1002828.exe is infected with SecurityRisk.Downldr
    C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll is infected with Adware.EliteBar
    C:\WINDOWS\Downloaded Program Files\ClientAX.dll is infected with Adware.ZangoSearch CAN’T SEE IN FOLDER
    C:\WINDOWS\backup\T\50429000.DAT is infected with SecurityRisk.Downldr
    C:\RECYCLER\S-1-5-21-1206458564-2761713048-594688902-1005\Dc83.exe is infected with Adware.SAHAgent CAN’T SEE IN FOLDER
    C:\Program Files\Common Files\wmqw\wmqwm.exe is infected with Adware.TargetSaver
    C:\Documents and Settings\Me\My Documents\System Security\backups\backup-20050430-000307-472.dll is infected with Adware.Bookedspace
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcuc.exe is infected with Adware.QoolAid

    Can’t get rid of C:\Elite Toolbar


    TROJAN SCAN RESULTS:
    C:Windows\System32\ilalni.exe Trojan Downloader.Win32.Qoologic.i
    C:Windows\System32\sbebgst.dll Trojan Downloader.Win32.Qoologic.i
    C:!Submit\dqxqodb.exe Trojan Downloader.Win32.Qoologic.i
    C:Doc & Set\All Users\Start Menu\Programs\Startup\rcuc.exe Trojan Downloader.Win32.Qoologic.i
    C:Windows\System32\dqoqa.dll Trojan Downloader.Win32.Qoologic.i
    C:Windows\System32\ dqxqodb.exe Trojan Downloader.Win32.Qoologic.i
    C:Windows\System32\wygyv.dat Trojan Downloader.Win32.Qoologic.i
    C:\Windows\Downloaded Prog. Files\ClientAX.dll Adware 180Solutions.g
    C:\Recycler\S-1-5-21-1206458564-2761713048-59468902-1005\Dc83.exe Adware Sahat.m
    C:\Doc & Set\Me\My Doc\System Security\12mfix\Process.exe not-a-virus Riskware.Tool.Processor.20


    a² Report
    Filename Diagnosis
    C:\Documents and Settings\Me\My Documents\System Security\l2mfix\Process.exe not-a-virus:RiskWare.Tool.Processor.20
    C:\RECYCLER\S-1-5-21-1206458564-2761713048-594688902-1005\Dc83.exe AdWare.Sahat.m
    C:\WINDOWS\Downloaded Program Files\ClientAX.dll AdWare.180Solutions.g
    C:\WINDOWS\SYSTEM32\dqxqodb.exe Trojan-Downloader.Win32.Qoologic.i
    C:\WINDOWS\SYSTEM32\wygyv.dat Trojan-Downloader.Win32.Qoologic.i


    SECOND SCANS-

    HOUSE CALL: TROJ QLOGIC A uncleanable deleted

    SYMANTEC VIRUS SCAN
    C:\Windows\System32\ilalni.exe is infected with Adware.QoolAid
    C:\Windows\System32\sbebgst.dll is infected with Adware.QoolAid
    C:\Windows\System32\dqoqa.dll is infected with Adware.QoolAid
    C:\Windows\System32\Ineyne.exe is infected with Adware.DealHelper
    C:\Windows\System32\ sbebgst.dll is infected with Adware.QoolAid
    C:\!Submit\dqxqodb.exe is infected with Adware.QoolAid
    C:\Doc & Set\Me\My Doc\System Security\backups\backup-20050430-000307- 472.dll is infected with Adware.Bookedspace
    C:\Doc & Set\All Users\Start Menu\Programs\Startup\rcuc.exe in infected with Adware.QoolAid


    dqoqa.dll, sbebgst.dll, rcuc.exe, and ilalni.exe not visible in folder,
    !Submit is all of a sudden not visible either and Elite Toolbar is back. Deleted it, for all the good it’ll do.


    STINGER: found nothing.

    ADAWARE: found nothing.

    SPYBOT: found nothing.

    WIN PATROL: ilalni.exe and rcuc.exe still there
    Looked in Windows\!Submit and dqxqodb.exe is back. Killed with KillBox, but I’ve already tried that several times before and it keeps coming back.

    BITDEFENDER: found nothing

    Couldn’t load RavAntivirus in spite of resetting security levels to their requested level.

    WINDOWSECURITY TROJAN SCAN:
    C:\Windows\System32\ilalni.exe
    C:\Windows\System32\sbebgst.dll
    C:\Windows\System32\dqoqa.dll
    C:\Windows\System32\dqxqodb.exe
    C:\Windows\System32\ilalnie.exe
    C:\Windows\System32\ sbebgst.dll
    C:\Windows\System32\wygyv.dat

    A-SQUARED:
    C:\Windows\System32\dqxqodb.exe
    C:\Windows\System32\wygyv.dat
    “deleted” both

    AVAST:
    5/5/2005, 12:43:21 PM
    Memory scanning started...
    No virus body found in memory.
    Memory scanning finished (29.0s).
    ----------
    Files scanning started...
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll... file could not be scanned!
    No virus body found.
    Files scanning finished (43141 files, 0 infected, 2498.2s).
    Drives scanned: C:

    ADS Spy: found nothing

    NORTON SYSTEM WORKS: found but couldn’t fix C:\Doc & Set\Me\Local Settings\Temp\JET18A3.tmp

    WIN PATROL: no longer shows anything suspicious

    After reboot-

    HIJACK THIS: still shows ilalni.exe

    C:\Windows\System32\dqxqodb.exe and C:\Windows\System32\wygyv.dat are back in Windows Explorer

    After another reboot, rcuc.exe shows up again in WinPatrol.
    Checked in C:\Windows\System32, found dqoqa.dll and sbebgst.dll have returned.

    Ran Hijack This one more time for your perusal.

    Thanks again, I sincerely appreciate the help.
    Richard
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a few nasty items on your system that require some special steps to remove. Before we do that, you must disable Spybot's TeaTimer as it will possibly block some of our changes.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    Download and run: EliteToolbar Remover

    Download Pocket Killbox and save it to its own folder where you can find it.

    Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file

    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.
    C:\WINDOWS\SYSTEM32\dqoqa.dll
    C:\WINDOWS\SYSTEM32\dqxqodb.exe
    C:\Windows\System32\Ineyne.exe
    C:\WINDOWS\SYSTEM32\ilalni.exe
    C:\WINDOWS\SYSTEM32\q17i9a4j.exe
    C:\WINDOWS\SYSTEM32\sbebgst.dll
    C:\WINDOWS\SYSTEM32\winup2date.dll
    C:\WINDOWS\SYSTEM32\wygyv.dat
    C:\WINDOWS\SYSTEM32\Cache\cxtpls_loader.exe
    C:\WINDOWS\SYSTEM32\Cache\EDow_AS2_r.exe
    C:\WINDOWS\SYSTEM32\Cache\ysbinstall_1002828.exe
    C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
    C:\WINDOWS\Downloaded Program Files\ClientAX.dll
    C:\WINDOWS\backup\T\50429000.DAT
    C:\RECYCLER\S-1-5-21-1206458564-2761713048-594688902-1005\Dc83.exe
    C:\Program Files\Common Files\wmqw\wmqwm.exe
    C:\Documents and Settings\Me\My Documents\System Security\backups\backup-20050430-000307-472.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcuc.exe

    With the full path to the file name in the Full Path of File to Delete textbox, the filename will appear under the box in a blue color to indicate it was found. Now click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!
    Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

    Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

    When you do enter the last file name that needs to be deleted, click Yes on the last file.
    Note: Killbox will let you know if the file does not exist.

    Okay, so now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

    After reboot run HJT and have it fix the below lines if they still exist:
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ilalni.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Now exit HJT and reboot one more time.
    Now come back and tell me the results of the above and also post a new HJT log.
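
Added example, not part of the original thread or of any tool named in it: when flagged files reappear after deletion, the autorun entries that launch them have to be found as well as the files. This Python sketch cross-references HijackThis O4 lines with scanner detections; the sample inputs are constructed from lines quoted in this thread, and all function names are hypothetical.

```python
import ntpath
import re

# Constructed sample: O4/O6 lines in the HijackThis format quoted in this thread.
# The WinPatrol line is built from the Run value shown in the ETRemover log.
HJT_LOG = r"""
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ilalni.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Constructed sample: three lines copied from the Symantec results in this thread.
SCAN_REPORT = r"""
C:\WINDOWS\SYSTEM32\ilalni.exe is infected with Adware.QoolAid
C:\WINDOWS\SYSTEM32\sbebgst.dll is infected with Adware.QoolAid
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcuc.exe is infected with Adware.QoolAid
"""

# "O4 - <location>: [<value name>] <target>"  or  "O4 - <location>: <shortcut> = <target>"
O4_RE = re.compile(
    r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>.+?) = )(?P<target>.+)$")
DETECT_RE = re.compile(r"^(?P<path>.+?) is infected with (?P<label>\S+)")
STARTUP_DIR = r"\start menu\programs\startup" + "\\"


def norm(path):
    """Case-insensitive, separator-normalised Windows path for comparison."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def parse_o4(log):
    """Return the autorun (O4) entries of a HijackThis log as dicts."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append({"location": m["loc"],
                            "name": m["name"] or m["lnk"],
                            "target": m["target"].strip()})
    return entries


def parse_detections(report):
    """Map normalised path -> (path as reported, detection label)."""
    found = {}
    for line in report.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            found[norm(m["path"])] = (m["path"], m["label"])
    return found


def correlate(hjt_log, scan_report):
    """List persistence points that reference a file a scanner flagged."""
    detections = parse_detections(scan_report)
    findings = []
    for e in parse_o4(hjt_log):
        hit = detections.get(norm(e["target"]))
        if hit:  # a Run value or startup shortcut launches a flagged file
            findings.append(("autorun", f'{e["location"]} [{e["name"]}]',
                             e["target"], hit[1]))
    for path, (raw, label) in detections.items():
        if STARTUP_DIR in path:  # flagged file sits in a Startup folder
            findings.append(("startup-folder", ntpath.dirname(raw), raw, label))
    return findings


if __name__ == "__main__":
    for finding in correlate(HJT_LOG, SCAN_REPORT):
        print(" | ".join(finding))
```
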
     
  5. thedirewolf

    thedirewolf Private E-2

    For some reason I'm having a hard time getting this to go through. This is my 3rd attempt, I hope it takes this time. If I've somehow triple-posted, please accept my apology.

    OK, here we go-

    Ran ETRemover in safe mode. This came up on command prompt:

    C:\Documents and Settings\Me\My Documents\System Security\ETRemover_V123>del c:\*tmp
    Could not find c:\*tmp

    C:\Documents and Settings\Me\My Documents\System Security\ETRemover_V123>del C:\DOCUME~1\Me\LOCALS~1\Temp\*.tmp/f
    C:\DOCUME~1\Me\LOCALS~1\Temp\~DFB93.tmp
    The process can not access the file because it is being used by another process.

    C:\Documents and Settings\Me\My Documents\System Security\ETRemover_V123>del
    C:\Windows\Prefetch\*.*
    C:\Windows\Prefetch\*.*, are your sure? (Y/N)?

    I selected Y
    Logfile attached

    Killbox (also in safe mode) found and deleted:
    C:\WINDOWS\SYSTEM32\dqoqa.dll
    C:\WINDOWS\SYSTEM32\dqxqodb.exe
    C:\WINDOWS\SYSTEM32\ilalni.exe
    C:\WINDOWS\SYSTEM32\sbebgst.dll
    C:\WINDOWS\SYSTEM32\wygyv.dat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcuc.exe

    The rest "doesn't seem to exist"

    I re-entered them in "delete on reboot" mode, got the PendingFileRenameOperations message and rebooted manually.

    On reboot, WinPatrol asked if I wanted to allow ilalni.exe to autorun on startup. Selected no, obviously.

    Poked around in Win Explorer and found the following:

    In C:\Windows\System32-
    Ineynedk.xml
    Ineynek1.xml
    Ineynek2.xml
    Ineynek.xml
    Ineyneu1.xml
    Ineyneu2.xml
    Ineyneu3.xml
    Ineyneu.xml
    q17i9a4j.ini
    C:\WINDOWS\backup\T (empty folder)
    C:\Program Files\Common Files\wmqw (empty folder)
    C:\Documents and Settings\Me\My Documents\System Security\backups\backup-20050430-000307-472 (no extension)

    Ran Hijack This, found and fixed:
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Rebooted, ran Hijack This and attached log.

    OK, can't seem to upload log from ETRemover, so here's the contents of the logfile:
    Registry Log file generated by *** EliteToolbar Remover V.1.2.3 ***
    06/05/2005 - 17:58:17

    System info:

    OS Platform: Microsoft Windows 2000
    OS Version: 5.01.2600
    OS Update: Service Pack 2
    CPU Maker: GenuineIntel
    CPU Model: x86 Family 15 Model 2 Stepping 4
    CPU Speed: 2192 MHz


    Running processes:

    [system process] [SYSTEM]
    system [SYSTEM]
    smss.exe [\SystemRoot\System32\smss.exe]
    csrss.exe [SYSTEM]
    winlogon.exe [\??\C:\WINDOWS\system32\winlogon.exe]
    services.exe [C:\WINDOWS\system32\services.exe]
    lsass.exe [C:\WINDOWS\system32\lsass.exe]
    svchost.exe [C:\WINDOWS\system32\svchost.exe]
    svchost.exe [SYSTEM]
    svchost.exe [C:\WINDOWS\System32\svchost.exe]
    svchost.exe [SYSTEM]
    svchost.exe [SYSTEM]
    explorer.exe [C:\WINDOWS\Explorer.EXE]
    spoolsv.exe [C:\WINDOWS\system32\spoolsv.exe]
    ccproxy.exe [C:\Program Files\Common Files\Symantec Shared\ccProxy.exe]
    ccsetmgr.exe [C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe]
    cisvc.exe [C:\WINDOWS\system32\cisvc.exe]
    ituneshelper.exe [C:\Program Files\iTunes\iTunesHelper.exe]
    ccapp.exe [C:\Program Files\Common Files\Symantec Shared\ccApp.exe]
    winpatrol.exe [C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe]
    jusched.exe [C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe]
    issvc.exe [C:\Program Files\Norton Personal Firewall\ISSVC.exe]
    navapsvc.exe [C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe]
    npfmntor.exe [C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe]
    nprotect.exe [C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE]
    sndsrvc.exe [C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe]
    spbbcsvc.exe [C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe]
    nopdb.exe [C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE]
    svchost.exe [C:\WINDOWS\System32\svchost.exe]
    symlcsvc.exe [C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe]
    ccevtmgr.exe [C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe]
    ipodservice.exe [C:\Program Files\iPod\bin\iPodService.exe]
    alg.exe [SYSTEM]
    cidaemon.exe [C:\WINDOWS\system32\cidaemon.exe]
    cidaemon.exe [C:\WINDOWS\system32\cidaemon.exe]
    iexplore.exe [C:\Program Files\Internet Explorer\iexplore.exe]
    msmsgs.exe [C:\Program Files\Messenger\msmsgs.exe]
    etremover_v123.exe [C:\Documents and Settings\Me\My Documents\System Security\ETRemover_V123\ETRemover_v123.exe]


    ------------------------------------------
    HKLM -> UserInit in NT:


    DWORD: AutoRestartShell = 1

    DefaultUserName = Me

    LegalNoticeCaption =

    LegalNoticeText =

    PowerdownAfterShutdown = 0

    ReportBootOk = 1

    Shell = Explorer.exe

    ShutdownWithoutLogon = 0

    System =

    Userinit = C:\WINDOWS\system32\userinit.exe,

    VmApplet = rundll32 shell32,Control_RunDLL "sysdm.cpl"

    DWORD: SfcQuota = -1

    allocatecdroms = 0

    allocatedasd = 0

    allocatefloppies = 0

    cachedlogonscount = 10

    DWORD: forceunlocklogon = 0

    DWORD: passwordexpirywarning = 14

    scremoveoption = 0

    DWORD: AllowMultipleTSSessions = 1

    DWORD: LogonType = 1

    Background = 0 0 0

    DefaultPassword =

    DebugServerCommand = no

    DWORD: SFCDisable = 0

    WinStationsDisabled = 0

    DWORD: HibernationPreviouslyEnabled = 1

    DWORD: ShowLogonOptions = 0

    AltDefaultUserName = Me

    AltDefaultDomainName = CARIE

    DefaultDomainName = CARIE



    ------------------------------------------
    HKCU -> UserInit in NT:


    ParseAutoexec = 1

    ExcludeProfileDirs = Local Settings;Temporary Internet Files;History;Temp

    DWORD: BuildNumber = 2600



    ------------------------------------------
    HKLM -> UserInit:

    * Registry key not found *

    ------------------------------------------
    HKCU -> UserInit in NT:

    * Registry key not found *

    ------------------------------------------
    Running processes in NT / HKLM -> RUN (Autorun entries from Registry):

    * Registry key not found *

    ------------------------------------------
    Running processes in HKLM -> RUN (Autorun entries from Registry):


    iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe

    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    WinPatrol = C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe



    ------------------------------------------
    Running processes in HKLM -> RUNONCE (Autorun entries from Registry):

    * No values found *

    ------------------------------------------
    Running processes in HKLM -> RUNONCEEX (Autorun entries from Registry):

    * No values found *

    ------------------------------------------
    Running processes in HKLM -> RUNSERVICES (Autorun entries from Registry):

    * Registry key not found *

    ------------------------------------------
    Running processes in HKLM -> RUNSERVICESONCE (Autorun entries from Registry):

    * Registry key not found *

    ------------------------------------------
    Running processes in NT / HKCU -> RUN (Autorun entries from Registry):

    * Registry key not found *

    ------------------------------------------
    Running processes in HKCU -> RUN (Autorun entries from Registry):

    * No values found *

    ------------------------------------------
    Running processes in HKCU -> RUNONCE (Autorun entries from Registry):

    * No values found *

    ------------------------------------------
    Running processes in HKCU -> RUNONCEEX (Autorun entries from Registry):

    * Registry key not found *

    ------------------------------------------
    Running processes in HKCU -> RUNSERVICES (Autorun entries from Registry):

    * Registry key not found *

    ------------------------------------------
    Running processes in HKCU -> RUNSERVICESONCE (Autorun entries from Registry):

    * Registry key not found *

    ------------------------------------------
    Running processes in HKLM -> Browser Helper Objects:

    {53707962-6F74-2D53-2644-206D7942484F}
    * No values in SubKey *

    {AA58ED58-01DD-4d91-8333-CF10577473F7}
    * No values in SubKey *

    ------------------------------------------
    Programs in HKLM -> Common Startup:

    * No programs in Common Startup *

    ------------------------------------------

    Thanks, Richard
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have to apologize! I had a cut and paste error on my part. I should not have requested that you fix the below entry for SpySubtract:
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

    If you use this program (is it the paid version?), you should reinstall it to fix that.

    Other than that your log is clean. Are you having any problems?
     
  7. thedirewolf

    thedirewolf Private E-2

    No, it seems to be functioning normally and I haven't seen a popup in several days.

    I thank you, sir. This is an amazing and important service you folks provide and I'm very grateful to have found you. What can a person do to help support this site?

    You rock.

    Richard
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

