Malware/Spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by traceyy, May 5, 2006.

  1. traceyy

    traceyy Private E-2

    Hi, hope someone can help me. I have an IBM ThinkPad laptop running Windows XP which has major spyware/adware. It has taken over Internet Explorer, making it very difficult to use my normal means of spyware/malware removal. I have run adware and spybot/search and destroy but this hasn't helped. Please find attached a copy of my HijackThis log, hopefully someone clever can help this semi beginner.

    Thanks in anticipation

    Tracey
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments. Make sure you follow step 7 correctly since you were running HijackThis improperly (directly from inside the ZIP file) in your first log. It will only delay you from getting help if you do not install it correctly.

    Since you also have a Smitfraud infection, run this first: SpywareQuake Removal Procedure. Attach the smitfiles.txt log later.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
      • smitfiles.txt from the SpywareQuake removal procedure
     
  3. traceyy

    traceyy Private E-2

    Help! I tried to log on to the laptop today after reading your email on my PC. Now I cannot get Internet Explorer to work so that I can follow the links in your email. It comes up blank page, what do I do? I know Windows 98 has a fix Internet Explorer, does Windows XP? I frigging hate Windows XP, sobs quietly on her keyboard!!!!! You need a crying emote!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running a fix for IE probably would not help. The malware you have is probably the root of your problems. I will start by giving you some steps to do with HijackThis but this will not completely fix you. You still will have to run the other steps later once we can get you connected to the Internet again.

    However first, YOU MUST extract Hijackthis.exe from the ZIP file and install it into C:\Program Files\HJT as instructed in step 7 of the READ ME. If you do not do this before continuing, you will not get any backups of things we fix. Thus if a mistake is made, you could be in big trouble. Fix this now before continuing to the below.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\inet20000\services.exe
    C:\WINDOWS\System32\mssearchnet.exe
    C:\WINDOWS\system32\nvctrl.exe
    C:\WINDOWS\System32\xlolnsxb.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe
    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp8009.tmp
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
    O4 - HKLM\..\Run: [xlolnsxb] C:\WINDOWS\System32\xlolnsxb.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
    O4 - HKCU\..\Run: [xlolnsxb] C:\WINDOWS\System32\xlolnsxb.exe
    O21 - SSODL: IEFilter - {E4F2B7C1-8A6B-4E12-BE39-406CBDB5C740} - C:\WINDOWS\system32\IEFilter.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\inet20000 <--- the whole inet20000 folder
    C:\WINDOWS\System32\mssearchnet.exe
    C:\WINDOWS\system32\nvctrl.exe
    C:\WINDOWS\System32\xlolnsxb.exe
    C:\WINDOWS\system32\IEFilter.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
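
Added example (not part of the thread, and not MajorGeeks or HijackThis code): a cross-check of the two lists in the post above, reporting files that a fixed HijackThis entry points at but the deletion list does not name, and files on the deletion list that no fixed entry points at. The function names are illustrative, and the input is copied from the post.

```python
import ntpath  # Windows path rules, so this runs on any OS
import re

# Constructed input: entries selected for Fix and the deletion list, copied from the post.
HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp8009.tmp
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKLM\..\Run: [xlolnsxb] C:\WINDOWS\System32\xlolnsxb.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKCU\..\Run: [xlolnsxb] C:\WINDOWS\System32\xlolnsxb.exe
O21 - SSODL: IEFilter - {E4F2B7C1-8A6B-4E12-BE39-406CBDB5C740} - C:\WINDOWS\system32\IEFilter.dll
""".strip().splitlines()

DELETE_LIST = [
    r"C:\WINDOWS\inet20000",  # the whole folder
    r"C:\WINDOWS\System32\mssearchnet.exe",
    r"C:\WINDOWS\system32\nvctrl.exe",
    r"C:\WINDOWS\System32\xlolnsxb.exe",
    r"C:\WINDOWS\system32\IEFilter.dll",
]
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")  # a drive-letter path running to end of line

def parse_entry(line):
    """Return (section, path); path is None for entries that only hold a registry value."""
    section, _, rest = line.partition(" - ")
    match = DRIVE_PATH.search(rest)
    return section.strip(), match.group(0).strip() if match else None

def is_covered(path, delete_list):
    """True if path is on the list or sits under a listed folder (case-insensitive)."""
    p = ntpath.normcase(path)
    return any(p == d or p.startswith(d + "\\")
               for d in map(ntpath.normcase, delete_list))

def cross_check(lines, delete_list):
    """Return (referenced but not deleted, deleted but never referenced)."""
    referenced = []
    for line in lines:
        path = parse_entry(line)[1]
        if path and path not in referenced:
            referenced.append(path)
    missing = [p for p in referenced if not is_covered(p, delete_list)]
    unreferenced = [d for d in delete_list
                    if not any(is_covered(p, [d]) for p in referenced)]
    return missing, unreferenced

print(cross_check(HJT_LINES, DELETE_LIST))
```

Paths in either result are the ones to look for again in the follow-up HijackThis log after the reboot.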
     
