Slimshield popup

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gameman007, Mar 13, 2005.

  1. Gameman007

    Gameman007 Private E-2

I got this after Win 98 SE boots up or at various times thereafter (a big red square with a black one inside of it telling me I have spyware and that I should download and install Slimshield to get rid of it, or the actual download site for Slimshield comes up).
    I have done all the pre-screens and all was clean: http://forums.majorgeeks.com/showthread.php?t=35407.
     
  2. TheOldThug

    TheOldThug First Sergeant

    After doing ALL of the READ ME if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. Gameman007

    Gameman007 Private E-2

    Ok here's the log. Hopefully we can get rid of this thing!!
    Bill
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. Gameman007

    Gameman007 Private E-2

    Hi BJgarrick
Ok, here we go again. I did run the scans previously though. I wonder if the fact that Slimshield kept popping up during the scans had anything to do with it. It happened once during this last set of scans. Hopefully things will be as successful as the problem during the week you helped me with.
    Bill
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please allow me some time to post you a fix as you have many nasties!
     
  7. Gameman007

    Gameman007 Private E-2

OK, take your time. Hopefully this thing will clear out, as it's showing up continuously.

    Bill
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    LOADER32.EXE

    RAM.EXE



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [loader32] C:\WINDOWS\LOADER32.EXE
    O4 - HKLM\..\Run: [Qot] C:\WINDOWS\SYSTEM\Ram.exe
    O4 - HKLM\..\Run: [Sts] C:\WINDOWS\Nve.exe
    O4 - HKLM\..\Run: [Akg] C:\WINDOWS\SYSTEM\Nne.exe
    O4 - HKLM\..\Run: [Mbb] C:\WINDOWS\Vld.exe
    O4 - HKLM\..\Run: [Cot] C:\WINDOWS\Cko.exe
    O4 - HKLM\..\Run: [Dbq] C:\WINDOWS\SYSTEM\Ufb.exe
    O4 - HKLM\..\Run: [Rnb] C:\WINDOWS\Suf.exe
    O4 - HKLM\..\Run: [Eov] C:\WINDOWS\Hca.exe
    O4 - HKLM\..\Run: [Acq] C:\WINDOWS\Gqi.exe
    O4 - HKLM\..\Run: [Kaq] C:\WINDOWS\Jmj.exe
    O4 - HKLM\..\Run: [Mpj] C:\WINDOWS\Sct.exe
    O4 - HKLM\..\Run: [Mhb] C:\WINDOWS\Uhl.exe
    O4 - HKLM\..\Run: [Sji] C:\WINDOWS\SYSTEM\Atl.exe
    O4 - HKLM\..\Run: [Ina] C:\WINDOWS\Kmm.exe
    O4 - HKLM\..\Run: [Sbr] C:\WINDOWS\Tjq.exe
    O4 - HKLM\..\Run: [Pmd] C:\WINDOWS\Hqq.exe
    O4 - HKLM\..\Run: [Evn] C:\WINDOWS\SYSTEM\Mrd.exe
    O4 - HKLM\..\Run: [Rfp] C:\WINDOWS\Bml.exe
    O4 - HKLM\..\Run: [Qbb] C:\WINDOWS\SYSTEM\Ovr.exe
    O4 - HKLM\..\Run: [Egg] C:\WINDOWS\Eik.exe
    O4 - HKLM\..\Run: [Vqm] C:\WINDOWS\SYSTEM\Rde.exe
    O4 - HKLM\..\Run: [Dgv] C:\WINDOWS\SYSTEM\Jro.exe
    O4 - HKLM\..\Run: [Otf] C:\WINDOWS\SYSTEM\Vho.exe
    O4 - HKLM\..\Run: [Dmv] C:\WINDOWS\Tmf.exe
    O4 - HKLM\..\Run: [Mtd] C:\WINDOWS\SYSTEM\Ton.exe
    O4 - HKLM\..\Run: [Nls] C:\WINDOWS\SYSTEM\Oil.exe
    O4 - HKLM\..\Run: [Aut] C:\WINDOWS\Grn.exe
    O4 - HKLM\..\Run: [Aet] C:\WINDOWS\SYSTEM\Jar.exe
    O4 - HKLM\..\Run: [Fjf] C:\WINDOWS\Gek.exe
    O4 - HKLM\..\Run: [Gkp] C:\WINDOWS\SYSTEM\Aoc.exe
    O4 - HKLM\..\Run: [Nrn] C:\WINDOWS\SYSTEM\Oeb.exe
    O4 - HKLM\..\Run: [Ldo] C:\WINDOWS\Sdg.exe
    O4 - HKLM\..\Run: [Dls] C:\WINDOWS\Jhl.exe
    O4 - HKLM\..\Run: [Ngc] C:\WINDOWS\Sbq.exe
    O4 - HKLM\..\Run: [Iaq] C:\WINDOWS\SYSTEM\Ped.exe
    O4 - HKLM\..\Run: [Pav] C:\WINDOWS\Che.exe
    O4 - HKLM\..\Run: [Jqo] C:\WINDOWS\Jbt.exe
    O4 - HKLM\..\Run: [Ckl] C:\WINDOWS\SYSTEM\Tgg.exe
    O4 - HKLM\..\Run: [Ihb] C:\WINDOWS\Gjt.exe
    O4 - HKLM\..\Run: [Epo] C:\WINDOWS\SYSTEM\Lph.exe
    O4 - HKLM\..\Run: [Fci] C:\WINDOWS\SYSTEM\Jmv.exe
    O4 - HKCU\..\Run: [Sts] C:\WINDOWS\Nve.exe
    O4 - HKCU\..\Run: [Akg] C:\WINDOWS\SYSTEM\Nne.exe
    O4 - HKCU\..\Run: [Mbb] C:\WINDOWS\Vld.exe
    O4 - HKCU\..\Run: [Cot] C:\WINDOWS\Cko.exe
    O4 - HKCU\..\Run: [Dbq] C:\WINDOWS\SYSTEM\Ufb.exe
    O4 - HKCU\..\Run: [Rnb] C:\WINDOWS\Suf.exe
    O4 - HKCU\..\Run: [Eov] C:\WINDOWS\Hca.exe
    O4 - HKCU\..\Run: [Acq] C:\WINDOWS\Gqi.exe
    O4 - HKCU\..\Run: [Kaq] C:\WINDOWS\Jmj.exe
    O4 - HKCU\..\Run: [Mpj] C:\WINDOWS\Sct.exe
    O4 - HKCU\..\Run: [Mhb] C:\WINDOWS\Uhl.exe
    O4 - HKCU\..\Run: [Sji] C:\WINDOWS\SYSTEM\Atl.exe
    O4 - HKCU\..\Run: [Ina] C:\WINDOWS\Kmm.exe
    O4 - HKCU\..\Run: [Sbr] C:\WINDOWS\Tjq.exe
    O4 - HKCU\..\Run: [Pmd] C:\WINDOWS\Hqq.exe
    O4 - HKCU\..\Run: [Evn] C:\WINDOWS\SYSTEM\Mrd.exe
    O4 - HKCU\..\Run: [Rfp] C:\WINDOWS\Bml.exe
    O4 - HKCU\..\Run: [Qbb] C:\WINDOWS\SYSTEM\Ovr.exe
    O4 - HKCU\..\Run: [Egg] C:\WINDOWS\Eik.exe
    O4 - HKCU\..\Run: [Vqm] C:\WINDOWS\SYSTEM\Rde.exe
    O4 - HKCU\..\Run: [Dgv] C:\WINDOWS\SYSTEM\Jro.exe
    O4 - HKCU\..\Run: [Otf] C:\WINDOWS\SYSTEM\Vho.exe
    O4 - HKCU\..\Run: [Dmv] C:\WINDOWS\Tmf.exe
    O4 - HKCU\..\Run: [Mtd] C:\WINDOWS\SYSTEM\Ton.exe
    O4 - HKCU\..\Run: [Nls] C:\WINDOWS\SYSTEM\Oil.exe
    O4 - HKCU\..\Run: [Aut] C:\WINDOWS\Grn.exe
    O4 - HKCU\..\Run: [Aet] C:\WINDOWS\SYSTEM\Jar.exe
    O4 - HKCU\..\Run: [Fjf] C:\WINDOWS\Gek.exe
    O4 - HKCU\..\Run: [Gkp] C:\WINDOWS\SYSTEM\Aoc.exe
    O4 - HKCU\..\Run: [Nrn] C:\WINDOWS\SYSTEM\Oeb.exe
    O4 - HKCU\..\Run: [Ldo] C:\WINDOWS\Sdg.exe
    O4 - HKCU\..\Run: [Dls] C:\WINDOWS\Jhl.exe
    O4 - HKCU\..\Run: [Ngc] C:\WINDOWS\Sbq.exe
    O4 - HKCU\..\Run: [Iaq] C:\WINDOWS\SYSTEM\Ped.exe
    O4 - HKCU\..\Run: [Pav] C:\WINDOWS\Che.exe
    O4 - HKCU\..\Run: [Jqo] C:\WINDOWS\Jbt.exe
    O4 - HKCU\..\Run: [Ckl] C:\WINDOWS\SYSTEM\Tgg.exe
    O4 - HKCU\..\Run: [Ihb] C:\WINDOWS\Gjt.exe
    O4 - HKCU\..\Run: [Epo] C:\WINDOWS\SYSTEM\Lph.exe
    O4 - HKCU\..\Run: [Fci] C:\WINDOWS\SYSTEM\Jmv.exe

    O15 - Trusted IP range: 67.19.185.246


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\LOADER32.EXE
    C:\WINDOWS\Nve.exe
    C:\WINDOWS\Vld.exe
    C:\WINDOWS\Cko.exe
    C:\WINDOWS\Suf.exe
    C:\WINDOWS\Hca.exe
    C:\WINDOWS\Gqi.exe
    C:\WINDOWS\Jmj.exe
    C:\WINDOWS\Sct.exe
    C:\WINDOWS\Uhl.exe
    C:\WINDOWS\Kmm.exe
    C:\WINDOWS\Tjq.exe
    C:\WINDOWS\Hqq.exe
    C:\WINDOWS\Bml.exe
    C:\WINDOWS\Eik.exe
    C:\WINDOWS\Tmf.exe
    C:\WINDOWS\Grn.exe
    C:\WINDOWS\Gek.exe
    C:\WINDOWS\Sdg.exe
    C:\WINDOWS\Jhl.exe
    C:\WINDOWS\Sbq.exe
    C:\WINDOWS\Che.exe
    C:\WINDOWS\Jbt.exe
    C:\WINDOWS\Gjt.exe

    C:\WINDOWS\SYSTEM\Lph.exe
    C:\WINDOWS\SYSTEM\Jmv.exe
    C:\WINDOWS\SYSTEM\Tgg.exe
    C:\WINDOWS\SYSTEM\Ped.exe
    C:\WINDOWS\SYSTEM\Aoc.exe
    C:\WINDOWS\SYSTEM\Oeb.exe
    C:\WINDOWS\SYSTEM\Jar.exe
    C:\WINDOWS\SYSTEM\Ton.exe
    C:\WINDOWS\SYSTEM\Oil.exe
    C:\WINDOWS\SYSTEM\Rde.exe
    C:\WINDOWS\SYSTEM\Jro.exe
    C:\WINDOWS\SYSTEM\Vho.exe
    C:\WINDOWS\SYSTEM\Ovr.exe
    C:\WINDOWS\SYSTEM\Mrd.exe
    C:\WINDOWS\SYSTEM\Atl.exe
    C:\WINDOWS\SYSTEM\Ufb.exe
    C:\WINDOWS\SYSTEM\Nne.exe
    C:\WINDOWS\SYSTEM\RAM.EXE


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  9. Gameman007

    Gameman007 Private E-2

    Hi Bjgarrick,
    All done. So far the thing hasn't shown itself :)

    Bill
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    O4 - HKLM\..\Run: [Mtd] C:\WINDOWS\SYSTEM\Ton.exe
    O4 - HKLM\..\Run: [Ldo] C:\WINDOWS\Sdg.exe
    O4 - HKLM\..\Run: [Fdr] C:\WINDOWS\SYSTEM\Jnt.exe
    O4 - HKLM\..\Run: [Usf] C:\WINDOWS\Oed.exe
    O4 - HKLM\..\Run: [Med] C:\WINDOWS\Bim.exe
    O4 - HKLM\..\Run: [Tbt] C:\WINDOWS\SYSTEM\Bip.exe
    O4 - HKLM\..\Run: [Svv] C:\WINDOWS\Btk.exe
    O4 - HKLM\..\Run: [Slj] C:\WINDOWS\Qvb.exe
    O4 - HKLM\..\Run: [Ugs] C:\WINDOWS\SYSTEM\Mjc.exe
    O4 - HKLM\..\Run: [Nsp] C:\WINDOWS\SYSTEM\Dae.exe
    O4 - HKLM\..\Run: [Mkq] C:\WINDOWS\Hcc.exe
    O4 - HKLM\..\Run: [Ure] C:\WINDOWS\SYSTEM\Avh.exe
    O4 - HKLM\..\Run: [Vdu] C:\WINDOWS\Ipf.exe
    O4 - HKLM\..\Run: [Cme] C:\WINDOWS\SYSTEM\Qmn.exe
    O4 - HKLM\..\Run: [Ikt] C:\WINDOWS\SYSTEM\Ilo.exe
    O4 - HKLM\..\Run: [Jep] C:\WINDOWS\Lfh.exe
    O4 - HKLM\..\Run: [Oku] C:\WINDOWS\Let.exe
    O4 - HKCU\..\Run: [Eov] C:\WINDOWS\Hca.exe
    O4 - HKCU\..\Run: [Acq] C:\WINDOWS\Gqi.exe
    O4 - HKCU\..\Run: [Ihb] C:\WINDOWS\Gjt.exe
    O4 - HKCU\..\Run: [Sdb] C:\WINDOWS\Nfe.exe
    O4 - HKCU\..\Run: [Hht] C:\WINDOWS\Uju.exe
    O4 - HKCU\..\Run: [Vvd] C:\WINDOWS\Miq.exe
    O4 - HKCU\..\Run: [Ccr] C:\WINDOWS\SYSTEM\Ddr.exe
    O4 - HKCU\..\Run: [Fdr] C:\WINDOWS\SYSTEM\Jnt.exe
    O4 - HKCU\..\Run: [Usf] C:\WINDOWS\Oed.exe
    O4 - HKCU\..\Run: [Med] C:\WINDOWS\Bim.exe
    O4 - HKCU\..\Run: [Tbt] C:\WINDOWS\SYSTEM\Bip.exe
    O4 - HKCU\..\Run: [Svv] C:\WINDOWS\Btk.exe
    O4 - HKCU\..\Run: [Slj] C:\WINDOWS\Qvb.exe
    O4 - HKCU\..\Run: [Ugs] C:\WINDOWS\SYSTEM\Mjc.exe
    O4 - HKCU\..\Run: [Nsp] C:\WINDOWS\SYSTEM\Dae.exe
    O4 - HKCU\..\Run: [Mkq] C:\WINDOWS\Hcc.exe
    O4 - HKCU\..\Run: [Ure] C:\WINDOWS\SYSTEM\Avh.exe
    O4 - HKCU\..\Run: [Vdu] C:\WINDOWS\Ipf.exe
    O4 - HKCU\..\Run: [Cme] C:\WINDOWS\SYSTEM\Qmn.exe
    O4 - HKCU\..\Run: [Ikt] C:\WINDOWS\SYSTEM\Ilo.exe
    O4 - HKCU\..\Run: [Jep] C:\WINDOWS\Lfh.exe
    O4 - HKCU\..\Run: [Oku] C:\WINDOWS\Let.exe

    O15 - Trusted IP range: 67.19.185.246

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file badentryfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the badentryfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\SYSTEM\Qmn.exe
    C:\WINDOWS\SYSTEM\Ilo.exe
    C:\WINDOWS\SYSTEM\Avh.exe
    C:\WINDOWS\SYSTEM\Mjc.exe
    C:\WINDOWS\SYSTEM\Dae.exe
    C:\WINDOWS\SYSTEM\Bip.exe
    C:\WINDOWS\SYSTEM\Ddr.exe
    C:\WINDOWS\SYSTEM\Jnt.exe
    C:\WINDOWS\SYSTEM\Ton.exe

    C:\WINDOWS\Sdg.exe
    C:\WINDOWS\Oed.exe
    C:\WINDOWS\Bim.exe
    C:\WINDOWS\Btk.exe
    C:\WINDOWS\Qvb.exe
    C:\WINDOWS\Hcc.exe
    C:\WINDOWS\Ipf.exe
    C:\WINDOWS\Lfh.exe
    C:\WINDOWS\Let.exe
    C:\WINDOWS\Hca.exe
    C:\WINDOWS\Gqi.exe
    C:\WINDOWS\Gjt.exe
    C:\WINDOWS\Nfe.exe
    C:\WINDOWS\Uju.exe
    C:\WINDOWS\Miq.exe


    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.


    After doing ALL of the above reboot and attach a fresh HJT log.
     
  11. Gameman007

    Gameman007 Private E-2

    Thanks for the help Bjgarrick. I'm calling it a night, midnight here and I have to work tomorrow. Will do the rest tomorrow night. It hasn't shown up since I did the last bunch of deletions. Installed and played a little of a game and rebooted twice to check it out. Thanks again

    Bill
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Don't reboot too many times. You need to do this before rebooting so we can make sure they don't repeat and come back as something different.
     
  13. Gameman007

    Gameman007 Private E-2

    Hi Bjgarrick
The reason for the reboots was that it was required for a game install. Then I thought I was through for the day but had to go back on. Also, Slimshield seemed to show itself a lot after the system booted up, so it was a good check, as it hasn't shown up since the last large set of deletions. What I don't understand is how all that stuff appeared, including Slimshield, since the problem last week with Google. It never showed up with Adaware, Spybot or Counterspy (the #1 spyware detector and eliminator out there according to tests done by PC World Magazine, which tested 10 products). I also had Spyblaster and Counterspy's spyware blockers running, stopping spyware from entering the computer. So I'd love to know how that huge amount of stuff got through. Will do the additional deletions tonight and send you a new log file.
    Thanks again!!! I think it's gone!
    Bill
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Don't know how it all got through, but it did, and it was a LOT!

    Will be awaiting new log:)
     
  15. Gameman007

    Gameman007 Private E-2

    OK, Bjgarrick, here it is. Hopefully this will be the last one. Thanks for all your help.

    Bill
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

There are a few more we need to try and remove again. Were you able to run TrojanHunter successfully? If so, what were the results?


    Go ahead and scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [Poc] C:\WINDOWS\SYSTEM\Ipe.exe
    O4 - HKLM\..\Run: [Eva] C:\WINDOWS\SYSTEM\Ugd.exe
    O4 - HKLM\..\Run: [Hov] C:\WINDOWS\Tfe.exe
    O4 - HKLM\..\Run: [Odc] C:\WINDOWS\Rqv.exe
    O4 - HKCU\..\Run: [Poc] C:\WINDOWS\SYSTEM\Ipe.exe
    O4 - HKCU\..\Run: [Eva] C:\WINDOWS\SYSTEM\Ugd.exe
    O4 - HKCU\..\Run: [Hov] C:\WINDOWS\Tfe.exe
    O4 - HKCU\..\Run: [Odc] C:\WINDOWS\Rqv.exe

    O15 - Trusted IP range: 67.19.185.246
    (Did you do the registry fix I posted?)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\SYSTEM\Ipe.exe

    C:\WINDOWS\SYSTEM\Ugd.exe

    C:\WINDOWS\Tfe.exe

    C:\WINDOWS\Rqv.exe


    NEXT:
    Run CCleaner


    Reboot to Normal Windows


    Download the following items:
    (Note: Save to Desktop for now.)

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    DO NOT USE ANY OF THESE TOOLS UNTIL TOLD TO!


Now, with the L2MeFix Tool on your Desktop, double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until Notepad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix folder!

    Please save the l2mfix log and attach it to your post.

    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log along with the L2MeFix Log & a fresh HJT Log.
     
  17. Gameman007

    Gameman007 Private E-2

    Hi Bjgarrrick,
    I did the registry fix and Trojan Hunter found nothing on my system. Will do the next step tonight. The Slimshield problem seems to be totally wiped out. Thanks again for all your time on this.

    Bill
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting the results.
     
  19. Gameman007

    Gameman007 Private E-2

    Hi Bjgarrick,
Deleted all the files and ran CCleaner. Couldn't do the other stuff, as I have 98 SE and those are all for XP, including L2Me fix (attempted to run it and it said not for 98). Here is the HijackThis log.
    Bill
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Crap! I did it again, so used to Win98. Allow me a moment and I will post you Win98 tools.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following items:

    Pocket KillBox

    Generic Detection Tool - 9x/ME

    VX2 Finder - Version Msg126 for 9x

    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.


Allow me a moment to check your HJT log. Go ahead and proceed with the Generic Detection Log.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Have you recently installed any security updates? This seems odd, running and also starting on boot.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thanks Star!
     
  24. Gameman007

    Gameman007 Private E-2

Ok, here's the Find log. What do I do with the other 2 programs? In answer to your question, I did a Windows Update and installed the latest patches.
    Bill
     

    Attached Files:

  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Let's start by doing this:

    Open VX2Finder and Click on the "Find Vx2.BetterInternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy


    Allow Machine to Reboot.

    Please download "StartDreck", from here: http://www.niksoft.at/_data/startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread along with a current HJT log.
     
  26. Gameman007

    Gameman007 Private E-2

    Hi Bjgarrick,
    V2 found nothing. Here are the 2 log files you requested.

    Bill
     

    Attached Files:

  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have requested a second set of eyes on this case, he will join us in a bit. Hang in there:)
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Auh] C:\WINDOWS\Gis.exe
    O4 - HKLM\..\Run: [Uaf] C:\WINDOWS\SYSTEM\Ubg.exe
    O4 - HKCU\..\Run: [Auh] C:\WINDOWS\Gis.exe
    O4 - HKCU\..\Run: [Uaf] C:\WINDOWS\SYSTEM\Ubg.exe
    O15 - Trusted IP range: 67.19.185.246


    After clicking Fix, exit HJT.

    Now run Windows Explorer and navigate to your c:\windows folder. Then sort file by date by clicking on that column in the right window pane.

    You will more than likely find a load of 3 character filenames similar to the Gis.exe and Ubg.exe files above and they will all have the same or at least very recent (within the time frame of the infection starting) dates. You need to delete them all. Do not delete any old files! Only new ones with those random 3 character names (if not sure - don't delete, move them to a c:\junk folder and we can talk about them later).

Also, you need to do the same thing but look in the c:\windows\system folder (if you move any of these, move them to c:\junk\system).

Also, you need to do the same thing but look in the c:\windows\system32 folder (if you move any of these, move them to c:\junk\system32).

    If you have any problems with this or it does not work, we will need to boot to the MS-DOS command prompt. Are you familiar with doing that?

Also, do you know how to put files into a ZIP file? This may be necessary if I have to have you run a batch program I wrote to look for files.

    After all the above reboot in normal mode and post a new HJT log. Be sure to tell us what happened with the procedure and also how things are working.
     
  29. PhilliePhan

    PhilliePhan Guest

    Hey Chas,

    Don't know if BJ caught that earlier bit about SlimShield, so I thought I'd add a link to some additional info.

    TROJ_SPYWAD.A

    PP :)
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks PP! There seem to be a load of these lately!

    Gameman007,

What PP is adding is that you need to find the Desktop.html file mentioned in the link he referenced. The procedure from Trend Micro's link will suffice:

    Deleting Malware File

    1. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
    2. In the Named input box, type:
      DESKTOP.HTML
    3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
    4. Once located, select the file then press Delete.
     
  31. Gameman007

    Gameman007 Private E-2

    Ok Chaslang and Philliephan,
All requested files deleted. Housecall ran and found 2 files with Troj_spywad.A. One was deleted by Housecall and one deleted by me by booting into Windows XP and deleting it from my 98 SE drive from there. Deleted Desktop.HTML (that seems to reappear though). Did the registry edit from the Trend Micro site also. So far seems ok. Slimshield has not popped up. Here's the HijackThis file. Thanks for all your help.
    Bill
     

    Attached Files:

  32. Gameman007

    Gameman007 Private E-2

I don't f----in believe it!! I go away from the computer to have dinner and what's staring me in the face when I come back?? Slimshield???@!!Q!! Yep, Desktop.html is back from the dead also. HELP!!!!
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

That's because you are not getting all those 3 character files deleted. Your last log showed:

    C:\WINDOWS\RJM.EXE
    O4 - HKLM\..\Run: [Irf] C:\WINDOWS\Miv.exe

You have to locate all of these files after booting to an MS-DOS prompt and delete all of them one by one. You may be able to get many of them deleted from a command prompt window (i.e. while Windows is running) or by using Windows Explorer to sort on date. You need to check multiple folders:
    C:\Windows
    C:\Windows\system
    C:\Windows\system32

    I mentioned all of this before.
     
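The sweep chaslang describes in posts 28 and 33 (random three-letter .exe files with recent dates in the Windows folders, each wired up through an HKLM/HKCU Run key), as an added example that is not part of the thread and not chaslang's batch program: a Python triage script that flags HijackThis O4 entries matching that pattern and sweeps one folder for recently modified three-letter .exe files. The HJT sample lines and the scratch folder with its timestamps are constructed here; the script only reports candidates, it never deletes.

```python
"""Triage helper for the three-letter-dropper pattern discussed in this thread.
Constructed example: HJT lines and the scratch folder below are made up for the demo."""
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# HijackThis O4 line shape, e.g.  O4 - HKLM\..\Run: [Irf] C:\WINDOWS\Miv.exe
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# The dropper's file names: exactly three letters plus .exe
RANDOM3_RE = re.compile(r"^[A-Za-z]{3}\.exe$", re.IGNORECASE)
# Folders the thread says the files land in (compared case-insensitively)
DROP_DIRS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM", "C:\\WINDOWS\\SYSTEM32"}

# Constructed sample log: three entries quoted in the thread plus one benign
# Win98 entry (ScanRegistry) and an O15 line, to show what gets ignored.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
    r"O4 - HKLM\..\Run: [Auh] C:\WINDOWS\Gis.exe",
    r"O4 - HKLM\..\Run: [Uaf] C:\WINDOWS\SYSTEM\Ubg.exe",
    r"O4 - HKCU\..\Run: [Irf] C:\WINDOWS\Miv.exe",
    r"O15 - Trusted IP range: 67.19.185.246",
]


def suspicious_run_entries(hjt_lines):
    """Return (hive, value_name, path) for O4 entries where a three-letter value
    name launches a three-letter .exe straight out of one of DROP_DIRS.
    Anything else is left for a human to judge."""
    hits = []
    for line in hjt_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, path = m.groups()
        folder, _, fname = path.rpartition("\\")
        if (len(name) == 3 and name.isalpha()
                and RANDOM3_RE.match(fname)
                and folder.upper() in DROP_DIRS):
            hits.append((hive, name, path))
    return hits


def find_recent_random3(folder, since_epoch):
    """Sweep one folder (non-recursive, like sorting Explorer by date) for
    three-letter .exe files modified at or after since_epoch. Returns sorted names."""
    found = []
    for p in Path(folder).iterdir():
        if p.is_file() and RANDOM3_RE.match(p.name) and p.stat().st_mtime >= since_epoch:
            found.append(p.name)
    return sorted(found)


def demo_sweep():
    """Constructed stand-in for C:\\WINDOWS: plant a few files with controlled
    timestamps in a scratch folder, run the sweep, clean up, return the flags."""
    scratch = Path(tempfile.mkdtemp(prefix="hjt_demo_"))
    now = time.time()
    week_ago = now - 7 * 86400
    old_1999 = time.mktime((1999, 4, 23, 22, 22, 0, 0, 0, -1))
    plan = {
        "Gis.exe": now - 3600,       # dropped an hour ago: flagged
        "Ubg.exe": now - 2 * 86400,  # two days ago: flagged
        "Gls.exe": old_1999,         # three letters but an old stamp (post 36):
                                     # a date-only sweep misses it, hence the Run-key check
        "notepad.exe": now - 60,     # recent, but not a three-letter name
        "Miv.dll": now - 60,         # three letters, wrong extension
    }
    for name, mtime in plan.items():
        f = scratch / name
        f.write_bytes(b"MZ constructed placeholder, not a real executable")
        os.utime(f, (mtime, mtime))
    try:
        return find_recent_random3(scratch, week_ago)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for hive, name, path in suspicious_run_entries(SAMPLE_HJT):
        print(f"suspicious Run entry: {hive} [{name}] -> {path}")
    print("recent three-letter files in scratch folder:", demo_sweep())
```

Run the two checks together: a file the date sort misses (the 1999-stamped Gls.exe case from post 36) still shows up through its Run entry, and a Run entry that was already fixed still leaves a file on disk for the sweep to find.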
  34. Gameman007

    Gameman007 Private E-2

Ok, let's try again. All have been eliminated except that trusted IP thing; deleted it 3x and it keeps showing up. Hopefully this time. Thanks for the time with this.

    Bill
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks good right now except for the TZ.

This is a very bad site. Whatever you do, do not use a browser to go to that IP address. It is a porn site full of baddies.

    The easiest method to remove that line is to run a script.

    Please download DelDomains.zip and unzip it to your desktop. Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

After doing this, reboot and post a new HJT log.

The above script clears all Trusted and Restricted Zone entries, so you need to re-run SpyBot S&D and Immunize again to get the Restricted Zones set up.
     
  36. Gameman007

    Gameman007 Private E-2

OK Chaslang, will do tonight. Do I run Spybot before or after I run HijackThis with log save? This is one nasty sucker!! Housecall said it was connected to 2 files, both of which were the 3 letter variety. The thing is, one of those didn't have a recent input date (Gls.exe), as if it connected to that file and somehow the date didn't change (1999 I think). I ran Housecall again and it showed up again; went to delete it and got the message "can't because Windows is using it" or something to that effect. Ran HijackThis and was able to delete it from the check-off list along with 2 others that I didn't catch in Windows Explorer. Checked again and they were gone. That's when I ran HijackThis again for the latest log I sent you.

    Bill
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You can run Spybot at any time after you run the DelDomains.inf change. All you are going to do with Spybot is click the Immunize option and allow it to re-immunize against bad stuff. This is not a scan.
     
  38. Gameman007

    Gameman007 Private E-2

    Hi Chaslang,
    I ran Deldomains and all's clear. Did Spybot. Here is the Hijack log. Slimshield seems to be totally gone. Thanks for all your help!!

    Bill
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You're welcome! Log is clean. Have you double-checked for any more of those random 3 character filenames to make sure no more of them are still hiding anywhere (recent date files)?

Also, what about the desktop.html file mentioned in msgs #30 & 31? Make sure you can get rid of it.
     
  40. Gameman007

    Gameman007 Private E-2

    Hi Chaslang.
All's clean. No Desktop.HTML (this is the actual Slimshield boot file) and no 3 letter files. Thanks again for the help in restoring my system.

    Bill
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

