Spyware and trojan help

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Okay! Make sure you follow the steps properly and attach the log.

 

You need to update your virus defintions. This is a known bug in McAfee Virusscan program.

 

LimeShop is known to contain adware. You should uninstall it.
I would also uninstall Party Poker (if it had an uninstall).


Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\APPLICATION DATA\ERAB.EXE


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {39A73277-B810-0EC2-8753-645579FB7947} - C:\WINDOWS\SYSTEM\GXA.DLL (file missing)
O2 - BHO: (no name) - {FD38E89E-7050-0C86-7D21-79C2CA5F469E} - C:\WINDOWS\SYSTEM\PVJUW.DLL (file missing)
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Eute] C:\WINDOWS\Application Data\erab.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\APPLICATION DATA\ERAB.EXE
C:\PROGRAM FILES\PARTYPOKER <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Your log is clean! To help keep it that way you need to run ALL the steps in the below thread (especially ones that you have not already done - you need a firewall ASAP).

How to Protect yourself from malware!