Green Ad Text & Popup Searches

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by myzticshadow146, Apr 3, 2005.

  1. myzticshadow146

    myzticshadow146 Private E-2

    To whom it may concern,

    Recently I have been downloading ebooks, and I have acquired an ad/spyware/virus (I don't know which). It changes certain words on websites into green advertisement links. It also opens up a new window with a search engine called "pop-up searches" whenever I search something on Google.

    I have a copy of ad-aware, spybot s&s, Spyware Doctor, Spysweeper, and a full McAfee Security Center. I have also tried SpyHunter, SpyBlaster, and PrevX Home. None of these programs have found the malicious program that is causing the green advertisement links. They have found other spyware programs, but none of them related to this issue.

    I was reading up on Google when I found another forum with someone who had the same thing happen to them. I tried to follow it, but it was a bit complicated and anything I did didn't work.

    Here is the link to the other article: http://www.geekstogo.com/forum/Green_text_links_popup_search_engines-t13370.html

    Here is the URL to the pop-up thing that keeps appearing:
    http://www.popupsearches.com/search.php?query=green+pop-up


    I decided to post here before I did anything complicated with safe mode stuff in case I screwed up the computer even more. (It has happened before, lol.)


    Thanks for your time,

    Geoffrey Ruddock
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should uninstall SpyHunter as it used to be considered a rogue/suspect spyware removal tool. Now that title is gone but it is not considered to be very good. If you have the trial version, it is just wasting system resource because it will not fix anything.

    Please run our cleanup procedures below.


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. myzticshadow146

    myzticshadow146 Private E-2

    Ok, I just went through this tutorial with no luck. I ran everything except about:blank, because it was corrupted when I downloaded it. I tried again but it didn't work.

    I've already done the Trend Micro thing, and the Security Check could not be displayed.

    I got a few things detected by scans, but it didn't affect my PC when I booted back into normal mode.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have run all the steps in the READ ME, proceed with Chaslang's instructions. Attach a current HJT log from normal mode.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's About:Buster, not about:blank. about:blank is the hijacker. It is not corrupted; you just did not put it in its own folder, or you do not have the files required to run it. You do not need it anyway. The READ ME tells you that About:Buster and HSremove are only for specific hijacker problems which you did not say you have.

    If you have completed the READ ME, post the HJT log I asked for.
     
  6. myzticshadow146

    myzticshadow146 Private E-2

    Here it is.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason you did not run the online scans as specified in the READ ME FIRST? They are not optional scans.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember to exit browsers (G:\Program Files\Internet Explorer\IEXPLORE.EXE) before running HJT.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    G:\WINNT\System32\ap9h4qmo.exe
    G:\Program Files\Media Access\MediaAccK.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - G:\WINNT\System32\rtneg.dll
    O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - G:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
    O4 - HKLM\..\Run: [gah95on6] G:\WINNT\System32\gah95on6.exe
    O4 - HKLM\..\Run: [Media Access] G:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [ap9h4qmo] G:\WINNT\System32\ap9h4qmo.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    G:\WINNT\System32\rtneg.dll
    G:\WINNT\System32\ap9h4qmo.exe
    G:\WINNT\System32\gah95on6.exe
    G:\Program Files\Media Access <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, then click OK. When it finishes, click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, then click OK. When it finishes, click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
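    Added example (not part of the thread or of HijackThis itself): a small Python parser for the HJT log lines listed in the post above (R0, O2, O4, O16). It pulls out the section code, entry name, CLSID and target, records whether HJT flagged the entry "(file missing)", and then derives the on-disk files that a safe-mode delete step should cover, so the "fix" list and the "delete" list can be cross-checked. The sample lines are copied from the post; the line layout is assumed from those lines only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HJT lines chaslang told the poster to fix (copied from the thread)
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - G:\WINNT\System32\rtneg.dll
O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - G:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [gah95on6] G:\WINNT\System32\gah95on6.exe
O4 - HKLM\..\Run: [Media Access] G:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ap9h4qmo] G:\WINNT\System32\ap9h4qmo.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab
"""

@dataclass
class HjtEntry:
    section: str            # HJT section code: R0, O2, O4, O16, ...
    name: str               # BHO name, Run value name, or registry value name
    clsid: Optional[str]    # {GUID} for O2/O16 entries, else None
    target: str             # file path or URL the entry loads
    file_missing: bool      # HJT appended "(file missing)": orphaned reference

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
O4_RE = re.compile(r"^[^:]+: \[([^\]]*)\] (.*)$")   # "HKLM\..\Run: [name] path"

def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line into an HjtEntry (None if it is not an entry line)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    missing = "(file missing)" in rest
    rest = rest.replace("(file missing)", "").strip()
    cl = CLSID_RE.search(rest)
    clsid = cl.group(0).upper() if cl else None
    if section.startswith("R"):                       # R0/R1: "key,value = data"
        key, _, data = rest.partition(" = ")
        return HjtEntry(section, key.split(",")[-1], None, data, missing)
    if section == "O4":
        o4 = O4_RE.match(rest)
        return HjtEntry(section, o4.group(1), None, o4.group(2), missing)
    # O2 "BHO: name - {clsid} - path" and O16 "DPF: {clsid} - url": last " - " field is the target
    head, _, target = rest.rpartition(" - ")
    name = head.split(": ", 1)[1].split(" - ")[0]
    return HjtEntry(section, name, clsid, target, missing)

def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def files_to_delete(entries: List[HjtEntry]) -> List[str]:
    """Local files still present on disk (not 'file missing'); URLs (R0/O16) are excluded."""
    seen: List[str] = []
    for e in entries:
        if not e.file_missing and not e.target.lower().startswith("http") and e.target not in seen:
            seen.append(e.target)
    return seen
```

    The four paths `files_to_delete` returns are exactly the files chaslang lists for deletion in safe mode, while the orphaned ToolHelper BHO (already "file missing") needs only the registry fix.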
  9. myzticshadow146

    myzticshadow146 Private E-2

    Ok, I did as you said, but I could not find:

    G:\Program Files\Media Access\MediaAccK.exe


    After I went into safe mode, I deleted the program folder, so I guess it's dead. I tried to do the Online Virus Scan, but my internet just froze up every time I tried in safe mode.

    I think it might be gone, because I haven't noticed any adverts in 5 minutes, lol. Here is my new log file.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have HJT fix the below two lines:
    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://G:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://G:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)

    After that, you should be clean!

    Now you should run the steps in the below thread (the ones not done yet) to help keep you clean:

    How to Protect yourself from malware!
     
  11. myzticshadow146

    myzticshadow146 Private E-2

    Thanks! I'm now spyware free! :)

    Thanks for your time! You're great at this!

    Bye
     
  12. myzticshadow146

    myzticshadow146 Private E-2

    -----------------------Close Thread--------------------------
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! We do not normally close threads (unless I get too many people starting to post in them after the fact that do not belong there).
     
  14. myzticshadow146

    myzticshadow146 Private E-2

    Arg, it's back again!

    I did the whole READ BEFORE YOU POST thing, except the online scans, because my internet won't work in safe mode. Once again, the programs detected some stuff, but not the stuff that's making the green links.

    I've looked over my processes and can't find anything that is similar to the ones that you told me to remove in the previous incident. Can you analyze my log again and tell me how to rid my computer of this malware please?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME tells you to do the online scans in normal boot mode if you cannot run them in safe mode.

    Exactly what came back?

    Did you ever do the steps in How to Protect yourself from malware! as I requested in message # 10?
     
  16. myzticshadow146

    myzticshadow146 Private E-2

    Yep, I did all the things in that post except change to Mozilla Firefox, because I use a lot of apps that need IE.

    The same thing has come back as before, except now I get popups for www.begin2search.com and www.popupsearches.com. I also get lots of desktop icons advertising stuff.

    I'll do the online scans right now.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach a new HijackThis log! Is system restore disabled or enabled?
     
  18. myzticshadow146

    myzticshadow146 Private E-2

    Yes, system restore is disabled.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have not completed all the steps in How to Protect yourself from malware!

    The first step is to go to Microsoft Update. You have not done that. There are newer Service Packs for Windows 2000 than you are running. You may need other updates too.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of problems back that we previously fixed. It would seem that you are surfing on the same bad websites and downloading things you should not.

    Use Add/Remove Programs to uninstall (if found):
    EMS Free Surfer Companion

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - G:\WINNT\System32\nsw28.dll
    O4 - HKLM\..\Run: [huwdzc] g:\winnt\system32\huwdzc.exe
    O4 - HKLM\..\Run: [ap9h4qmo] G:\WINNT\System32\ap9h4qmo.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - G:\Program Files\EMS Free Surfer Companion\FS30.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - G:\Program Files\EMS Free Surfer Companion\FS30.exe
    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://G:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://G:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c2.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    G:\WINNT\System32\nsw28.dll
    g:\winnt\system32\huwdzc.exe
    G:\WINNT\System32\ap9h4qmo.exe
    G:\Program Files\EMS Free Surfer Companion

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  21. myzticshadow146

    myzticshadow146 Private E-2

    Is EMS Freesurfer actually bad? I've been using it for as long as I can remember. It's my favourite pop-up stopper of all time. I've never experienced any problems with it.

    I only got these problems back when I opened a keygen that I downloaded from Limewire.

    Must I delete Freesurfer?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think I had Free Surfer confused with something else. It should be OK!

    Do not use Limewire unless you want to keep having problems like this!

    Did you fix that stuff? Did it stay fixed?
     
  23. myzticshadow146

    myzticshadow146 Private E-2

    Wow! It works great! All the stuff is gone! Thanks once again!

    P.S. How do you figure out what to remove from the HJT log?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Experience! And some searching when not sure.

    You're welcome. But you should post the follow up HJT log requested so we can be sure the problems are gone.
     