Spyware problems (roings, media motor)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by brogers, Dec 21, 2004.

  1. brogers

    brogers Private E-2

    I have tried with little success to remove certain spyware. The main culprits appear to be Roings? and mediamotor. I don't know if these work together. I also have a file folder in c:\windows called srchasst that I can't delete. Roing always shows up on adaware. I have deleted it there and the roimoi in the registry. It appears to redirect itself every time you delete it. Also when I click on certain online links the "click yes to run mediamotor" box comes up.
    I run adaware/spybot s&d regularly. I also have followed the post on installing and running stinger, ccleaner etc that is pinned on this site. I stopped short of installing hijackthis because I am not that knowledgeable on this and wanted to get advice first.
    Anything you guys know on this or can help me with will be greatly appreciated. Thanks.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Brogers,

    Did you try the Online Scans prescribed in the Cleanup Tutorial?

    Once you have exhausted all of those resources, then the next step is HijackThis. So, go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best :)
    PP
     
  3. brogers

    brogers Private E-2

    Thanks for the quick reply. I did run all the online scans. Attached is my HJT log. Some of the entries look a little peculiar, but I'll let you guys be the judge of that. Thanks for your help.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Brogers,

    Sorry, I'm really rushed right now, so pardon the brief instructions! I'll leave your O16 items alone.

    You should Uninstall Spykiller as it is a Rogue app.

    Scan with HijackThis and Check the boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezfastsearch.com/index2.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: jimmyhelp.CBrowserHelper - {DBE791E6-6850-4A93-B5A1-8BA76723B4FF} - C:\WINDOWS\wofx.dll

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    O9 - Extra button: Support - {1271EEF4-E773-4EF6-8F50-4184B9589416} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {26329D1A-2CB3-4E37-B2F9-96B05807F58B} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {47B4D70E-4F73-4A98-823C-0B8F1446CB1A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)

    Make sure ALL Browser Windows are Closed when you Click FIX.

    Now, boot to Safe Mode and Delete the following, should they remain. Note that you need to be able to view Hidden Files:

    C:\Program Files\SpyKiller ---> Folder
    C:\WINDOWS\SYSTEM\blank.htm
    C:\WINDOWS\wofx.dll

    Reboot, rescan and attach a fresh log. Somebody will take a look as time permits.

    PP :)
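
An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log entry layouts quoted in the post above (R0/R1, O2, O4, O9) that lists the local files those entries point at, so they can be checked after the fix. The function names are hypothetical, only the line layouts visible in this thread are handled, and the path heuristic (a drive path ending in a three-letter extension) is an assumption.

```python
import re

# Sample input: entries quoted from the fix list in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezfastsearch.com/index2.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: jimmyhelp.CBrowserHelper - {DBE791E6-6850-4A93-B5A1-8BA76723B4FF} - C:\WINDOWS\wofx.dll
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# One body pattern per entry type that appears in the post.
PATTERNS = {
    "R": re.compile(r"(?P<key>.+?),(?P<name>[^,=]*?) =\s?(?P<target>.*)"),
    "O2": re.compile(rf"BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<target>.+)"),
    "O4": re.compile(r"(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)"),
    "O9": re.compile(rf"Extra button: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<target>.+)"),
}
NOTE = re.compile(r"\s*\((file missing|HKCU)\)$")  # trailing annotations seen in the post
LOCAL = re.compile(r"[A-Za-z]:\\.+?\.\w{3}\b")     # assumption: drive path with a 3-letter extension


def parse_line(line):
    """Split one log line into section code, fields and trailing annotations."""
    m = re.match(r"(R[0-3]|O\d{1,2}) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    notes = []
    while (n := NOTE.search(body)):
        notes.insert(0, n.group(1))
        body = body[:n.start()]
    pat = PATTERNS.get("R" if section.startswith("R") else section)
    fields = pat.match(body) if pat else None
    # Entry types without a pattern are kept verbatim under "raw", not dropped.
    return {"section": section, "notes": notes, **(fields.groupdict() if fields else {"raw": body})}


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def local_files(entries):
    """Local paths the entries point at: what to confirm is gone after the fix."""
    hits = (LOCAL.search(e.get("target", "")) for e in entries)
    return [h.group(0) for h in hits if h]
```

Running `local_files(parse_log(SAMPLE))` returns the blank.htm, wofx.dll and spykiller.exe paths, which line up with the items the post says to delete in Safe Mode if they remain.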
     
  5. brogers

    brogers Private E-2

    OK, all items were fixed. Here is the new HJT log. None of the three files at the bottom of your last post were there. It's good to get rid of that stuff. The roings is still showing up after running ad-aware though. I can attach that log if it's helpful. Thanks for your help and I understand you're pushed for time.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Brogers,

    Your HJT log looks good. Go ahead and attach the Ad-aware log and I'll take a look when time permits.

    I take it things are running OK and you are just worried that this keeps showing in your Ad-aware log?

    PP :)
     
  7. brogers

    brogers Private E-2

    Thanks. Here's the Ad-aware log. What worries me is that when I click on certain links on web pages (today it was the store locator for Target), I get a window that pops up that tells me to click yes to run media motor. If you click yes it runs a bunch of spyware, but if you don't it freezes up IE. I read online that this media motor could be involved with, or being launched by the roings.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi Brogers,

    It looks like Ad-aware is triggering on the registry entry. If you feel up to it, you could use regedit to delete the offending key.

    Also, if you fear more Roings on your machine, try using Windows Explorer to run a search of your machine for Roings and Media Motor.

    PP :)
     
  9. brogers

    brogers Private E-2

    All clear, thanks a lot for your help. You can close this out if you need to. I really appreciate it.
     
