Spyware problems, just lots of problems and need help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sprtfrk22, Mar 25, 2005.

  1. sprtfrk22

    sprtfrk22 Private E-2

    many problems. i'll start with one:
    Party poker...Adware? i'm not sure but i need it gone from my computer but it won't let me uninstall because it says cannot run with DOS or something like that so i went and deleted the files but don't know if it will leave the registry. need help on that or comments.

    next, i have spy bot S&D. i got on aol and i didn't realize it but aol spy zapper found a keylogger thing so i blocked that and then downloaded aol spyware protection. It already found 6 problems, i just ran spy bot right before i signed on aol and downloaded it. it's still searchin and i'll post the results when it's done.

    another thing is viewpoint. i was reading on this site that someone had some trouble with a program. well i went to add/remove programs and found something similar: viewpoint media player, and viewpoint manager (remove only). Should i remove these two?

    DANG, here's another thing. this problem keeps coming back and coming back. i need it all gone at once to rid this dang computer of spyware and all that other junk. shopathomeselect cash back is now on the programs list but it wasn't there earlier today. Should i remove it?

    ok here's what aol spyware found: Apropos Media, lLookup, HUNTBAR (OH NO IT'S BACK AGAIN...i've gotten rid of this thing like 5 times in the past 10 days yet keeps on comin back), Activity Logger 2.0, DyFuCa, MicroGaming...this all slipped past spy bot...i am really disturbed about activity logger 2.0, i just blocked a different keylogger found by aol spyzapper, which runs every time i sign on. so i'm blockin those.

    watch, i guarantee that if i run spy bot and aol spyware protection, i will find more stuff. i mean it just won't stop. i've been at it with all this stuff for about 6 days in-depth getting rid of this. it's way time consuming and need a lot of help.

    anyway i think its from activeX? should i remove this and everything related to it?

    and windows media connect is also in my programs and wonder if i should remove it? and iQfx2? and windows media connect?

    I have just learned that AOL spyware doesn't work when blockin the key logger so i downloaded spyhunter 2.0. it found 50 problems in the registry and 3 cookies, all of the registry problems are wild tangent...game driver i think. i remember downloading that but i don't use it anymore so i'll just remove it. umm 53 things with winactive, should i fix those? i'm just doin scanning right now with spyhunter 2.0. i'll put a log on for you to show you and then u can tell me what i need to fix or delete.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Viewpoint Media is something AOL sneaks right by you and installs along with a bunch of other things that you did not ask for nor do you need (including WildTangent). Uninstall Viewpoint Media and/or Viewpoint Manager using Add/Remove programs. Also uninstall anything for WildTangent if found.
    You should also uninstall SpyHunter because it had been on a list of rogue/suspect spyware removal tools for quite some time and while it has improved it still does not remove anything unless you buy it. You do not need it. See: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    What you need to do is run our clean up procedures, which I'll give below.

    - Run ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. sprtfrk22

    sprtfrk22 Private E-2

    I just ran all the procedures. It found a lot of stuff and I removed it all...mostly manually.

    Symantec helped a lot:

    C:\WINDOWS\Downloaded Program Files\bridge.inf is infected with Adware.WinFavorites COULD NOT FIND ANYTHING
    C:\WINDOWS\Downloaded Program Files\NavInst2.ocx is infected with Adware.NavHelper COULD NOT FIND


    When I went to find these they weren't in the folder. I ran the symantec overnight and when I went to delete them they weren't there. Anything suspicious?

    Do you have any suggestions for firewalls or better virus scans that are free?

    Thanks for your help. I really appreciate it.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are there. You just cannot see them using Windows Explorer. Either do it from a command prompt or use a tool like: ExplorerXP

    You should have posted the HJT log as requested.
     
  5. sprtfrk22

    sprtfrk22 Private E-2

    Oops...yes i forgot to attach the HijackThis log...it's attached now.

    No they are not...ok well how do i do a command prompt? but i downloaded explorerXP and removed the last two.

    and do you guys send popups to my screen? because every time i'm on this site i get at least one every 10 minutes...My mom was on all day and didn't get one. just got this one:
    http://adopt.hbmediapro.com/adopt.hbm?l=LB_DELFIN_JAN2005&sz=pop&redir=1&nmv=1&nrsz=0&r=h&rnd=3288

    if u find anything wrong...please tell me and if u have any information and a new virus scan or firewall...please post. thanks
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No popups come from MG's. The problem is that you are still infected. That is why I asked for the follow up HijackThis log.

    Download LSP - Fix

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the connwsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move connwsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Now follow the steps below.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\system32\picsvr\picsvr.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [cxin] C:\DOCUME~1\James\LOCALS~1\Temp\~MySetup.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL (file missing)
    O9 - Extra button: (no name) - {1B7AE680-87FA-11D4-AF0B-0050BF17E519} - (no file) (HKCU)
    O9 - Extra button: Dell Home - {6EB4B300-AC7A-11D3-AF0A-708357C10000} - http://www.dell.com/ (file missing) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\nsvsvc <--- the whole folder <---- Note: do not delete C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\picsvr <--- the whole folder
    C:\Documents and Settings\James\Local Settings\Temp\~MySetup.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
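
An added example, not part of any post in this thread and not code from MajorGeeks or HijackThis: a small Python triage pass over HijackThis-style entries, using lines quoted from the list in the post above. The reason labels and the three heuristics (Run entries launching from a Temp folder, entries marked as missing their file, and O10 Winsock LSP entries) are assumptions made for illustration.

```python
import re

# Lines quoted from the HijackThis list in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [cxin] C:\DOCUME~1\James\LOCALS~1\Temp\~MySetup.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")          # "O4 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")  # hive, key, name, target
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
ORPHAN = re.compile(r"\((file missing|no file)\)")

def parse(log):
    """Yield (section, body) for each HijackThis entry line; skip other text."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def triage(log):
    """Return (section, reason, body) findings; labels are illustrative."""
    findings = []
    for section, body in parse(log):
        run = RUN.match(body) if section == "O4" else None
        if run and TEMP_DIR.search(run.group(4)):
            # Autostart target lives in a Temp folder: review first.
            findings.append((section, "autorun-from-temp", body))
        elif run:
            findings.append((section, "autorun", body))
        elif section == "O10":
            # Winsock LSP chain entry; a bad removal breaks networking.
            findings.append((section, "winsock-lsp", body))
        elif ORPHAN.search(body):
            findings.append((section, "orphaned-entry", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:<4}{reason:<20}{body}")
```
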
     
  7. sprtfrk22

    sprtfrk22 Private E-2

    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing

    when i ran HJT...O10 couldn't be found...don't know why. but i continued as followed.

    C:\Documents and Settings\James\Local Settings\Temp\~MySetup.exe

    this item also wasn't there...i'm now switching back to normal setup and i'll post the attachment in a few minutes.
     
  8. sprtfrk22

    sprtfrk22 Private E-2

    attached hjt
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first item was fixed by using LSP-fix. I left it in HJT as a backup.
    In the second item, HJT probably was able to remove the file when it fixed that O4 line. We leave in the delete manual instructions again as a backup because some things will not be deleted by HJT.

    So how is everything working?
     
  10. hardrive

    hardrive Private First Class

    I'm not sure about WildTangent, but I just looked up some information on Viewpoint Media Player and I got a different point of view about it. According to the forum page from the link below, VMP is supposed to be "an application designed to better your internet experience" and is supposed to be "safe and not spyware or a bug." Click on the link below and scroll down to michael_tzez's post, time stamped: Jan 13 2005, 06:08.

    http://www.neowin.net/forum/lofiversion/index.php/t245560.html
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Very few people use it and just about everyone can get along without it. It is just more crap that AOL has running on your PC all the time even when it is not needed.
     
  12. hardrive

    hardrive Private First Class

    Re: Viewpoint Media Player and 3D Effect

    If it's the program that provides the 3D effect as the poster stated in the link that I provided, I'm all for it. :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Viewpoint Media Player and 3D Effect

    It is only required for sites who program specifically for that application. Rather rare I would think. The only way most people get this on their PCs is from AOL. If it were such an important component it would be more universally required. I have never gone to one website where I have needed it except for the link you just posted.

    IMHO it is just more stuff from AOL that is not needed. That's the same way I feel about AOL too.
     
  14. sprtfrk22

    sprtfrk22 Private E-2

    chaslang-
    YOUR HELP WAS GREAT. My internet speed has doubled, nearly tripled. I ran symantec's online scan again because when i was looking at the thing i saved it read it ran like 6 times and it was cancelled? Don't know how because i was sleeping, I left it running overnight. It found one thing, an uninstaller so my brother deleted it. It works great now. This site is very helpful and I'll use it for future references. Thanks so much. OH yeah and do you have any suggestions for firewalls or anything? mcafee seems not to be working for me all that well.

    PS-
    I feel exactly how you feel about AOL. Only used for a chatting tool. I mean not even good for mail or anything. Piece of garbage. I don't know why my dad still has it around. I don't even use it anymore. It is the one that started my computer messup when i downloaded the 9.0 security version.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

