Can't get rid of AdWare

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DxSPG, Mar 12, 2005.

  1. DxSPG

    DxSPG Private E-2

    I followed your guys' thread about basic spyware and adware removal, and I'm still getting popups whenever I browse on the web.

    One thing, though, that I wasn't able to do was download the latest Windows updates. I've tried so many of Microsoft's solutions that I just stopped caring about downloading them, but now I feel they are crucial for me to have. If any of you guys can help me, whenever I try to download the updates via Windows Updater, it goes through the downloading process with each update, but always fails to install the update at the very end. Also, each sequential attempt at downloading the updates gives me the same results. I've even tried downloading them one at a time, 2 at a time, etc. but with no success.

    Other than that, I believe I've followed your guys' basic removal tips pretty closely, but these popups keep coming up. I have run HiJack This and have included it as an attachment. I know your rules say to not post until after some exchanges, but because of my work and obligations, I probably can only check these forums once a day or less.

    Thank you in advance for your help, and if there is anything that I did wrong or shouldn't have done in this post please let me know.
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Second:

    Please make sure ALL browsers are closed when running HJT.

    C:\Program Files\Internet Explorer\iexplore.exe

    Third:

    Download the following items:

    KILL 2 ME.zip

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    LSP-Fix

    DO NOT USE ANY OF THESE TOOLS UNTIL TOLD TO!

    Fourth:

    After you download the tools, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the files dolsp.dll & aklsp.dll (in the “Keep” section) to select them.

    Then, Select the >> button to move dolsp.dll & aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the files dolsp.dll & aklsp.dll are already in the remove section, then just click FINISH.)

    Fifth:

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    ISTsvc

    Weather Bug

    Viewpoint

    Media Pass

    WildTangent

    wsxsvc



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    ViewMgr.exe

    ixsgparq.exe

    Weather.exe

    istsvc.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [eedtkF] C:\WINDOWS\ixsgparq.exe
    O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
    O4 - HKLM\..\Run: [uzbjgfai] c:\windows\system32\uzbjgfai.exe
    O4 - HKLM\..\Run: [p76X34i] mpepl.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [prutjct] C:\WINDOWS\system32\prutjct.exe
    O4 - HKCU\..\Run: [Ywp7RQG9P] mriacypt.exe

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: (no name) - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

    O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://64.85.20.102/Java/cfs31218.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) -http://www.gocyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/039bf951b9dd885c3b23/netzip/RdxIE601.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab

    O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\en46l1hs1.dll
    O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\ir6ml5j11.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.


    Sixth:

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\Program Files\Media Pass ←–– Delete this whole folder if it exists!

    C:\Program Files\AWS ←–– Delete this whole folder if it exists!

    C:\Program Files\WildTangent ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\vmss ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\wsxsvc ←–– Delete this whole folder if it exists!

    C:\WINDOWS\ixsgparq.exe

    C:\WINDOWS\sixtypopsix.exe

    C:\WINDOWS\farmmext.exe

    C:\WINDOWS\system32\uzbjgfai.exe

    C:\WINDOWS\system32\prutjct.exe

    C:\WINDOWS\System32\shdocvw.dll

    C:\WINDOWS\system32\ir6ml5j11.dll

    C:\WINDOWS\system32\en46l1hs1.dll

    C:\WINDOWS\system32\dolsp.dll

    C:\WINDOWS\system32\aklsp.dll

    mpepl.exe ←–– Search for this file and delete when found!

    mriacypt.exe ←–– Search for this file and delete when found!


    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    Seventh:

    Download and install Microsoft® Windows AntiSpyware. During the install, make sure you get any updates, BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.

    Eighth:

    Run the L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log. Attach this log!

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Ninth:

    Now run the Generic Detection Tool - NT/2000/XP

    Extract all the files from the Generic Detection Tool into its own folder. Then run find.bat. Post the log it creates back here as an attachment to your post.

    After doing these scans above, DO NOT REBOOT!



    After doing the above, Post a new Hijack This log, l2mfix log, and the Generic Detection Tool log.

    Good Luck! :)
     
  3. DxSPG

    DxSPG Private E-2

    I followed your instructions closely, but after the Sixth step when I rebooted into normal Windows mode, my program "explorer.exe" doesn't initialize. I even try to manually initialize it through Task Manager, but with no success. I'm responding on a friend's computer because I can't browse the internet or my files. I can only browse my computer files through Task Manager, but still I don't know what went wrong. When my computer boots, all I see is my desktop picture, and I can only open files through Task Manager.

    Please, is there any way to fix my explorer.exe program because now I can't really use my computer. Also I've turned off System Restore when I got my computer about 2 years ago so there is no go to point.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you follow step 4, exactly as it is?

    Did you run into any problems during the first few steps?
     
  5. DxSPG

    DxSPG Private E-2

    As far as I know, I did all the steps with no problems, up until I had to reboot into normal Windows mode. I made sure to delete all the registries that were listed, as well as any files/folders as well. I closed all browser windows too like your directions stated. Still don't know what is wrong because my explorer.exe still won't start up.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What registry entries did you delete? Are you talking about the O4 lines in HJT?

    What EXACTLY happens when you boot into normal mode?
     
  7. DxSPG

    DxSPG Private E-2

    What happens "exactly" when I start my computer (this even happens in safe mode) is that the blue screen that prompts me to enter my password shows up as usual. I enter my password, and as the blue screen is there saying that Windows is loading my settings, a prompt window pops up saying that "explorer.EXE failed to initiate" or something like that, leaving me with only the option to click an "Ok" button. It then finishes loading and displays my desktop ONLY, no menu bar or desktop icons, meaning explorer.exe didn't load up.

    Also, when I try to initialize explorer.exe via Task Manager, it doesn't initialize then either. As far as I know I followed everything your post said exactly as is (including the deletion of ALL the registry keys listed). I am not blaming you for my computer's mishap nor am I angry, I just hope you guys can help me fix it.

    Are there any registry keys that are crucial to explorer.exe's ability to function? I can run the majority of my programs (except for Internet Explorer "iexplore") still, so I think I may be able to re-enter some registry keys, although I don't have much knowledge with computers.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you referring to the O4 - HKLM\..\Run: entries in HJT, or did you delete some other registry entries?
     
  9. DxSPG

    DxSPG Private E-2

    No, I only checked the box next to the registry keys that you listed for the HiJack This program to Fix. For all the registry keys you listed in your instructions, I went back to HiJackThis and checked the boxes next to their names and clicked Fix when I was done. I'm not exactly sure if that is "deleting" them or what, but I used HiJackThis to "fix" all the registry keys you listed. Also, as far as I know, I didn't "delete" or "fix" any other registry keys than the ones you listed.
     
  10. DxSPG

    DxSPG Private E-2

    Explorer.exe not initializing. Blank Desktop

    http://forums.majorgeeks.com/showthread.php?t=57495
    This link was to a thread I had previously received help in removing spyware from my computer, but if you read it, after around the Sixth step in bjgarrick's help post, my explorer.exe program fails to initialize when Windows starts up. This leads to a screen showing only my desktop picture (no desktop icons or menu bar) and doesn't even allow me to right-click. I have to run every program I want out of Task Manager, and still "explorer.exe" won't initialize manually.

    My comp's specs are: OS - Windows XP, Processor - 2.4 GHz, Hard drive - 80GB, well, it's an HP laptop model "hp pavilion ze5300" if you want to know the other specs.

    When windows is loading my settings, a window pops up with the title "explorer.EXE - Application Error" and the body says "The application failed to initialize properly (0xc0000022). Click on OK to terminate the program." As I have no choice but to click the OK button, another window pops up with the title "RUNDLL" saying "An exception occurred while trying to run "C:\WINDOWS\system32\MWSTDFMT.DLL" ,DllGetVersion" or something like that. Also I have no choice but to click OK to terminate the program.

    I have tried searching for ways to fix explorer.exe, and one way I heard about was to re-apply Service Pack 2, which I had installed on my computer a while back, to fix "explorer.exe" and other programs. The thing is, though, that I would have to run Windows Update through Internet Explorer on my comp, but "explorer.exe" and "iexplore.exe" don't function on my computer. I did however, ask Microsoft to send me a Service Pack 2 CD hopefully to be able to restore my programs. Is there any truth to this method? Are there any other ways for me to fix my computer without having to restore it?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Explorer.exe not initializing. Blank Desktop

    I'm merging this back into your original thread so that BJ can continue working with you. Try to stay with your original post and in the same forum unless someone asks you to post your question in another forum.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Explorer.exe not initializing. Blank Desktop

    Let's see if you can do the below!
    First let's open a command prompt window if you can. Click Start, Run and enter cmd and click OK.
    You can do similar from Task Manager if need be. Then at the command prompt execute the following commands:

    cd C:\WINDOWS\system32
    regsvr32 /u MWSTDFMT.DLL
    attrib -r -h -s MWSTDFMT.DLL
    ren MWSTDFMT.DLL MWSTDFMT.DDD

    Note: in the below commands the first only has one > , the second must have two >>
    dir /AH /ON /Q c:\windows\system32 > c:\sys32HS-list.txt
    dir /AS /ON /Q c:\windows\system32 >> c:\sys32HS-list.txt

    C:\WINDOWS\SoftwareDistribution\Download
    exit

    Okay now see if there is a way you can get the c:\sys32HS-list.txt file attached back here. (Copy to another PC via floppy or whatever). Tell me if you have any problems with doing any of these steps. Any error messages?

    Now reboot and let's see if there is any effect. Do you still get a message about the MWSTDFMT.DLL file?

    Can you download programs elsewhere and transfer them to this PC?

    Now can you do a file search on this PC ...probably not. What I want to do is look in
    C:\WINDOWS\SoftwareDistribution\Download
    and under one of the folders under here. You may be able to find another copy of explorer.exe for your WinXP2. If you cannot search, you may need to do this from the command prompt.

    Also in message # 2, the following file should never have been deleted C:\WINDOWS\System32\shdocvw.dll

    shdocvw.dll is a library used by Windows applications to add basic file and networking operations.

    If you really deleted it we need to get it back too! If you cannot find a copy on your system to copy back to the system32 folder, you can try downloading the one in the following link to see if it helps: http://www.dll-files.com/dllindex/dll-files.shtml?shdocvw
     
    Last edited: Mar 18, 2005
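
Added example, not part of the thread or of HijackThis: a Python pre-deletion check for the failure seen above, where shdocvw.dll was referenced by a fixed O9 entry and also placed on the delete list. The PROTECTED set and the function names are assumptions for illustration; the sample entries and paths are copied from post 2.

```python
import re
from ntpath import basename, normcase  # Windows path rules on any OS

# Assumption: a deliberately short list built from file names in this thread;
# a real list would cover far more Windows components.
PROTECTED = {"shdocvw.dll", "explorer.exe", "iexplore.exe"}

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:exe|dll)\b', re.I)

def target_of(line):
    """Return (section, path) for a HijackThis entry; path is None when the
    entry names no drive-qualified .exe/.dll (URLs, bare file names)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    p = WIN_PATH.search(m.group("body"))
    return m.group("section"), (p.group(0) if p else None)

def review(fix_lines, delete_paths):
    """Split a planned delete list into (safe, held). Held paths carry a
    protected file name and need manual verification before deletion."""
    referenced = {normcase(t[1]) for t in map(target_of, fix_lines) if t and t[1]}
    safe, held = [], []
    for path in delete_paths:
        if basename(path).lower() in PROTECTED:
            why = ("referenced by a fix entry" if normcase(path) in referenced
                   else "protected file name")
            held.append((path, why))
        else:
            safe.append(path)
    return safe, held

# Entries and paths copied from post 2 of this thread.
FIX_LINES = [
    r'O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain',
    r"O4 - HKLM\..\Run: [eedtkF] C:\WINDOWS\ixsgparq.exe",
    r"O9 - Extra button: (no name) - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll",
    r"O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) -http://www.gocyberlink.com/winxp/CheckDVD.cab",
]
DELETE_LIST = [
    r"C:\WINDOWS\ixsgparq.exe",
    r"C:\WINDOWS\System32\shdocvw.dll",
    r"C:\WINDOWS\system32\en46l1hs1.dll",
]

if __name__ == "__main__":
    safe, held = review(FIX_LINES, DELETE_LIST)
    for path, why in held:
        print(f"HOLD   {path}  ({why})")
    for path in safe:
        print(f"DELETE {path}")
```

A held path is not declared clean; it is set aside so the registry entry can be fixed while the file itself is verified before anything is deleted.
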
  13. DxSPG

    DxSPG Private E-2

    The link you provided for me to regain my shdocvw.dll file did the trick. Now my explorer.exe starts up on a reboot just fine! As for the MWSTDFMT.DLL thing, when I type any of the commands with it, there is a message saying that the file no longer exists, although I don't think it is a problem anymore because when I bootup Windows, there are no more pop-up windows saying anything about this file.

    Thank you very much for your help :D
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! But I would recommend posting a follow up HJT log just to double check things.
    I'm glad we got you back running again! ;)
     
