MajorGeeks Support Forums

  #1  
Old 03-12-05, 00:47
DxSPG DxSPG is offline
Private E-2
 
Join Date: Mar 2005
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Default Can't get rid of AdWare

I followed your guys' thread about basic spyware and adware removal, and I'm still getting popups whenever I browse on the web.

One thing, though, that I wasn't able to do was download the latest Windows updates. I've tried so many of Microsoft's solutions that I just stopped caring about downloading them, but now I feel they are crucial for me to have. If any of you guys can help me, whenever I try to download the updates via Windows Updater, it goes through the downloading process with each update, but always fails to install the update at the very end. Also, each sequential attempt at downloading the updates gives me the same results. I've even tried downloading them one at a time, 2 at a time, etc. but with no success.

Other than that, I believe I've followed your guys' basic removal tips pretty closely, but these popups keep coming up. I have run HiJack This and have included it as an attachment. I know your rules say to not post until after some exchanges, but because of my work and obligations, I probably can only check these forums once a day or less.

Thank you in advance for your help, and if there is anything that I did wrong or shouldn't have done in this post please let me know.
Attached Files
File Type: log hijackthis.log (8.2 KB, 7 views)
  #2  
Old 03-12-05, 01:43
bjgarrick's Avatar
bjgarrick bjgarrick is offline
MajorGeeks Admin - Malware Expert
 
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Default Re: Can't get rid of AdWare

First:

Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
(C:\Program Files\HJT) and click Next.

Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

Second:

Please make sure ALL browsers are closed when running HJT.

C:\Program Files\Internet Explorer\iexplore.exe

Third:

Download the following items:

KILL 2 ME.zip

L2MeFix Tool

Generic Detection Tool - NT/2000/XP

VX2.BetterInternet Finder XP/2k - Version Msg126

Pocket KillBox

LSP-Fix

DO NOT USE ANY OF THESE TOOLS UNTIL TOLD TO!

Fourth:

After you download the tools, Run LSP-Fix

Check the Box labeled "I know what I'm doing" and then click on the files dolsp.dll & aklsp.dll (in the “Keep” section) to select them.

Then, Select the >> button to move dolsp.dll & aklsp.dll into the Remove section.

Now, click the Finish Button. When the Repair Summary box appears, click OK.

(Note: If the files dolsp.dll & aklsp.dll are already in the remove section, then just click FINISH.)

Fifth:

Please look in Add or Remove Programs for the following and Uninstall them if found:

ISTsvc

Weather Bug

Viewpoint

Media Pass

WildTangent

wsxsvc



Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

ViewMgr.exe

ixsgparq.exe

Weather.exe

istsvc.exe


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [eedtkF] C:\WINDOWS\ixsgparq.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [uzbjgfai] c:\windows\system32\uzbjgfai.exe
O4 - HKLM\..\Run: [p76X34i] mpepl.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [prutjct] C:\WINDOWS\system32\prutjct.exe
O4 - HKCU\..\Run: [Ywp7RQG9P] mriacypt.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://64.85.20.102/Java/cfs31218.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) -http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/039bf951b9dd885...p/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab

O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\en46l1hs1.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\ir6ml5j11.dll


Again, make sure All Browser Windows are Closed when you Click FIX.


Sixth:

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


C:\Program Files\Media Pass ←–– Delete this whole folder if it exists!

C:\Program Files\AWS ←–– Delete this whole folder if it exists!

C:\Program Files\WildTangent ←–– Delete this whole folder if it exists!

C:\WINDOWS\system32\vmss ←–– Delete this whole folder if it exists!

C:\WINDOWS\system32\wsxsvc ←–– Delete this whole folder if it exists!

C:\WINDOWS\ixsgparq.exe

C:\WINDOWS\sixtypopsix.exe

C:\WINDOWS\farmmext.exe

C:\WINDOWS\system32\uzbjgfai.exe

C:\WINDOWS\system32\prutjct.exe

C:\WINDOWS\System32\shdocvw.dll

C:\WINDOWS\system32\ir6ml5j11.dll

C:\WINDOWS\system32\en46l1hs1.dll

C:\WINDOWS\system32\dolsp.dll

C:\WINDOWS\system32\aklsp.dll

mpepl.exe ←–– Search for this file and delete when found!

mriacypt.exe ←–– Search for this file and delete when found!


NEXT:
Run CCleaner

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin


And Click OK.

Reboot to Normal Windows

Seventh:

Download and install Microsoft® Windows AntiSpyware. During the install, make sure you get any updates, BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.

Eighth:

Run the L2MeFix Tool

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log. Attach this log!

NOTE: Please do not run any other options or files in the l2mfix Folder!

Ninth:

Now run the Generic Detection Tool - NT/2000/XP

Extract all the files from the Generic Detection Tool into its own folder. Then run find.bat. Post the log it creates back here as an attachment to your post.

After doing these scans above, DO NOT REBOOT!



After doing the above, Post a new Hijack This log, l2mfix log, and the Generic Detection Tool log.

Good Luck!
  #3  
Old 03-12-05, 14:04
DxSPG DxSPG is offline
Private E-2
 
Join Date: Mar 2005
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Can't get rid of AdWare

I followed your instructions closely, but after the Sixth step when I rebooted into normal Windows mode, my program "explorer.exe" doesn't initialize. I even try to manually initialize it through Task Manager, but with no success. I'm responding on a friend's computer because I can't browse the internet or my files. I can only browse my computer files through Task Manager, but still I don't know what went wrong. When my computer boots, all I see is my desktop picture, and I can only open files through Task Manager.

Please, is there any way to fix my explorer.exe program because now I can't really use my computer. Also I've turned off System Restore when I got my computer about 2 years ago so there is no go to point.
  #4  
Old 03-12-05, 14:17
bjgarrick's Avatar
bjgarrick bjgarrick is offline
MajorGeeks Admin - Malware Expert
 
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Default Re: Can't get rid of AdWare

Quote:
Originally Posted by DxSPG
I followed your instructions closely, but after the Sixth step when I rebooted into normal Windows mode, my program "explorer.exe" doesn't initialize. I even try to manually initialize it through Task Manager, but with no success. I'm responding on a friend's computer because I can't browse the internet or my files. I can only browse my computer files through Task Manager, but still I don't know what went wrong. When my computer boots, all I see is my desktop picture, and I can only open files through Task Manager.

Please, is there any way to fix my explorer.exe program because now I can't really use my computer. Also I've turned off System Restore when I got my computer about 2 years ago so there is no go to point.
Did you follow step 4, exactly as it is?

Did you run into any problems during the first few steps?
  #5  
Old 03-13-05, 16:01
DxSPG DxSPG is offline
Private E-2
 
Join Date: Mar 2005
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Can't get rid of AdWare

Quote:
Originally Posted by bjgarrick
Did you follow step 4, exactly as it is?

Did you run into any problems during the first few steps?
As far as I know, I did all the steps with no problems, up until I had to reboot into normal Windows mode. I made sure to delete all the registries that were listed, as well as any files/folders as well. I closed all browser windows too like your directions stated. Still don't know what is wrong because my explorer.exe still won't start up.
  #6  
Old 03-13-05, 19:41
bjgarrick's Avatar
bjgarrick bjgarrick is offline
MajorGeeks Admin - Malware Expert
 
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Default Re: Can't get rid of AdWare

Quote:
Originally Posted by DxSPG
I made sure to delete all the registries that were listed,
What registry entries did you delete? Are you talking about the O4 lines in HJT?

What EXACTLY happens when you boot into normal mode?
  #7  
Old 03-14-05, 12:15
DxSPG DxSPG is offline
Private E-2
 
Join Date: Mar 2005
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Can't get rid of AdWare

Quote:
Originally Posted by bjgarrick
What registry entries did you delete? Are you talking about the O4 lines in HJT?

What EXACTLY happens when you boot into normal mode?
What happens "exactly" when I start my computer (this even happens in safe mode) is that the blue screen that prompts me to enter my password shows up as usual. I enter my password, and as the blue screen is there saying that Windows is loading my settings, a prompt window pops up saying that "explorer.EXE failed to initiate" or something like that, leaving me with only the option to click an "Ok" button. It then finishes loading and displays my desktop ONLY, no menu bar or desktop icons, meaning explorer.exe didn't load up.

Also, when I try to initialize explorer.exe via Task Manager, it doesn't initialize then either. As far as I know I followed everything your post said exactly as is (including the deletion of ALL the registry keys listed). I am not blaming you for my computer's mishap nor am I angry, I just hope you guys can help me fix it.

Are there any registry keys that are crucial to explorer.exe's ability to function? I can run the majority of my programs (except for Internet Explorer "iexplore") still, so I think I may be able to re-enter some registry keys, although I don't have much knowledge with computers.
  #8  
Old 03-14-05, 15:25
bjgarrick's Avatar
bjgarrick bjgarrick is offline
MajorGeeks Admin - Malware Expert
 
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Default Re: Can't get rid of AdWare

Quote:
Originally Posted by DxSPG
As far as I know I followed everything your post said exactly as is (including the deletion of ALL the registry keys listed)
Are you referring to the O4 - HKLM\..\Run: entries in HJT, or did you delete some other registry entries?
  #9  
Old 03-15-05, 11:47
DxSPG DxSPG is offline
Private E-2
 
Join Date: Mar 2005
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Can't get rid of AdWare

Quote:
Originally Posted by bjgarrick
Are you referring to the O4 - HKLM\..\Run: entries in HJT, or did you delete some other registry entries?
No, I only checked the box next to the registry keys that you listed for the HiJack This program to Fix. For all the registry keys you listed in your instructions, I went back to HiJackThis and checked the boxes next to their names and clicked Fix when I was done. I'm not exactly sure if that is "deleting" them or what, but I used HiJackThis to "fix" all the registry keys you listed. Also, as far as I know, I didn't "delete" or "fix" any other registry keys than the ones you listed.
  #10  
Old 03-17-05, 13:52
DxSPG DxSPG is offline
Private E-2
 
Join Date: Mar 2005
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Default Explorer.exe not initializing. Blank Desktop

http://forums.majorgeeks.com/showthread.php?t=57495
This link was to a thread I had previously received help in removing spyware from my computer, but if you read it, after around the Sixth step in bjgarrick's help post, my explorer.exe program fails to initialize when Windows starts up. This leads to a screen showing only my desktop picture (no desktop icons or menu bar) and doesn't even allow me to right-click. I have to run every program I want out of Task Manager, and still "explorer.exe" won't initialize manually.

My comp's specs are: OS - Windows XP, Processor - 2.4 GHz, Hard drive - 80GB, well, it's an HP laptop model "hp pavilion ze5300" if you want to know the other specs.

When Windows is loading my settings, a window pops up with the title "explorer.EXE - Application Error" and the body says "The application failed to initialize properly (0xc0000022). Click on OK to terminate the program." As I have no choice but to click the OK button, another window pops up with the title "RUNDLL" saying "An exception occurred while trying to run "C:\WINDOWS\system32\MWSTDFMT.DLL" ,DllGetVersion" or something like that. Also I have no choice but to click OK to terminate the program.

I have tried searching for ways to fix explorer.exe, and one way I heard about was to re-apply Service Pack 2, which I had installed on my computer a while back, to fix "explorer.exe" and other programs. The thing is, though, that I would have to run Windows Update through Internet Explorer on my comp, but "explorer.exe" and "iexplore.exe" don't function on my computer. I did, however, ask Microsoft to send me a Service Pack 2 CD hopefully to be able to restore my programs. Is there any truth to this method? Are there any other ways for me to fix my computer without having to restore it?
  #11  
Old 03-17-05, 19:16
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,140
Thanks: 61
Thanked 7,571 Times in 4,072 Posts
Default Re: Explorer.exe not initializing. Blank Desktop

I'm merging this back into your original thread so that BJ can continue working with you. Try to stay with your original post and in the same forum unless someone asks you to post your question in another forum.
  #12  
Old 03-18-05, 00:16
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,140
Thanks: 61
Thanked 7,571 Times in 4,072 Posts
Default Re: Explorer.exe not initializing. Blank Desktop

Let's see if you can do the below!
First let's open a command prompt window if you can. Click Start, Run and enter cmd and click OK.
You can do similar from Task Manager if need be. Then at the command prompt execute the following commands:

cd C:\WINDOWS\system32
regsvr32 /u MWSTDFMT.DLL
attrib -r -h -s MWSTDFMT.DLL
ren MWSTDFMT.DLL MWSTDFMT.DDD

Note: in the below commands the first only has one > , the second must have two >>
dir /AH /ON /Q c:\windows\system32 > c:\sys32HS-list.txt
dir /AS /ON /Q c:\windows\system32 >> c:\sys32HS-list.txt

C:\WINDOWS\SoftwareDistribution\Download
exit

Okay, now see if there is a way you can get the c:\sys32HS-list.txt file attached back here. (Copy to another PC via floppy or whatever). Tell me if you have any problems with doing any of these steps. Any error messages?

Now reboot and let's see if there is any effect. Do you still get a message about the MWSTDFMT.DLL file?

Can you download programs elsewhere and transfer them to this PC?

Now can you do a file search on this PC ...probably not. What I want to do is look in
C:\WINDOWS\SoftwareDistribution\Download
and under one of the folders under here. You may be able to find another copy of explorer.exe for your WinXP2. If you cannot search, you may need to do this from the command prompt.

Also in message # 2, the following file should never have been deleted C:\WINDOWS\System32\shdocvw.dll

shdocvw.dll is a library used by Windows applications to add basic file and networking operations.

If you really deleted it we need to get it back too! If you cannot find a copy on your system to copy back to the system32 folder, you can try downloading the one in the following link to see if it helps: http://www.dll-files.com/dllindex/dl....shtml?shdocvw
Last edited by chaslang; 03-18-05 at 00:53..
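
The failure in this thread (a HijackThis O9 entry led to deleting the real C:\WINDOWS\System32\shdocvw.dll) can be caught before anything is removed. The following is an added example, not part of the original posts: it pulls file paths out of HijackThis log lines and marks those that are core Windows files in their expected folder. The allowlist, the C:\WINDOWS install location, the function names and the last sample line are assumptions made for the example.

```python
import ntpath
import re

# Assumption: a small, illustrative allowlist mapping core Windows files to
# the folder they normally live in on a C:\WINDOWS install. shdocvw.dll is
# the file whose deletion broke explorer.exe in this thread.
PROTECTED = {
    "shdocvw.dll": r"c:\windows\system32",
    "shell32.dll": r"c:\windows\system32",
    "browseui.dll": r"c:\windows\system32",
    "urlmon.dll": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Drive-letter path ending in .exe or .dll, as found in HijackThis lines.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll)\b', re.I)


def paths_in_line(line):
    """Return every .exe/.dll path mentioned in one log line."""
    return PATH_RE.findall(line)


def classify(path):
    """'protected' = core file in its expected folder (never delete),
    'masquerade?' = core file name in an unexpected folder,
    'review' = everything else, to be judged by the helper."""
    folder, name = ntpath.split(ntpath.normpath(path).lower())
    expected = PROTECTED.get(name)
    if expected is None:
        return "review"
    return "protected" if folder == expected else "masquerade?"


def review(log_lines):
    """Return (entry type, path, verdict) for each path in the log."""
    findings = []
    for line in log_lines:
        entry = line.split(" - ", 1)[0].strip()  # e.g. "O4", "O9", "O20"
        for path in paths_in_line(line):
            findings.append((entry, path, classify(path)))
    return findings


def deletable(log_lines):
    """Paths that may go on a file-deletion list after manual review."""
    return [p for _, p, verdict in review(log_lines) if verdict != "protected"]


# First three lines are copied from post #2; the last one is constructed
# to show the name-in-wrong-folder case.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe",
    r"O9 - Extra button: (no name) - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll",
    r"O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\ir6ml5j11.dll",
    r"O4 - HKCU\..\Run: [shell] C:\WINDOWS\Temp\explorer.exe",
]

if __name__ == "__main__":
    for entry, path, verdict in review(SAMPLE_LOG):
        print(f"{entry:4} {verdict:12} {path}")
```

Fixing the registry entry in HijackThis and deleting the file it points to are separate actions; a "protected" verdict only says the file itself must stay.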
  #13  
Old 03-18-05, 23:39
DxSPG DxSPG is offline
Private E-2
 
Join Date: Mar 2005
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Can't get rid of AdWare

The link you provided for me to regain my shdocvw.dll file did the trick. Now my explorer.exe starts up on a reboot just fine! As for the MWSTDFMT.DLL thing, when I type any of the commands with it, there is a message saying that the file no longer exists, although I don't think it is a problem anymore because when I bootup Windows, there is no more pop up windows saying anything about this file.

Thank you very much for your help :D
  #14  
Old 03-19-05, 00:11
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,140
Thanks: 61
Thanked 7,571 Times in 4,072 Posts
Default Re: Can't get rid of AdWare

You're welcome! But I would recommend posting a follow up HJT log just to double check things.
I'm glad we got you back running again!