need help downloader trojan, etc

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pierce, Apr 11, 2005.

  1. pierce

    pierce Private E-2

    I have been working on a computer trying to remove adware and spyware that is on it. I found that I had a downloader trojan and several others. I can't seem to find the main file to delete programs off this computer. This computer is used at home. I have enclosed the HijackThis file; could you please let me know if there is a file (or files) that should also be removed. I am no expert and was unsure of which of these files I needed to keep and what I could safely remove.

    Thanks
    Logfile of HijackThis v1.99.1
    Scan saved at 2:32:37 PM, on 4/11/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    C:\Documents and Settings\linda chupp\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
     
    Last edited by a moderator: Apr 11, 2005
  2. PhilliePhan

    PhilliePhan Guest

    Hi Pierce,

    You are running HijackThis unsafely (see instructions below). Also, you should start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and will save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    PP:)
     
  3. pierce

    pierce Private E-2

    I have downloaded and run all of the spyware programs you suggested. When I ran the scan at Symantec it said that I had 2 viruses, adware.elitebar and adware.1stbar. I was unable to remove these. I have enclosed the HijackThis log. Also, in running the programs you suggested it said that I had DSO Exploit (5 files) and I instructed it to fix those. I ran Trend Micro virus scan and AVG (which I have installed on this computer); both of those said there were no viruses found. Any help would be appreciated.
    Thanks

    Also, I am unable to change the wallpaper on the desktop. I have tried different themes and changing the color but it stays blue and the themes don't change the wallpaper.
     

    Attached Files:

  4. pierce

    pierce Private E-2

    I located on your website the link to download the elite toolbar remover. I think this has done the trick but I still need to figure out what has happened so that the desktop wallpaper can be changed. Any help is greatly appreciated
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Pierce,

    Some notes before we begin:

    1 - You are still running HijackThis unsafely. You MUST Extract it to a safe folder before continuing!!
    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER
    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    2 - It looks like you are running both Norton and AVG at the same time. If this is the case, you should choose 1 and remove the other!

    3 - You have to get rid of Blubster. If it is not already responsible for your current problems, it is begging to give you more.

    4 - Spybot - Search and Destroy DSO Exploit Fix will address SpyBot's DSO Exploit bug.


    Now, let's clean up your HJT Log. We'll deal with the desktop afterward.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Blubster
    Ebates_MoeMoneyMaker

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    rpen.exe
    prytect.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
    O2 - BHO: (no name) - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
    O2 - BHO: (no name) - {0B8615F3-DF37-F3EF-1A33-DC38023A9098} - C:\WINDOWS\System32\kib.dll
    O2 - BHO: (no name) - {12E27C2C-ADD5-482C-913D-359AF979E6A5} - (no file)

    O4 - HKCU\..\Run: [Usrr] C:\WINDOWS\System32\rpen.exe
    O4 - HKCU\..\Run: [prytect] C:\WINDOWS\system32\prytect.exe
    O4 - HKCU\..\Run: [Jo5sRRfmO] lanptnet.exe

    O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
    O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 66.197.161.149

    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\zeta.exe
    C:\WINDOWS\System32\rpen.exe
    C:\WINDOWS\system32\prytect.exe
    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\System32\kib.dll
    C:\WINDOWS\System32\lanptnet.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
  6. pierce

    pierce Private E-2

    Ok, I followed your instructions for HijackThis and have it in the Program Files folder. I deleted Norton and left AVG. Ran Spybot and removed the files it found. I also cleaned up the HJT log. I have attached a copy of the HijackThis log. I believe the computer is much better; I don't have all the pop-ups that I was having. The only problem that I have left is not being able to change the wallpaper on the desktop. It did have a page on it that had a clickable link for spyware removal, but it is not a wallpaper that I put on the computer. I changed the color of the background and now have not been able to change anything on the wallpaper.
     
  7. pierce

    pierce Private E-2

    Sorry I didn't put the hjt log on last post. I think I have lost my mind because there is nowhere that I see where I can browse to post an attachment to this reply!
     
  8. AliWiseman

    AliWiseman Private First Class

    lol... scroll down past "submit reply" to additional options on your reply screen. :)
     
  9. pierce

    pierce Private E-2

    Under additional options it says "attach files" but there is no button below it to attach any attachments???? What the heck??????? I have another computer here and when I go to reply I can see the button to be able to attach files but it is not on the other computer. They are separate computers and the only thing shared is the internet connection (roadrunner)
     
  10. AliWiseman

    AliWiseman Private First Class

    lol... you click manage attachments and a new window opens which allows you to browse and upload your files. If that window isn't opening maybe a blocker on your pc is killing it?
     
  11. pierce

    pierce Private E-2

    Ok, this is a real odd one. I opened Netscape and the button to manage uploads is there but not when I use Internet Explorer. Any ideas? I have attached my HJT log.
    Thanks
     

    Attached Files:

  12. PhilliePhan

    PhilliePhan Guest

    Hi Pierce,

    Your HJT Log looks better. Just have it fix this line:

    O4 - HKCU\..\Run: [prytect] C:\WINDOWS\system32\prytect.exe

    and double-check to make sure C:\WINDOWS\system32\prytect.exe is gone. If it remains, RightClick it and check its Property and Version info and see if it is "read only." Let me know what you find.

    As for the desktop problem, Chaslang and BJGarrick have come up with a fix for it. Before trying it, please try the following and see if it has any effect:

    Go Start > Control Panel > Display Properties > Desktop Tab > Customize Desktop button > Web tab.
    Now, Uncheck ALL boxes.
    Click OK and exit out and try to set your own background.


    If that doesn't produce results, try Chas & BJ's fix:

    Download FixDeskTop.Zip to a folder where you can locate it. And then extract the fixdesktop.reg file from the ZIP file. Double click on the fixdesktop.reg file and when prompted to add the changes into registry say yes.

    Then, post back with the results and we'll see what remains to be done!
    I'll try to check back as time permits.

    PP :)
     
  13. pierce

    pierce Private E-2

    Got rid of the file in the HJT log. Couldn't find prytect.exe anywhere. I tried the fix for the wallpaper and I still cannot change the wallpaper. All the other problems I was having seem to be fixed and I greatly appreciate the help. If I can just get this wallpaper problem solved then I will be done working on this darn thing (for now) lol.
     
  14. pierce

    pierce Private E-2

    Grrrrrrrrr!!! I have restarted the computer and now I am getting a "found new hardware wizard" that keeps coming up for:

    sm bus controller
    ethernet controller
    multimedia audio controller
    video controller (vga compatible)
    What is going on now? I am working on the computer for the boss's sister so I don't have any disks that she would have for this computer. It is an emachine. Any ideas now? Also still cannot change the wallpaper. I am about ready to throw this computer into the highway and let a semi run over it! :)
     
  15. PhilliePhan

    PhilliePhan Guest

    Hi Pierce,

    I have asked Chaslang to take a look since he is more familiar with this baddie than I and I am not sure exactly what his fix encompasses and what is left to be tried. Hang in there!

    PP :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, look for the following file C:\WINDOWS\desktop.html

    If you find it, delete it!

    Download the attached file to a folder where you can locate it. And then extract the deskfix1.reg file from the ZIP file. Double click on the deskfix1.reg file and when prompted to add the changes into registry say yes.


    Now reboot and let us know if there is any change!
     

    Attached Files:

    Last edited: Apr 14, 2005
  17. pierce

    pierce Private E-2

    Ok, first I found all the drivers and got all the things that came up under "found new hardware" installed. I looked for a file called desktop.html and I could not find one; I only found desktop.ini on the C drive. I tried to use the deskfix you had linked to and when I opened it, it said "cannot import, specified file is not a registry script. You can only import binary registry files from within the registry editor." Now what???
     
  18. pierce

    pierce Private E-2

    I have also now noticed that when I go to Start and then Search that there is nowhere for me to click to search for files, folders, etc. It opens up a window and has Search at the top, but on the left where you would click what you are wanting to search there is nothing there. I was going to try to search for the desktop.html but am unable to.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My fault! I changed the file to text mode. Download it and try it again.
     
  20. pierce

    pierce Private E-2

    Ok, I have done the deskfix. There are actually 3 people who use this computer and I have done the deskfix on each one. When I log onto each one out of the three, I can change the desktop for 1 of them. Am I going to need to do a HJT log for each user? For the other 2 people I cannot change their desktops; I have run CCleaner, Spybot, etc. on each person. There were several files under one of the names. Do you want me to post a log for each user? Maybe that is what the problem is with the desktop?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you will have to cleanup each user account, thus a log will have to be worked on for each one.

    When you searched for desktop.html, did you have the search options set correctly as indicated below?

    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter desktop.html
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Also have you done the below for each user:

    Fixing Locked Desktop
    Right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.
     
  22. pierce

    pierce Private E-2

    I have attached a HJT log from another user of this computer. I have been through all the scanning steps with Spybot, CCleaner, etc. from the beginning of this thread. I am aware of how to search for a file, but when I go to Start and then click Search it opens up a window and at the left it says Search Companion, but there are no buttons or anything so that I can tell it what I am searching for and where to look. Also, the desktop is not locked.
    Thanks
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you click the Magnifying Glass at the top of the Window where it says Search, do you get an option box to appear now? The top of the box typically says something like "What do you want to search for?"
    And further down you should see "All files and folders"


    Did you also check
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As for the HijackThis log.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\Uua.exe
    C:\WINDOWS\System32\x3yy\aplheoik.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O4 - HKCU\..\Run: [Tov] C:\WINDOWS\System32\Uua.exe
    O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\aplheoik.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\Uua.exe
    C:\WINDOWS\System32\x3yy <-- delete the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  25. pierce

    pierce Private E-2

    Ok, system restore is disabled and I have done all the fixes with it disabled. And I have hidden file viewing enabled. When I ran HJT and looked for those processes they were not listed for me to be able to kill. I scanned with HJT and removed the R3 URLSearchHook, but the O4 uua.exe and the O4 aplheoik.exe were not showing. I went ahead and went into safe mode and deleted the whole folder x3yy, but the uua.exe file was nowhere to be found. I have attached another HJT log from the last user of this computer. Will I also need to go into administrator under safe mode to do any changes? I got no errors for the files I did delete. I also make sure when running HJT that it is the only thing open; I print your instructions out and then go back and run HJT with nothing opened. Also when I go to Start and then Search, it opens a window and there is a box to the left that says "search companion" and the magnifying glass is depressed. When I click on the magnifying glass the search companion box on the left disappears. When the search companion box is open there is just an empty box but nowhere to type anything. Also when I open Search, the very top of the window to the left only has what looks like a file that is opened but says nothing at the top.
    Thanks
     

    Attached Files:

  26. pierce

    pierce Private E-2

    Sorry I forgot to post the new hjt log for the user we were working on. I have attached to this one. The hjt file i posted on last entry was a new one for the last user on this computer that we have not worked on yet.
     

    Attached Files:

  27. pierce

    pierce Private E-2

    I have gotten everything back to normal again! I can change the wallpaper on each account! Thanks a million! Now I need help with one last thing. Like I have said earlier, when I click on Start and then Search it opens up a window and at the top left there is just a picture of an opened folder. On the left there is a box that says Search Companion (it is there when I click on the magnifying glass) but there are no links anywhere to tell it where or what I want to search for. When I click on the magnifying glass again the Search Companion window on the left closes. Beside the magnifying glass there is a folder and if I click on it, in the left window it opens up folders like: desktop, my documents, etc. The only way I can do a search is clicking on those folders, and I have to do a manual search and cannot instruct it to search files and folders, etc. for any specific files. Any ideas?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this first!

    Click Start, Run, and enter regsvr32 urlmon.dll then click OK!
    Click Start, Run, and enter regsvr32 jscript.dll then click OK!

    Any change? If not, try the steps below.

    NOTE: You may need your Windows XP CD-ROM to finish installing Search Companion.

    - Open Windows Explorer and navigate your way to c:\windows\inf
    - locate the file named Srchasst.inf
    - Right-click the Srchasst.inf file, and then click Install. This reinstalls the files that Search Companion uses.

    I'm not sure this will fix the problem. There could be a registry entry hiding it. But let's see if it helps. There is a link I found for reverting to the old style search interface: http://www.ozzu.com/ftopic39548.html
     
  29. pierce

    pierce Private E-2

    Fantastic! That did the trick. One last question. Did you have a chance to look at the last 2 hjt logs that I posted? Just wanted to make sure there is nothing left that I need to delete before I give this computer back to the boss's sister. I thank you for all the help you have given me the computer is doing so much better.
    Stacey
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Stacey,

    Yes there are some items to fix in the joseph log. The amanda2 log is clean.

    In the joseph log:

    Any idea why wmplayer appears like this? It looks suspicious to me.
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKCU\..\Run: [Aogfnt] C:\Program Files\Axsgmg\Aufiip.exe
    O4 - HKCU\..\Run: [Msd] C:\WINDOWS\System32\Aue.exe
    O4 - HKCU\..\Run: [Uig] C:\WINDOWS\System32\Faf.exe
    O4 - HKCU\..\Run: [Tie] C:\WINDOWS\System32\Akh.exe
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.vxiframe.biz
    O15 - Trusted Zone: *.ysbweb.com

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\TV Media <-- the whole folder
    c:\windows\system32\saie.exe
    C:\Program Files\Axsgmg <-- the whole folder
    C:\WINDOWS\System32\Aue.exe
    C:\WINDOWS\System32\Faf.exe
    C:\WINDOWS\System32\Akh.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
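    The HijackThis fix lists in posts 5 and 30 are built by reading entry lines by hand. As an added example (my own code, not a MajorGeeks tool or anything from this thread), the parser below turns such lines into records and flags the entry kinds the helpers keep asking to fix: orphaned "(file missing)" entries, O4 Run values that name a bare file rather than a path, O15 Trusted Zone additions, and browser start page overrides. The sample lines are constructed from entries quoted in this thread, and reading an O15 line without an (HKLM) marker as the per-user zone map is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entry lines in the shape of those quoted in this thread.
SAMPLE_LOG = "\n".join([
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)",
    r"O2 - BHO: (no name) - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)",
    r"O4 - HKCU\..\Run: [Usrr] C:\WINDOWS\System32\rpen.exe",
    r"O4 - HKCU\..\Run: [Jo5sRRfmO] lanptnet.exe",
    r"O15 - Trusted Zone: *.slotchbar.com (HKLM)",
    r"O15 - Trusted IP range: 66.197.161.149",
    r"O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)",
])

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O15_RE = re.compile(r"^Trusted (Zone|IP range): (\S+)(?: \((HK\w+)\))?$")
O23_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
R_RE = re.compile(r"^(HK\w+)\\(.*?),(.*?) = (.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str           # R0, O2, O4, O15, O23, ...
    raw: str               # the original log line
    hive: str = ""         # HKLM / HKCU where the line says so
    name: str = ""         # Run value name, BHO name, service name, or setting name
    path: str = ""         # file path, domain/IP, or setting value
    flags: list = field(default_factory=list)


def clean_path(s):
    """Drop HijackThis's '(file missing)' / '(no file)' markers from a path field."""
    s = s.replace(" (file missing)", "").strip()
    return "" if s == "(no file)" else s


def parse_line(line):
    """Parse one HijackThis line into an Entry; non-entry lines (header, blanks) give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section=section, raw=line.strip())
    if "(file missing)" in body or "(no file)" in body:
        e.flags.append("orphaned: referenced file is absent, entry is safe to fix")
    if section == "O4" and (m4 := O4_RE.match(body)):
        e.hive, e.name, e.path = m4.group(1), m4.group(3), clean_path(m4.group(4))
        if not ABS_PATH_RE.match(e.path):
            e.flags.append("bare file name: located via search path, not a fixed location")
    elif section == "O2" and (m2 := O2_RE.match(body)):
        e.name, e.path = m2.group(1), clean_path(m2.group(3))
        if e.name == "(no name)":
            e.flags.append("unnamed BHO")
    elif section == "O15" and (m15 := O15_RE.match(body)):
        # Assumption: an O15 line without an (HKLM) marker is the per-user zone map.
        e.hive, e.path = m15.group(3) or "HKCU", m15.group(2)
        e.flags.append(f"trusted {m15.group(1).lower()}: IE security lowered for this host")
    elif section == "O23" and (m23 := O23_RE.match(body)):
        e.name, e.path = m23.group(1), clean_path(m23.group(3))
        if m23.group(2) == "Unknown owner":
            e.flags.append("service with unknown owner")
    elif section in ("R0", "R1") and (mr := R_RE.match(body)):
        e.hive, e.name, e.path = mr.group(1), mr.group(3), mr.group(4)
        e.flags.append("browser setting override: confirm the user chose this value")
    return e


def review_list(log_text):
    """Return only the entries that carry at least one flag, in log order."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None and e.flags]


if __name__ == "__main__":
    for e in review_list(SAMPLE_LOG):
        print(e.section, e.path or e.name, "->", "; ".join(e.flags))
```

Flagged entries are still only candidates for review; as the thread shows, the decision to fix a line still comes from checking the referenced file and who installed it.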
     
  31. pierce

    pierce Private E-2

    Again a big thank you for all of your help on getting this computer going again. I have attached hopefully the last hjt log that I will need to post! I did not find the 04 tv media\tvm.exe in the log nor did I find when going into safe mode the aue.exe, faf.exe or akh.exe. I do not know why wmplayer appeared the way that it did. I left that file alone, should I delete or just leave it?

    Thanks a bundle!
    Stacey
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are you running HSremove in between posts? You should only run what I ask you to run. There was never any reason for you to be running this. It is only for HSA hijacker problems.

    Fix the two below lines using HijackThis.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

    Now you should check out the below link and make sure you have completed all those steps:

    How to Protect yourself from malware!
     
  33. pierce

    pierce Private E-2

    I am not sure why that came up in hjt log because I didn't run the program. I cleaned the files you told me to and then ran cc cleaner and that was it.
    Thanks again
    Stacey
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange! You must have run it earlier though and it had it in a history of start pages I guess.

    You're welcome.
     
  35. USTEGMEN

    USTEGMEN Private E-2

    Ran HijackThis and after that the results are:

    Edit by chaslang: Unrequested inline log removed. Please do not thread hijack. Post in your own thread after reading the Announcement and reading and running the steps in the sticky threads.


    Please help me!!!!! My desktop is locking, my mouse right click is off. Please help me!!!!!!
     
    Last edited by a moderator: May 3, 2005
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please start your own thread but follow the steps in RED first.
     
