Am I safe now (HijackThis log and my Bitdefender log)

Discussion in 'Malware Help (A Specialist Will Reply)' started by ofthedead, Jan 15, 2006.

  1. ofthedead

    ofthedead Private E-2

    Am I safe now (HijackThis log and my Bitdefender log)

    Hello
    I just went through the scanning procedures to remove malware and such from (http://forums.majorgeeks.com/showthread.php?t=35407).

    I am posting my HijackThis log and my Bitdefender log, to see if you can tell me if my system is now free of any of the problems I was encountering.

    To give you some background info, this computer was infected with a Trojan a few months back. The Trojan dumped tons of spyware on my computer. A few days later I had a friend that did a good job at removing the Trojan and most of the spyware that it placed on my computer. But I have had a recurring problem with the following spyware (Aproposmedia, Cydoor, Targetsaver). They cause my computer to crash about 2 times a day. I was running two anti-viruses on my computer for well over a year. One was AVG and the other was AntiVir. But after reading information on this web board I see that this was a mistake and that I should only be running one, so I uninstalled AVG.

    So I have followed all of the removal instructions from this web board the best I could. So any additional help and tips would be great.

    Thanks
     

    Attached Files:

  2. ofthedead

    ofthedead Private E-2

    my Bitdefender log
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the below 2 entries and your HJT log will be clean.

    After you complete the above, please download AproposFix by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe (which will give you a choice of where to unzip/install the program to). This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file that has been created in the aproposfix folder.
     
  4. ofthedead

    ofthedead Private E-2

    ok.... any more???? :)
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  6. ofthedead

    ofthedead Private E-2

    Ok it said it did not find anything … this is the log and I did another HijackThis log as well…. any more????
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, you can uninstall Ewido now. Also, I would recommend you run CCleaner to clean up any junk files.

    Are you having any current problems?
     
  8. ofthedead

    ofthedead Private E-2

    As of right now I have no problems… so it looks like everything has been cleaned out… if I have any more problems with it crashing in the next few days I will post back.

    Thank you for your help
    :) ;) :D
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  10. ofthedead

    ofthedead Private E-2

    Ok .. I forgot to disable System Restore before I did a reboot. I was not thinking right…. so I notice after I do a reboot that Microsoft AntiSpyware is not up in the right hand side of my task bar. So I open up Microsoft AntiSpyware and do a scan and it finds Aproposmedia. So what should my next step be? Start all over? Or is there another spot I should start at? Or any other program to run?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall MSAS so it won't block anything to do with this fix. Download and run the AproposFix as requested a few posts back.

    Afterwards attach this log.
     
  12. ofthedead

    ofthedead Private E-2

    ok .. the AproposFix log and a new HijackThis log.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can now reinstall MSAS, can you advise what was being detected?
     
  14. ofthedead

    ofthedead Private E-2

    MSAS just called it Aproposmedia.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After you reinstall MSAS, see if it still detects it. If it does see what you can find out about the detection, (registry entry, file).
     
  16. ofthedead

    ofthedead Private E-2

    The first scan I just did with MSAS crashed out the computer. (I was still on line when I did the scan)
    The second scan gave me this (the computer had restarted and I did this scan... not online)

    Aproposmedia (browser modifier)

    HKEY_LOCAL_MACHINE\Software\aprps

    HKEY_LOCAL_MACHINE\Software\aprps\Client PartnerIdWB.VER2



    MSAS information
    AproposMedia

    Type: Adware
    Adware is generally software that displays advertisements. Some advertisers may covertly install adware on your system and generate a stream of unsolicited advertisements that can clutter your desktop and affect your productivity. The advertisements may also contain pornographic or other material that you might find inappropriate. The extra processing required to track you or to display advertisements can tax your computer and hurt your system performance.

    Category: Browser Modifier
    Software that changes browser settings, such as the homepage, without adequate consent.

    Threat level: Severe
    Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Author: Peopleonpage, Inc

    Description: AproposMedia is a browser modifier that installs with PeopleOnPage (POP). AproposMedia displays pop-up advertisements and changes browser settings.
     
  17. ofthedead

    ofthedead Private E-2

    What should my next step be :confused:
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Once again, uninstall MSAS so it will not block this fix. Afterwards reboot into Safe Mode and follow the below.

    Before you start this, print or save these instructions because you will need to CLOSE ALL browsers, even the one you're reading in now.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    After you complete the above, reboot and let me know how things are running.
     
  19. ofthedead

    ofthedead Private E-2

    Just finished everything.
    Things look like they are running fine, but for the most part it is always fine right up until it crashes. Since the first post I have had it crash 2 times so I figure if it is not fixed it will crash before this time tomorrow. Do you have any other steps for me to do until then? Should I reinstall MSAS? Or should I wait a day or so?
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    When you say "crash" what are you referring to?
     
  21. ofthedead

    ofthedead Private E-2

    Sometime in the afternoon or early morning, the computer will give a blue screen of death. Don’t know what the error is because the system will reboot (not like I would know what the error meant anyway). I figure that this is my antivirus or the anti-spyware attempting to stop the AproposMedia program but I don’t know. I do know that sometimes it will crash if I do the deep scan setting in MSAS. It will find AproposMedia, then it will say it's looking to try to figure out what it will do with it, and then it will freeze and then give a blue screen and restart. Now it does not always do that and I have deleted AproposMedia every other day since September. Sometimes MSAS will find Cydoor and/or Targetsaver, but MSAS will always find AproposMedia. And when I had AVG on my system, AVG would freeze sometimes and then the computer would go to blue screen and restart.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Next time you see the blue screen, copy down the EXACT error message including the "0x00000". Copy as much information as you can.

    Please see the below thread on how to install and run Spy Sweeper.

    Running Spy Sweeper...
     
  23. ofthedead

    ofthedead Private E-2

    I used Spy Sweeper at one point (back when this first happened). I uninstalled it after the trial was done. So this time when I went to reinstall it … I was told my trial period is up.. so it looks like I can't use that again without paying. If I see the blue screen again I will try to copy something down. But it is gone so fast (and most of the time I am not at the computer) so I don’t know how much I will get to copy.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Blacklight to its own folder...

    F-Secure Blacklight

    After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post and then follow the below.

    Please see the below thread on how to run WinPfind and attach the log.
     
  25. ofthedead

    ofthedead Private E-2

    should i do this in safe mode? or normal?
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Doesn't really matter.
     
  27. ofthedead

    ofthedead Private E-2

    Blacklight log.. and I am now starting WinPfind
     

    Attached Files:

  28. ofthedead

    ofthedead Private E-2

    my winpfind log
     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper


    Next, copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\pqJol This may be a file or it may be a folder, delete whichever you find!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\bajea.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system\ftitho.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, attach a fresh HJT log and let me know how things are running.
     
  30. ofthedead

    ofthedead Private E-2

    my new HJT log
     

    Attached Files:

  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HJT and have it fix the below two entries:

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After you fix the above entries, your logs will be clean.

    Are you having any further problems?
     
  32. ofthedead

    ofthedead Private E-2

    Ok a new HJT log (just in case)
    It looks like my computer is running fine now. If it crashes again I will come back and let you know.

    Now that it looks like all malware is gone should I disable system restore and reboot? And then re-enable system restore?

    And then should I reinstall MSAS

    Or is there something I should do first?
     

    Attached Files:

  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally, I don't use MSAS because it's still in BETA, which means it still has a few bugs in it. I use AVG, ZoneAlarm and Spy Sweeper and haven't had any problems; however, it's up to you whether you install it or not.

    Yes, disable System Restore, reboot and then re-enable system restore. After you have completed the above, let me know of any problems and if the BSOD message comes back copy the exact message and post it here.
     
  34. ofthedead

    ofthedead Private E-2

    Thank you for all of your help
    If I have any more problems with it crashing in the next few days I will post back and let you know
    :D
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  36. ofthedead

    ofthedead Private E-2

    Well it crashed again today.
    The blue screen was only up for a split second. So I got the best info I could from it.

    It went something like this…
    0x0000(at lest this many zeros maybe more and then) 50 0x0000 0x0000



    that’s what I know I saw. There could have been more to it and I am sure there was more on the screen. I know that’s not much but the screen is gone so fast that I would have to have a camera for a brain to figure out everything.

    I have also noticed something strange. When I reinstalled MSAS it still had my settings from before I had uninstalled it…. Including how many times it has removed spyware. I would think that uninstalling it would have removed this information? Could MSAS be saving part of the malware? I know that it is a beta program and that there are other programs I should use, but it is free... and I have no money so free is good for me.

    MSAS also found apropos media again … but this just made the computer crash again. So that makes 2 times today.


    Another thing I have noticed (especially when I am online) ….. when I am sitting idle my mouse cursor will flicker into the hourglass … it will do this a lot … like something is opening or just working to do something.


    Any more ideas what I should do?
    I would hate to have to reformat this computer.
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If possible I need the EXACT error message, all of the digits.

    It sounds as if MSAS is causing some of your problems; I would do away with it for a while and see how things run. Also see about getting Spyware Blaster & Spyware Guard for a little more protection. They use very few resources and protect you very well. If you want to purchase something, SpySweeper is for sure the best there is for malware protection. Make sure your OS & AV are up-to-date and active.

    For the detection, copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    If you like, run WinPFind again and attach the log, just to see if anything has returned.
     
  38. ofthedead

    ofthedead Private E-2

    Ok
    This is my WinPFind log…

    The blue screen was only up for a split second but if it happens again I will try to get more numbers.

    So I have uninstalled MSAS and after doing so I see that it still keeps files on the hard drive even after uninstalling it…. So I deleted those files.

    I have also installed SpywareGuard and SpywareBlaster. If there are any instructions for me to know about how to run these programs the correct way please let me know. Or if there is something special I need to set.


    I still need to update Windows. I am on 56k dial up so I normally wait till I drag my computer over to my friend's house (he has cable) … but I will start the update tonight if you feel I need to.

    Another thing … a few posts back you told me to delete C:\WINDOWS\pqJol. When you told me to do this I did not find that file. But I had my antivirus up (I use AntiVir) and it showed the last scanned file as C:\WINDOWS\pqJol. So I went and looked and now it is sitting there. Should I delete it now? Or not? I should add that AntiVir is doing nothing to it… but it scans it every few files.
     

    Attached Files:

  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those two programs, you simply update and enable all protection. That's all you have to do, they do everything for you.

    Do this quick like, download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter Aprps and post back with the results in this thread (call it regsrch.txt).
     
  40. ofthedead

    ofthedead Private E-2

    Ok my regsrch log
     

    Attached Files:

  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the AproposFix by Swandog46 or locate it from before.

    Reboot into Safe Mode!

    Locate the following file and delete it, be sure you have the viewing of hidden files and folders enabled.

    C:\WINDOWS\pqJol

    Now Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Aprps

    Right click on Aprps and select PERMISSIONS. Click on EVERYONE and select FULL CONTROL. Click OK to exit!

    Now right click on Aprps and delete it!

    After you complete the above, run the fix tool and attach the log to your next post.
     
  42. ofthedead

    ofthedead Private E-2

    I could not select FULL CONTROL for the settings under CREATOR OWNER
     

    Attached Files:

    • log.txt
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize for the confusion, when I said "Everyone" I meant the username not literally everyone.

    Try it again and see if you can manually remove them.
     
  44. ofthedead

    ofthedead Private E-2

    I don’t think it worked I can still see

    C:\WINDOWS\pqJol
    And
    HKEY_LOCAL_MACHINE\SOFTWARE\Aprps
     
  45. ofthedead

    ofthedead Private E-2

    it won't let me post the log... tells me I have posted it before
     
  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete that file, it won't come back. Did you delete the registry entries?

    To attach them, rename them; if that doesn't work, get new logs.
     
  47. ofthedead

    ofthedead Private E-2

    Hi
    Sorry but I don’t think I was specific enough with my last post. I did delete the file C:\WINDOWS\pqJol and I removed the registry entries ...and I ran the fix tool. I have actually attempted this several times but when I boot back into normal mode, the file and the registry entries come back. I think I am following a step the wrong way or I have not given you the right information. So I will run you through what has happened: when I boot into safe mode, I have two choices... Administrator, which requires no password, and the second is Lord Vigo. The setting Lord Vigo requires a password and is the normal login that I use when I have Windows in normal mode (this way people in my house don’t get on my computer and get online without me knowing). Now I have attempted to remove the problem in both modes with the same results. When I go back to normal Windows mode they come back… so I think I am doing a step wrong.

    When I go to the regedit

    and then Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Aprps

    then I Right click on Aprps and select PERMISSIONS. …. But I do not have an EVERYONE setting…????

    when I go to permissions, I do not have the setting for EVERYONE …but I do have the following under the (Group or user names)

    Administrators (OFTHEDEAD\administrator)
    Creator owner
    Lord Vigo (OFTHEDEAD\ Lord Vigo)
    System
    Users (OFTHEDEAD\ Users)

    I can set FULL CONTROL for all of them except
    Creator owner


    I hope that this is the info you need to see what I am doing wrong… I don’t know where I am supposed to put the setting for FULL CONTROL …. And I can't set the setting FULL CONTROL on the (Creator owner) setting.
     
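The permission step from the fix above, as an added example that is not from the thread or from any MajorGeeks tool: it reports whether the two remnants the thread names (C:\WINDOWS\pqJol and HKLM\SOFTWARE\Aprps) exist, shows who holds rights on the key, grants the logged-on account Full Control (the account the helper meant by "EVERYONE"), and removes both. It assumes an elevated PowerShell prompt; CREATOR OWNER is an inheritance placeholder whose rights only flow to keys created later, which is why it cannot be used to unlock the key itself.

```powershell
# Added example, not code from the thread. Run elevated (Safe Mode, per the thread).
# The two paths are the ones quoted in the thread.
$AproposFile = 'C:\WINDOWS\pqJol'
$AproposKey  = 'HKLM:\SOFTWARE\Aprps'

function Get-AproposStatus {
    # Report presence of the file/folder and the key, plus the key's owner and ACL.
    $status = [ordered]@{
        File        = $AproposFile
        FilePresent = Test-Path -LiteralPath $AproposFile
        Key         = $AproposKey
        KeyPresent  = Test-Path -LiteralPath $AproposKey
        Owner       = $null
        Access      = @()
    }
    if ($status.KeyPresent) {
        $acl = Get-Acl -LiteralPath $AproposKey
        $status.Owner  = $acl.Owner
        $status.Access = foreach ($ace in $acl.Access) {
            # CREATOR OWNER entries here only shape inheritance; they grant nobody rights now.
            '{0} {1}: {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights
        }
    }
    [pscustomobject]$status
}

function Grant-CurrentUserFullControl {
    # The "select EVERYONE / FULL CONTROL" step, applied to the real logged-on account.
    # Ownership is taken first so the ACL can be changed even if the key is locked down.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -LiteralPath $AproposKey
    $acl.SetOwner([System.Security.Principal.NTAccount]$me)
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList @($me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $AproposKey -AclObject $acl
}

function Remove-AproposRemnants {
    # Remediation from the thread: delete the file (or folder) and the key, then re-report.
    # If both are back after a reboot into normal mode, something still running recreates them.
    if (Test-Path -LiteralPath $AproposFile) {
        Remove-Item -LiteralPath $AproposFile -Recurse -Force
    }
    if (Test-Path -LiteralPath $AproposKey) {
        Grant-CurrentUserFullControl
        Remove-Item -LiteralPath $AproposKey -Recurse -Force
    }
    Get-AproposStatus
}

# Default run only reports; call Remove-AproposRemnants to actually clean up.
Get-AproposStatus | Format-List
```

Run Get-AproposStatus again after the reboot: the thread's real question is not whether the key can be deleted but whether it reappears, which points to a still-active component rather than a permissions mistake.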
  48. ofthedead

    ofthedead Private E-2

    As for attaching the log… it will not let me, even if I change the name.. I have even reinstalled the fix and did the scan all over… then I changed the name… and it still will not let me post the log…

    This is what I just got the last time I tried with a brand new scan and a new name that I had never tried before.

    Upload Errors
    newlognot old log.txt:You have already attached this file in thread
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Blacklight to its own folder...

    F-Secure Blacklight

    After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post along with a fresh HJT log.
     
  50. ofthedead

    ofthedead Private E-2

    Here are the logs you asked for
     

    Attached Files:
