Attune

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jud149, Aug 17, 2005.

  1. Jud149

    Jud149 First Sergeant

    While cleaning the registry in my Windows '98 system, I notice Attune's presence. I've read here that this is a mild form of spyware. Should I delete this stuff??
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Jud149

    Jud149 First Sergeant

    Actually, I've done that, bj. My log was reviewed by SPD and D3m3ntd of software forum on Tuesday regarding possible malware and they said I was clean. This Attune has been in my registry for as long as I can remember (years) and I just read a thread here today saying this was a mild form of spyware. That's why I posted. (My system is Windows '98.)
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, go ahead and attach a current HJT log so I can confirm you're clean and we will go from there.
     
  5. Jud149

    Jud149 First Sergeant

    HJT log attached.
     


  6. Jud149

    Jud149 First Sergeant

    Hi BJ, just wondering if you came up with anything on this yet.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh HJT log as the previous one is a few days old.
     
  8. Jud149

    Jud149 First Sergeant

    HJT Attached!
     


  9. Jud149

    Jud149 First Sergeant

    Not sure if this belongs here or not, but I see it in 2 other posts here which I cannot access. Anyway, I updated Spybot Sat. pm, ran it and came up with DSO Exploit. Ran it again and it was gone. Am I okay?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If it does not come back then you should be ok.

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files HJT\Common Files\Microsoft Shared\Stationery\Blank.htm

    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} -
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} -

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete the above, reboot and attach a fresh HJT log.
     
  11. Jud149

    Jud149 First Sergeant

    Okay BJ, all steps performed. However, I did get a "program has performed illegal function" after doing "cleanmgr", but appears cleaning took place as files are zeroed out. Fresh log attached. Thanks! (Windows '98)
     


  12. Jud149

    Jud149 First Sergeant

    In going thru my registry just now, I noticed a lot of items with sex in the title along with "coolweb search" related items. I thought I had this cleaned up. Is this normal?? I don't visit porn sites.
     
  13. Jud149

    Jud149 First Sergeant

    I'm attaching another log dated about 22 hours after the one below as RO - HKCU\software\microsoft... HJT\common files that you had me delete is back. There is also a very similar entry of an 04 Rund1132 item.
     
  14. Jud149

    Jud149 First Sergeant

    Make that a very similar DOUBLE entry of an 04 Rund1132 item.
     
  15. Jud149

    Jud149 First Sergeant

    Forgot to attach the log.
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can have HJT fix the below entry:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files HJT\Common Files\Microsoft Shared\Stationery\Blank.htm


    Are you having any current malware issues?
     
  17. Jud149

    Jud149 First Sergeant

    This is the item I had HJT fix once and then it came back. I have no malware issues that I know of other than the sex items and CWS crap reappearing in my registry. Is this normal? I manually cleaned out all I could find this am and nothing has come back yet. Also, can I manually delete all attune items (about 20) in my registry? Thanks for your help!
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would make a backup of the registry before I removed anything.
     
  19. Jud149

    Jud149 First Sergeant

    Yes, BJ, I'll back up my registry before deleting items. At this point, my questions are: (1) what do I do about Attune, and (2) is it normal to continue to get sex related items and CWS crap in my registry when I do not visit porn sites? Thanks for the help!
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's just about impossible to get each and every registry entry created from malware infections. Different programs will detect different things.

    Download Spy Sweeper 4.0.3.405 and install it.

    After you install make sure you get the updated spyware definitions. Then do a full sweep removing all infections. After you remove the infections with SpySweeper, reboot and see if things look better!
     
  21. Jud149

    Jud149 First Sergeant

    I've had Spy Sweeper for the last year and decided not to renew it last week when it ran out. It didn't pick up any of these items anyway. Nothing has so far. Actually, Web Root does not recommend the new version of SS for '98 as it takes forever to boot up. They told me to use the old version which I doubt they maintain very well at this point. That's why I let it go. I guess '98 is just getting too old for these companies to fool with.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The only other thing is to copy the keys here so I can confirm what you're removing.
     
  23. Jud149

    Jud149 First Sergeant

    I don't know what you mean by copying the keys, BJ, but how about this? I go into IE programs and delete a file named Aveo which is Attune. Then I go into regedit and use "find" to locate all Attune items and delete them. There are about 20. Perhaps they won't be there after I delete the IE program. I don't know. Anyway, these are the only places I find this stuff. My registry will be backed up. What is your opinion of this? If you think I'm crazy, just tell me. You won't be the first to do so.
    BTW, I have a thread in the software forum trying to find out if I can back up my registry ('98 Windows) other than by using "scanreg/restore" on boot up. No one has responded and I was wondering if you know.
    Thanks again, BJ, for all your help on this.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    In the registry you should be able to right click and select copy key name. If you’re comfortable with removing entries in the registry go ahead but be careful what you remove.

    The file you mentioned can be deleted.
     
  25. Jud149

    Jud149 First Sergeant

    Okay, I've deleted all Attune that I can find, so we'll see how it goes now. The only problem, or possible problem, I see now pertains to Spyware Blaster. After protection is enabled, I can return at a later time and find that the protection status entitled "0 items have protection disabled" has been changed to reflect items where protection has been disabled. Do you know what might be happening here? As always, many thanks!
     
  26. Jud149

    Jud149 First Sergeant

    Well, BJ, I just looked in my registry and see all the porn crap that I deleted is back. Do you, or does anyone else, have any idea where this comes from?
     
  27. Jud149

    Jud149 First Sergeant

    And COOLWEBSEARCH is also back in my registry. However, there are no additional items in my HJT log and it does not seem to affect my system's operation. I just can't get rid of it.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    After you complete the above, reboot and let me know if anything was found.
     
  29. Jud149

    Jud149 First Sergeant

    I updated and ran scans with both. Spybot was clean and Ad-Aware SE came back with 5 negligible items (fixed) which were indicated as no threat with a TAC level of 0.
     
  30. Jud149

    Jud149 First Sergeant

    The problem is solved, BJ. I've just been informed that the CWS/porn entries are put in the registry by Spybot when you immunize. That's why they kept coming back after I would delete such items. Thanks very much for your help and sorry I wasted your time.
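
Added example, not part of the original thread: one way to tell protective block-list entries from a hijack when adult or CoolWebSearch-style names show up in a registry search. It assumes the entries sit under Internet Explorer's `ZoneMap\Domains` key, where zone value 4 means Restricted sites and 2 means Trusted sites; the function name and the sample export are constructed for illustration.

```python
import re

# Internet Explorer security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of a REGEDIT4 export (not taken from the thread).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-adult-site.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-search-hijack.test\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-unknown.test]
"http"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')
MARKER = "\\zonemap\\domains\\"

def classify_zonemap(reg_text):
    """Return (domain, protocol, zone_name, verdict) for each ZoneMap\\Domains value."""
    results, domain = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            idx = key.lower().find(MARKER)
            # Subkeys are stored as domain\subdomain; rebuild subdomain.domain.
            domain = None if idx == -1 else ".".join(
                reversed(key[idx + len(MARKER):].split("\\")))
            continue
        m = VAL_RE.match(line)
        if m and domain:
            zone = int(m.group(2), 16)
            if zone == 4:
                verdict = "block-list entry (site is restricted)"
            elif zone == 2:
                verdict = "review: site was granted trusted status"
            else:
                verdict = "other"
            results.append((domain, m.group(1), ZONES.get(zone, "unknown"), verdict))
    return results

if __name__ == "__main__":
    for row in classify_zonemap(SAMPLE_REG):
        print(row)
```

Entries reported as Restricted sites are blocks placed on those domains; an unfamiliar domain listed under Trusted sites is the case that merits a closer look.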
     
