Bad Spyware Trouble

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by alexperry, Sep 26, 2004.

  1. alexperry

    alexperry Private E-2

    So I've been having a lot of spyware trouble recently, and I'm turning to you guys who can probably help me sort it out. My brother (irresponsible internet user that he is) got MSN Messenger Plus! and with it all the spyware programs that come too... I have tried valiantly to get rid of these programs over the past three days, but have had little success.

    I've used "Spybot: Search and Destroy," "Pest Patrol," "Spyware Nuker," "Spyware Sweeper," and "Adaware" (and accompanying programs after reading your article about loading the computer back in to safe mode and then running the programs etc.) but there are still some left, and try as I might I can't get rid of them...

    And so now I turn to more knowledgeable people, you. I'm getting pretty desperate now...I just want this stuff gone.

    Regards,

    Alex
     
  2. alexperry

    alexperry Private E-2

    Addendum:

    My main problem seems to be the "MySearchNow" toolbar. None of my programs seem to detect it, but I know it's there because I can *see* the bloody thing...

    Also, I think it's broken. I can't get it to close, whereas before I could...

    Regards,

    Alex
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    These can also be found in add\remove programs under various names. I have had good luck removing from add\remove programs, then doing a complete scan.
     
  4. eclayton

    eclayton Sgt. Shorts-cough

    If I remember correctly, Spyware Nuker actually puts spyware on your system.....:( Get rid of it immediately. Not sure about Pest Patrol or Spyware Sweeper, but what I do know is that Ad-Aware and SpyBot are more than sufficient for removing spyware. Also get Spyware Blaster, which will keep spyware off your machine, and make sure you use Spybot's Immunize feature to do the same thing.
     
  5. alexperry

    alexperry Private E-2

    Okay...Spyware Nuker is uninstalled...

    I can't really see anything out of place in the "Add/Remove Programs" file...should I be looking for something specific?

    I keep running Adaware, Spybot Search and Destroy and Pest Patrol, and none of them seem to be able to find the spyware that I can see at this very moment...and which is slowing down my browser a lot...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never mentioned the rest of the items here READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    Have you run all the steps?

    If so, after reading the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    Post your HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    DO NOT run Hijack This from the Desktop, a temp folder or choose to run from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  7. alexperry

    alexperry Private E-2

    I followed all of the steps in the "Read Me First" thread to no avail and so...

    Attached is my "Hijack This!" Log...

    Alex
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read the red bold print in my previous message again.

    You have these two items running:
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe

    That's two Internet Explorer sessions. Internet Explorer is a browser.

    Also I see no sign that you ran the TrendMicro online scan. Why did you skip it? Did you skip anything else?

    You should also go to this link: http://www.answersthatwork.com/Tasklist_pages/tasklist_m.htm
    and scroll down to MotiveSB.exe and read about this. It probably came from your ISP. I'm not saying that you absolutely must remove it (many places do say that) but you should look into disabling it from loading at startup by using msconfig. That way if it is needed for your connection to work properly you can just re-enable it.

    I will address other items in your log in my next message.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.juzserfcnhkblwtltnodsvmfu.info/EshC/9Q7mkQKO9scRSd_lvACg06Ef_K/9LQNi0bNBO80nlhwYEo3pwxnO/x83bnY.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
    O2 - BHO: (no name) - {0253959B-D928-DA59-A104-36D528CF110C} - C:\PROGRA~1\UPONLI~1\Obj owns.exe
    O4 - HKLM\..\Run: [Else scr] C:\PROGRA~1\IdleMpeg\Save store.exe
    O4 - HKLM\..\Run: [Cornantiheckgpl] C:\Documents and Settings\All Users\Application Data\burnusercornanti\OptionMeet.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1677e6e1e14e2d927420/netzip/RdxIE601.cab

    Boot in safe mode and use Windows Explorer to delete:
    C:\PROGRA~1\UPONLI~1\Obj owns.exe
    C:\PROGRA~1\IdleMpeg\Save store.exe
    C:\Documents and Settings\All Users\Application Data\burnusercornanti\OptionMeet.exe

    Reboot in normal mode and let me know how things are working.


    Questions:

    Do you know what this FlashInstaller program is? Is it something for your Alcatel modem?
    O4 - HKLM\..\Run: [FlashInstaller] D:\flashstart.exe D:\D:\start.exe run

    Did you put the two below restrictions in place using SpyBot or another similar program?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
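The fix list above is built by reading HijackThis output line by line: each entry starts with a section tag (R0/R1 for search and start-page settings, O2 for browser helper objects, O4 for autostart entries, O9 for toolbar buttons, O16 for ActiveX downloads) followed by the key or CLSID and the target file or URL. The small parser below is an added example written for this thread, not HijackThis's own code; it takes the log lines quoted in the post above as constructed input and applies a few triage heuristics of my own (dangling "(no file)" / "(file missing)" references, DOS 8.3 short-name paths such as PROGRA~1 that hide the real folder name, autostarts launched from user-writable data folders). Those heuristics are the editor's assumptions, not HijackThis's detection rules, and they only pick out lines for a human to inspect.

```python
"""Tiny HijackThis-style log parser with triage flags (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the log lines quoted in the post above, plus the later
# "(file missing)" BHO entry from the same thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.juzserfcnhkblwtltnodsvmfu.info/EshC/9Q7mkQKO9scRSd_lvACg06Ef_K/9LQNi0bNBO80nlhwYEo3pwxnO/x83bnY.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
O2 - BHO: (no name) - {0253959B-D928-DA59-A104-36D528CF110C} - C:\PROGRA~1\UPONLI~1\Obj owns.exe
O4 - HKLM\..\Run: [Else scr] C:\PROGRA~1\IdleMpeg\Save store.exe
O4 - HKLM\..\Run: [Cornantiheckgpl] C:\Documents and Settings\All Users\Application Data\burnusercornanti\OptionMeet.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O2 - BHO: (no name) - {0253959B-D928-DA59-A104-36D528CF110C} - C:\PROGRA~1\UPONLI~1\adminping.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<rest>.*)$")
# O4 entries look like: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<key>.*?\[[^\]]*\])\s*(?P<cmd>.*)$")
# A DOS 8.3 short-name path component such as \PROGRA~1\ or \UPONLI~1\
SHORTNAME_RE = re.compile(r"\\[^\\]{1,6}~\d+(?:\\|$)")


@dataclass
class HjtEntry:
    tag: str
    detail: str            # registry key, CLSID, or value name
    target: str            # file path, command line, or URL
    flags: list = field(default_factory=list)


def classify(entry):
    """Heuristic triage flags (editor's assumptions, not HijackThis rules)."""
    flags = []
    t = entry.target
    if "(no file)" in t or "(file missing)" in t:
        flags.append("dangling reference")
    if SHORTNAME_RE.search(t):
        flags.append("8.3 short-name path")
    if entry.tag == "O2":
        flags.append("BHO loaded into every IE process")
    if entry.tag == "O4":
        flags.append("autostart entry")
        if "Application Data" in t:
            flags.append("runs from user-writable data folder")
    if entry.tag in ("R0", "R1") and t.lower().startswith("http"):
        flags.append("search/start page override")
    if entry.tag == "O16":
        flags.append("ActiveX download (DPF)")
    return flags


def parse_line(line):
    """Split one log line into tag / detail / target; return None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag, rest = m.group("tag"), m.group("rest")
    if tag.startswith("R"):
        key, _, target = rest.partition(" = ")
        entry = HjtEntry(tag, key, target)
    elif tag == "O4":
        o4 = O4_RE.match(rest)
        entry = HjtEntry(tag, o4.group("key"), o4.group("cmd")) if o4 else HjtEntry(tag, rest, "")
    else:
        parts = rest.split(" - ")
        if len(parts) == 1:
            entry = HjtEntry(tag, parts[0], "")
        else:
            entry = HjtEntry(tag, " - ".join(parts[:-1]), parts[-1])
    entry.flags = classify(entry)
    return entry


def parse_log(text):
    """Parse a whole log into HjtEntry objects, skipping blank or unrecognised lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(text):
    """Only the entries that picked up at least one triage flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.tag:>3}  {e.target or e.detail}\n      -> {', '.join(e.flags)}")
```

Entries without flags (the R1 window-title line, the O6 Spybot restriction) are left alone, which matches the thread: those are the lines chaslang asked about rather than told the poster to fix.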
     
  10. alexperry

    alexperry Private E-2

    I had closed all the browser windows...I'm not stupid enough to ignore the big, fat red writing. I don't know why it said I didn't...maybe because Explorer had crashed a couple of times beforehand. I'll make sure nothing's running in Ctrl+Alt+Del when I next run "HijackThis!" (which should be in a couple of minutes to follow your instructions)

    I don't know what the Flash Installer is...I don't see how it could be connected to the modem...

    I'm pretty sure those restrictions are Spybot.
     
  11. alexperry

    alexperry Private E-2

    Well, I followed all your instructions. Some of the files didn't exist anymore, but I'd run Adaware a couple of times between when I posted the "HijackThis!" log and when I followed out the instructions so I assume those were swiped then.

    When I booted it in safe mode, the three files didn't exist. But what I did do was delete the whole "IdleMpeg" folder (which only seemed to appear on the first computer start-up after the spyware had been installed...go figure) and a folder called "up online great" whose empty contents and bizarre name made me doubt its right to be there...and the fact that it had been created at the same time as the "IdleMpeg" folder.

    I'm cautiously optimistic that it's gone...the browser's still a bit slow, but when I ran Adaware it found nothing (every time I ran it it found at least four things beforehand) and ran PestPatrol, which also found nothing...

    Obviously I'm holding out my judgement until the computer's been used and booted up a few more times...so I'll hold off my "Mega Thanks" until then. ;)

    Regards,

    Alex
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Post another HJT log and let's make sure everything is gone.

    By the way, I'm guessing that FlashInstaller is most likely a program to upgrade the flash firmware on your Alcatel modem.
     
  13. alexperry

    alexperry Private E-2

    My cautious optimism remains...it hasn't come back...

    "HijackThis!" log attached.

    Alex
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have HijackThis fix the below line (make sure all browsers are closed before fixing):

    O2 - BHO: (no name) - {0253959B-D928-DA59-A104-36D528CF110C} - C:\PROGRA~1\UPONLI~1\adminping.exe (file missing)

    Other than that, you're clean.
     
