Can't remove Adware.Wheaterbug.A and others. Please help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by papertrail, Aug 15, 2005.

  1. papertrail

    papertrail Private E-2

    I have run many scans and found the following:

    Adware.Wheaterbug.A (BitDefender)

    Virtual Bouncer, Websearch Toolbar, Weird on the Web, Overpro.com, ILookup.Begin2Search (Spy Doctor)

    None of these could be removed. Please advise. Thanks for your help!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. papertrail

    papertrail Private E-2

    Following are the scans that have been performed and the results:

    Spy Sweeper - Clean
    Microsoft AntiSpyware - Clean
    Trend Micro - Clean
    Webroot Spy Audit - Clean
    HSRemove - 8 items removed
    Spy Doctor - Begin2Search, OverPro.com, Virtual Bouncer, Websearch Toolbar, Weird on the Web, ILookup.Begin2Search (these were not removed because I am not registered)
    AdAware SE - Clean
    Spybot - Avenue A, Inc., DoubleClick, Fastclick
    Spyware Blaster - Clean
    ADS Spy - Clean
    CWShredder - Clean
    AVG - Clean
    BitDefender OnLine Scan - AOL Instant Messenger\AIM.exe=wise 0090=>wise 0008, Adware.Wheaterbug.A
    RAV Antivirus OnLine Scan - Clean
    Trojan Scan - Clean

    All scans were completed.

    HJT Log Attached. Thanks for your help.
     

  4. papertrail

    papertrail Private E-2

    Please use this HJT log instead of the one posted previously. I have now figured out how to extract the zipped files into a new folder.
     

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  6. papertrail

    papertrail Private E-2

    Panda ActiveScan Log attached. Thank you!
     

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode, navigate to and delete the following:
    (These may be files or folders)

    C:\WINDOWS\SYSTEM32\cache32_rtneg4

    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs


    After you complete the above, reboot and let me know if any problems remain.
     
  8. papertrail

    papertrail Private E-2

    I deleted the files as instructed. The problems are worse now after rebooting. There are more ads and I'm getting more warnings from Sygate about application hijacking.

    One file keeps trying to open but is blocked--General Host Process for Win32 Services (filename svchost.exe).

    I think Firefox has already been hijacked and I am not using it. The application tries to open without my initiating it, then asks me to click on a file.

    I think the antispyware programs installed on my computer are blocking many of the problems, but some are getting through.

    Thanks for your help.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's safe to allow, unless the svchost.exe is in another location other than the System32 directory.

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
  10. papertrail

    papertrail Private E-2

    I tried to attach the RKTool log but it isn't showing up here.

    I was not able to run Qoologic, even after shutting down anti-spyware programs. Any suggestions?

    Thanks for your help. I know you're busy.
     
  11. papertrail

    papertrail Private E-2

    Still trying to attach RKTools log. There is a message saying that I already attached the file in a previous thread (can't delete VX2 malware). This file has today's date in the file name. Now what?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help keep you moving along while BJ is not here:

    1) Give the file from RKtools a different name.

    2) Why can't you run Qoologic? Give an exact error message if you are getting one.
     
  13. papertrail

    papertrail Private E-2

    Thank you for your response.

    I tried several times again to attach the RKTools Log with different names. Still no luck! The last file name I tried was C:\8-19-05 MG Log.txt.

    When I try to run Qoologic, I get the message, "The process cannot access the file because it is being used by another process."
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post the RKfiles log in line.

    Reboot your PC and the first thing after reboot, run Qoologic Tool and then post its log.
     
  15. papertrail

    papertrail Private E-2

    Here is the RKTool Log and the Qoologic Log is attached. Thank you!

    Inline log attached!
     

    Last edited by a moderator: Aug 22, 2005
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Both logs are clean, are you still getting the notification?
     
  17. papertrail

    papertrail Private E-2

    I'm getting more ads and my computer is slowing down and freezing at times.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this file: mwav.exe

    This scan might take around 3+ hours to finish when set to scan everything.
    I need you to run MWav by double-clicking on mwav.exe.
    Put a check next to the below items before scanning:
    • Memory
    • Startup Folders
    • Drive - All Local Drives
    • Registry
    • System Folders
    • Services
    • Include Sub-Directory
    • Scan All Files
    Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

    **NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

    On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste the list in NOTEPAD using CTRL + V. After you complete this attach the log to your next post along with a fresh HJT log.
     
  19. papertrail

    papertrail Private E-2

    Thank you for your reply and detailed instructions. Is it best to run the scan in safe mode?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessary for MWAV. It will only report what it finds. It will not fix anything.
     
  21. papertrail

    papertrail Private E-2

    Thank you for your help! Attached is a fresh HJT Log. I've tried several times to attach the MWAV log. When it is uploading close to half way, a new page pops up saying, "The page cannot be displayed . . ." The file is 20.4 MB and my connection is dial-up. Any suggestions?
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help get that log here for BJ, I would suggest you compress the log from MWAV into a ZIP file and then upload the ZIP file. That will be much smaller and faster to upload.
     
  23. papertrail

    papertrail Private E-2

    Thank you ChasLang for trying to help. I'm still having trouble uploading.

    I compressed the MWAV file into a ZIP folder as directed and I still can't upload it. Now I am getting this message: "File too large. Limit for this filetype is 97.7 KB. Your file is 1.42 MB."
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I did not notice that your first post said 20 MB. You will never be able to upload that file. I'm not sure what is in it that is making it so big. I'm not sure you can even view the file to look at what is in it. You could try loading the log file into Wordpad to get an idea of what is on the first few pages.

    Let us know if you can do that.

    Have you updated and run a full scan with Ewido lately? Do you have a licensed version?
     
  25. papertrail

    papertrail Private E-2

    I ran a full scan with Ewido on 8/22 and it found "Spyware.Cookie.Esomniture." I do not have a registered version and it is about to expire or has already expired. Also, I believe Ewido has been hijacked. I have already deleted Spyware Doctor for the same reason.

    I will try now to copy the MWAV file into Wordpad and look at the first few pages.

    Thanks again for your help.
     
  26. papertrail

    papertrail Private E-2

    Well, I copied the MWAV log into Wordpad. It shows everything that was scanned for the whole 2-1/2 hours. The scan found 13 viruses. I must have done something wrong--I don't think this log is what BJ was asking for.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you post just the indications of what viruses it found? What files and where they were located?
     
  28. papertrail

    papertrail Private E-2

    Here's what I found:

    Thu Aug 25 15:11:55 2005 => System found infected with cws.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.

    Thu Aug 25 15:12:24 2005 => Offending file found: C:\WINDOWS\TEMP
    Thu Aug 25 15:12:24 2005 => System found infected with WhenU.SaveNow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.

    Thu Aug 25 15:12:26 2005 => Offending file found: C:\WINDOWS\TEMP
    Thu Aug 25 15:12:26 2005 => System found infected with WhenU.SaveNow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.

    I realize now that I did not follow BJ's instructions to the end. When the log popped up, I thought that was what he wanted. I think I will have to start over tomorrow, run the scan again, and try to follow the instructions again.

    Sorry!
     
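The three MWAV lines quoted above are the only part of a multi-megabyte log that matters for triage: a timestamp, an arrow, and either an "Offending file found" line naming a folder or a "System found infected with" line naming the detection, the file and the action. The following is an added example, not part of this thread and not code from MWAV or MajorGeeks; it assumes the line layout shown in the post and pairs each "Offending file found" folder with the detection line that follows it, so a reader on a slow connection could post just the findings instead of the whole log. The sample log is constructed from the quoted lines plus one filler line in the same format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three detection lines quoted in the post, plus one
# constructed non-detection line in the same "timestamp => message" layout
# to show that it is skipped.
SAMPLE_LOG = """\
Thu Aug 25 15:11:50 2005 => Scanning File C:\\WINDOWS\\notepad.exe
Thu Aug 25 15:11:55 2005 => System found infected with cws.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.
Thu Aug 25 15:12:24 2005 => Offending file found: C:\\WINDOWS\\TEMP
Thu Aug 25 15:12:24 2005 => System found infected with WhenU.SaveNow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Thu Aug 25 15:12:26 2005 => Offending file found: C:\\WINDOWS\\TEMP
Thu Aug 25 15:12:26 2005 => System found infected with WhenU.SaveNow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
"""

# "Thu Aug 25 15:11:55 2005 => <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) => (?P<msg>.*)$"
)
# "System found infected with <name> <kind> (<file>)! Action taken: <action>."
INFECTED_RE = re.compile(
    r"System found infected with (?P<name>\S+) (?P<kind>.+?) "
    r"\((?P<file>[^)]+)\)! Action taken: (?P<action>.+?)\.?$"
)
# "Offending file found: <folder or file path>"
OFFENDING_RE = re.compile(r"Offending file found: (?P<path>.+)$")


def parse_mwav_log(text):
    """Return one dict per detection, carrying the folder announced just before it."""
    findings = []
    pending_path = None  # folder from the most recent "Offending file found" line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        off = OFFENDING_RE.match(msg)
        if off:
            pending_path = off.group("path").rstrip()
            continue
        inf = INFECTED_RE.match(msg)
        if inf:
            findings.append({
                "time": m.group("ts"),
                "name": inf.group("name"),
                "kind": inf.group("kind"),
                "file": inf.group("file"),
                "location": pending_path,   # None when no folder line preceded it
                "action": inf.group("action"),
            })
            pending_path = None
    return findings


def summarize(findings):
    """Count detections by signature name."""
    return Counter(f["name"] for f in findings)


def by_location(findings):
    """Group detected file names by the folder MWAV reported for them."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["location"] or "(folder not reported)"].append(f["file"])
    return dict(groups)


if __name__ == "__main__":
    found = parse_mwav_log(SAMPLE_LOG)
    for folder, files in by_location(found).items():
        print(f"{folder}: {', '.join(files)}")
    for name, n in summarize(found).items():
        print(f"{name}: {n} item(s)")
```

Because the script keeps only detection lines, the result for a log the size of the one in the thread is a few lines that fit comfortably under a forum attachment limit, and the per-folder grouping makes the "delete everything in C:\windows\temp" advice that follows easy to confirm.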
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! But you should just boot into safe mode and delete all files (that it allows) in the C:\windows\temp folder. I'm surprised Ccleaner did not dump everything there.
     
  30. papertrail

    papertrail Private E-2

    I will run Ccleaner in safe mode now. Tomorrow I'll post again with the correct information from MWAV if I can and I'll post again.

    Thanks so much for your help and patience.
     
  31. papertrail

    papertrail Private E-2

    One more question tonight. I ran Ccleaner in safe mode. However, I was told in the past to run it only with the default settings. The temporary files under System are not checked by default. Is it safe to run it with that box checked too?
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The default settings for CCleaner, check ALL of the ones below:
    • Internet Explorer
    • Windows Explorer
    • System
    • Firefox/Mozilla
    • Applications
    • Internet
    • Multimedia
    • Utilities
    • Windows
     
  33. papertrail

    papertrail Private E-2

    I ran Ccleaner with the default changed as instructed. It removed 165 megabytes of junk! Thank you.

    Attached is the MWAV log. I think I did it right this time.
     

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button, and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  35. papertrail

    papertrail Private E-2

    Attached are the requested logs. Thanks for your help!
     

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ may not be around for a few days due to hurricane problems.

    Could you please state what current problems you are still having.

    One thing I do notice on a brief look at your HJT log is that you still have more than one antivirus application installed. You must run only one. So pick the one you want and uninstall the other. You have AVG and Symantec right now.
     
    Last edited: Aug 28, 2005
  37. papertrail

    papertrail Private E-2

    Thank you for your response and for letting me know about BJ. I hope he is okay.

    My programs are being hijacked one after another--Firefox, IE, Spyware Doctor (which I deleted), Spybot S&D, AVG, Ewido, and possibly others. It is very scary being on-line and I don't know how much longer I will be able to access MajorGeeks.

    I am using Symantec utilities from a CD. All of the components, including the anti-virus program, were deleted several weeks ago, before I installed AVG.

    Thanks again for your help.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean your programs are being hijacked? Browsers can be hijacked (i.e. they take you to pages other than what you clicked on). But programs do not get hijacked.
     
  39. papertrail

    papertrail Private E-2

    Maybe I used the wrong word. However, the Sygate log shows application hijacking. I believe I am being tricked into clicking on popups that appear to be legitimate from anti-spyware programs that are installed on my computer. For example, I have a Sygate popup now saying "e guard [ewidoguard.exe] is trying to connect to update.ewido.net [85.10.237.9] using remote port 80 {HTTP - World Wide Web}. Do you want to allow this program to access the network?" If I click on it, it will appear on Sygate's log as an application hijack as it has in the past.

    Also, Internet Explorer's opening page does not look exactly as it did before. The "e" graphic in the address line is similar, but not the same.

    When I read e-mail on AOL, I get a message when it has loaded saying, "Done, but with errors on the page."

    There are also popups at times when I am not on-line asking for example, if I want to connect to AOL Dialer. There is no cancel button. If I don't click on it, it just stays there.

    That's about the best I can explain it at this point. I am far from an expert and I don't understand spyware, viruses, or people who would infect people's computers.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have just installed Ewido and it is looking for updates. Not a problem! Don't you recognize the name? This is not a hijack.

    Not sure your problem is with the icon in the Quick Launch bar (I assume that's what you mean). Why do you think it changed?

    Do you need AOL? If not, uninstall it. If you do, ask them why their program is always trying to start up. You can just disable this dialer (not malware, just something you have installed).
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the AOL programs I'm referring to and that you probably do not need to always have load at startup (there are always other ways to run things when they are needed):


    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1117680908\EE\AOLHostManager.exe
     
  42. papertrail

    papertrail Private E-2

    Here are examples of the items appearing in the Sygate log:

    Application Hijacking has been detected
    The application: C:\Program Files\Grisoft\AVG Free\avgcc.exe try to launch another application: C:\Program Files\Grisoft\AVG Free\avginet.exe to go to remote host guru.grisoft.com

    Application Hijacking has been detected
    The application: C:\Program Files\ewido\security suite\ewidoguard.exe try to launch another application: C:\Program Files\ewido\security suite\SecuritySuite.exe to go to remote host update.ewido.net

    Are you saying that these are not problems?

    Please forgive my ignorance re spyware. Your help is greatly appreciated.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's correct! They are not problems! The first is your antivirus application (AVG) trying to run properly. It is trying to look for updates. You need to allow it to run.

    The second is (as already stated) part of Ewido Security Guard and it is also trying to get updates. You must also let it run.
     
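The two Sygate entries quoted above, and the earlier remark that svchost.exe is fine only when it lives in System32, come down to a small set of checks a responder applies to a parent-launches-child alert: do the two executables sit in the same vendor folder, is the remote host a known update server, and is anything running from a temp folder or impersonating a system binary from the wrong place. The following is an added example, not part of this thread and not code from Sygate, AVG, Ewido or MajorGeeks; it assumes the alert wording shown in the post, and the allowlist of update hosts and the System32 rule are assumptions taken from the thread rather than vendor documentation. The third alert line is constructed to show what a flagged entry looks like.

```python
import re
from pathlib import PureWindowsPath

# Wording of a Sygate "Application Hijacking has been detected" detail line,
# as quoted in the thread.
ALERT_RE = re.compile(
    r"The application: (?P<parent>.+?) try to launch another application: "
    r"(?P<child>.+?) to go to remote host (?P<host>\S+)"
)

# Assumptions for this example: the two vendor update hosts named in the
# thread, the rule that svchost.exe belongs under System32 only, and the
# Windows temp folder that MWAV flagged earlier in the thread.
KNOWN_UPDATE_HOSTS = {"guru.grisoft.com": "AVG", "update.ewido.net": "Ewido"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\SYSTEM32")
SYSTEM_BINARY_NAMES = {"svchost.exe"}
TEMP_DIRS = (PureWindowsPath(r"C:\WINDOWS\TEMP"),)

# Constructed sample: the two alerts quoted in the post plus one constructed
# entry (placeholder names, .invalid host) that should be flagged for review.
SAMPLE_ALERTS = [
    r"The application: C:\Program Files\Grisoft\AVG Free\avgcc.exe try to launch another application: C:\Program Files\Grisoft\AVG Free\avginet.exe to go to remote host guru.grisoft.com",
    r"The application: C:\Program Files\ewido\security suite\ewidoguard.exe try to launch another application: C:\Program Files\ewido\security suite\SecuritySuite.exe to go to remote host update.ewido.net",
    r"The application: C:\WINDOWS\TEMP\EXAMPLE_unknown.exe try to launch another application: C:\WINDOWS\TEMP\svchost.exe to go to remote host example.invalid",
]


def _is_under(path, root):
    """True when path equals root or sits anywhere beneath it (case-insensitive)."""
    path = PureWindowsPath(path)
    return root == path or root in path.parents


def check_path(path):
    """Reasons an executable path deserves a closer look; empty list if none."""
    p = PureWindowsPath(path)
    reasons = []
    # A binary with a well-known system name outside System32 (the thread's svchost rule).
    if p.name.lower() in SYSTEM_BINARY_NAMES and p.parent != SYSTEM32:
        reasons.append(f"{p.name} running from {p.parent}, not System32")
    # Anything executing out of a temp folder.
    if any(_is_under(p, t) for t in TEMP_DIRS):
        reasons.append(f"executable in temp folder {p.parent}")
    return reasons


def triage(line):
    """Classify one Sygate alert line as 'benign' or 'review'; None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    parent, child, host = m.group("parent"), m.group("child"), m.group("host")
    reasons = check_path(parent) + check_path(child)
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    same_dir = PureWindowsPath(parent).parent == PureWindowsPath(child).parent
    vendor = KNOWN_UPDATE_HOSTS.get(host.lower())
    if not same_dir:
        reasons.append("parent and child live in different folders")
    if vendor is None:
        reasons.append(f"remote host {host} is not a known updater")
    return {
        "parent": parent,
        "child": child,
        "host": host,
        "vendor": vendor,
        "verdict": "benign" if not reasons else "review",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        r = triage(line)
        tag = f"{r['verdict']:6}"
        detail = f"{r['vendor']} updater" if r["vendor"] and not r["reasons"] else "; ".join(r["reasons"])
        print(f"{tag} {PureWindowsPath(r['parent']).name} -> {PureWindowsPath(r['child']).name} ({r['host']}): {detail}")
```

The first two sample alerts come out as "benign" with the vendor named, which is the conclusion the reply above reaches by hand; the constructed third one is flagged on every check. An allowlist like this only covers hosts you have decided to trust, so an update host you have not seen before should land in "review" rather than be added blindly.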
