Had WildMedia - What's still on my machine?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by POIS9000, Sep 11, 2004.

  1. POIS9000

    POIS9000 Private E-2

    OK,

    I may be new, but I’m not dumb. Having seen an excellent example of a first post (many thanks, dazed&confused), let me try again with my second post.

    My 18-year old Niece’s computer _was_ filled with a variety of adware and spyware. Her configuration is:

    Windows 2000
    Intel P2 366Mhz
    768 Meg Ram
    IE 5.5
    System updated using Windows Update
    SpySweeper = freshly downloaded, but not subscribed
    Ad-Aware Personal SE = Updated
    PestPatrol = Updated
    System Restore = off
    Hidden/System files, known extensions are shown
    Network Security & Workstation Netlogon Services = Not found

    I have scanned numerous times with the programs listed above, and with several of the online scanners that I have seen mentioned on this site (Stinger (from Aug 16, 2004), Ccleaner, About:Buster, CWShedder, SpywareBlaster, kill2me, hsremove, tauscan). These scans seem to have gotten rid of most of the parasites, but I have one remaining strange behavior: Every time I boot up, three windows pop up, two identical windows showing the “My Computer” directory, and one IE window which takes me to the website "http://www.affoundation.org/ind.html", whereupon the header for the IE window changes to “[ y E a K u K z ]”.

    Currently, SpySweeper is reporting no Spyware found. Ad-Aware SE is reporting no Spyware found. PestPatrol reports “SpediaBar” - I have removed it multiple times, but it keeps showing up.

    I am prepared to run HijackThis if/when necessary, but I will await your request to do so, and will post the log at the appropriate time.

    - POIS9000
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Tough bugger to remove, Hijack This will give insight as to what files are affected. Please attach.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. POIS9000

    POIS9000 Private E-2

    HijackThis! log attached. Computer is still exhibiting the same behavior.

    -POIS9000
     

  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Could you take a minute and follow Chaslang's links to see if that works first? Thanks!
     
  6. POIS9000

    POIS9000 Private E-2

    I've followed chaslang's links and run those programs. Neither reported anything suspicious. Computer is still experiencing the same problem. I am attaching the most recent HijackThis! log.

    - POIS9000
     

  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I think we need to go back to basics, sorry. I see trojans in there and no indication that you online virus scanned yet as the cab files would show up in the bottom of your Hijack This log file.

    Please follow this tutorial:
    http://forums.majorgeeks.com/showthread.php?t=35407

    Hopefully the online virus scanning in safe mode will help, but do it all.

    Repost a Hijack This log file after that, but this time please close all running programs, firewall, Pest Patrol, Hewlett Packard items, Winzip tray icon, etc.

    Sorry to run you in circles here :(
     
  8. POIS9000

    POIS9000 Private E-2

    Major,

    Here’s a step by step listing of how I followed the directions in chaslang’s tutorial. I had already followed many of these steps before, but it looks like Symantec’s check made a difference – I had not done that one previously. Unfortunately, I’m still experiencing the browser opening to http://www.affoundation.org problem, and I’m stumped. I would greatly value your suggestions.

    1) Startup
    2) Opened services.msc
    Did not find “Network Security Service” or “Workstation Netlogon Service”
    3) Checked that viewing of hidden files and folders and extensions was enabled
    Also unchecked hide file extensions
    4) Downloaded tools (already had them)
    5) Booted into Safe Mode (with Networking)
    Would have booted into Safe Mode without networking, but your later instructions listed that I had to update SpywareBlaster, which requires networking.
    6) Ran CCleaner
    7) Ran Stinger (Aug 16, 2004 version) Nothing reported.
    8) Ran Trend Micro’s Free Online Virus Scan, No viruses or Trojan Horses found.
    9) Ran Symantec Security Check. Found 2 infected files.
    C:\m.exe is infected with AOL.PWSteal.Trojan
    C:\mar.exe is infected with AOL.PWSteal.Trojan
    10) Deleted m.exe and mar.exe
    11) Ran Ad-Aware SE (with VX2 plug-in). Nothing found.
    12) Ran Spybot and immunized my system.
    Spybot reported “The application or DLL C:\WINNT\system32\datastore.dll is not a valid Windows image. Please check this against your installation diskette.”
    13) Ran CWShredder with update (after closing all browser windows). Reported system completely clean.
    14) Ran Kill2me. No infections found.
    Interesting point – when Kill2Me finished, it automatically opened a “My documents” folder, exhibiting similar behavior to the initial problem I am trying to resolve. I closed the window before continuing.
    15) Ran about:Buster. No ADS found on system (both scans).
    16) Ran HSRemove. No items removed.
    17) Installed SpyBlaster. All protections enabled.
    18) Rebooted. Much faster to bootup.
    19) Popup window: “Are you sure you want to uninstall Media Tickets from your computer?”
    20) Clicked Yes
    21) Popup window: “Media Tickets has now been removed.”
    22) Two My Documents folders appeared again. I moved to close them immediately. Subsequently, two popup boxes appeared, stating: “ElimiExplorer.e.exe has generated errors and will be closed by Windows. You will need to restart the program.”
    23) Found ElimiExplorer.exe in the C:\WINNT\system32 directory and attempted to delete the program. (Note difference in filename as listed compared to popup box).
    24) Was unable to delete – “Access is denied. The source file may be in use.”
    25) Rebooted into safe mode with networking.
    26) Attempted to delete ElimiExplorer.exe – Successful.
    27) Found several other suspicious files in the C:\ directory. Deleted w.html, x.bat, x.html and PZ.exe.
    28) Rebooted.
    29) Computer did not open two My Documents windows, but it _did_ still open a browser connected to http://www.affoundation.org
    30) Ran HJT. Log is attached to the following message (I typed this list on another computer while I was doing the scanning).

    - POIS9000
     
  9. POIS9000

    POIS9000 Private E-2

    Here's the HJT log.
     

  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    At first glance, you need to spend some time in add\remove programs and get rid of anything you do not know about or need. Some explanations below in the processes area because it is quite messy. Hopefully some explaining and cleaning will make this easier to understand. I was hoping for some Chaslang assistance because this one is pretty messy. Make a backup before removing in Hijack This.

    I suspect this is a virus:
    C:\active.exe
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hornet.html

    You installed Kontiki, considered spyware; it's a download manager, places like download.com and gamespot.com use it. It is debatable if you need it or not, I guess if you have an account there, you might... If so, ignore it, though it's lame that a download assistant from a particular website needs to be running on startup.
    C:\WINNT\kdx\KHost.exe

    Dont need it:
    C:\Program Files\WinZip\WZQKPICK.EXE

    Unsure, do you know what this is? If not, delete it:
    C:\WINNT\system32\l?gonui.exe

    Remove:
    O2 - BHO: (no name) - {4B8B4759-C41F-7DBC-D255-65550BA12668} - C:\WINNT\system32\qbnfw.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [aCDH] C:\documents and settings\tania\local settings\temp\aCDH.exe
    O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
    O4 - HKLM\..\Run: [TKBvD] C:\documents and settings\tania\local settings\temp\TKBvD.exe
    O4 - HKLM\..\Run: [tsmh3qg] dmufunc.exe
    O4 - HKCU\..\Run: [cB5nRkMqO] drwstor.exe
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll
     
  11. POIS9000

    POIS9000 Private E-2

    I've removed a few programs, then removed all the pieces you suggested. Here's my updated HJT log. I will reboot and report if I have any other issues.

    - POIS9000
     

  12. POIS9000

    POIS9000 Private E-2

    Looks like that did it! I have no strange behavior upon boot, and everything seems to be working fine. Yee Ha! Thank you, Major and Chaslang for your patience in dealing with a newbie in this area.

    - POIS9000
     
  13. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    My pleasure, but we're not done, sadly. This trojan still exists and it's a backdoor that lets people who know about it access your PC, so I am concerned.

    C:\active.exe

    So check this link:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hornet.html
    and follow the manual removal tips, a couple of files to delete and a registry entry to remove. Then recheck your log file for that line. Also, go to startup and make sure it's not running from there afterwards.

    Next up, this came back:
    C:\WINNT\system32\l?gonui.exe
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to look at how I was dealing with this "active.exe" in this thread http://forums.majorgeeks.com/showthread.php?t=41658&highlight=active.exe

    See my last post (message # 10).

    All these bad files need to be deleted from your computer after booting in safe mode, as done in that thread too. You should be going back and looking for all the things you fixed with HJT but have not yet deleted. Like:

    C:\WINNT\system32\qbnfw.dll
    C:\Program Files\Viewpoint <--- This should have been uninstalled via Add/Remove programs. Delete the directory if still present>
    C:\active.exe
    C:\documents and settings\tania\local settings\temp\aCDH.exe
    C:\WINNT\kdx <--- delete the whole directory
    C:\documents and settings\tania\local settings\temp\TKBvD.exe
    c:\WINNT\system32\dmufunc.exe
    c:\WINNT\system32\drwstor.exe
    C:\WINNT\system32\l?gonui.exe

    If you have problems deleting any of them, make sure you shut them down (as recommended in that thread I posted above).
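The two staff posts above (#10 and #14) apply the same reasoning by hand: read each HijackThis entry, ask where the file runs from, and then remember that fixing the entry in HJT does not remove the file from disk. The script below is an added example written for this thread, not a tool from MajorGeeks or from HijackThis itself. It parses O2/O4/O16/O21 lines, extracts the file or URL each one launches, applies the same tells the helpers used (programs launching from the drive root or a temp folder, bare file names resolved through the search path, a `?` in a file name where HijackThis could not print a non-ASCII character, a BHO with no name, an ActiveX cab from a third-party host), and then builds the "still to delete" list chaslang asked for. The sample log is constructed from the lines quoted in post #10; the WinZip Run entry's label, the O4 line for `l?gonui.exe`, the `SYSTEM32` location for bare file names, and the `microsoft.com` allowlist for O16 cabs are all assumptions of this example.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
thread's own tooling).  Heuristics only: a flagged line still needs a human
to look at it, and an unflagged line (ViewMgr.exe, KHost.exe) can still be
unwanted, exactly as post #10 judged them."""

import re
from dataclasses import dataclass, field

# Constructed sample: the lines quoted in post #10 of this thread, plus an
# O4 line for the l?gonui.exe process and a benign WinZip entry (its label
# "WinZip Quick Pick" is invented here) so the heuristics can be seen not firing.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4B8B4759-C41F-7DBC-D255-65550BA12668} - C:\WINNT\system32\qbnfw.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [aCDH] C:\documents and settings\tania\local settings\temp\aCDH.exe
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [TKBvD] C:\documents and settings\tania\local settings\temp\TKBvD.exe
O4 - HKLM\..\Run: [tsmh3qg] dmufunc.exe
O4 - HKCU\..\Run: [cB5nRkMqO] drwstor.exe
O4 - HKLM\..\Run: [WinZip Quick Pick] C:\Program Files\WinZip\WZQKPICK.EXE
O4 - HKLM\..\Run: [lgonui] C:\WINNT\system32\l?gonui.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll
"""

# Assumption: a bare file name in a Run value resolves here on this machine
# (post #14 lists dmufunc.exe and drwstor.exe under this directory).
SYSTEM32 = r"C:\WINNT\system32"

@dataclass
class Finding:
    kind: str                      # O2, O4, O16 or O21
    label: str                     # Run value name, BHO/SSODL name, or CLSID
    target: str                    # file path or URL the entry launches
    reasons: list = field(default_factory=list)

def exe_path(cmd):
    """Split the executable from its arguments; paths with spaces are common."""
    m = re.match(r"(.*?\.(?:exe|dll|com|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def parse_line(line):
    """Return a Finding for a supported HJT line, or None for anything else."""
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "O4":
        m = re.match(r"HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)", rest)
        return Finding(kind, m.group(1), exe_path(m.group(2))) if m else None
    if kind == "O2":
        m = re.match(r"BHO: (.*?) - (\{[0-9A-F-]+\}) - (.*)", rest)
        return Finding(kind, m.group(1), m.group(3)) if m else None
    if kind == "O16":
        m = re.match(r"DPF: (\{[0-9A-F-]+\}) - (.*)", rest)
        return Finding(kind, m.group(1), m.group(2)) if m else None
    if kind == "O21":
        m = re.match(r"SSODL: (.*?) - (\{[0-9A-F-]+\}) - (.*)", rest)
        return Finding(kind, m.group(1), m.group(3)) if m else None
    return None

def assess(f):
    """Attach the tells the helpers in this thread looked for."""
    t, low = f.target, f.target.lower()
    if f.kind == "O16":
        # Assumption: only cabs served from microsoft.com are treated as routine.
        if not re.match(r"https?://[^/]*microsoft\.com/", low):
            f.reasons.append("ActiveX cab downloaded from a third-party host")
        return f
    if f.kind == "O2" and f.label == "(no name)":
        f.reasons.append("BHO registered without a name")
    if f.kind == "O21":
        f.reasons.append("ShellServiceObjectDelayLoad entry; confirm the CLSID is a known Windows component")
    if "\\" not in t:
        f.reasons.append("bare file name resolved through the search path (probably %s)" % SYSTEM32)
    elif re.match(r"[a-z]:\\[^\\]+$", low):
        f.reasons.append("executable sitting in the drive root")
    if "\\temp\\" in low:
        f.reasons.append("launched from a temp directory")
    if "?" in t:
        f.reasons.append("non-ASCII character in file name (HijackThis prints it as '?')")
    return f

def triage(log_text):
    return [assess(f) for f in map(parse_line, log_text.splitlines()) if f]

def flagged(log_text):
    """Map of target -> reasons for every entry that tripped a heuristic."""
    return {f.target: f.reasons for f in triage(log_text) if f.reasons}

def deletion_checklist(log_text):
    """Files that remain on disk after the entries are fixed in HijackThis
    (post #14's point); bare names are resolved under the assumed SYSTEM32."""
    paths = []
    for f in triage(log_text):
        if not f.reasons or f.kind == "O16":
            continue
        p = f.target if "\\" in f.target else SYSTEM32 + "\\" + f.target
        if p not in paths:
            paths.append(p)
    return paths

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("FLAG" if f.reasons else "ok  "), f.kind, "[%s]" % f.label, f.target)
        for r in f.reasons:
            print("       -", r)
    print("\nStill to delete after fixing in HJT:")
    for p in deletion_checklist(SAMPLE_LOG):
        print("  " + p)
```

Running it prints each entry with its reasons and then the deletion list; note that `ViewMgr.exe` and `KHost.exe` come out unflagged, which is the right reminder that these heuristics narrow the reading of a log rather than replace it.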
     
