Help, can't get rid of the spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by arbeej, Feb 28, 2005.

  1. arbeej

    arbeej Private E-2

    Hi,
    Tried to i.d. and get rid of spyware for days. Tried CWShredder, AdAware, Spybot Search/Destroy, SpySubtract, etc. Nothing finds it.

    Yet StartupMonitor constantly warns that "the program 42HNQFX5S@X5SW has registered the executable C:\WINDOWS\SYSTEM\[garbled nonsense that changes].exe to run at system startup."

    I'm starting to think that saying yes to the change would be less annoying than the freaking warning right smack in the middle of the page.

    Will someone look over my Hijack log and tell me what to do?

    Thanks!
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Arbeej,

    Generally, it is a good idea to start with the Cleanup Tutorial below.

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work lately and cannot visit this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. arbeej

    arbeej Private E-2

    Hello again,
    Updated all my spyware detection programs, still nothing fixes this. Used the FAQ's advice on checking the files in Hijack This and was able to fix 8 spyware problems. However, the one I wrote about, the 42HNQFX5S@X5SW which Startup Monitor constantly warns about, refused to be fixed. I've tried numerous times but it will not go away.

    I'm going to try to attach the hijack file. ::fingers crossed::

    I will sure appreciate any help. This is driving me nuts.

    Thanks!
     

    Attached Files:

  4. TheOldThug

    TheOldThug First Sergeant

    The first thing PP will tell you is to update your HJT - it is out of date. Secondly, place it in its own folder, for example C:\Program Files\HJT
     
  5. PhilliePhan

    PhilliePhan Guest

    Indeed, OldThug!

    Arbeej - Don't forget to do the Online Scans prescribed in the Cleanup Tutorial!!

    PP :)
     
  6. TheOldThug

    TheOldThug First Sergeant

    We do want you to submit another log, after you properly placed HJT in its own folder, and ran the online scans PP mentioned. We will then give you a fix.
     
  7. arbeej

    arbeej Private E-2

    Sorry I didn't understand about the separate folder. I think I've done it right now...? Did all those scans again... Still that same file shows up on Hijack This. I don't know what else to do.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First try running this peper trojan removal tool while online:

    http://www.memorywatcher.com/uninst.exe

    You still need to put HijackThis in the proper folder.

    C:\Windows\Temp is not acceptable.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Create a folder in your C:\Program Files folder and name it HJT or HijackThis

    Put the hijackthis.exe file in that folder and next time run it from there.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also I noticed you still have not run the online scanners as requested multiple times.

    Why are you not doing that? You have several trojans apparent in your HJT log and they probably would have helped.
     
  11. arbeej

    arbeej Private E-2

    Oh man, I am just getting frustrated beyond belief. I am so stressed out by this, and I've been working on it for hours at a time for two days, and I'm trying my best to do what y'all say. But clearly I'm not understanding 'cause you act as if I'm deliberately ignoring the advice. I just do not get it.

    I didn't understand at first about Hijack This, but then I downloaded a fresh version and put it in c:\Program Files\HJT. Isn't that what I was supposed to do? There must be wires crossed somewhere because when I activate it, it also gives me a warning message that it's starting from a TEMP folder and needs to be in its own. I swear to God, it is in its own folder under Program Files.

    And I'm baffled as to the "online scans I've been repeatedly told to perform." I have no idea what this means. I did say from the beginning I've been running all my spyware programs, updated versions all: AdAware, Spybot Search & Destroy, Coolweb Shredder, Spy Subtract. I tried to download all the programs on the FAQ list, but starting with AVERT Stinger and going down, each time I got a "page not displayed" message. What I have, I've run repeatedly.

    If the scans mentioned in your post refer to something I've not mentioned, then I'm just too green to know what you mean.

    I need help, and I'm doing my best. I do appreciate the volunteer service you guys offer, but I just don't know what I'm doing wrong, and I'm getting even more frustrated. Please, please walk me through this.

    Again, I'm attaching my HJT log and I swear to God, it is in its own folder in Program Files.

    Ok, I'm NOT attaching it 'cause it says I've already attached it once to my last post and it won't do it again. But please, will someone look at it?
     
  12. arbeej

    arbeej Private E-2

    Oh yes,

    Regarding "http://www.memorywatcher.com/uninst.exe"...

    I did try that link as suggested and files seemed to be loading, but I don't know what happened after that. Would it have downloaded to a file that I can't find? Did it finish its functions? Is there something else I should have done/need to do with it?

    I'm not familiar with the program and don't know what to expect...
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to extract HijackThis from the ZIP file that you downloaded and put it in the c:\Program Files\HJT folder. The file you downloaded is compressed and is not an executable. You do not need to keep downloading it. You must just extract the hijackthis.exe file from HijackThis.zip and locate it where we requested.

    The online scans are part of the steps in the READ ME FIRST. See step 1 of the section titled: Scanning And Cleaning Steps: (note steps 1 thru 4 are NOT optional!)

    These are additional scans which were supposed to be done first (hence step 1) before running the other items you mentioned.

    Are you saying you cannot download Avert Stinger or that you cannot run it?

    When you post additional HJT logs you may sometimes need to rename the file to get it to attach. Using names like hjt1.log, hjt2.log, hjt3.log...etc works well.

    Please run the peper trojan scan I gave you NOW!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you do not understand very much about computers. Is that a reasonable assumption?

    When you entered the above link you should be downloading the file to your computer and saving it somewhere that you will be able to locate it. Then you need to locate it using Windows Explorer and double click on it. That will run the uninst.exe file.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not have a program for extracting files from a compressed ZIP file, you can download and install WinZip.
     
  16. TheOldThug

    TheOldThug First Sergeant

    Hang in there arbeej. It is frustrating, we all understand. Take it one step at a time. If you don't understand how to do something just ask. Chaslang WILL get this fixed for you.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Arbeej,

    You appear to be taking a rather long time to respond. What are you having a problem with? Do you still not understand something?
     
  18. arbeej

    arbeej Private E-2

    Whhhhhhheeeeeeeewwwwww... ::DEEP BREATHS::

    The good news is, I think the sorry dawg of a file is gone... More in a mo...

    You appear to be taking a rather long time to respond. What are you having a problem with? Do you still not understand something?

    Long time, yes, had to take a breather, curse a bit, get a soft drink, check on my daughters, and come back to it -- after checking to see what downloaded properly, etc.


    I see you do not understand very much about computers. Is that a reasonable assumption?

    ROFL... Yes, a more than reasonable assumption. Hence the new bald patches bleeding on my scalp...

    The online scans are part of the steps in the READ ME FIRST. See step 1 of the section titled: Scanning And Cleaning Steps: (note steps 1 thru 4 are NOT optional!)

    The first thing I did was read the tutorial and follow as best I knew how. Steps 1 & 2 don't apply to me, apparently (I have windows 98); I did Step 3; did as much of Step 4 as I could. I mentioned the programs I did scan with and mentioned which ones I could not access from the FAQ page (AVERT Stinger on down, as well as CCleaner). I followed links to the MajorGeeks/Ga. location, clicked to download, and got the "Page not available message" on each of these. The other programs I ran numerous times.

    These are additional scans which were supposed to be done first (hence step 1) before running the other items you mentioned.

    Don't even know what you mean here. Aside from the fact that I couldn't download the others, the programs I *did* run were listed first (except that I couldn't download CCleaner).

    Are you saying you cannot download Avert Stinger or that you cannot run it?

    I couldn't get to it. See above. After the page that says, "Download will start in a few seconds," it directs to a "Page cannot be displayed" message. Same happened with all of those that I didn't already have.

    Anyhoo, after following the directions on installing and running memorywatcher, the worst file in question seems to have disappeared. Thank God and you guys.

    I've attached a fresh HJT report. I finally got what you were saying about moving the .exe file into the folder. What I had in the HJT folder was the .zip file, then I'd click on that to get to the .exe file. This time I dragged the sucker into the folder, and it seems to work properly now. I hope you'll take another look at it because I thought I only had one bad file in there, and you said it looked like several...

    Thanks again for your help.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true! Read it again. See step 1a.

    1: Virus And Trojan Scanning (do not skip these two scans or you will be asked to run them before continuing)
    a) Win9x (Windows 95, 98, 98SE) users boot normal mode.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not run the online scans! All you had to do was click on the below links and follow the directions:

    Trend Micro's Free Online Virus Scan

    Symantec Security Check


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {8FF29A86-273E-02BB-1C57-5AF07CCC6892} - C:\WINDOWS\SYSTEM\QTIG.DLL
    O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL (file missing)
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [Swx0c.exe] C:\WINDOWS\TEMP\SWX0C.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\QTIG.DLL
    C:\WINDOWS\TEMP\SWX0C.EXE

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
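
The five entries selected for fixing in the post above share a few traits that can be read straight off the log lines: unnamed components, registry entries whose file is gone, an autostart program in a TEMP directory, and a rundll32 call with no real DLL name. The sketch below is an added example, not part of the original thread and not HijackThis's own logic; the heuristics are assumptions for first-pass triage, and the two benign lines in the sample are constructed.

```python
import re

# Five entries copied from the post above, plus two constructed benign lines
# (the "Example Helper" BHO with a placeholder CLSID, and SystemTray).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8FF29A86-273E-02BB-1C57-5AF07CCC6892} - C:\WINDOWS\SYSTEM\QTIG.DLL
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Swx0c.exe] C:\WINDOWS\TEMP\SWX0C.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# O2 (browser helper objects) and O9 (extra IE buttons): name - {CLSID} - file
CLSID_ENTRY = re.compile(
    r"^(?P<sec>O2|O9) - [^:]+: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
# O4 (autostart): registry key: [value name] command line
RUN_ENTRY = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")


def reasons_for(line):
    """Return heuristic reasons why one log line deserves a closer look."""
    reasons = []
    m = CLSID_ENTRY.match(line)
    if m:
        if m["name"] == "(no name)":
            reasons.append("component registered without a name")
        if m["target"].endswith(("(file missing)", "(no file)")):
            reasons.append("registry entry points at a file that is not on disk")
        return reasons
    m = RUN_ENTRY.match(line)
    if m:
        cmd = m["cmd"]
        if "\\TEMP\\" in cmd.upper():
            reasons.append("autostart program lives in a TEMP directory")
        if re.fullmatch(r"[0-9A-Fa-f]{8,}", m["value"]):
            reasons.append("Run value name is a bare hex string")
        rd = re.match(r"(?i)rundll32(?:\.exe)?\s+([^,\s]+)", cmd)
        if rd and not rd[1].lower().endswith(".dll"):
            reasons.append("rundll32 is given a module with no .dll name")
    return reasons


def triage(log_text):
    """Map each flagged log line to its list of reasons; clean lines are omitted."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        found = reasons_for(line)
        if found:
            flagged[line] = found
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   -", reason)
```

A flag here only means the entry should be looked up before deciding; an unnamed BHO or a hex-named Run value can also belong to legitimate software.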
     
  22. arbeej

    arbeej Private E-2

    Not true! Read it again. See step 1a.

    1: Virus And Trojan Scanning (do not skip these two scans or you will be asked to run them before continuing)
    a) Win9x (Windows 95, 98, 98SE) users boot normal mode.


    AUGHHH. I must have been reading the wrong tutorial. The one I was looking at was this:

    "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal
    ...
    Getting Prepared; Steps to be sure your system is ready to be scanned:

    1: Disable System Restore temporarily (WinXP & WinME only) if you are infected; Any trojans, spyware, etc. you may have picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Please follow instructions to do that here: http://forums.majorgeeks.com/showthread.php?t=31668

    2: Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT); Only do this step if you have the about:blank or home search hijack. You need to check to see if any of the following three Windows services are running:..."

    There's an awful lot of info for a newbie. I think you can tell, though, that I tried my best to follow the directions. I've checked back over numerous "read this first" pages and still haven't found the one to which you refer.
     
  23. arbeej

    arbeej Private E-2

    Anyhoo, after following the directions on installing and running memorywatcher, the worst file in question seems to have disappeared. Thank God and you guys....

    That's what I posted before. Is that what you meant by your post:

    It looks like you ran http://www.memorywatcher.com/uninst.exe Is that true?

    Or did I do something else by accident? Whatever it was, it seemed to get rid of the worst file, as I stated with my thanks.
     
  24. TheOldThug

    TheOldThug First Sergeant

    Be sure and post another HJT log. When you are clean they will tell you and point you to a Preventative Link. Hang in there a little longer.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do what I requested in message # 21 yet?

    If not, you need to do them.

    No you were not reading the wrong tutorial. You just need to follow all the steps. The first section is just Getting Prepared. The next section is the cleaning section and that is where I quoted the below from:

    1: Virus And Trojan Scanning (do not skip these two scans or you will be asked to run them before continuing)
    a) Win9x (Windows 95, 98, 98SE) users boot normal mode.

    This would seem to indicate that you are not following the steps one at a time and in the order written. It is extremely important when trying to resolve issues like this that directions be followed exactly. If you have a question or problem with something, you must always ask.
     
  26. arbeej

    arbeej Private E-2

    Did you do what I requested in message # 21 yet?

    If not, you need to do them.

    No you were not reading the wrong tutorial. You just need to follow all the steps. The first section is just Getting Prepared. The next section is the cleaning section and that is where I quoted the below from:

    1: Virus And Trojan Scanning (do not skip these two scans or you will be asked to run them before continuing)
    a) Win9x (Windows 95, 98, 98SE) users boot normal mode.

    This would seem to indicate that you are not following the steps one at a time and in the order written. It is extremely important when trying to resolve issues like this that directions be followed exactly. If you have a question or problem with something, you must always ask.



    Please see my post #11. That is where I said I did not understand what scans I was being told to do -- and asked for help. I did not get the answer but instead was berated in various subsequent posts ("Why didn't you do it? All you had to do was...!"). I don't know if you realize how harsh you've been coming across to me. It's made a hard situation harder, even as I express my sincere appreciation at getting help for my problem.

    Since in your last post you pointed out the actual page and specific scans I needed to do, I've been trying. Symantec took an awfully long time, then the computer froze up and cancelled the action. I can't get Trend Micro to work. I'll try those again tomorrow. I've got to get to bed despite being wired to the max.

    Not following directions in order? Well, I guess not, but not for lack of trying.

    But picture this: you're trying your best to follow all this foreign material when you're out of your element, Startup Monitor keeps dinging in with its warnings and blocks the action bars on most anything else you're trying to work on, the computer freezes and shuts off in the middle of scans, you're rebooting back and forth from safe mode to normal, and trying to keep track of the web page you were on before following link after non-functioning link...

    And through all you're trying to remain polite to someone who's just harsh as can be...

    I do thank you for your help but I've had a hard time. I wish you a good night. I'll try again tomorrow.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry you feel that way but if you put the shoe on the other foot and try to imagine dealing with people who range in experience from highly skilled to no computer skills at all. And then try to answer hundreds of messages per day TRYING TO HELP FOR FREE (we do not get paid to do this). And then get people telling you they followed steps that they did not follow. Having to repeat things over and over again. You could get annoyed too. You kept referring to the READ ME FIRST and so was I. I do not understand how you keep missing the section where you are supposed to start Scanning and Cleaning. The first step is to run the online scanners. You are not supposed to be running any scans in the first section (the Getting Prepared section). You just download and install there. The links to these online scanners were in the original thread that you indicated you had run. Having to add them into this thread again should not have been necessary but I did it anyway.

    I really do not feel I was being harsh but I apologize for making you feel like that. I don't find anything harsh in what I was saying. They were questions that needed to be asked to find out what you were doing and to point out that you are skipping steps that were important. We cannot see what you are doing and only know what you tell us. Questions must be asked. You need to help us to help you.

    Information like "I can't get Trend Micro to work." needs to be expanded into more detail otherwise I would have to ask. Did you get to the site ok, did it download an active x component to your PC, did the scan start at all, did you get any error messages?

    The statement I made at the end of message #25:
    cannot be stressed enough. This is not harsh either. This is critical to resolving problems like this. The order in which steps are executed and completing them exactly can be the difference between fixing a problem or starting over again.

    Now the fact that you could not get the online scans to run may or may not be a problem. They can take a very long time to run based on PC speed and connection speed. Also the number of files on your system needing to be scanned increases the time it takes. Now that I know you tried to run them and for some reason cannot, just skip them and continue with what I gave you in message #21.

    What I gave you in message number 21 should resolve most if not all of your issues (depends on whether anything else is hiding that will pop up after fixing those problems).
     
    Last edited: Mar 1, 2005
