I can't fix it. Spyware will not go away.

Discussion in 'Malware Help (A Specialist Will Reply)' started by kidzkilnputer, Apr 30, 2005.

  1. kidzkilnputer

    kidzkilnputer Private E-2

I have read and used the guide about scanning and fixing before posting. Most virus scanners come up clean. I still get 22 infected items with Panda ActiveScan and 1 suspicious item. I also get pop-ups seeming to come from search inqwire, ads1revenue and about:?? I cannot boot into safe mode; I get a running list of drivers? and then it tells me to retry. I am including my HJT log, please help!!
     

    Attached Files:

  2. kidzkilnputer

    kidzkilnputer Private E-2

I also wanted to mention but forgot that I was unable to use the download for about:blaster. It told me it was corrupt and to redownload, but I was unable to get the program to run every time I tried after redownloading it.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the sticky threads and the announcement. HijackThis logs should not be posted unless they are requested. In addition you must install HijackThis properly and you MUST exit ALL browsers before running HijackThis.

    Look in Add/Remove programs and uninstall WinTools if found.

    You also must not use msconfig to prevent items from loading. That will block us from seeing everything that we may need to see to help you completely resolve your problems.
    Please run msconfig and select Normal Startup then reboot and continue with the below.

    The proper procedure for using HijackThis is below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After following the steps in my previous message, continue with the below:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\m?config.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {9365B1F6-2C65-2299-1A8E-02E29A512CB5} - C:\WINDOWS\system32\ekr.dll
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [t3sT36U] aaaqc.exe
    O4 - HKCU\..\Run: [Dupcno] C:\WINDOWS\system32\m?config.exe
    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\ekr.dll
    C:\Program Files\Common Files\WinTools <-- the whole folder
    C:\Program Files\DR_S <-- the whole folder
    C:\WINDOWS\system32\aaaqc.exe
    C:\WINDOWS\system32\m?config.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. kidzkilnputer

    kidzkilnputer Private E-2

    hello and thanks for the reply. I am posting my HJT log after saving it to its own folder and I stopped using msconfig. Here it is.
     

    Attached Files:

  6. kidzkilnputer

    kidzkilnputer Private E-2

    After fixing the items you mentioned, here are my results. I was unable to boot into safe mode; I still get a running list of drivers and it won't let me start up. I rebooted back to normal mode and looked for the files and folders you mentioned:

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\ekr.dll
    C:\Program Files\Common Files\WinTools <-- the whole folder
    C:\Program Files\DR_S <-- the whole folder
    C:\WINDOWS\system32\aaaqc.exe
    C:\WINDOWS\system32\m?config.exe
    in your post using Windows Explorer

    but I didn't find any of these. I also ran Ccleaner and then made sure my start page was back to comcast and deleted cookies and temp files and here is my new log. Thank you again for your help. So far I haven't had any pop ups but I haven't been using the internet much to really be sure.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have one problem line in your log! Have HJT fix the below line:

    O4 - HKCU\..\Run: [Resa] C:\Documents and Settings\Default\Application Data\oant.exe

    Then delete the below file:
    C:\Documents and Settings\Default\Application Data\oant.exe

    Please be more specific about your inability to boot in safe mode.
    I don't know what you mean "running list of drivers". Give exact error messages (if there are any).
     
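The R0/O2/O4 lines that chaslang singled out in posts 4 and 7 are the only part of the HijackThis log that survives in this thread. The block below is an added example, not code from HijackThis or from this thread's participants: it parses those exact lines into structured records and applies a few heuristics a helper might use to decide which entries deserve a look before asking HJT to fix them (an autostart given by bare file name, a character HJT could not display, an executable living under a user's profile, an unnamed BHO, a start page on an unexpected host). The trusted-host set and the heuristics themselves are assumptions for illustration; WinTools and DR_S pass every check here and were fixed in the thread only because their names were known.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Added example, not HijackThis code. Sample input: the exact lines quoted in
# posts 4 and 7 of this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {9365B1F6-2C65-2299-1A8E-02E29A512CB5} - C:\WINDOWS\system32\ekr.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [t3sT36U] aaaqc.exe
O4 - HKCU\..\Run: [Dupcno] C:\WINDOWS\system32\m?config.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [Resa] C:\Documents and Settings\Default\Application Data\oant.exe
"""


@dataclass
class HjtEntry:
    kind: str    # "R0", "O2", "O4", ...
    name: str    # Run value name, BHO display name, or IE setting name
    target: str  # file path or URL the entry points at
    extra: str   # hive\key for O4, CLSID for O2, registry key for R*


# One pattern per line type this example models (assumed from the lines above).
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RE_R = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]*?) = ?(?P<target>.*)$")


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one HJT log line into an HjtEntry; None for line types not modelled here."""
    m = RE_O4.match(line)
    if m:
        return HjtEntry("O4", m["name"], m["target"], m["hive"] + "\\" + m["key"])
    m = RE_O2.match(line)
    if m:
        return HjtEntry("O2", m["name"], m["target"], m["clsid"])
    m = RE_R.match(line)
    if m:
        return HjtEntry(m["kind"], m["name"], m["target"], m["key"])
    return None


def parse_log(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.strip().splitlines()) if e]


# Assumed allow-list: the thread resets the home page to majorgeeks.com / Comcast.
TRUSTED_HOME_HOSTS = {"www.majorgeeks.com", "www.comcast.net"}
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\")


def suspicious_reasons(e: HjtEntry) -> list:
    """Heuristic reasons an entry deserves a look. An empty list is not a clean
    bill of health: WinTools and DR_S are known-bad by name and pass every check."""
    reasons = []
    low = e.target.lower()
    if e.kind == "O4":
        if "\\" not in e.target:
            reasons.append("bare file name: resolved via the search path, not a fixed location")
        if "?" in e.target:
            reasons.append("file name contains a character HJT could not display (here mimicking msconfig.exe)")
        if any(d in low for d in PROFILE_DIRS):
            reasons.append("autostart executable stored under a user profile data directory")
    elif e.kind == "O2" and e.name == "(no name)":
        reasons.append("BHO registered without a display name")
    elif e.kind.startswith("R") and e.name == "Start Page":
        host = urlsplit(e.target).hostname or ""
        if host not in TRUSTED_HOME_HOSTS:
            reasons.append(f"start page points at untrusted host {host!r}")
    return reasons


def triage(text: str) -> list:
    """Return (entry, reasons) pairs for every parsed line of an HJT log."""
    return [(e, suspicious_reasons(e)) for e in parse_log(text)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(("CHECK" if reasons else "  -  "), entry.kind, f"[{entry.name}]", entry.target)
        for r in reasons:
            print("        ", r)
```

Run it as-is and the five entries chaslang had fixed that the heuristics can see (the hsremove.com start page, the unnamed BHO, aaaqc.exe by bare name, m?config.exe, and oant.exe under Application Data) come out marked CHECK; the two bare R0/O4 resets and the known-bad-by-name entries do not, which is the point: a heuristic pass narrows the list, it does not replace knowing what the names mean.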
  8. kidzkilnputer

    kidzkilnputer Private E-2

    Thanks for the reply. I'll try to explain what I mean about the running list of drivers. When I press the F8 key to bring up the safe mode selection screen, I am able to choose safe mode. After I hit enter it doesn't go into safe mode. Instead I get a black screen and a list that includes this line in every line of the list.....
    multi(0)disk(0)rdisk(0)Partition(1)Windows\system32\32\Drivers\ after the drivers portion of the line the word is different in each line. There are about 35 lines, each with a different ending. Then it goes back to the black screen saying Windows did not load properly and again I choose the safe mode option and the same thing happens. I did this about 10 times in a row and nothing changes. If I don't choose any option Windows loads normally. I don't see any error message.

    I did another scan with panda this morning (very time consuming) and it still shows 23 infected items but it cannot fix them.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should post your problem with booting in safe mode in the Software Forum. Sounds like you may have some files missing or corrupted.

    Did you complete the steps in my previous message?

    It is always more helpful to be specific about problems......what is Panda finding? What virus and what files?
     
  10. kidzkilnputer

    kidzkilnputer Private E-2

    I will post my safe mode problem on the other board, thanks. So far I have followed all your instructions in previous messages. Here is what my panda log says. I have tried to manually delete using windows explorer but am unable to remove a few. I will post which ones have been removed.

    Incident Status Location

    Possible Virus. No disinfected C:\Documents and Settings\Default\Application Data\oant.exe (was able to remove)
    Possible Virus. No disinfected C:\DOCUME~1\Default\APPLIC~1\oant.exe (not removed yet having trouble finding)
    Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe (was able to remove)
    Adware:Adware/nCase No disinfected C:\WINDOWS\system32\saie_*.dat (was able to remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles (not removed)
    Adware:Adware/Apropos No disinfected C:\WINDOWS\cxtpls_loader.exe (was able to remove)
    Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Bundles (not able to remove)
    Adware:Adware/Coupons No disinfected Windows Registry (not removed)
    Possible Virus. No disinfected C:\Documents and Settings\Default\Application Data\oant.exe (was able to remove)
    Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Default\Application Data\tvmknwrd.dll (was able to remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\2504041019.exe (was able to remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\adv0ltc0m.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\bs5-vwqouc.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\CSV7P070.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\james_dh.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\optimizejames.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\runsearch.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\s4Sept.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\setup_silent_26221.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\snackman.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\stlb2_seed.exe (cannot remove)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\vl_ezstub.exe (cannot remove)
    Adware:Adware/Coupons No disinfected C:\WINDOWS\cpbrkpie.ocx (removed)
    Adware:Adware/Apropos No disinfected C:\WINDOWS\cxtpls_loader.exe (removed)
    Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe (removed)
    Adware:Adware/nCase No disinfected C:\WINDOWS\system32\saieau.dat (removed)
    Adware:Adware/nCase No disinfected C:\WINDOWS\system32\saie_kyf.dat (removed)
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin (removed)

    The items that are in the windows\bundles folder will not let me remove them. When I select each item the computer freezes up and tells me the program is not responding when I try to close the window.
     
  11. metavian

    metavian Private E-2

    I have run into an issue like this recently and have found only one solution. Webroot Spy Sweeper seems to be one of the only spyware sweepers mean enough to deal with some of these pests.. even then sometimes that isn't enough. You can download it from

    Edit by chaslang: Offsite link deleted! Spy Sweeper is available for download from MGs. Please do not post offsite links for items available here.

    I hope this helps
     
    Last edited by a moderator: May 3, 2005
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It will be difficult to remove some of these since you cannot boot into safe mode. So we will use a tool to delete them on reboot. But first I need you to make sure you have some options set properly. So double check the below settings.

    Right Click Start.
    Select Explore
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    Tell me if you had all of those set as given above.

    Now download: Pocket KillBox

    And extract it to its own folder.
    Double-click killbox.exe on your desktop. Select the option "Delete on reboot".
    Now highlight and 'copy' the entire list of filepaths below:

    C:\DOCUME~1\Default\APPLIC~1\oant.exe
    C:\WINDOWS\bundles\adv0ltc0m.exe
    C:\WINDOWS\bundles\bs5-vwqouc.exe
    C:\WINDOWS\bundles\CSV7P070.exe
    C:\WINDOWS\bundles\james_dh.exe
    C:\WINDOWS\bundles\optimizejames.exe
    C:\WINDOWS\bundles\runsearch.exe
    C:\WINDOWS\bundles\s4Sept.exe
    C:\WINDOWS\bundles\setup_silent_26221.exe
    C:\WINDOWS\bundles\snackman.exe
    C:\WINDOWS\bundles\stlb2_seed.exe
    C:\WINDOWS\bundles\vl_ezstub.exe

    Open 'file' in the killbox menu at the top and choose 'Paste from clipboard'

    Now you will see, this is pasted in the "Full Path of File to Delete"-field.
    There's a little arrow (dropdown-arrow) next to that field.
    If you expand it, these lines should be there together!

    Then press the red button with a white X in it.
    Killbox will tell you that all listed files will be deleted on next reboot.
    Click YES

    When it asks if you would like to Reboot now, click YES
    If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

    Now after reboot double check with Panda and then tell me the results of the above.



     
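The "Delete on reboot" option in the post above works because Windows lets a program ask for a file to be deleted before anything can open it at the next boot: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request as (source, destination) string pairs in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, with an empty destination meaning "delete", and the Session Manager applies the list early in the next boot. The block below is an added example, not Pocket KillBox's code: it builds that value for the paths queued in the post, encodes and decodes the REG_MULTI_SZ layout, and shows why an entry count that is no longer even (or a value that is gone) means the queued deletes will not happen, which is the situation the "removed by external process" message reports. The Windows call is guarded so the encoding logic can be checked on any platform; on Windows it must run from an Administrator account.

```python
import ctypes
import sys

# Added example, not KillBox's code. The flag value and the \??\ prefix are the
# documented kernel32 / Session Manager conventions; everything else is assumed.
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
NT_PREFIX = "\\??\\"

# Sample input: three of the paths queued in the post above.
SAMPLE_PATHS = [
    r"C:\DOCUME~1\Default\APPLIC~1\oant.exe",
    r"C:\WINDOWS\bundles\adv0ltc0m.exe",
    r"C:\WINDOWS\bundles\snackman.exe",
]


def pending_delete_entries(paths) -> list:
    """String list for PendingFileRenameOperations that deletes each path."""
    entries = []
    for p in paths:
        entries.append(NT_PREFIX + p)  # source, in \??\C:\... form
        entries.append("")             # empty destination = delete at boot
    return entries


def encode_multi_sz(strings) -> bytes:
    """REG_MULTI_SZ: each string NUL-terminated, then one more NUL, as UTF-16LE."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> list:
    """Inverse of encode_multi_sz; keeps empty strings, since they carry meaning here."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]               # list terminator
    if not text:
        return []
    parts = text.split("\x00")
    if text.endswith("\x00"):
        parts.pop()                    # empty element after the last string terminator
    return parts


def pair_up(entries) -> list:
    """Group a decoded value into (source, destination) pairs. An odd count means
    the value was cut short; like a value that has vanished, nothing queued in it
    can be relied on to run at the next boot and the request must be queued again."""
    if len(entries) % 2:
        raise ValueError("odd number of strings: PendingFileRenameOperations is truncated")
    return [(entries[i], entries[i + 1]) for i in range(0, len(entries), 2)]


def queue_delete_on_reboot(paths) -> list:
    """On Windows (as Administrator) ask kernel32 to queue the deletes; on any
    platform return the entries the registry value will contain."""
    entries = pending_delete_entries(paths)
    if sys.platform == "win32":
        k32 = ctypes.windll.kernel32
        for p in paths:
            if not k32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
                raise ctypes.WinError()
    return entries


if __name__ == "__main__":
    value = encode_multi_sz(queue_delete_on_reboot(SAMPLE_PATHS))
    for src, dst in pair_up(decode_multi_sz(value)):
        print("delete at boot:" if dst == "" else f"rename to {dst}:", src)
```

Two practical notes. First, the value is shared: any other tool that writes it carelessly (or an installer that replaces it with its own rename) silently drops what KillBox queued, so re-reading and pairing the value just before rebooting is the cheap way to confirm the deletes are still pending. Second, the 8.3 form C:\DOCUME~1\... from the Panda report and the long form under C:\Documents and Settings name the same file; queueing both is harmless, since the second delete simply finds nothing.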
  13. kidzkilnputer

    kidzkilnputer Private E-2

    I have all the options set to the specifications you asked about. I didn't need to change any. I downloaded and used KillBox, then I rescanned with Panda. Here is my new log of items Panda found in today's scan. Thanks again!!!
    Incident Status Location

    Adware:Adware/eZula No disinfected Windows Registry
    Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles
    Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Bundles
    Adware:Adware/Coupons No disinfected Windows Registry
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now see if you can delete the folder: C:\WINDOWS\bundles

    Please download, install, and update: Spy Sweeper
    Then run a full scan with Spy Sweeper and fix what it finds. Post the log from Spy Sweeper as an attachment. Now boot into safe mode and run Spy Sweeper again. Save the log again. Reboot in normal mode and post both SpySweeper logs.
     
  15. kidzkilnputer

    kidzkilnputer Private E-2

    I have deleted the C:\WINDOWS\bundles folder. I downloaded and ran Spy Sweeper. You had asked me to boot into safe mode and rescan after the first scan, but I'm still unable to get into safe mode. So I rescanned in normal mode the second time as well. Here is a copy of both logs; they are in 1 file because I forgot to save the file after the first scan. I think I may actually be clean now!! :D THANKS!!
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

