I think I have spyware... again!

Discussion in 'Malware Help (A Specialist Will Reply)' started by abbyg, Mar 7, 2005.

Thread Status:
Not open for further replies.
  1. abbyg

    abbyg Private E-2

    Hello MajorGeek friends! I think that once again, I may be having a bit of a spyware problem. It sort of goes on and off, but my computer is not as fast as it once was and so I think there must be something on there. I followed the instructions on Major Attitude's "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal" yesterday and I thought things were better, but I still keep getting these pop-up things that say, "Warning! You may have critical errors on your PC!" How nice of the spyware people to tell me I have spyware! Anyway, I am sure you are familiar with the pop-up - it says, "This wizard will help you improve the performance of your PC by removing critical system errors which may cause frequent application crashes, instability or slow computer speeds. To continue by scanning your computer for critical errors, click 'Next' below."

    This might not be the only pop-up I receive, but they are generally along the same lines. Anyway, could you please help me?!? I would appreciate it so much!!!

    Oh, secondly, I have Kazaa on my computer and I just downloaded K-Lite (again). I realize these are both evil, but is there a way to delete Kazaa (so I only have K-Lite) without deleting all of my music? I am afraid to delete it, because back in the days of Morpheus, I deleted it (Morpheus) and all of my music files went with it! I would be so sad without my music on my computer (and there is so much of it that it is not easily replaceable)! Thanks so much guys!

    Abby
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. abbyg

    abbyg Private E-2

    Ok, here is the HJT log file! Thanks!

    Abby
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    The first thing that jumps out at me is your Operating System is WAY outdated. This is most of your problem because you have no protection. After we get your system clean I would recommend your updating to Windows XP Service Pack 2 for security purposes.

    Second:

    Now,

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Media Pass

    AutoUpdate

    CxtPls

    NewDotNet Domains



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    MediaPass.exe

    MediaPassK.exe

    AutoUpdate.exe

    hpslib32.exe

    htusrtp.exe

    CxtPls.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    Are you familiar with these 2 lines? If so, don't remove these.

    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [r85V36R] htusrtp.exe
    O4 - HKCU\..\Run: [azu9RWdpR] hpslib32.exe

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net

    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Media Pass ←–– Delete this whole folder if it exists!

    C:\Program Files\AutoUpdate ←–– Delete this whole folder if it exists!

    C:\Program Files\CxtPls ←–– Delete this whole folder if it exists!

    C:\Program Files\NewDotNet ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\hpslib32.exe

    C:\WINDOWS\System32\htusrtp.exe


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Note: Once Spybot S&D has loaded, select Mode from the menu. Select Advanced Mode and click YES to continue. Now select Settings on the left menu. Locate and select Ignore Products. In the "All Products" tab, search for New.net and uncheck it. Now, click Mode again and select Default Mode. Now click on Search & Destroy and do your scan.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck! :)
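
Added illustration, not part of the thread and not code from HijackThis or MajorGeeks: the fix list in the post above follows HijackThis's line shape, a section code, " - ", then the entry. This sketch groups a subset of those lines by section and picks out O4 Run values whose command names no directory, which here are the two files the post has deleted from System32; the "no path" rule and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# A subset of the fix list quoted in the post above, copied verbatim.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r85V36R] htusrtp.exe
O4 - HKCU\..\Run: [azu9RWdpR] hpslib32.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
"""

# HijackThis line shape: "<section code> - <entry>". Codes seen in this thread:
# R0 IE start/search page, O2 Browser Helper Object, O4 autostart entry,
# O10 Winsock hijack, O16 ActiveX download (DPF).
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry form: "HKLM\..\Run: [value name] command line"
RUN = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_log(text):
    """Group log entries by section code, ignoring lines that are not entries."""
    by_code = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            by_code[m["code"]].append(m["body"])
    return dict(by_code)

def run_entries(by_code):
    """Split each O4 registry entry into hive, key, value name and command."""
    return [m.groupdict() for m in map(RUN.match, by_code.get("O4", [])) if m]

def pathless_autostarts(entries):
    """Heuristic assumed for this example (not HijackThis logic): a Run command
    with no directory anywhere in it relies on the search path to be found."""
    return [e for e in entries if "\\" not in e["cmd"] and "/" not in e["cmd"]]

if __name__ == "__main__":
    sections = parse_log(SAMPLE_LOG)
    for code, bodies in sections.items():
        print(f"{code}: {len(bodies)} entr{'y' if len(bodies) == 1 else 'ies'}")
    for e in pathless_autostarts(run_entries(sections)):
        print(f"review: {e['hive']} {e['key']} [{e['name']}] -> {e['cmd']}")
```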
     
  5. abbyg

    abbyg Private E-2

    Ok, I did all of that. The only problem I had was when I did the scan with Spybot in Safe Mode. It said that it could not remove New.net. Otherwise, everything went perfectly! Attached is the HJT log file!

    Abby
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Again, I will point out that your Operating System is WAY outdated. This is most of your problem because you have no protection while browsing. I would now recommend your updating to Windows XP Service Pack 2 for security purposes.

    That log is clean! :)


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.



    Are you currently experiencing any further problems?
     
  7. abbyg

    abbyg Private E-2

    Bjgarrick,

    I am not currently experiencing any problems that I have noticed. Thank you SO much for your help! There is only one thing I meant to mention in my last post, but forgot to. I had somebody at my college fix my computer about a year and a half ago and they decided for whatever reason to install Windows XP over my operating system at the time (it was Windows ME then) and so now I can't install any of the new service packs or anything, because it is an illegal version of it. This is very annoying and I do not know what to do, particularly, because I don't have the money to purchase XP or the need at the moment since I already have it, technically. I don't know what to do about that.

    Additionally, do you have any thoughts on my question from before about Kazaa? Thanks again so much! You're a life saver!

    Abby
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Regarding your WindowsXP situation, the only thing I can suggest as a Microsoft Certified Professional is to purchase a legitimate copy and reinstall so that you can have Windows XP Service Pack 2. Without a Service Pack you will continue to have infections and problems as you're not protected while browsing the web. However, if you can't afford WindowsXP which is approx. $99.99 for WinXP Home Upgrade you can always go back to WinME bad as I hate to say that. If you stay like you are, you will have problems because you're not protected.

    Regarding Kazaa, I would completely do without it period! If you must have it then I would recommend backing up my music and going into Add/Remove programs to get rid of it completely then reinstalling K-Lite.



    You should also see this article on How to Protect yourself from malware!
     
  9. abbyg

    abbyg Private E-2

    There is one thing that keeps happening when I reboot my computer and it is quite annoying. A window pops up that says, "An attempt to change Internet Explorer settings has been detected. Warning! Your IE search page has been changed! Your Internet Explorer current user page has been changed from http://www.google.com to http://www.microsoft.com/isapi/redir.dll?prd=iear=iesearch. What would you like to do?" Then there are buttons for "Restore old value" and "Keep new value". It says that it is a spywareguard browser protection alert. If I click on "Restore old value," it keeps popping back up a few more times. Anyway, I forgot to mention that before too.

    I believe that is all. I will save my money for XP so I can have the service packs and all that and I will clean the Kazaa stuff off as well. Thanks again for your help!

    Abby
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome Abby!

    That's normal for the search page; you can just accept and it should go away.

    Let me know!
     
  11. AbbySue

    AbbySue MajorGeeks Administrator

    Bj...I need to caution you on how you are wording some of your posts especially where newer users and/or users who are not computer savvy are concerned. First, the statement about being an MCP doesn't add any weight to your statements at all, if anything it reflects poorly on you especially for those of us who know only too well that any Tom, Dick or Harry who gets noticed simply because they have replied to a lot of posts can get that 'title', and that complete accuracy of answers doesn't even enter into it.

    Secondly, the way in which you suggest SP2 will resolve issues with infections and problems is misleading. While most of us know that getting security fixes/patches is VERY important for any OS the upgrade does not offer any guarantees..even with the upgrade users can continue to have infections and problems if they don't practice safe computing and have the necessary protections in place.

    A better way to direct users toward getting not only a legitimate copy of XP but toward getting the upgrades would be to simply address the legalities and benefits of it but to also direct them to this thread within the same area of the post.

    Your help here is much appreciated but you would do yourself a favor and those who come here for help if you toned things down a bit and are more careful to give complete answers that are not misleading to users.

    Thank you!
    AbbySue
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I added the MCP because I'm a partner with Microsoft and do NOT support illegal software. That's why I said this!

    Service Pack 2 would help this user a LOT as they do not have a Service Pack, I did not SAY it would keep you safe I said it would HELP!

    My help is NOT appreciated here, I have been bitched at by everybody in here for some reason. EVERYONE in here does the same thing and says the same things I do.

    WE ARE ALL IN THIS TOGETHER, TO HELP USERS!

    :mad:
     
  13. AbbySue

    AbbySue MajorGeeks Administrator

    Bj...you just don't get it do you? Saying you're an MCP doesn't carry any weight despite your definition of it. To simply answer a question accurately and completely without the chest-thumping DOES carry weight. No one has attacked you or resorted to profanity like you have. This forum is about helping people and complete accuracy is essential..everyone makes mistakes...even you but you have a problem admitting or acknowledging that you are human and not perfect when it comes to computer issues. You need to get over it and be a team player to be an effective helper here...that's all there is to it and that is all we have asked of you.

    If someone corrects you on something it is not an attack, it's to help you in helping others. This forum evolved due to chas's hard work and dedication in fighting malware and he has worked his butt off for everyone here...it IS necessary for him to not only share his expertise but as moderator, along with PP to step in when things have been overlooked, wrong directions are given or when the wording of a simple sentence is misleading as was the case again here. Specific details are critical in this forum.

    No one is perfect and no one here expects perfection however we do expect people that want to help be able to take a little constructive criticism or corrections in a manner that will benefit all, as a learning experience to be embraced not to turn it into something it's not as is your habit.
     