Infected with ridiculous spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mango927, Mar 15, 2005.

  1. Mango927

    Mango927 Private E-2

    Hello, I have been looking at this site for a while now and I figured it's time to register and get personal help.

    I have often tried to get rid of spyware when it gets to a ridiculous amount on other computers, but usually end up reformatting. I would like to avoid having to do this in the future, but for now I want to deal with this computer.

    I have followed most of the steps in the "How to: Spyware, Trojan And Virus Removal". I have downloaded all the necessary programs and made the appropriate adjustments to my computer (i.e. system restore, hidden files, etc.).

    However, I have had a problem with step 1. I have tried to do online scans with "Trend Micro"; however, when it gets near the end of the scan, it freezes, and I haven't been able to complete that scan. I haven't tried the Java version yet, as I would have to get out of safe mode to install, and then go back and try again. I did get the "Symantec Check" to work though.

    I have completed steps 2, 3, and 4 correctly and completely, plus a scan with Norton. I have not tried "Hijack This" yet, but I think that may be my only hope left.

    I didn't bother trying the alternative scans because when I boot up into Normal mode again, it is still evident that there is spyware left. I have also closed startup programs via msconfig, however, it seems most of the spyware starts on startup.

    So, I am requesting the help of the knowledgeable, since I am in over my head.

    I'm assuming hijack this is my only option left. Please let me know if there are any steps I should do before this and if there is anything else I need to do before running hijack.

    Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please stop using msconfig (put it back to Normal Startup). We need to see everything to get to the heart of problems. Then do the below. Make sure you follow those steps properly.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Mango927

    Mango927 Private E-2

    Thank you for the help. Attached is the scan log.

    By the way, where are you from in north Jersey?
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! After we get your current problems resolved, you must get your system updated at Microsoft Update. You are way out of date.

    Why is some of your Norton/Symantec antivirus application running from the C drive and some running from the D drive? Why would you install it like this?

    Please go to Control Panel, Add/Remove programs and uninstall the below if found:
    Web Offer
    Toolbar

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\winupdt.exe
    C:\WINDOWS\System32\uspverif.exe
    C:\WINDOWS\System32\wintask.exe
    C:\WINDOWS\system\jnqfg.exe
    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [073S34X] uspverif.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07fd890db1e87f84f903/netzip/RdxIE601.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    c:\WINDOWS\System32\AUNPS2.DLL
    C:\WINDOWS\System32\winupdt.exe
    C:\WINDOWS\System32\uspverif.exe
    C:\WINDOWS\System32\wintask.exe
    C:\WINDOWS\system\jnqfg.exe
    C:\WINDOWS\System32\EZPOPS~1.EXE

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. Mango927

    Mango927 Private E-2

    Hello, yes, my Windows is out of date; that needs to be upgraded.

    Some of my Norton/Symantec stuff is on my C and D drive because a long time ago, I thought that if I installed Norton on the D drive and had to reformat my C drive, I wouldn't have to reinstall Norton. I forget if that worked or not, but nevertheless, that's why it is installed like that.

    Anyway, I completed the hijack instructions and it seems to have helped a little; however, there is still much spyware and I am bombarded when I boot back up into normal mode. To me, it seems impossible to get all of the spyware recognized in the hijack, since the spyware is random and doesn't all take effect immediately after startup. But I'm not very knowledgeable on the subject and we'll see what happens, and I guess it takes multiple tries.

    Nevertheless, attached is my new hijack log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have that much malware on your PC! Yes, there are a few things still there. At least one I asked you to uninstall: WebOffer. Did you use Add/Remove Programs to uninstall this?

    You should also look for ezula in Add/Remove programs. Do this now!

    Some of your problems with stuff coming back are due to the outdated OS and no firewall running.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What kind of connection to the internet do you have (dial-up, cable, or DSL)?

    Please download, install and update (but do not run a scan yet): Microsoft® Windows AntiSpyware

    Then boot into safe mode and run a scan with MS Antispyware. This should remove a few of the nasties.

    Then reboot in normal mode and post a new HJT log.

    Where have you been surfing since last here, and what did you download and install? I now see Wild Tangent, which was not here before.
     
  8. Mango927

    Mango927 Private E-2

    Sounds good to me. And after all this is done, I am going to read the firewall tutorial, since I have tried them in the past but didn't know what I was doing.

    As for now, both WebOffer and ezula are not in my Add/Remove Programs list.

    And I am running on Comcast cable internet.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After the MS Antispyware is complete, follow the steps in the below link. This will get your Windows OS updated and a firewall in place. When you go to Windows Update do not select Express Install! Only select Custom Install and install all updates except Win XP SP2. You must not install that while you have malware problems.
     
  10. Mango927

    Mango927 Private E-2

    I have downloaded and used MSA in safe mode.

    I haven't really been surfing anything since my last posts, just comcast.net, which is my home page, and Yahoo Sports. WildTangent was on my computer before, but probably didn't show up in hijack, because it was probably removed in an Ad-Aware or Spybot scan, which I assume may be the same case for other spyware/malware.

    As of right now, I booted into normal mode again and there are some pop-ups that come up.

    Attached is my updated log.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll be looking at your log soon. But I just noticed I forgot to give you a link in my last message. Here is where I wanted you to go to get updates and a firewall etc.:

    How to Protect yourself from malware!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also run this while waiting: EliteToolbar Remover

    Let me know what it tells you!

    Did you run MS Antispyware in safe mode and did you update it before running?
    What version do you have and what version are the reference files?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Do you know what C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe and BMan1.exe are? If not, just remove them as my steps indicate below. If you do know what they are for and use them, tell me and ignore the steps mentioning them below.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
    C:\WINDOWS\System32\Kcntsi.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
    C:\WINDOWS\System32\dpcecr40.exe
    C:\WINDOWS\system\jnqfg.exe
    C:\WINDOWS\System32\ctwiext.exe
    C:\WINDOWS\System32\sysmonnt.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R3 - Default URLSearchHook is missing
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [pcojqu] c:\windows\system32\pcojqu.exe
    O4 - HKLM\..\Run: [jz2iq2nk] C:\Program Files\jz2iq2nk\jz2iq2nk.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Kcntsi.exe
    O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msdioo.exe
    O4 - HKLM\..\Run: [073S34X] dpcecr40.exe
    O4 - HKCU\..\Run: [Hws2RQb4l] ctwiext.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mscgdc.dll

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WildTangent <--- the whole folder
    C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
    C:\Documents and Settings\All Users\Application Data\msw\BMan.exe <--- in fact remove the whole msw folder
    C:\Program Files\jz2iq2nk <-- the whole folder
    C:\WINDOWS\isrvs <--- delete each file in this folder and then remove the folder.
    c:\windows\system32\pcojqu.exe
    C:\WINDOWS\System32\Kcntsi.exe
    C:\WINDOWS\System32\dpcecr40.exe
    C:\WINDOWS\system\jnqfg.exe
    C:\WINDOWS\System32\ctwiext.exe
    C:\WINDOWS\System32\sysmonnt.exe
    C:\WINDOWS\System32\msdioo.exe
    C:\WINDOWS\System32\mscgdc.dll

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
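The expert's replies in posts 4 and 13 follow one pattern: read the HijackThis R/O2/O4/O18 lines, work out which file each one loads, kill the running executables, tick and Fix the lines, then delete the files from safe mode. The script below is an added example (not code from this thread, from MajorGeeks or from HijackThis) that parses those log lines and derives the same three lists. Its one inference is taken from the expert's own delete lists and is an assumption: a bare file name in an O4 entry (`uspverif.exe`, `AUNPS2.DLL`) is resolved under `C:\WINDOWS\System32`, and a name with no extension (`sysmonnt`) is treated as `sysmonnt.exe`. Function names, the `Entry` dataclass and the unquoted-path-with-spaces heuristic in `EXE_EXT` are this example's own; the sample lines are copied from the two logs quoted in the thread.

```python
"""Parse HijackThis log lines into the kill / fix / delete plan the expert in this
thread works out by hand.  Added example, not code from the thread, MajorGeeks or
HijackThis.  Assumption (from the expert's delete lists): a bare file name in an O4
entry lives in C:\WINDOWS\System32; a name without extension runs as <name>.exe."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSTEM32 = r"C:\WINDOWS\System32"  # assumed location of bare file names

@dataclass
class Entry:
    section: str                # R0, R1, R3, O2, O4, O18 ...
    raw: str                    # the log line as written (what you tick in HJT)
    name: str = ""              # [name] of an O4 entry, value name, or CLSID
    command: str = ""           # registry value / command line
    loader: str = "none"        # O4 only: direct | rundll32 | del
    path: Optional[str] = None  # local file the entry points at, if any

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
R_RE = re.compile(r"^(R[01]) - (HKLM|HKCU)\\([^,]+),([^=]+?) =\s*(.*)$")
EXE_EXT = re.compile(r"^(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s,]|$)", re.I)

def _first_target(arg: str) -> str:
    """Leading file reference of a command: quoted, bare, or unquoted path with spaces."""
    arg = arg.strip()
    if arg.startswith('"'):
        return arg[1:].split('"', 1)[0]
    first = re.split(r"[\s,]", arg, maxsplit=1)[0]
    if "\\" not in first:  # bare name: uspverif.exe, RUNDLL32, AUNPS2.DLL
        return first
    m = EXE_EXT.match(arg)  # unquoted path with spaces: stop at first .exe/.dll
    return m.group(1) if m else first

def _normalize(target: str) -> str:
    if "\\" not in target:  # no directory given -> assume System32 (see docstring)
        target = ntpath.join(SYSTEM32, target)
    if not ntpath.splitext(target)[1]:  # "...\sysmonnt" is launched as sysmonnt.exe
        target += ".exe"
    return target

def resolve_o4(command: str) -> Tuple[str, Optional[str]]:
    """Classify an O4 command line and return (loader, on-disk path)."""
    c = command.strip()
    head = _first_target(c)
    rest = c[len(head) + (2 if c.startswith('"') else 0):].strip()
    if ntpath.basename(head).lower() in ("rundll32", "rundll32.exe"):
        return "rundll32", _normalize(_first_target(rest))  # the DLL is the payload
    if rest.lower().startswith("/c del "):
        return "del", _normalize(rest[7:].strip().strip('"'))  # RunOnce self-delete
    return "direct", _normalize(head)

def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if " - " not in line:
        return None  # header, blank or non-entry line
    section, rest = line.split(" - ", 1)
    e = Entry(section=section, raw=line, command=rest)
    if m := O4_RE.match(line):
        e.name, e.command = m.group(3), m.group(4)
        e.loader, e.path = resolve_o4(e.command)
    elif m := O2_RE.match(line):
        e.name, e.command = m.group(2), m.group(3)
        e.path = None if e.command == "(no file)" else e.command
    elif m := O18_RE.match(line):
        e.name, e.command, e.path = m.group(2), m.group(3), m.group(3)
    elif m := R_RE.match(line):
        e.name, e.command = m.group(4), m.group(5)  # URL / value: nothing to delete
    return e

def remediation_plan(lines: List[str]) -> Dict[str, List[str]]:
    """Stages in the order the expert gives them: kill running executables, tick and
    Fix every line in HJT, then delete the files from safe mode.  DLLs loaded by
    rundll32, as BHOs or as filters are not processes, so they are deleted, not killed."""
    entries = [e for e in map(parse_line, lines) if e]
    kill = [e.path for e in entries if e.section == "O4" and e.loader == "direct"
            and e.path and e.path.lower().endswith(".exe")]
    delete: List[str] = []
    for e in entries:
        if e.path and e.path.lower() not in (d.lower() for d in delete):
            delete.append(e.path)
    return {"fix": [e.raw for e in entries], "kill": kill, "delete": delete}

# Lines copied from the two HJT logs the expert quotes in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [073S34X] uspverif.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [jz2iq2nk] C:\Program Files\jz2iq2nk\jz2iq2nk.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mscgdc.dll
"""

if __name__ == "__main__":
    for stage, items in remediation_plan(SAMPLE_LOG.strip().splitlines()).items():
        print(stage, *items, sep="\n  ")
```

Run it as a script and it prints the three lists; feed it a real log with `remediation_plan(open(path).read().splitlines())`. Note how the plan reproduces the expert's own distinctions: `AUNPS2.DLL` and `cdaEngine0400.dll` show up only under `delete`, because a DLL run through rundll32 has no process of its own to kill, and the `Command /c del` RunOnce entry is a self-cleanup whose target file is deleted but never launched. Every entry, including `(no file)` BHOs and the R3 line, still lands in `fix`, since the registry value needs removing whether or not a file exists.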
     
  14. Mango927

    Mango927 Private E-2

    I have done the steps, and things seem to be working a little better each time I have followed your instructions. However, at times it has gotten crazy and I've had to delete processes through the Task Manager. And some of the items I have been instructed to delete have not been there, and I think that is because I killed those processes through Task Manager. Nevertheless, it is a little better and here is my updated log.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I asked you to kill the processes using the process manager in HijackThis! You need to follow the steps we give you. They are meant to be executed in a particular order and in a timely fashion to make sure we get all pieces of the infection.

    You must remember to exit all browsers before you use HijackThis. You have the below running:
    C:\Program Files\Mozilla Firefox\firefox.exe

    You still have some problems! Please tell me what version of Microsoft Antispyware you are running and what version are the spyware definitions that you have.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system\jnqfg.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyei32.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system\jnqfg.exe
    C:\windows\system32\eliteyei32.exe
    C:\WINDOWS\isrvs\desktop.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file. Let me know if you cannot find these files or cannot delete them.

    Empty your Recycle Bin and go to C:\Windows\Prefetch and delete all files in the Prefetch folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    While in safe mode run a full system scan with Microsoft Antispyware.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  16. Mango927

    Mango927 Private E-2

    I only used Task Manager because when I would boot up into normal mode, a couple of times the pop-ups were overwhelming and it prevented me from doing anything, as in it would have been difficult, if possible at all, to run HijackThis. Nevertheless, this time I just let it be and ran HijackThis.

    I am running Microsoft AntiSpyware Version: 1.0.509. It is also the Beta 1 version. The definitions are version 5699.

    Things seem to be running much better; however, sometimes it takes time for the spyware to take effect. I would have a better analysis if I left the computer for an hour to see what comes up. Regardless, here is my updated hijack log.

    Also, I don't know what BMan or BMan1 is, and it has only shown up recently. I think it was adware and proceeded to delete it as instructed.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you having any problems locating and deleting the below:

    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyei32.exe

    It seems to keep coming back. Fix the line with HJT. Reboot to safe mode and delete the file.
    You must tell me the results of this. Do you find the file? Does it delete? Does it not delete? etc.

    We need to get your system updated with Microsoft's updates; you are way out of date. You also must install a firewall. You should start reading and following all the steps in the below thread (do not get Win XP SP2 yet though; use Custom Install instead of Express Install and unselect Win XP SP2):

    How to Protect yourself from malware!
     
  18. Mango927

    Mango927 Private E-2

    Everything seems to be fixed, and I greatly appreciate your help. There were several Elite files including "eliteyei32.exe". However, I used hijack to kill the process and Norton actually killed them all when I went looking for them in normal mode. I checked again in safe mode to see if they were there and they weren't.

    Windows is currently updated except for SP2, which as you directed I will wait to do. I will proceed to your tutorial about understanding firewalls. I had ZoneAlarm on my other computer, but I don't know how to use it properly.

    My Windows is updated and I completed all the steps and have all the necessary programs from the protecting yourself from malware and removing spyware tutorials.

    The only thing I'm not on top of is the firewall. On my other computer I had BlackICE for a while last year and didn't know how to use it. And I also recently had ZoneAlarm on my other computer, but I don't know how to use it. Like I said, I will have to consult the "understanding firewalls" tutorial.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So there are no more of those lines like eliteyei32.exe appearing in your HJT log? Right?

    Most firewalls just install and work to some level as a default. They will ask you permission to allow programs to have access to and from your computer. You have to decide which ones should have access and which should not. This is typically not that hard. You should not leave a firewall off of your system while learning. Install it and learn it while using it. Without a firewall you will become infected again.

    You also have to set up/define your network to the firewall (router information etc.) if you have a network.
     
  20. Mango927

    Mango927 Private E-2

    Correct, there are no more eliteyei32.exe files or the like appearing in my hijack log.

    And I'm glad to hear that firewalls aren't too difficult. However, could you post the understanding firewalls tutorial anyway? Thank you.

    Also, when should I:
    a) turn System Restore back on, and
    b) install SP2 for XP?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If all your malware is gone, enable system restore now. Also it would be a good idea to upgrade to SP2 now while you are clean.

    What firewall tutorial are you referring to? This is the Spyware Forum and while we constantly do make use of and tell users they must have a firewall, we do not have a comprehensive firewall tutorial. There have been a few threads here and there where the topic came up and was discussed a little. You would have to search for them to find them. You could try searching the Internet. Perhaps these links would help somewhat (some of these can get complex):

    http://www.vicomsoft.com/knowledge/reference/firewalls1.html
    http://csg.trinhall.cam.ac.uk/tips/firewall
    http://www.cyber.ust.hk/handbook4/hb4main.html

    The firewall software you decide to use more than likely has help files too.
    There is a Networking and a Software Forum here on MG's too. That topic would be better discussed in one of those forums.
     
  22. Mango927

    Mango927 Private E-2

    I don't know, I thought I saw a link somewhere on the site that was a firewall guide or tutorial. But I'll be fine anyway. I will look in the forums, and thank you for the links.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! If you need more help on malware, just ask. If you run into firewall config problems, try the Networking and Software Forums first. If that does not help, come back here.
     
