loading the web adware/spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by sportsman, Apr 28, 2005.

  1. sportsman

    sportsman Private E-2

    hi friends, can u please help me to sort out the problem i am facing...
    while i browse the net internet explorer pops up and goes to loadingtheweb.com/..... and loads sites as it likes like party poker, and also with my notice desktop icons like spyware removal, virus attacker, dating, poker icons appear on the desktop. when i run microsoft anti spyware and adware the result shows ezula, isearch websearch and all this stuff. i hope someone has already started a thread similar to this but i just wanted to make sure that i am going in the right direction.. i hope some of u friends will help me out.
    my sys specifications.. op sys windows xp home
    web browser is internet explorer

    thanking you
     
  2. sportsman

    sportsman Private E-2

    i did all the steps mentioned to be done before posting but it just starts from somewhere. every time with new attitude. please guys help me from this. it has been 2 days since i was fighting with this. i can't waste any more time. please. or suggest the thread which is similar to this
     
  3. sportsman

    sportsman Private E-2

    now i am unable to connect to internet.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  5. sportsman

    sportsman Private E-2

    hi bjgarrick i am presently unable to connect to net bec these spywares did something to my sys. as soon as i am done with that i will post the hijack this file. thanks for ur help
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting your log!
     
  7. sportsman

    sportsman Private E-2

    thanks for ur patience.. i am attaching the hijack this file. waiting for ur reply on this
     

    Attached Files:

  8. sportsman

    sportsman Private E-2

    hi daaa i think experts r busy now so when can i expect the result guys. thanks
     
  9. sportsman

    sportsman Private E-2

    ok guys anyone from major geek i am sorry i am going to bed now, i will check early in the morning. but there is no response yet for my hijack this file so if u check it i will respond for that early in the morning
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please be patient, we are very busy here in the Spyware Forum. Keep in mind we volunteer our time to help users in here. We drop in every now and then when time permits. We have real jobs that come first!

    You have many problems in this log! Let's take them one at a time.

    PLEASE MAKE SURE YOU DISABLE SYSTEM RESTORE!

    First:
    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the winlspak.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move winlspak.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file winlspak.dll is already in the remove section, then just click FINISH.)

    Second:
    Download and run the following removal tool:
    Third:
    Please download the following items:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    DO NOT USE ANY OF THESE TOOLS UNTIL TOLD TO!

    Fourth:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log with a fresh HJT log.

    Please don't run any other files in the L2MFix folder.
     
  11. sportsman

    sportsman Private E-2

    hi bjgarrick i am sorry if i hurt ur feelings,
    ok here are the steps which i followed according to ur suggestion...
    first i downloaded the lsp-fix and ran it but i could not find winlspak.dll file either in keep or remove section so i did not go any further in that step.

    second
    downloaded the file as u said and ran it but no virus found after full scan

    THIRD
    downloaded all the files from the links given by u.

    FOURTH
    Ran l2MEfix accordingly.

    and attached are the log file and new hijack this file. thanks for ur help again.
     

    Attached Files:

  12. sportsman

    sportsman Private E-2

    hi major geeks, actually winlspak.dll file was the one which made me not connect to net yesterday, i found the soln from microsoft web site and cleared it. i don't know if it still exists, it overwrote my tcp/ip protocol and did not allow me to connect. but with the commands given by microsoft i got through it somehow for the time being. But now i am just looking forward for ur help in removing every adware and spyware from my pc.
    thanks
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    nsvsvc

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    nsvsvc.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe

    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

    O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com and https
    O15 - Trusted Zone: http://download.windowsupdate.com

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\nsvsvc <-- Delete this whole folder if it exists!

    C:\WINDOWS\system32\n20050308.exe

    C:\WINDOWS\wweb32.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.

    Also, do the following:
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  14. sportsman

    sportsman Private E-2

    hi bjgarrick nice to see u back again,
    here are the findings..
    first nsvsvc32.exe is the process running not nsvsvc.exe in my process but i stopped nsvsvc32 as well.
    this nsvsvc file could not be seen even if show all hidden folder is activated but i found on search and deleted, but the size deleted shows 0 kb, but in search it showed more.
    ccleanup is done and all the other things asked were done as well. here i am attaching the req files. i think this j?vaw.exe is the thing causing all this stuff. bec once i saw this javaw running in my start up without my notice and is adding all the applets like install.class insecureclass something like this..
    I checked my process before posting u this. nsvsvc32.exe again started running.
    looking for ur reply
    thanks
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, however your other log isn't. Let's take care of these last few problems.

    First:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!
    Second:
    Reboot into Safe Mode with the viewing of hidden files and folders enabled per the tutorial.

    C:\WINDOWS\System32\picsvr <-- Delete the whole folder!

    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\j?vaw.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Reboot and post one last log from the Generic Detection Tool!
     
  16. sportsman

    sportsman Private E-2

    hi bjgarrick, done accordingly. actually from the previous step itself my pc is running smoothly so far. i hope it will continue to work like this. thanks very much for ur help. ur a genius man solving problems to so many people so easily. god bless u. i am attaching my output file. i hope everything is fine. this j?vaw.exe is still present. even though i did what u said but the program reported that the file has already been removed by external process. if anything happens i will report u back. thanking u again.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file info.bat and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the info.bat file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) a text file will open, attach this log to your next post.
     
  18. sportsman

    sportsman Private E-2

    hi bjgarrick attached is the notepad file u asked for. i hope this will solve the problem. it seems to. thanks for ur help
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!

    Now, navigate to the folder C:\WINDOWS\System32

    Keep in mind there is a legitimate file javaw.exe in this directory. Make sure you have hidden files and folders enabled. Also, be sure you have show hidden system files unchecked as well.

    Now, find the file javaw.exe and check the properties. One will be part of the Java(TM) 2 Platform Standard Edition and one will be the baddie.

    Also, check "View Details" and delete the file that has the date 03/28/2005 10:01 AM

    Let me know how this goes, if you're not sure ask before you delete it.
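
    Added example, not part of the thread and not a MajorGeeks tool: one way to spot a look-alike such as the second javaw.exe is to fold each file name in a directory listing to a plain-ASCII "skeleton" and report non-ASCII names that collide with an ASCII one. The thread shows the impostor only as j?vaw.exe, so the Cyrillic letter in the sample listing, the small CONFUSABLES table and the function names are assumptions made for illustration.

```python
import unicodedata

# Hand-picked subset of look-alike letters (assumption: a real check would use
# the full Unicode confusables data, which is much larger than this table).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def skeleton(name):
    """Fold a file name to the ASCII form a user would read it as."""
    decomposed = unicodedata.normalize("NFKD", name)
    # Drop combining marks so accented letters compare equal to plain ones.
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Windows file names are case-insensitive, so compare case-folded.
    return "".join(CONFUSABLES.get(c, c) for c in stripped.casefold())

def find_lookalikes(listing):
    """Return (suspect, ascii_twin, odd_characters) for colliding names."""
    groups = {}
    for name in listing:
        groups.setdefault(skeleton(name), []).append(name)
    findings = []
    for names in groups.values():
        plain = [n for n in names if n.isascii()]
        for suspect in (n for n in names if not n.isascii()):
            if plain:  # only report when an ASCII twin sits beside it
                odd = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                       for c in suspect if not c.isascii()]
                findings.append((suspect, plain[0], odd))
    return findings

# Constructed sample listing; the second entry uses a Cyrillic "a".
SAMPLE = ["javaw.exe", "j\u0430vaw.exe", "java.exe", "notepad.exe", "caf\u00e9.txt"]

if __name__ == "__main__":
    for suspect, twin, odd in find_lookalikes(SAMPLE):
        print(f"{suspect!a} imitates {twin}: {', '.join(odd)}")
```

    Printing the name with its code points (the `!a` conversion) matters because the two names render identically in Explorer and in most terminals.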
     
  20. sportsman

    sportsman Private E-2

    thanks bjgarrick for ur help. thank u very much. yeah there r two javaw.exe files. one is the java one and the other one has a diff format like it doesn't look like general .exe files. it looks something like 3 block structure written FMC on it. i deleted it from the system files. i hope this will solve the problem. i will come back to u if system starts to behave badly again. i hope i will leave u free for some time. thanks very much again
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach one last HJT log to confirm everything is clean.
     
  22. sportsman

    sportsman Private E-2

    hjt log file attached
     

    Attached Files:

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I see MANY new infections in this new log. What's up with this?

    How did you get all of this again?
     
  24. sportsman

    sportsman Private E-2

    i think probably due to some activex controls getting loaded without my notice. i just ran spybot and removed some. i will run it again and then a hijack this and attach that for u. sorry for that. thanks
     
  25. sportsman

    sportsman Private E-2

    hi bjgarrick i hope this new hjt file attached is much better than the previous one. please check it.
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That log is clean!

    Before you get any more infections, please follow all of the steps in this sticky thread. Let me know if you have any further problems.


    How to Protect yourself from malware!
     
  27. sportsman

    sportsman Private E-2

    thanks very much for ur help man, i will definitely contact u if i get any problems with this spyware/adware. i had followed all the steps u specified in the how to protect urself from malware article. thanks again for ur help.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
