Major spyware (need help bad..)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by coldcell, May 6, 2005.

  1. coldcell

    coldcell Private First Class

    Around 15 shortcuts appear on my desktop every time I turn on my PC; even after I delete them, they just come back.

    At the bottom right of my screen, I see an (X)-like sign saying "Your computer has been infected, click here to remove them" and the like.

    My desktop wallpaper has changed into "Security Warning" bla bla bla with the blue screen and white letters (the usual one). I tried to go to Display, but all I can change are resolution and screen saver.

    I'm at a loss on what to do... please help me.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    Also you should right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.

    There has been a load of these problems lately. Search your PC for files named desktop.html, wp.exe, wp.bmp and let me know if you find them. desktop.html is typically in c:\windows\web and wp.exe and wp.bmp have been found in the root of drive C which is c:\

    Now do the following: Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. coldcell

    coldcell Private First Class

    First of all, I want to say thank you for replying.

    I downloaded the spyware tools, etc. and ran them, and indeed, my PC is infected with Trojans.. around 4-5 apparently. However, none of the solutions worked.

    The reason I can't change anything on my desktop is because when I go to Properties, there are only two tabs: the Screen Saver tab and the Display tab. But for some reason, all the tabs are back now.. so I changed my wallpaper to normal.

    I searched my PC for desktop.html, wp.exe, wp.bmp but found none, though at the wallpaper selection, I can detect "wp".

    Here is my log file :
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you merge the item into the registry as requested?

    You need to go to Add/Remove programs and uninstall Messenger Plus! 3. It can add a variety of malware problems (including LOP) to your PC.

    Now download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet.

    Now reboot into safe mode with no network support, make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds.

    Now reboot into normal mode.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\bsw.exe
    c:\windows\system32\mntlwkqu.exe
    c:\windows\system32\calc.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [mntlwkqu] c:\windows\system32\mntlwkqu.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {C47A6AFD-2BB9-4B74-9131-6421C6697447} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C47A6AFD-2BB9-4B74-9131-6421C6697447} - (no file) (HKCU)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\farmmext.exe
    c:\windows\system32\mntlwkqu.exe
    c:\bsw.exe


    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.



    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.



    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
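The HijackThis lines quoted in this thread follow a fixed text layout (R0/R1 registry values, O2 BHOs, O4 Run keys, O9 IE buttons), so a first pass over a log can be automated. The script below is an added example written for this page, not code from HijackThis, MajorGeeks or the thread's participants. It parses the lines posted above (embedded as constructed sample input) and applies a few defender-side triage rules: an IE start page pointing at an external URL, autostart binaries sitting in the drive root or with machine-generated-looking names (a heuristic that will produce false positives and only prioritises review), BHOs outside Program Files, and orphaned entries whose target file is gone. The rule set and thresholds are this example's own assumptions, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: HijackThis lines quoted in the thread (posts 4 and 8),
# embedded here so the script runs offline with no log file present.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0229/
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [mntlwkqu] c:\windows\system32\mntlwkqu.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {C47A6AFD-2BB9-4B74-9131-6421C6697447} - (no file) (HKCU)
"""

# Line shapes as they appear in HJT 1.99 logs (assumed from the quoted lines).
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_ITEM_RE = re.compile(
    r"^(?P<kind>BHO|Extra button|Extra 'Tools' menuitem): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
REG_VALUE_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
EXE_PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd|dll))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O4"
    line: str    # the original log line
    reason: str  # why a human should look at it


def exe_path(cmd: str) -> str:
    """Strip arguments from an autostart command, keeping the (possibly quoted) image path."""
    m = EXE_PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def in_drive_root(path: str) -> bool:
    """True for paths like c:\\bsw.exe: a file directly under the drive letter."""
    return bool(re.match(r"^[A-Za-z]:\\[^\\]+$", path.replace("/", "\\")))


def vowel_ratio(stem: str) -> float:
    """Share of vowels among letters; random-looking names such as mntlwkqu score low."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c in "aeiouy" for c in letters) / len(letters)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should look at first, with a reason each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            r = REG_VALUE_RE.match(body)
            if r and re.match(r"^https?://", r.group("data"), re.IGNORECASE):
                findings.append(Finding(code, line, "IE default points at an external URL; confirm you chose it"))
        elif code == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            path = exe_path(r.group("cmd"))
            stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if in_drive_root(path):
                findings.append(Finding(code, line, "autostart binary sits in the drive root"))
            elif len(stem) >= 6 and vowel_ratio(stem) < 0.3:
                findings.append(Finding(code, line, "autostart name looks machine-generated (heuristic)"))
        elif code in ("O2", "O9"):
            r = CLSID_ITEM_RE.match(body)
            if not r:
                continue
            target = r.group("target")
            if "(file missing)" in target or "(no file)" in target:
                findings.append(Finding(code, line, "orphaned entry: registered target no longer exists"))
            elif code == "O2" and "program files" not in target.lower():
                findings.append(Finding(code, line, "BHO loaded from outside Program Files; verify publisher"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Entries the rules do not flag (the `R1 ... Search Bar = about:blank` line, the `R3` line) still deserve a look in a real log; the point of the script is ordering, not a verdict.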
  5. coldcell

    coldcell Private First Class

    Hello,

    I stopped doing the steps because I couldn't find some of the things you mentioned. I added the registry file you requested.

    First of all, mntlwkqu.exe and calc.exe seem to be missing now.. I'm pretty sure I saw them before in Task Manager.

    Secondly, I'm missing these in the HijackThis scan:

    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [mntlwkqu] c:\windows\system32\mntlwkqu.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe


    My homepage seems to be defaulted to:

    http://www.specialgoods.info/ad/ad0229/pharmacy.html

    I'm going to post a new log file for reference. And.. thanks for the help. I really appreciate it.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is basically clean but I have to ask about the below:

    C:\sysreset\mirc.exe

    Did you install mIRC? It was not on your system in the previous HJT log. This does not look like the folder it should normally be installed into.
     
  7. coldcell

    coldcell Private First Class

    Previously I did a log just after starting my PC. This time round I was having a file transfer, so I didn't close mIRC. The "sysreset" is another kind of mIRC, but with the ability to share files.

    Like you said, the log is basically clean. I ran the spyware, norton, etc again and found nothing wrong. But I'm still having the same trouble :(

    My homepage is defaulted to something along "specialgoods.info"
    Every 2-3 min, my browser will automatically go to another "specialgoods.info" page. Numerous shortcuts keep coming to my desktop even after I delete them.

    In safe mode, these symptoms still occur; the only difference is the web page won't load (no networking).

    I'm not even sure what's wrong with my PC :mad:
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I misunderstood you earlier. I thought you wanted your home page defaulted to specialgoods.

    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0229/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank


    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell me how things are working.
     
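The HOSTER step above works because a hijacked hosts file can silently redirect or blackhole names before any browser or updater sees DNS, and "Restore Original Hosts" simply replaces the file with one containing only the localhost mapping. The script below is an added example for this page, not part of HOSTER or of the thread, showing the check a defender can run before deciding whether a restore is needed. It parses a constructed hosts file (the non-localhost entries and the `.example` domain names are made up for illustration) and rates each extra mapping: overriding a security-vendor or update host is treated as high severity, a redirect to a routable address as medium, and a blackhole of an ordinary name as informational, since ad-blocking lists legitimately look like that. The severity scheme and the protected-suffix list are this example's assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file. Everything below the two localhost lines is
# made up to illustrate what a hijacked file can contain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# (constructed sample, not a real file)
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.security-vendor.example   # blocks the AV updater
192.0.2.10      www.search-engine.example            # redirects a search site
0.0.0.0         ads.tracker.example                  # user's own ad block
"""

# Names that a stock hosts file maps to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed list of domain suffixes whose override is never benign on a
# home PC (a real deployment would list the actual vendor/update domains).
PROTECTED_SUFFIXES = ("security-vendor.example", "windowsupdate.example")


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [names]) pairs, ignoring comments, blank lines and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, skip the line
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_sink(ip: str) -> bool:
    """Loopback (127.x, ::1) or unspecified (0.0.0.0) addresses blackhole a name."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """List every mapping that is not part of a stock hosts file, with a severity."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name in DEFAULT_NAMES and is_sink(ip):
                continue  # the stock localhost entry
            if name.endswith(PROTECTED_SUFFIXES):
                findings.append((ip, name, "high: security/update host overridden"))
            elif not is_sink(ip):
                findings.append((ip, name, "medium: host redirected to " + ip))
            else:
                findings.append((ip, name, "info: host blackholed"))
    return findings


def is_stock_hosts(text: str) -> bool:
    """True when only the default localhost mappings remain, i.e. what a restore produces."""
    return not audit_hosts(text)


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\system32\drivers\etc\hosts;
    # read it with open(...) and pass the text in place of the sample.
    for ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:45s} {ip:15s} {name}")
    print("stock file:", is_stock_hosts(SAMPLE_HOSTS))
```

Run against the real file, any "high" line is a reason to restore, while "info" lines should be matched against the user's own ad-block list before they are removed.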
  9. coldcell

    coldcell Private First Class

    Still not working. I notice that when I scan using HJT, this always appears:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0229/

    I tried clicking "Fix" 4 times but this keeps on appearing. My homepage is also defaulted to that no matter what I do.

    The screen shot I'm posting is the icon that appears even in safe mode. It would refer me to antispy.specialgoods.info or the extension of it.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode and look for the below files. Delete if found:

    C:\windows\system32\param32.dll
    C:\windows\system32\popup_bl.dll


    Did you run Stinger during the cleanup procedures?

    Try running the below in normal boot mode:

    Bitdefender
    RavAntivirus <-- select Auto Clean then click Scan My PC
    TrojanScan
    avast! Virus Cleaner Tool

    Let me know if they find anything and what/where.
     
  11. coldcell

    coldcell Private First Class

    I deleted popup_bl.dll, but I can't get rid of param32.dll even though I was in Safe Mode.

    Bitdefender identified Trojan.Downloader.Agent.Na at C:\WINDOWS\system32\wldr.dll

    C:\WINDOWS\system32\param32.dll - TrojanDownloader:Win32/Small.ABG -> Suspicious

    That's all the results of the scan.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you or did BitDefender delete the C:\WINDOWS\system32\wldr.dll file? I'll add to my list below.

    Boot into safe mode to do the below:

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u c:\windows\system32\wldr.dll

    then click OK. If a dialog box confirming this action appears, click OK. If you get an error message, just OK out of it and continue.

    Repeat the above to unregister:
    c:\windows\system32\systr.dll
    c:\windows\system32\intlmain.dll
    c:\windows\system32\param32.dll

    Now while in safe mode delete the following if found (let me know what you find):
    c:\windows\system32\wldr.dll
    c:\windows\system32\systr.dll
    c:\windows\system32\intlmain.dll
    c:\windows\system32\param32.dll
    c:\windows\protector28.exe or c:\windows\system32\protector28.exe
    c:\windows\fxiegwfr.exe or c:\windows\system32\fxiegwfr.exe

    If you cannot delete any of the above files, try renaming them so that the DLLs are all .ddd and the EXEs are all .xxx. For example:

    systr.dll ---> systr.ddd
    fxiegwfr.exe ---> fxiegwfr.xxx

    Then reboot in normal mode and post a new HJT log and let me know the results.
     
  13. coldcell

    coldcell Private First Class

    I tried unregistering param32.dll, but it failed.

    I found param32.dll but unable to delete it (In use), so I just renamed it to param32.ddd

    As for the others, I did not find any of the .dll (thankfully)

    The program only tells me that C:\WINDOWS\system32\wldr.dll exists; I did nothing to delete it. So if it's gone, I think it must have been the program that deleted it.

    On another note, I noticed something strange. Sometimes when I run HijackThis just for the sake of it, I find this:

    C:\RECYCLER\NPROTECT\00548765.exe

    Sometimes it's there, but other times it's not. I have no idea if it's spyware.

    Here's my latest log.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So after renaming param32.dll to param32.ddd and rebooting, can you now delete the param32.ddd file? Also make sure the param32.dll file did not come back.

    Did you check to see if C:\WINDOWS\system32\wldr.dll does exist? Delete or rename if found?

    C:\RECYCLER\NPROTECT is your recycle bin being protected by Norton. I do not use this program but there is probably some way to tell it to dump all items in the Recycle Bin.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Run MS Antispyware and click on Advanced Tools (the gears on the top right of the window)
    - Select System Tools
    - Select the Internet Explorer ---> IE Settings item in the left window pane
    - Now on the bottom click Restore all IE default settings
    - Now click in the window on the item labeled Start Page
    - Now on the bottom right click Changer URL/page
    - In the window that comes up enter www.majorgeeks.com (please use this for now - you can change it to whatever you want later after we get all problems fixed) then click OK.

    Now exit the MS Antispyware application and get a new HJT log and post it.
    If the http://www.specialgoods.info/ad/ad0229/ item is gone, reboot your PC and check another log. Is it still gone?
     
  16. coldcell

    coldcell Private First Class

    Sorry for the late reply..

    After renaming param32.ddd, I was able to delete it thankfully. As for the wldr.dll, I searched for it but it's gone now.

    I did the steps using Antispyware, and it works!!!! *HURRAY!*
    When I restarted my PC, MS Antispyware detected something was trying to change the default page to specialgoods.info; obviously I blocked it. That solved the problem ^^

    I'll post the new log.

    I'm very very thankful for all the help you have given me.. this site is awesome!
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.

    Are you still getting messages about specialgoods.info trying to change your start page?

    Please look for the below files and let me know if you see them (note: yes some are repeats of what I had you look for already. Just check again.)

    c:\windows\system32\param32.dll
    c:\windows\system32\guninst.exe
    c:\windows\system32\popup_bl.dll
    c:\windows\system32\systr.dll
    c:\windows\system32\svrhost.exe <--- be careful!!! This is not svchost.exe
     
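The warning about svrhost.exe versus svchost.exe points at a general trick: malware picks an image name one or two characters away from a core Windows binary, or reuses the real name from a directory where that binary never runs, so that a glance at Task Manager shows nothing odd. The script below is an added example for this page (not from the thread or from any of the tools it mentions) that checks a process listing for both patterns. It carries a small table of well-known system binaries and the directory each belongs in on a default Windows XP install, computes edit distance for unknown names, and flags known names that run from elsewhere. The process list is constructed: svrhost.exe comes from the post above, the other suspicious rows are made up, and the lookalike threshold of two edits is this example's assumption.

```python
import ntpath
from typing import List, Optional, Tuple

# Core Windows binaries and the only directory each should run from on a
# default XP install (lowercased for comparison).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed process listing (image name, full path). svrhost.exe is the
# name warned about in the thread; the scvhost.exe and misplaced lsass.exe
# rows are made up to show the two detection patterns.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("svrhost.exe", r"C:\WINDOWS\system32\svrhost.exe"),
    ("scvhost.exe", r"C:\scvhost.exe"),
    ("lsass.exe", r"C:\DOCUME~1\USER\LOCALS~1\Temp\lsass.exe"),
]

LOOKALIKE_MAX_EDITS = 2  # assumed threshold; 1 catches substitutions, 2 also swaps


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_process(name: str, path: str) -> Optional[str]:
    """Return a reason string if the process looks suspicious, else None."""
    name_l = name.lower()
    # ntpath handles backslash paths regardless of the host OS running this script
    dir_l = ntpath.dirname(path).lower().rstrip("\\")
    if name_l in KNOWN_SYSTEM_BINARIES:
        expected = KNOWN_SYSTEM_BINARIES[name_l]
        if dir_l != expected:
            return f"known system name running from unexpected location (expected {expected})"
        return None
    stem = name_l.rsplit(".", 1)[0]
    for known in KNOWN_SYSTEM_BINARIES:
        d = edit_distance(stem, known.rsplit(".", 1)[0])
        if 0 < d <= LOOKALIKE_MAX_EDITS:
            return f"name is a lookalike of {known} (edit distance {d})"
    return None


def audit_processes(procs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply check_process to a whole listing, keeping only the flagged rows."""
    flagged = []
    for name, path in procs:
        reason = check_process(name, path)
        if reason:
            flagged.append((name, path, reason))
    return flagged


if __name__ == "__main__":
    for name, path, reason in audit_processes(SAMPLE_PROCESSES):
        print(f"{name:14s} {reason}\n    {path}")
```

A real listing can be fed in from Task Manager's export or from HijackThis's process manager; a known name in the wrong directory is the stronger signal, since lookalike scoring on short names will occasionally match a harmless third-party tool.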
