PC Keeps Getting Invaded by SPYWARE

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by soupdogg, Mar 11, 2005.

  1. soupdogg

    soupdogg Private E-2

    I ran a Spybot Search and Destroy and Ad-Aware SE last night and had 0 problems. I wake up this morning and immediately upon start up some pop up for amateur gay pictures or some garbage comes on my screen. After just about puking I closed it. Then when I opened up Internet Explorer I found I had been hijacked by about 15 different spyware progs. I ended up cleaning everything, 0 threats, and when I restarted my computer that little popup came up again and same story only more spyware this time. So I did a more thorough clean to make sure I got rid of everything and had disconnected my internet. Everything seemed to be fine and almost as soon as I plugged my internet back in boom up comes that popup. I cleaned everything almost the same and hectically went through regedit deleting things that looked suspicious. I removed everything. Plugged back in to the internet and no pop up. I was working on my computer for about 4 hours when suddenly it started working really hard. I had installed Microsoft AntiSpyware which is supposed to block all malicious code from affecting your computer. It gave me a message saying Xact Bargain Buddy was trying to install blah blah so I get rid of it and do a scan and all of a sudden I have 30 diff spyware progs. Everything from 180solutions to coolsearch to webrebates. It's a bloody mess. I had all this spyware come up about a week ago. I ended up backing up all important files and doing a total system restore to all original settings. I am at my wits' end with this bloody spyware. If anyone can help me please please help me. My only guess is I have some sort of trojan or something somewhere that nothing I have is recognizing and it lays dormant until I connect to the internet. I hope one of you guys can help me. I'm a newbie member so please be nice.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. soupdogg

    soupdogg Private E-2

    Well I did everything on your list.
    I was unable to do a Trend Micro scan.
    Symantec came back clean.
    Stinger came back clean.
    Ran CCleaner.
    446 items on Ad-Aware, I'm not typing them all.
    Spybot had 44.
    Ran Spybot again on startup because some couldn't be removed,
    i.e. Elitum.Elitebar
    DyFuCa.Internet Optimizer
    IsearchTech.SideFind
    n-Case
    I removed all the registry keys manually that Spybot said it could remove.
    I still have a pile of crap in my Add/Remove Programs.
    I pretty much have this HijackThis log file memorized and could clean it myself but am posting it for suggestions.
    I'm making sure I have all Windows updates right now.
    If someone can help me that would be great.


    Edit by chaslang: Inline log attached
     


    Last edited by a moderator: Mar 12, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you forgot one step:

    Is this your complete log? No editing?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run these additional steps:

    Give this a run: http://securityresponse.symantec.com/avcenter/FxIstbar.exe

    Read about the removal tool here:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html


    - Please download and install Microsoft® Windows AntiSpyware
    - Make sure you upgrade it to the latest definitions. Do not run the scan when asked!
    - Then boot into safe mode and run a full system scan.
    - Then reboot in normal and report back what it finds and fixes and does not fix too.
    - Post a new HJT log (as an attachment this time please)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well in order to keep you moving along, I'm not going to wait for the results of my previous message. After completing my previous message, it is possible that some of the below may already be fixed and will no longer appear in your log.

    Go to Add/Remove Programs and look for uninstalls for the below and uninstall if found:
    Media Access
    Delfin Media Viewer Adware


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\slserver.exe
    C:\WINDOWS\System32\mikejones.exe
    C:\WINDOWS\sixtypopsix.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\WINDOWS\jiusjwv.exe
    C:\WINDOWS\System32\50cent.exe
    C:\WINDOWS\System32\abasa5jrp.exe
    C:\Program Files\Media Access\MediaAccess.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Z8dFiW.exe
    C:\Program Files\ISTsvc\istsvc.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [NAV Auto Updates] slserver.exe
    O4 - HKLM\..\Run: [start extracting] mikejones.exe
    O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [4VZWsdBN] C:\WINDOWS\jiusjwv.exe
    O4 - HKLM\..\Run: [Windows Media Player] 50cent.exe
    O4 - HKLM\..\Run: [lldhita] c:\windows\system32\lldhita.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [NAV Auto Updates] slserver.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] 50cent.exe
    O4 - HKLM\..\RunServices: [start extracting] mikejones.exe
    O4 - HKCU\..\Run: [NAV Auto Updates] slserver.exe
    O4 - HKCU\..\Run: [start extracting] mikejones.exe
    O4 - HKCU\..\Run: [Windows Media Player] 50cent.exe
    O4 - HKCU\..\RunServices: [start extracting] mikejones.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\wsxsvc <--- the whole folder
    C:\Program Files\ISTsvc <--- the whole folder
    C:\Program Files\Media Access <--- the whole folder
    C:\WINDOWS\System32\slserver.exe
    C:\WINDOWS\System32\mikejones.exe
    C:\WINDOWS\sixtypopsix.exe
    C:\WINDOWS\jiusjwv.exe
    C:\WINDOWS\System32\50cent.exe
    c:\windows\system32\lldhita.exe
    C:\WINDOWS\System32\abasa5jrp.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Z8dFiW.exe <--- delete all files and subfolders in this Temp folder that it allows you to delete.

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now run CCleaner, which you installed while running the READ ME. On the Windows tab leave the default settings and select Run Cleaner. Do not run any other options.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
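    A small triage script for the two HJT entry types this post walks through (O4 Run/RunServices entries and O15 Trusted Zone lines), added here as an illustration; it is not part of the thread and not HijackThis code. The sample lines are constructed from the entries quoted above, and the heuristics (bare filenames, Temp-folder paths, digit-laden names, display names that borrow a product name) are this example's own assumptions, meant to explain why those lines stood out, not to replace a specialist's review.

```python
import re

# Constructed sample in HijackThis 1.99 log format: the kinds of O4/O15 lines
# this post walks through, plus one ordinary ctfmon entry for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NAV Auto Updates] slserver.exe
O4 - HKLM\\..\\Run: [4VZWsdBN] C:\\WINDOWS\\jiusjwv.exe
O4 - HKLM\\..\\RunServices: [Windows Media Player] 50cent.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Dropped] C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\Z8dFiW.exe
O15 - Trusted Zone: *.media-motor.net
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")

def reasons_for_o4(name, cmd):
    """Heuristics (this example's assumptions, not HJT logic) for one O4 entry."""
    why = []
    exe = cmd.split("\\")[-1].strip('"').lower()
    stem = exe.rsplit(".", 1)[0]
    if "\\" not in cmd:
        why.append("bare filename: no path, so which file actually loads is not pinned down")
    if re.search(r"\\(temp|locals~1)\\", cmd, re.I):
        why.append("runs from a Temp folder, where installed software does not live")
    if re.search(r"\d", name) or re.search(r"\d", stem):
        why.append("letter/digit soup in the name, typical of generated file names")
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 3]
    if len(tokens) >= 2 and not any(t in stem for t in tokens):
        why.append("display name borrows a product name unrelated to the executable")
    return why

def triage(log_text):
    """Return {log line: [reasons]} for every O4/O15 line worth a second look."""
    flagged = {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            why = reasons_for_o4(m["name"], m["cmd"])
        elif m := O15_RE.match(line):
            why = ["site in IE Trusted Zone: content from %s runs with relaxed security" % m["zone"]]
        else:
            why = []
        if why:
            flagged[line] = why
    return flagged

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line, why)
```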
     
  7. soupdogg

    soupdogg Private E-2

    Sorry about the delay in reply, takes a long time to do these damn scans.

    Microsoft AntiSpyware found and removed
    Windupdates
    Ist.lstbar
    ist.xxxtoolbar

    It ignored a bunch of files labelled () and wouldn't remove them,
    mostly files found in the system32 folder:
    furoa.exe, furol.exe, furom.exe, furop.exe, buddy.exe, elitfbr32.exe, elitexij32.exe,
    gegmgg.exe, hockkeod3.exe, qun4mkbu9.dll and a few I can't read my notes for.

    Also I can't figure out how to attach my log file.

    I see you have uploaded a step for me to do so I will do that.

    Also as I started typing this my Microsoft AntiSpyware is telling me that ist.istbar browser modifier is trying to install. I hit remove and 5 seconds later it happens again.

    Let me know how to attach that file and I will go on with your steps.

    thanks
     
  8. soupdogg

    soupdogg Private E-2

    Ok I followed your last steps

    C:\WINDOWS\System32\wsxsvc <--- the whole folder (not there)
    C:\Program Files\ISTsvc <--- the whole folder (not there)
    C:\Program Files\Media Access <--- the whole folder(not there)
    C:\WINDOWS\System32\slserver.exe (deleted)
    C:\WINDOWS\System32\mikejones.exe (deleted)
    C:\WINDOWS\sixtypopsix.exe(deleted)
    C:\WINDOWS\jiusjwv.exe(deleted)
    C:\WINDOWS\System32\50cent.exe(deleted)
    c:\windows\system32\lldhita.exe(not there)
    C:\WINDOWS\System32\abasa5jrp.exe(deleted)
    C:\Documents and Settings\Owner\Local Settings\Temp\Z8dFiW.exe <--- delete all files and subfolders in this Temp folder that it allows you to delete. (deleted folder)

    I have attached my hjthis log.

    Everything seems to be ok for now.

    How do I make sure this never happens again? It feels like I got raped or something.

    Do I need to download Windows Service Pack 2?

    If I run Ad-Aware, Spybot and Microsoft Antivirus should that keep me safe?

    Let me know what you think of this and how you think this shat happened.

    Once again thanks. Nice to know there's good people out there to fight this fight against the idiots who invented this spyware shat.

    peas
     


  9. soupdogg

    soupdogg Private E-2

    I know I'm probably annoying the hell out of you but I attached a screen shot with the listing of those files Microsoft Antivirus chose to ignore and won't do anything else with them. How can I remove these? Just by deleting them in safe mode?

    Let me know please.

    Peas
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Your HJT log is clean. You should try running MS AntiSpyware after booting in safe mode. See if that helps to allow it to fix some of the problems it found. Otherwise you should try fixing them by hand.

    See the below to help you avoid future problems.
    How to Protect yourself from malware!
     
  11. macman

    macman Private E-2

    Do yourself a favor. Get a Mac. Or run Linux on your PC. It's the only chance you've got at keeping the spyware off your machine. And for God's sake, stop using IE. Switch to Firefox.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Posts like this are not going to help the user resolve their current problems. And not everyone has the option to get a Mac or wants the complications of running and administering a Linux OS. Let alone having to learn a new OS.

    Also, if you read our sticky threads (including the one posted in my last message), you will already see that we recommend using Firefox.

    I'm online doing more surfing than most people, and I have never had a malware problem! That's right, never! If you properly update, protect with the proper software, and watch where you surf and what you click on and say yes to, your chances of getting infected are significantly lower. In addition, while I do have and use Firefox, I primarily use IE and still have no problems. I use IE because most people do. So I use it to be more familiar with problems others may experience.
     
    Last edited: Mar 18, 2005
