Persistent CWS_TINYO problems deleting with SpySweeper

Discussion in 'Malware Help (A Specialist Will Reply)' started by Model N Man, Mar 23, 2005.

  1. Model N Man

    Model N Man Private E-2

    I have run spysweeper many times and each time it tells me I have CWS_TINYO running in memory and says it will clean it if I desire. I check in the affirmative and it is unsuccessful in deleting it. I also have other messages, such as "detected AIRCITY running" and spysweeper tells me how to delete it and I follow the instructions and it fails to delete.

    I have run the process in the Tutorial on your site twice and all the various programs seem to be successful, but the offending spyware seems to regenerate or is not deleted.

    I have run various on-line scans and they seem to find many pieces of software that they say they can delete if I purchase the software. I have purchased SpySweeper and Norton and a pop-up blocker and I would expect them to be able to do this.

    Is there anything I can do with this problem or must I format and reload all my software?

    I also have many problems with IE...such as about.blank and my homepage changing to some porn site frequently......

    I have also tried to delete E2Give by using the software removal routine in Control Center but it will not delete....I am using WindowsXP

    I hope I have given enough info for someone to help...

    I have downloaded Hijack this and can supply a log file if that will help but I didn't want to run it until someone thinks it is a good idea.... :mad: :mad:
     
  2. PhilliePhan

    PhilliePhan Guest

    If you have exhausted all other options, then go ahead and send us a FRESH HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will take a look as time permits.

    PP :)
     
  3. Model N Man

    Model N Man Private E-2

    OK, I have attached the Hijackthis log.............
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Model N Man,

    It looks like you have a nasty About : Blank issue to deal with. Also your XP is waaaaay out of date! Immediately AFTER we get you fixed up, you MUST go to Windows Updates and get updated!!

    Please download the following tools. You should already have a couple of them from the Cleanup Tutorial:

    Pocket KillBox

    About : Buster

    CCleaner



    NOW:
    Read through the instructions below to familiarize yourself with the procedure. You will need to follow these instructions very carefully, or this baddie will come right back. Note that, if you have since rebooted, some of the file names may be different!!

    **** NOTE: If you cannot use Windows Explorer to delete the files as instructed below, try Pocket KillBox.

    Please run about:Buster and make sure you have UPDATED the database - I believe it is up to number 25. Just do that. DO NOT RUN a scan right now. After that you can exit About:Buster.



    FIRST:
    Please print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Look in Add or Remove Programs and Uninstall E2Give, if found.


    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    aircity.exe
    winwd.exe
    iepo.exe
    aircity.exe


    After killing all the above processes, click "Back".
    Then, please scan with HijackThis and check the boxes for the following entries. DO NOT CLICK FIX until you make sure you have exited all browser sessions including the one you are reading right now! (DO NOT OPEN ANOTHER BROWSER UNTIL DIRECTED TO DO SO):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ubuct.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ubuct.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ubuct.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ubuct.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ubuct.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ubuct.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ubuct.dll/sp.html#12345

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {2597913B-6769-4339-0A99-627E4D34AB9A} - C:\WINDOWS\system32\netbg32.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

    O4 - HKLM\..\Run: [iepo.exe] C:\WINDOWS\iepo.exe
    O4 - HKCU\..\Run: [aircity] C:\WINDOWS\System32\aircity.exe
    O4 - HKCU\..\RunOnce: [aircity] C:\WINDOWS\System32\aircity.exe

    O15 - Trusted Zone: *.media-motor.net

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

    O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winwd.exe
    O23 - Service: Win32 USB2 Driver (Microsoft Config) - Unknown owner - C:\WINDOWS\System32\svchosting.exe" -netsvcs (file missing)

    Click FIX and then Exit HijackThis.

    NEXT:

    Run Windows Explorer and look for and try to delete the following (sort the listing in Windows Explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others):

    C:\WINDOWS\ubuct.dll
    C:\WINDOWS\system32\winwd.exe
    C:\WINDOWS\System32\aircity.exe
    C:\WINDOWS\System32\svchosting.exe
    C:\WINDOWS\iepo.exe
    C:\Program Files\E2G ---> The Folder
    C:\WINDOWS\system32\netbg32.dll

    If you get an error when deleting a file, RightClick on the file and check to see if the “read only” attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue with the instructions (tell me the results when you post back). We will be repeating an attempted deletion after booting in safe mode later in these steps.

    NOW:
    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that, wait a few minutes and then power up into Safe Mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Repeat the attempted file deletions given above while in safe mode. Note and tell me later which ones cannot be deleted or found (if already deleted earlier and not found now, that is okay).

    - Empty your Recycle Bin. In fact, as an additional measure, run CCleaner, which you installed while running the READ ME FIRST.

    Now, Reset your Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.

    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    NEXT:
    - Run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log.


    Let me know how things went and whether you ran into any trouble with the above instructions. As I mentioned at the start, the filenames might have changed, and we may have to give it another try.
    I will try to check back when I get some free time - Very busy these days!

    Best Luck :)
    PP
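A small triage script for the HijackThis log format quoted in the instructions above, added here as an example (it is not part of the thread or of HijackThis itself). It applies rule-of-thumb checks mirroring what PhilliePhan picked out (res:// search-page redirects into a local DLL, unnamed or file-missing BHOs, Run/RunOnce autostarts, Trusted Zone additions, services with an unknown owner) and collects the on-disk files those entries point at. The sample lines are copied from the post; the classification rules and the `classify`/`triage` names are my assumptions, not HijackThis's own logic.

```python
"""Triage a HijackThis (HJT) log: flag the entry types fixed in the thread and
collect the files they point at. Added example; rules are assumptions."""
import re

# Constructed sample: HJT lines copied from the post above (service name shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ubuct.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2597913B-6769-4339-0A99-627E4D34AB9A} - C:\WINDOWS\system32\netbg32.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\Run: [iepo.exe] C:\WINDOWS\iepo.exe
O4 - HKCU\..\RunOnce: [aircity] C:\WINDOWS\System32\aircity.exe
O15 - Trusted Zone: *.media-motor.net
O23 - Service: Workstation NetLogon Service (11F) - Unknown owner - C:\WINDOWS\system32\winwd.exe
O23 - Service: Win32 USB2 Driver (Microsoft Config) - Unknown owner - C:\WINDOWS\System32\svchosting.exe" -netsvcs (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First Windows path ending in .dll/.exe; stops before a res:// page fragment
# and before trailing arguments such as '" -netsvcs (file missing)'.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe)', re.IGNORECASE)


def classify(code, body):
    """Return a reason when the entry matches one of the thread's hijack
    patterns, else None. These rules are assumptions for this example."""
    if code in ("R0", "R1"):
        value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
        if value.startswith("res://"):
            return "IE start/search page redirected into a local DLL via res://"
        if value == "about:blank" and "Default_Page_URL" in body:
            return "Default_Page_URL forced to about:blank (hijacker signature)"
    elif code == "R3" and "missing" in body:
        return "Default URLSearchHook missing; fixing restores the default"
    elif code == "O2" and ("(no name)" in body or "(file missing)" in body):
        return "Browser Helper Object with no name or missing file"
    elif code == "O4":
        return "Run/RunOnce autostart that reloads the dropped files at boot"
    elif code == "O15":
        return "Domain added to the IE Trusted Zone"
    elif code == "O23" and "Unknown owner" in body:
        return "Service with unknown owner; stop and disable it before deleting"
    return None


def triage(log_text):
    """Parse an HJT log; return (findings, files) where files are the on-disk
    artifacts still present (entries marked '(file missing)' are skipped)."""
    findings, files = [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = classify(code, body)
        if reason is None:
            continue
        path = PATH_RE.search(body)
        entry = {"code": code, "reason": reason, "line": raw.strip(),
                 "path": path.group(0) if path else None,
                 "missing": "(file missing)" in body}
        findings.append(entry)
        if entry["path"] and not entry["missing"]:
            files.add(entry["path"])
    return findings, sorted(files)


if __name__ == "__main__":
    found, to_delete = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['code']}] {f['reason']}\n    {f['line']}")
    print("Files to remove after stopping the service and killing processes:")
    print("\n".join("    " + p for p in to_delete))
```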
     
  5. Model N Man

    Model N Man Private E-2

    I have run through your instructions and will post my notes below:

    After unplugging the internet conn. and closing the browser I tried to
    delete E2Give in the Remove/software section of control center...as before I could not delete it...I then tried to delete with Windows explorer but could not find it on system.

    I then tried to kill winwd.exe and could not...with process manager

    I then ran Hijackthis and found and fixed all but the following:
    O2-BHO:ccontrol object- {3643abc2-21bf-46b9-b230-f247db0c6fd6}-c:\program files\e2g\iebhos.dll (file missing)

    and c:\windows\system32\svchosting.exe"-netsvcs(file missing)

    I checked fix on the following but it would not stay fixed...

    O23-service: Workstation netlogon service(11f....)- unknown owner

    I then went into windows explorer and deleted the files you requested but could not find:
    c:\Windows\system32\windwd.exe
    c:\windows\system32\aircity.exe
    c:\Windows\System32\svchosting.exe
    c:\Program Files\E2G folder
    c:\windows\system32\netbg32.dll

    I then screwed up and did not save the first log from aboutbuster under another name and wrote over the first log with the log from the second running.....I have posted the only log I have now...from the second running of aboutbuster and the new hijackthis log.

    I ran internet explorer and found that the About-blank is still in the url field...I have since started running Mozilla.....maybe it is easier to just trash can internet explorer.....

    thank you for your help....
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Model N Man,

    I'll post new instructions this evening when I have more time and am on different compy. I will need a fresh HJT Log, just in case some baddies have changed.

    A couple questions:

    1 - Are you running PC Security from Tropical Software? I did not see it and assumed that not to be the case. ( winwd.exe )

    2 - Were you able to kill Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) at the beginning of the procedure?

    3 - Did you have the viewing of hidden files enabled as per the Read Me First Tutorial?

    We can try it again if you are game. This baddie can be tough and a little persistence is needed. If you cannot find or delete any items, we'll just have you use Pocket KillBox to remove them.

    Anyhoo, let me know if you want to try again and send me a Fresh HJT log and then DO NOT REBOOT so the entries stay the same. I will check back tonight!

    You may also want to check out the last few posts in this thread where we used the exact same procedure to remove this baddie!

    I'm losin' it with about:blank and iefeats


    PP :)
     
  7. Model N Man

    Model N Man Private E-2

    Hi PhillyPhan....

    1. I am not running PC Security from Tropical Software
    2. Yes, I was able to kill or Disable "Workstation Netlogon Service"
    3. Yes, I have viewing of Hidden files turned on in Windows Explorer

    I appreciate your help and would like to try again.....this thing is driving me nuts......

    I have attached a new Hijackthis log.....and I will not reboot the computer until I hear from you again.....

    thanks again
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi Model N Man,

    This looks new. Is it reputable? C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0


    Let’s give this another go! The instructions are pretty much the same as before, but this time I will have you feed the files to be deleted into Pocket KillBox. Please excuse the repetition as I copy & paste. . . .

    Please have these tools on hand from before:
    Pocket KillBox
    About : Buster
    CCleaner


    NOW:
    Read through the instructions below to familiarize yourself with the procedure. You will need to follow these instructions very carefully, or this baddie will come right back.

    Please run about:Buster and make sure you have UPDATED the database – In case it was updated since last time you ran it! ;) Just do that. DO NOT RUN a scan right now. After that you can exit About:Buster.


    FIRST:
    Please print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    NOW:
    Click Start > Run > type services.msc and Click OK
    Locate Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Open Pocket KillBox and look in the box where it says [System Process] – Navigate to the processes listed below Click the ! in the Yellow Triangle to end them.

    aircity.exe
    winwd.exe
    aircity.exe

    After killing all the above processes, EXIT Pocket KillBox.

    NEXT:
    Please scan with HijackThis and check the boxes for the following entries. DO NOT CLICK FIX until you make sure you have exited all browser sessions including the one you are reading right now! (DO NOT OPEN ANOTHER BROWSER UNTIL DIRECTED TO DO SO):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wigpt.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wigpt.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wigpt.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wigpt.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wigpt.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wigpt.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wigpt.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

    R3 - Default URLSearchHook is missing

    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
    O2 - BHO: (no name) - {5658F52F-8D6F-1513-6EDC-56AA6C8F8F76} - C:\WINDOWS\system32\ipmi32.dll

    O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshostx.exe
    O4 - HKCU\..\Run: [aircity] C:\WINDOWS\System32\aircity.exe
    O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\System32\pruttct.exe
    O4 - HKCU\..\RunOnce: [aircity] C:\WINDOWS\System32\aircity.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winwd.exe
    O23 - Service: Win32 USB2 Driver (Microsoft Config) - Unknown owner - C:\WINDOWS\System32\svchosting.exe" -netsvcs (file missing)

    Click FIX and then Exit HijackThis.

    NEXT:

    Please run Pocket Killbox.
    Select the options for Standard File Kill and End Explorer Shell While Killing File for each item to be entered below.

    NOW: Enter, Copy&Paste, or use the Folder icon to browse to the following and delete them one by one - If you can't find the item by browsing, enter it anyway!!

    C:\WINDOWS\System32\svchosting.exe
    C:\WINDOWS\system32\ipmi32.dll
    C:\WINDOWS\system32\syshostx.exe
    C:\WINDOWS\System32\pruttct.exe
    C:\WINDOWS\System32\aircity.exe
    C:\WINDOWS\system32\winwd.exe
    C:\Program Files\E2G
    C:\WINDOWS\system32\wigpt.dll


    NOW:
    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that, wait a few minutes and then power up into Safe Mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Repeat the attempted file deletions given above while in safe mode. Note and tell me later which ones cannot be deleted or found (if already deleted earlier and not found now, that is okay).

    - Empty your Recycle Bin. In fact, as an additional measure, run CCleaner.

    Now, Reset your Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.

    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    NEXT:
    - Run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log.


    Hopefully we will make a little progress this time! I will try to check back as time permits.

    Best Luck :)
    PP
     
    Last edited by a moderator: Mar 24, 2005
  9. Model N Man

    Model N Man Private E-2

    Hi PhillyPhan:

    I have run the instructions....I hate to speak too soon but maybe we got it this time.........I have posted the two buster logs and the HJT log.....Hope I am right....

    Thank you for your help..


    Model N Man
     

    Attached Files:

  10. Model N Man

    Model N Man Private E-2

    I couldn't put all the logs in the same post so here is the HJT log
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Well, the 2nd About:Buster log shows clean. The HJT log shows no change, though.

    Try fixing those HijackThis entries from the last procedure one more time and then attach a fresh log and let's see what's up with this thing!

    I will be tied up this weekend, but will try to check in when I can.

    PP :)
     
  12. Model N Man

    Model N Man Private E-2

    Hello PhillyPhan:

    Hope you are ready for a happy Easter............I have checked the entries in the HJT run as in the last instructions....I could not find them. I did that even after my wife told me we had a large black bear in the front yard....I'd guess about 250 lbs...that's a first for me....gets the heart beating..anyway I sent the log file.

    thanks again for your time

    Model N Man
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) Happy to help!

    Black Bear, huh? We don't get too many of them in my neck of the woods.

    That last HijackThis Log is clean! I trust things are running the way they should?
    Now, you MUST surf to Windows Updates and get UPDATED!!! Do this while your machine is clean - In fact, do it now!

    Then, come back and have a look at How To Protect Your Compy From Malware!!! - - Put these suggestions to good use!

    Happy Easter!
    PP :)
     
