spyware - adultfriendfinder, oldgames, young8teens etc.

Discussion in 'Malware Help (A Specialist Will Reply)' started by joneel, Apr 18, 2005.

  1. joneel

    joneel Private E-2

    i have spent over a week trying to clean my PC. started with > 1000 viruses and spyware - some of which completely disabled the running of my AV software.

    i'm using symantec anti-virus, no adware, MS anti-spyware, spybot - all are reporting my PC as clean with no spyware or viruses and each is up to date with their signatures.

    my problem is that i'm still receiving pop-ups - adultfriendfinder, young8teens, oldgames and a few more. i've followed the steps in the post "read me first" but my problem persists :-

    - i have no unhidden files
    - system restore is disabled
    - McAfee reports 0 infections
    - spyware blaster is installed and all the protection is turned on

    i have run "hijack this" but its output means little to me.

    i'm seriously considering wiping my PC and re-installing from scratch - but the only thing preventing me is the amount of work i've put into this. if anyone can offer help before i thrash my PC it would be much appreciated. i'm running XP HOME SP2 and my browser is IE6 SP2.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have completed all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have problems, follow the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. joneel

    joneel Private E-2

    with thanks. hjt log is attached.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit browsers before running HijackThis. You had the below running:
    C:\Program Files\Internet Explorer\iexplore.exe

    You should not have skipped the Symantec online scan!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Microsoft MediaScope] winmes.exe
    O4 - HKLM\..\Run: [MS HTML Location Class] MSHTML32.exe
    O4 - HKLM\..\Run: [GNZZ6] C:\WINDOWS\oybxslsq.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteoke32.exe
    O4 - HKLM\..\RunServices: [Microsoft MediaScope] winmes.exe
    O4 - HKLM\..\RunServices: [MS HTML Location Class] MSHTML32.exe
    O4 - HKCU\..\Run: [MS HTML Location Class] MSHTML32.exe
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\oybxslsq.exe
    C:\windows\system32\eliteoke32.exe <--- you should look for other filenames beginning with elite and ending in .exe and delete them. There could be as many as ten of them.
    C:\windows\system32\winmes.exe
    C:\windows\system32\MSHTML32.exe
    C:\WINDOWS\System32\vbsys2.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
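
The HijackThis lines quoted in the post above, parsed into records as an added example that is not part of the original thread. It groups each startup target by every location that launches it and lists the targets the log gives without a directory. The regular expressions are inferred only from the quoted lines (an assumption, not a HijackThis format specification), and the function names are hypothetical.

```python
import ntpath
import re
from collections import defaultdict

# The lines chaslang quoted from the HijackThis log, copied from the post.
LOG = r"""
O4 - HKLM\..\Run: [Microsoft MediaScope] winmes.exe
O4 - HKLM\..\Run: [MS HTML Location Class] MSHTML32.exe
O4 - HKLM\..\Run: [GNZZ6] C:\WINDOWS\oybxslsq.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteoke32.exe
O4 - HKLM\..\RunServices: [Microsoft MediaScope] winmes.exe
O4 - HKLM\..\RunServices: [MS HTML Location Class] MSHTML32.exe
O4 - HKCU\..\Run: [MS HTML Location Class] MSHTML32.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
"""

# Patterns inferred from the quoted lines only (assumption, not a HijackThis spec).
O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
O15 = re.compile(r"^O15 - Trusted Zone: (\S+)")
O21 = re.compile(r"^O21 - SSODL: (.+?) - (\{[^}]+\}) - (.+)$")

def parse(log):
    """Return one (section, location, name, target) tuple per recognised line."""
    out = []
    for line in map(str.strip, log.splitlines()):
        if m := O4.match(line):
            out.append(("O4", f"{m[1]}\\{m[2]}", m[3], m[4]))
        elif m := O15.match(line):
            out.append(("O15", "Trusted Zone", None, m[1]))
        elif m := O21.match(line):
            out.append(("O21", "SSODL", m[1], m[3]))
    return out

def autostart_locations(entries):
    """Map each startup target (lower-cased) to every location that launches it."""
    locs = defaultdict(set)
    for section, location, _name, target in entries:
        if section in ("O4", "O21"):
            locs[target.lower()].add(location)
    return {t: sorted(l) for t, l in locs.items()}

def targets_without_path(entries):
    """Targets logged as a bare file name, so the log alone does not locate the file."""
    return sorted({t.lower() for s, _, _, t in entries
                   if s in ("O4", "O21") and not ntpath.dirname(t)})

if __name__ == "__main__":
    for target, where in autostart_locations(parse(LOG)).items():
        print(f"{target}: {', '.join(where)}")
    print("no path in log:", targets_without_path(parse(LOG)))
```

On these lines it reports MSHTML32.exe registered under three Run keys and winmes.exe under two, and shows that both were logged as bare file names with no directory.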
     
  5. joneel

    joneel Private E-2

    thanks chaslang. i've re-done everything as per your post. ran hjt (and fix) and ccleaner. while some of the files you mention didn't exist i deleted those which were present.

    everything now seems to be working spyware free. i have logged on to home page several times and no pop-ups have appeared. hjt log is attached.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

