Spyware Difficulties

Discussion in 'Malware Help (A Specialist Will Reply)' started by arcus_pluvius, Dec 15, 2005.

  1. arcus_pluvius

    arcus_pluvius Private E-2

I've had problems with Spyware for about a year now. I've been using the Major Geeks forums to try and fix the problems myself but I've had no luck.

I've followed the instructions in the following threads:

    http://forums.majorgeeks.com/showthread.php?t=35407
    http://forums.majorgeeks.com/showthread.php?t=38752
    http://forums.majorgeeks.com/showthread.php?t=74216

    but this hasn't rectified the problem. (NB I can't run the online virus scanners in safe mode as I can't connect to the internet in Safe Mode!)

    My main symptoms include a search bar which appears at the top of my IE window, some icons which appear on the desktop ("Watch Live TV", "Find a date" etc.) and something's also trying to redirect my IE homepage to a string of random letters.

    Spyware removers and anti-virus programs have pulled out several names repeatedly: "Greyseek", "IdleTool.exe", "KaZaA".

    My sister did have the KaZaA downloading program installed on the computer years ago but we uninstalled it after problems with the computer apparently dialling premium rate numbers. It has, however, persisted on the "Add/Remove programs" menu in the Control Panel. It refuses to be uninstalled because of a missing .dll file.

    I've attached a HijackThis! log I've just run on my computer.

    I hope someone can help me!

    Thanks.

    xSamx
     


  2. arcus_pluvius

    arcus_pluvius Private E-2

    I've done as you said and the files are attached.

    Please note: I installed Spy Sweeper previously to try and fix my spyware problem, hence the free subscription has run out by now and Spy Sweeper won't remove what it finds without a subscription.

    What can I do now?
     


  3. arcus_pluvius

    arcus_pluvius Private E-2

    Have done as you said. Files attached.

No, Spysweeper did not remove the files. After it had found them, and I was presented with the list of malware detected, there was no 'Remove' button, only a notice saying that removal requires an 'active subscription' and a link to take me to the Spysweeper website to subscribe to the paid service. Icons and search bar are still present on my computer, anyway, so even if Spysweeper did remove whatever it found, I still have a problem.

    Thank you for your time and patience this far!
     


  4. PhilliePhan

    PhilliePhan Guest

    Hey D3,

    Your PMs are full at IANAG ;)

    These are the Scheduled Tasks for LOP:

    F:\WINDOWS\tasks\AB1CF196918B674E.job
    F:\WINDOWS\tasks\AC97FD8291806FFA.job
    F:\WINDOWS\tasks\AD6FDB1091844EBC.job


    PP :)
     
  5. arcus_pluvius

    arcus_pluvius Private E-2

    I've just logged in to post Ewido scan report and fresh HJT log, but the Ewido scan log is too big for the forum to let me post it as an attachment. What should I do?

    I can't find those .job files you mentioned. There's nothing that even resembles that in my F:\WINDOWS\tasks folder. I don't know whether Ewido might have deleted them in the scan I ran. Sorry: I acted on your previous post as soon as I got it.

The icons on the desktop and the search bar *appear* to have gone. The random letters homepage still seems to be lurking somewhere - it's still listed in Spyware Blaster (which I've been using to stop it diverting my homepage all the time), under "Tools -> Browser Pages".
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Ccleaner first as it indicates to cleanup all cookies?
    Run it for each user account. This is typically a reason for large logs. Take a look at the log yourself and if it is mostly cookies, you need to dump them first using CCleaner or similar before using Ewido.
     
  7. arcus_pluvius

    arcus_pluvius Private E-2

    To reply to chaslang:

I *did* run CCleaner as I was instructed in that thread. A lot of the entries in the log are "F:\RECYCLER\NPROTECT\ ... .MOZ" and labelled "Spyware cookie". I assume that this is something to do with Norton and the Un-erase feature on the recycle bin. Do I need to do something with those files then run Ewido again? Or should I just manually delete that section of the log in Notepad and then post it so you can see what else Ewido did?

    I only have one user account - I got rid of our multiple user accounts-system months ago to try and deal with this latent spyware. When I boot in Safe Mode there seems also to be a passworded "Administrator" account but I don't know the password for it. My godfather built this computer for us and he passed away over the summer so, if that was something to do with him, I shall probably never know what his password was!


    To reply to D3m3nt3d:

    I am already viewing "Hidden Files and Folders" and system folders. I cannot find an option in the Tools -> Folder Options -> View menu for "Operating System Files". These .job files still have not appeared in the "F:\WINDOWS\tasks" folder, as far as I can tell.


Additionally, I've re-set the random letters search bar entry (Note: it was a search bar entry, not a browser page entry; sorry, my mistake.) in Spyware Blaster that I mentioned above to the default Microsoft one given by Spyware Blaster, and the random letters entry seems to have disappeared. No return of icons or search bar as yet.

    Have attached fresh HJT log.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. arcus_pluvius

    arcus_pluvius Private E-2

    ISeeYou log attached.

    Have emptied "F:\Windows\Prefetch" as there wasn't a "C:\Windows\Prefetch". (My hard drive is partitioned - C: formatted with Windows 98, F: with XP, if that explains it.)

    Have followed instructions about clearing Recycle Bin of Norton protected files in that I right clicked my recycle bin and told it to empty the norton protected files. My "F:\Recycler" folder still contains a (hidden) folder called "S-1-5-21-1220945662-2139871995-725345543-1003" so I tried running the second step on that web page - booting in safe mode and deleting the files using the "command" window and putting in the following commands:

    c:
    cd\
    cd recycler\nprotect
    del *.*
    cd ..
    rd nprotect

    I got as far as "cd recycler\nprotect" when it came up with "invalid directory" so I stopped and exited. I assume I need to perform this for my F: drive rather than my C: drive (although some version of Norton is installed on my C: drive). How do I alter the commands to that effect?

    Also, if having Norton keep these files is a bad idea, is there any way I can stop it doing so? My Norton subscription has long since run out, so I can't download up-to-date virus definitions anyway. Would I be better to uninstall Norton altogether and rely on online virus scanners?

    There do not appear to be any more problems, at least as far as I have noticed up until now. Since running Ewido, my computer has started running an awful lot faster and the problems I've been having recently getting web pages to load have also disappeared.
     


  10. arcus_pluvius

    arcus_pluvius Private E-2

    Lol! That's why it would still be there, then! :) Don't worry, I shall leave it well alone.
     
  11. arcus_pluvius

    arcus_pluvius Private E-2

    I'm really sorry. I did exactly as you said this far:

    The file showed up in blue. I selected option "Delete on reboot" and then clicked the red cross and said yes to the confirmation message but then my computer restarted itself of its own accord. There wasn't any message asking me whether I wanted to. When it had rebooted I checked for the first file again, and it didn't come up in blue, so I tried the second one, which did. I then repeated your instructions and the same thing happened again. I'm posting this before I try anything with the third file.

    What should I do now? Have I messed this up completely? I don't know why the computer restarted itself.
     
  12. arcus_pluvius

    arcus_pluvius Private E-2

    When I tried to delete the third file it asked me whether I wanted to reboot. As it was the last file, I told it yes. The new ISeeYou log is attached.

An additional point (to modify what I said about there being no more problems): I was tidying up the files on my hard drive and I noticed some folders in C:\Program Files that I didn't recognise: "Altnet", "Downloadware" and "MediaLoads". I googled the names and found numerous spyware-related articles, including one mentioning "Downloadware" in connection with a crashing instability in XP. Before I ran the Ewido scanner, most times I started up XP, as soon as I connected to the internet (or sometimes before, but then I do have broadband), an error message would come up saying that Explorer had to be restarted. The screen would go blank, and all the desktop icons and taskbar would disappear then reappear, but the spyware icons would not reappear until shortly after the rest. As I say, this seems to have stopped happening now, and Ewido did remove some Brilliant Digital spyware, but I have now noticed these folders, which I don't think were there before, or at least I certainly didn't notice them.
     


  13. arcus_pluvius

    arcus_pluvius Private E-2

    I deleted IdleTool.exe earlier. It was coming up on virus scanners as a trojan but when I tried to delete it, it said the file was in use. I found out yesterday (using msconfig) that it was set to load at start-up, so I un-ticked it in msconfig and, when I rebooted and then tried to delete it, it worked. It's not coming up in blue in KillBox, so I guess I must have got it. I checked what the exact full path was first and it's "F:\Documents and Settings\Karen\Application Data\ADMIN NAME". There's nothing in that folder now.
     
  14. arcus_pluvius

    arcus_pluvius Private E-2

    Kazaa is still coming up in Add/Remove programs. It has done for years. When I click "Change/Remove" I get an error message saying it can't be uninstalled because of a missing file given as "F:\Windows\System32\cd_clint.dll". I think Kazaa shows up on the "Add\Remove programs" menu when I load up with Windows 98 as well. Shall I just go ahead and remove those folders anyway?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    D3,

    You need to tell PP to fix his ISeeYou program. It is not written to properly work on Win9x and ME.

    See the log:

    Obviously you are not getting Downloaded Program Files. You cannot use the commands he is using to cd in Win9x. He must put quotes around the folder names that have spaces in them.
     
  16. arcus_pluvius

    arcus_pluvius Private E-2

    Well, I hope that made sense to someone! :confused:

    Anyway, ISeeYou aside for a moment, I've just tried uninstalling Norton as per:

But it asked me whether I wanted to uninstall Norton Anti-Virus alone or all the Norton Internet Security features. I've also got Norton System Works installed. Do I need to get rid of all the Norton software to stop any interference with the AVG program you suggested I download? Or should I only uninstall the NAV?
     
  17. PhilliePhan

    PhilliePhan Guest

    Chas is correct . . . That's why it is still called ISeeYouXP ;)

    I haven't had time to address the above (or the obvious Hosts file issues with older OS) so I only recommend it for XP machines.

    But, in this case, it did serve a purpose to identify those scheduled tasks put there by the lop infection.

    Happy Christmas!
    PP :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Lazy boy!

Yes! It served its purpose! Just putting quotes around the cd should help with one problem.

    Try using:

    cd "%WinDir%\DOWNLOADED PROGRAM FILES"
     
  19. arcus_pluvius

    arcus_pluvius Private E-2

IdleTool appears to have disappeared completely. I've deleted the ADMIN NAME folder and that has not reappeared either.

    I've run KazaaBegone, logged on both in XP and then in Windows 98. It says all traces have been removed from both, now, but Kazaa is still appearing in the "Add/Remove programs" menu in my Control Panel on XP. The "Downloadware" folder inside my "C:\Program Files" folder has gone but the "Altnet" and "MediaLoads" folders are still there.

I've got rid of all of Norton Internet Security now. Which of the free firewalls would you recommend I download? I've used ZoneAlarm before and it seemed to do the job. I've turned the Windows firewall on in the meantime, but I presume that I probably shouldn't keep that running alongside ZoneAlarm once I've downloaded it?
     
  20. arcus_pluvius

    arcus_pluvius Private E-2

    Yey! Kazaa finally gone! :) Well, from the Add/Remove programs menu, anyway. The "Altnet" and "MediaLoads" folders are still in "C:\Program Files". Shall I manually delete them or do I need a program to make sure that they're gone?

Have installed ZoneAlarm and turned off Windows Firewall. Now have running AVG, Zone Alarm, Windows Anti-Spyware and Spyware Blaster's kicking around, too. I have Spysweeper as well, but since it can't delete anything, and its real-time protection functions seem to be the same as those of Windows Anti-Spyware, should I uninstall it?

    I've got another issue which might be virus, rather than spyware related, so I don't know whether I ought to post it in this forum... It's to do with MS Excel and the fact that it doesn't seem to want to load up...
     
  21. arcus_pluvius

    arcus_pluvius Private E-2

    Additionally, have just logged on to Windows 98 to check for Kazaa remnants and repeat procedure if necessary. "MediaLoads" had appeared in the "Add/Remove programs" menu in the Control Panel. I clicked remove and an error message flashed up saying that there had been an error during the uninstall process, possibly caused by the fact that the program had already been uninstalled, and asking did I want to remove it from the "Add/Remove programs" list. I clicked yes and then repeated HijackThis! procedure but HijackThis! found no trace of either Kazaa or MediaLoads. The folders in C:\Program Files ("Altnet" and "MediaLoads") are still there.

Also, Windows 98 has started consistently crashing on shut-down again (which is something it used to do ages ago, but I thought I had remedied it), and the cursor is now constantly alternating between the normal arrow and the egg timer, even when the computer isn't doing anything. I don't know whether either of those points are related to the Kazaa/MediaLoads situation.
     
  22. arcus_pluvius

    arcus_pluvius Private E-2

    I rebooted in Safe Mode and deleted those folders then emptied the Recycle Bin. The folders are still gone now that I've rebooted in normal mode. Nothing suspect has reappeared on my "Add/Remove programs" list. Looks like we got the little devil! :D

    Shall I turn System Restore back on now, and re-hide my hidden files etc.? What do you recommend I do with Spy Sweeper?
     
  23. arcus_pluvius

    arcus_pluvius Private E-2

    Thank you so much for all your help, D3. :) Hope you have a nice Christmas tomorrow!
     
