Spyware Hijacker problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by roguespeare, Jun 10, 2005.

  1. roguespeare

    roguespeare Private E-2

    What a nightmare. It all started a couple of days ago. Every time I boot up, all of this junk starts loading: Spysheriff, YourSiteBar, Maxifiles, Istbar. I close it all down and run ad-aware, spybot etc. My start page is changed to some gawdawful porn site and my security settings are changed to the lowest possible levels. I get pop ups when I'm not even surfing, and all of these applications and programs and windows start opening. It's difficult to shut them down.

    When I go on the net - to get help - as in this case, I get more pop ups and redirects. A tech at the computer store says it sounds like a browser hijacker. I am running Windows 98, IE 5.5, on a Pentium II. I have Norton AV running all of the time (it says I'm clean. So did McAfee when run separately). Was using ZA firewall, but it became disabled. Now I have Kerio. I know my comp is old, can't afford a new one until the end of the year. So I have to keep this one alive a little while longer.

    I took the tutorial on this site and spent about twelve hours running everything it said to do. Hasn't helped. Everything comes back upon boot up. I also cannot boot into safe mode without getting the error message: "Explorer has performed an illegal operation and will be shut down." So I can't do anything from safe mode. Don't get this message when I boot normally.

    I also run all the scans before I shut down as well. Nothing helps. I can follow directions and use a computer and software but don't know anything about the registry, or all of the places where spyware, hijacker, and trojans live. All I know is that they show up in my program files. Sometimes I can manage to delete them with a wipe program I have but they always come back. Same for add/remove programs. I remove them after bootup and they show up again when I turn my computer on next time.

    Was hoping to get some help before I crash, or some permanent damage is done. If you need any more info please ask. I could really use some advice. These last few days have been long and stressful.

    Thanks,
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you able to run the online scanners in normal boot mode?

    Look in Add/Remove programs and uninstall the below if found:
    Spysheriff, YourSiteBar, Maxifiles, Istbar

    Let me know what you find or do not find.

    Please follow the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. roguespeare

    roguespeare Private E-2

    Yes, I was able to run the online scans in normal boot mode. Maxifiles and Spysheriff usually show up in my add/remove programs while I am on the net. Istbar I haven't seen in a while. As I was booting up this afternoon I eliminated all the programs trying to load onto my system. One is called Freeipod.com, one is SiteBar.

    I had already downloaded HJT to the folder suggested. I ran the scan as per your instructions.

    Thanks for the reply.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below your expected Start Page and do you need those Proxy Server settings?
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:80;gopher=127.0.0.1:80;http=127.0.0.1:80;https=127.0.0.1:80
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You seem to have a rogue ZoneAlarm (ZoneLabs) firewall installed. Or it may be malware. I suspect malware. Did you install both Kerio and ZoneAlarm firewalls?

    Only one software firewall must be used.

    Please look in Add/Remove programs for the below and uninstall:
    Search Maid
    Security IGuard

    Virtual Maid

    Tell me which ones you find.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would also look in Add/Remove programs for the below and uninstall:
    royalvegasMPP or MPPoker

    I need answers and results from my other message before continuing. There is a bunch more to remove.
     
    Last edited: Jun 11, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it looks like you logged out, I'll just give it my best shot without answers to the previous questions.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.c4tdownload.com (HKLM)
    O15 - Trusted Zone: *.overpro.com (HKLM)
    O15 - Trusted Zone: *.megapornix.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
    O15 - Trusted Zone: *.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.media-motor.net (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
    O15 - Trusted Zone: *.f1organizer.com (HKLM)
    O15 - Trusted Zone: *.topconverting.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRAM FILES\SECURITY IGUARD <--- the whole folder
    C:\winstall.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
    Some of those O15 items do have a habit of coming back so we may need some special steps to remove them completely.
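The lines chaslang picks out above follow a pattern worth automating when you are faced with a long HijackThis log: a start page pointing at a site the user never chose, a proxy routed through loopback, autorun entries sitting in the drive root or borrowing a Windows component's name, wildcard domains in the Trusted Zone, and `http` defaulting to the Trusted Zone. The script below is an added example written for this thread, not HijackThis code or anything posted by the participants; the sample log is constructed from the kinds of entries quoted in this thread, the expected home page (`mail.com`) is taken from the poster's later reply, and the "spoofable names" list and the random-DLL-name heuristic are assumptions of the example.

```python
"""Triage of HijackThis-style log lines (added example, not the forum's or HJT's own code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99 log format, built from the kinds of
# entries quoted in this thread; it is not one of the attached logs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:80;gopher=127.0.0.1:80;http=127.0.0.1:80;https=127.0.0.1:80
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSY5362.DLL
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thn32.dll
"""


@dataclass
class Finding:
    kind: str    # HJT line type, e.g. "O15"
    reason: str  # why the line deserves a look
    raw: str     # the original log line


LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|com|bat|scr|dll))', re.I)
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")                          # file directly in a drive root
RANDOM_DLL_RE = re.compile(r"^[a-z]+\d{3,}[a-z0-9]*\.dll$", re.I)  # e.g. NSY5362.DLL (heuristic)

# Assumptions of this example: the home page the poster says is expected, and
# component names that the Run entries in this thread borrowed.
EXPECTED_START_PAGES = {"mail.com"}
SPOOFABLE_NAMES = {"windows installer", "internet explorer", "windows update"}
WINDOWS_DIR = "c:\\windows\\"


def _host(url):
    m = re.match(r"^[a-z]+://([^/]+)", url.strip(), re.I)
    return (m.group(1) if m else url.strip()).lower()


def _expected_host(host):
    return any(host == e or host.endswith("." + e) for e in EXPECTED_START_PAGES)


def triage(log_text):
    """Return the log lines that a reviewer would want to look at, with a reason each."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith("Start Page") and not _expected_host(_host(value)):
                findings.append(Finding(kind, "start page points at unexpected host " + _host(value), line))
            elif key.endswith("ProxyServer") and "127.0.0.1" in value:
                findings.append(Finding(kind, "proxy routed through loopback; confirm a local proxy is really installed", line))
        elif kind == "O4":
            r = RUN_RE.search(body)
            e = EXE_RE.match(r.group("cmd").strip()) if r else None
            if not e:
                continue
            exe = e.group("exe").lower()
            if ROOT_RE.match(exe):
                findings.append(Finding(kind, "autorun executable sits in the drive root: " + exe, line))
            elif r.group("name").lower() in SPOOFABLE_NAMES and not exe.startswith(WINDOWS_DIR):
                findings.append(Finding(kind, f"autorun named '{r.group('name')}' runs from outside the Windows folder", line))
        elif kind == "O15":
            if body.startswith("Trusted Zone:"):
                findings.append(Finding(kind, "site granted Trusted Zone privileges: " + body.split(":", 1)[1].strip(), line))
            elif body.startswith("ProtocolDefaults:") and "in Trusted Zone" in body:
                findings.append(Finding(kind, "http protocol defaults to the Trusted Zone instead of the Internet Zone", line))
        elif kind == "O2" and RANDOM_DLL_RE.match(body.rsplit("\\", 1)[-1]):
            findings.append(Finding(kind, "browser helper object with a random-looking DLL name: " + body.rsplit("\\", 1)[-1], line))
        elif kind == "O21":
            findings.append(Finding(kind, "ShellServiceObjectDelayLoad entry; rare on a clean system, review the DLL", line))
    return findings


def summarize(findings):
    """Count flagged lines per HJT line type."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}")
```

The heuristics deliberately stay conservative: the `TrueVector` entry for `VSMON.EXE` is not flagged, because only the context of the thread (ZoneAlarm had been uninstalled) makes it suspicious, and no rule on file names can know that. Use the output as a reading order for the log, not as a list of things to fix blindly.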
     
  8. roguespeare

    roguespeare Private E-2

    Sorry, I had to leave for a bit. I'll stay connected this time.

    Okay, my start page is usually mail.com. Not the porno site listed. Those proxy server settings were for when I was running A4Proxy. Since these problems, I haven't been able to use A4Proxy to access the internet.

    As for ZoneAlarm, I had some kind of DLL problem. Then I went through these complicated instructions to uninstall. I was afraid to reinstall it, so I installed Kerio firewall instead.

    I found none of these programs in Add/Remove:
    Search Maid
    Security IGuard
    Virtual Maid

    I can't find royalvegasMPP or MPPoker in Add/Remove either. I do have Royal Vegas Poker (which I did install and sign up for). Do I delete this?

    I will wait for a reply to this before I continue any further.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You can keep Royal Vegas if you are sure it is OK! Run the steps in my last post and let's see where that gets you. Notice that Security Iguard is shown in your HJT log.
     
  10. roguespeare

    roguespeare Private E-2

    Okay, I'm back. I booted into safe mode - still got the explorer error message but ignored it - and deleted the c:\winstall.exe file (I used normal delete, though I do have a delete with wiping program).

    I couldn't find C:\PROGRAM FILES\SECURITY IGUARD. Yes, I am showing all hidden files. Ran a search on my computer and couldn't find it. Baffling.

    Ran Ccleaner and then booted into normal mode, with the usual junk like freeipod.com trying to load on to my system. Ran another HJT scan after reboot without running any other programs like ad-aware etc. Checked to see if winstall.exe was gone. It doesn't appear to be there anymore. Then I came right back here without doing anything else.

    The new scan looks like the previous one. Here it is.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's try the following.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now please download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now download: Pocket KillBox

    And extract it to its own folder.
    Double-click killbox.exe. Select the option "Delete on reboot".
    Now highlight and 'copy' the list of filepaths below (there is only one for you):
    C:\winstall.exe

    Open 'file' in the killbox menu at the top and choose 'Paste from clipboard'

    Now you will see, this is pasted in the "Full Path of File to Delete"-field.
    There's a little arrow (dropdown-arrow) next to that field.
    If you expand it, these lines should be there together!

    Then press the red button with a white X in it.
    Killbox will tell you that all listed files will be deleted on next reboot.
    Click YES

    When it asks if you would like to Reboot now, click YES
    If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

    Now, after rebooting in normal mode, post a new HJT log. And tell us how things are working.
     
    Last edited: Jun 12, 2005
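The Hoster step above restores the hosts file because hijackers of this family rewrite it to block update and security sites or to redirect popular names. Before restoring, it helps to see what is actually in there. The audit below is an added example, not Hoster's code or anything from this thread: it parses a hosts file, treats `localhost` mapped to loopback as the only expected entry, and reports every other name as either blocked (mapped to a loopback or null address) or redirected, marking names from a constructed "protected" list. The sample file and the protected list are constructed for the example; `192.0.2.10` is from the TEST-NET-1 documentation range, not a real redirect target.

```python
"""Audit a Windows hosts file for blocking and redirect entries (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumption of this example: a freshly restored hosts file boils down to this one line.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Constructed list: names whose presence in a hosts file is a strong tamper signal.
PROTECTED = {"windowsupdate.microsoft.com", "www.majorgeeks.com"}

# Constructed sample of a tampered hosts file; not taken from the poster's machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
192.0.2.10      www.majorgeeks.com   # 192.0.2.0/24 is the TEST-NET-1 documentation range
0.0.0.0         www.example.com
"""


@dataclass
class HostsFinding:
    line_no: int
    ip: str
    host: str
    category: str   # "blocked", "redirected" or "localhost-remapped"
    protected: bool


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _loopback_or_null(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                              # malformed address; reported as a redirect
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Report every entry that is not 'localhost -> loopback'."""
    findings = []
    for no, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host in ("localhost", "localhost.localdomain"):
                if not _loopback_or_null(ip):
                    findings.append(HostsFinding(no, ip, host, "localhost-remapped", False))
                continue
            category = "blocked" if _loopback_or_null(ip) else "redirected"
            findings.append(HostsFinding(no, ip, host, category, host in PROTECTED))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = " [protected name]" if f.protected else ""
        print(f"line {f.line_no}: {f.host} -> {f.ip} ({f.category}){flag}")
```

On a machine like the one in this thread, run it against `C:\WINDOWS\hosts` before clicking Restore Original Hosts; a "blocked" entry for an update or anti-malware site explains why scanners and updates stop working, and a "redirected" entry for a site the user visits is the hijack itself.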
  12. roguespeare

    roguespeare Private E-2

    Okay, good news, bad news. I followed your directions exactly. When I rebooted only the programs that normally boot loaded. That made me really happy not having to shut down all of those programs trying to load on to my system at startup.

    Bad news is my start page is still the porn site and all my security settings are lowered. I came right here to post the news and haven't surfed around, or checked e-mail, or been online long. But no popups or redirections yet. Fingers crossed.

    Thanks for taking the time to help me out. I really appreciate it. Two days ago I was frustrated and stressed out. Now I am beginning to see the light at the end of the tunnel.

    Here is my latest HJT log:
     

    Attached Files:

  13. roguespeare

    roguespeare Private E-2

    When booting up this afternoon, all of the usual popups that start with freeipod.com began. I closed them all down. Then I received this message: RUNDLL error C:\WINDOWS\SYSTEM\thn.dll Missing entry.

    Instead of clicking ok on it to get rid of it I used Ctrl+Del+Alt in case it wasn't a legitimate message.

    Since coming to majorgeeks and following all of the instructions nothing has returned to my Add/Remove programs. But in my Program Files, I still have MaxiFiles and Spysheriff folders. Before getting help here, I tried to delete these and it didn't change anything.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run IE, select Tools, Internet Options. Now select Security and then click the Trusted Sites circle. Then click the Sites button. Look for anything that is in the Web sites box and select it. Then click Remove. Then at the bottom make sure there is a check mark in the box that says Require server verification...... blah blah. Do that for all items you find in the TZ. Now click OK. And OK again

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSY5362.DLL
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

    After clicking Fix, exit HJT.

    Now we are going to reboot your PC to an MSDOS prompt.
    Click Start and select Shutdown and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen). Enter the below commands, each followed by the Enter key. Let me know if you have any problems or get any error messages during these steps (tell me the exact error message).

    Now in command prompt window do the following:

    cd c:\windows\system
    attrib -s -h -r NSY5362.DLL
    del NSY5362.DLL


    cd C:\WINDOWS\SYSTEM\ZONELABS
    attrib -s -h -r VSMON.EXE
    del VSMON.EXE



    win

    Now your PC should reboot into Windows.
    Run Windows Explorer and navigate to the below folders and delete them:
    MaxiFiles
    Spysheriff


    Come back and tell me the results. Also post a new HJT log.
     
  15. roguespeare

    roguespeare Private E-2

    Okay, did all that. When it booted from Dos to Windows it loaded normally, without any of the usual popups. However, I have the Explorer error message "This program has performed an illegal operation and will be shut down."

    DETAILS: EXPLORER caused an invalid page fault in
    module <unknown> at 0000:c008ba2d.
    Registers:
    EAX=0042bf62 CS=017f EIP=c008ba2d EFLGS=00010216
    EBX=00000008 SS=0187 ESP=005fff88 EBP=005fff98
    ECX=cfe32040 DS=0187 ESI=0042b9f3 FS=25bf
    EDX=817e8b7c ES=0187 EDI=818151bc GS=0000
    Bytes at CS:EIP:
    66 01 00 00 68 e2 43 08 c0 ff 35 ac 43 08 c0 ff

    I couldn't close it, but went ahead and deleted MaxiFiles and SpySheriff. I noticed several things in WINDOWS EXPLORER that are programs that try to load on startup. I haven't deleted them.

    eres
    own
    sefe
    sefer
    protect
    podmodzone

    I rebooted to log on here. No error message and no popups during/after reboot.

    My latest log
     

    Attached Files:

  16. roguespeare

    roguespeare Private E-2

    Just booted up a while ago and all the popups started to load again. My start page reset to the porn site and my security settings lowered. While I was shutting down all of the popups a virus tried to sneak through. I quarantined it just in case there are special instructions to deal with it.

    c:\WINDOWS\isrvs\sysvpd.dll is infected with the Download.Trojan virus.

    I couldn't access the internet, so I ran Window Washer (v.3.0), Ad-aware, and Spybot. I rebooted with no popups this time. My second normal (clean) boot in the last 24 hours. I had none in the last five days when all my troubles started.

    The porn site start page is still there and my lowered security settings.

    I am now having trouble consistently accessing the internet.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before you go any further, you must do step 1 in the below thread. Many of your problems are occurring because you are way out of date with your updates:

    How to Protect yourself from malware!


    Also have HijackThis fix:
    O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thn32.dll

    Let me know when you complete that.
     
  18. roguespeare

    roguespeare Private E-2

    Okay, I have made the updates. I installed Mozilla Firefox, set it to be my default browser, but upon boot up, it is no longer my default browser.

    I can only access the internet for about seven minutes after boot up. Then no connection. I can't reach any site unless I boot up again.

    On boot up, I still get all the usual popups and loading of programs.

    What can I do now? Should I repeat some of the earlier steps you advised?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HJT log.
     
  20. roguespeare

    roguespeare Private E-2

    I should also note that my connection is lost after seven minutes despite the fact I'm on a cable.

    Latest log
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have your updates from Microsoft. Notice the below from your HJT log:
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    You are way out of date. You must get the latest version of IE and then reconnect to Windows update again after that and get all patches for IE6 installed.

    A whole load of problems have come back. This is either because of where you are surfing or because you do not have your updates for all software installed. Perhaps you need to stay away from royalvegasMPP too.

    Run the below tools and tell me if they find anything:

    Symantec W32.Mydoom@mm Removal Tool

    Mydoom, Zindos, and Doomjuice Worm Removal Tool

    Also see message #11 and run the DelDomains tool again. After doing that, run Spybot and Immunize your system (you have to click the Immunize button).
     
    Last edited: Jun 16, 2005
  22. roguespeare

    roguespeare Private E-2

    "A whole load of problems have come back. This is either because of where you are surfing or because you do not have your updates for all software installed. Perhaps you need to stay away from royalvegasMPP too."

    Since these problems started I only check my online e-mail (mail.com + hotmail) and come here to majorgeeks. I haven't been to Royal Vegas poker in more than a month. I will delete that if you want me to (I only have $11 in that poker account anyway).
    Run the below tools and tell me if they find anything:

    Symantec W32.Mydoom@mm Removal Tool (NOTHING FOUND)

    Mydoom, Zindos, and Doomjuice Worm Removal Tool (NO INFECTION DETECTED)

    Also see message #11 and run the DelDomains tool again. After doing that, run Spybot and Immunize your system (you have to click the Immunize button).
    (DSO Exploit has to be removed everytime I run Spybot)

    Usual problems with things loading at bootup. Also the problem of start page and settings being changed.

    Latest log
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If DSO exploit constantly has to be removed you have one of two problems
    - missing Windows updates
    - please tell me what version of Spybot S&D you are running.


    Did you run the Deldomain.inf file again?
    Did you use Spybot's Immunize feature AFTER doing that?
     
  24. roguespeare

    roguespeare Private E-2

    I am running Spybot S & D 1.3

    "Did you run the Deldomain.inf file again?
    Did you use Spybot's Immunize feature AFTER doing that?"

    Yes to both
     
  25. roguespeare

    roguespeare Private E-2

    Am checking for more Windows updates
     
  26. roguespeare

    roguespeare Private E-2

    I missed some of the updates. Sorry for that. I will install them. What do you want me to do next?
     
  27. roguespeare

    roguespeare Private E-2

    I have all the updates and repeated POST #11

    Maxifiles and Spysheriff folders are still in my program files (though not present in Add/Remove programs).

    In Windows Explorer, these are the programs I recognize that try to load on bootup:

    eres
    main
    own
    podmodzone
    protect
    sefe
    sefer

    When deleting them previously, they just came back. I won't delete them until instructed how best to go about it.

    Besides my start page and security setting changed on boot up, I notice that Spybot Immunize has been changed, and Spyware Blaster settings also. Virtually none of my setting are the same after boot up.

    My HJT log still looks the same.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the steps in the READ ME FIRST properly. If you had, you would not be running an old version of Spybot. This makes me wonder if all your other programs are out of date and running old definitions. Please get the proper versions and updates for all programs as requested in the READ ME FIRST.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look like any of those steps were rerun. It seems like you have something blocking registry changes. Or something is restoring your registry to the bad stuff after reboot.

    Give me a list of ALL spyware removal and virus scanning type tools installed on your PC.

    Also download, install, and run Microworld Antivirus Toolkit Utility, save the log and post it back here. It will not fix anything but it may help identify problems. I'm starting to wonder if your explorer.exe file is infected.

    What do you mean by
    How are you seeing the load on bootup?

    Do you have a Windows 98 Gold CD? If so, locate explorer.exe on it and compare it to the one in your c:\windows folder.
     
  30. roguespeare

    roguespeare Private E-2

    Also download, install, and run Microworld Antivirus Toolkit Utility save the log and post it back here. It will not fix anything but it may help identify problems. I'm starting to wonder if your explorer.exe file is infected.

    It looks like you are right on the mark with this. To answer your other questions:

    Give me a list of ALL spyware removal and virus scanning type tools installed on your PC.

    Microworld Antivirus Toolkit Utility (just downloaded)
    Norton Antivirus
    Hijack This v 1.99.0001
    Spybot S & D 1.3 (UPDATE)
    Symantec W32.Mydoom@mm Removal Tool
    Mydoom, Zindos, and Doomjuice Worm Removal Tool
    Ad-Aware SE 1.06r1 (VX2 Cleaner Plug-In also)
    CCleaner v1.19.108
    SpywareBlaster v3.4
    McAfee AVERT Stinger v2.5.4
    CWShredder 2.15
    Kill2me v1.02 (in the same unzipped file as Kill2me is 100323.EXE, MAIN.EXE, podmodzone(PODRNO~1.EXE), PROTECT.EXE, SEFE.EXE, SEFER.EXE)
    AboutBuster v5.00
    DelDomains
    Hoster v1.6.1.3
    KillBox v2.00.0175
    BugDoctor v3.0.1.3
    WindowWasher v3.0 (very old version I bought a couple of years ago)

    I just downloaded all the programs from the links provided and put them in a folder labelled "spyware progs". I can only access the internet for about seven minutes - don't know why - before my cable connection times out. I can only get back on the internet by rebooting (again for only seven minutes). I don't have time to find the latest versions.

    What do you mean by

    Quote:
    In Windows Explorer, these are the programs I recognize that try to load on bootup:


    How are you seeing the load on bootup?

    IT IS TECHNICALLY AFTER BOOTUP, THAT IS, AFTER MY EXPLORER, NORTON, KERIO FIREWALL etc, HAVE LOADED. It starts with Freeprod.com opening up. I press ctrl +del +alt to end task. Then I see Temp 532, protect, main, own, and others in the window. I press end task for all of these as well. It used to start with Spysheriff. That never loads anymore. If I don't close the programs down, windows, and websites, and ads pop on to my screen. About 1/3 of the time I get a clean boot where just my programs load, except for Temp532, which always loads.

    Do you have a Windows 98 Gold CD? If so, locate explorer.exe on it and compare it to the one in your c:\windows folder.

    I have the disk, but can't dig it out until tomorrow

    FILE IS TOO LARGE TO UPLOAD
     
    Last edited: Jun 17, 2005
  31. roguespeare

    roguespeare Private E-2

    I will try zipping it.
     

    Attached Files:

  32. roguespeare

    roguespeare Private E-2

    I haven't found my WINDOWS CD yet, but this is the info for explorer.exe on my computer. June 06, 2005 was the day my problems started.

    Size: 180kb (184,320 bytes) 188,416 bytes used
    Created: Monday, June 06, 2005. 5:05:23pm
    Modified: Monday, June 06, 2005. 5:05:24pm
    Version: 4.72.3110.1
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I expected, your explorer.exe is infected.
    File C:\WINDOWS\EXPLORER.EXE infected by "Virus.Win32.Bube.l" Virus!

    For more info on this see:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FBUBE%2EA%2DO&VSect=Sn

    You need to get a copy of it from your CD and replace the one in c:\windows

    You will need to do this after booting to an MS-DOS prompt. Here is how to boot to an MS-DOS prompt:

    Click Start and select Shutdown and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode. When it boots you will be at the command prompt (full screen). You will need to copy the explorer.exe file from the CD ROM to your C:\windows folder to replace the infected one. The problem is that the explorer.exe file on your CD is more than likely compressed into a .CAB file and you will need to locate which one before booting to DOS mode. It may be in WIN98_45.CAB; that is where it was for Win98Se. A tool like WinZip

    Why do you have so much stuff saved on your Desktop?
    What is this folder: C:\WINDOWS\Desktop\Len_Ebay

    You should also delete the below after booting in safe mode or you can delete from the MS-DOS prompt:
    C:\WINDOWS\SYSTEM\ELITEURK32.EXE
    C:\WINDOWS\Desktop\temp532.exe
    C:\WINDOWS\winsx.inf
    C:\WINDOWS\winsx.dll
    C:\WINDOWS\webdlg32.inf
    C:\WINDOWS\webdlg32.dll
    C:\WINDOWS\sefer.exe
    C:\WINDOWS\podrnodzone.exe
    C:\WINDOWS\100323.exe
    C:\WINDOWS\bigtraffic.exe
    C:\WINDOWS\SYSTEM\nsa2300.dll
    C:\WINDOWS\SYSTEM\shellexpi.exe
    C:\WINDOWS\SYSTEM\osconfig.dll
    C:\WINDOWS\SYSTEM\nsd31F3.dll
    C:\WINDOWS\SYSTEM\COMMCOS2.DLL
    C:\WINDOWS\SYSTEM\tked7urvi5e6xk.exe
    C:\WINDOWS\SYSTEM\wldr.dll
    C:\WINDOWS\SYSTEM\g6zfgof3pi.dll
    C:\WINDOWS\SYSTEM\ijnc7mb8ou6dmy.exe
    C:\WINDOWS\SYSTEM\mc-58-12-0000093.exe
    C:\WINDOWS\SYSTEM\nsm4072.dll

    Geez! There is a bunch more. Let's get your explorer.exe fixed first and then we will continue.

    Also note you did not follow the directions in the READ ME FIRST and verify that you have the correct versions of tools. Your Spybot is old. So is your PocketKillbox (but that was not part of the READ ME).
     
    Last edited: Jun 19, 2005
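The diagnosis above rests on comparing the explorer.exe on disk with the pristine copy from the Windows CD. Two checks settle that comparison: a hash of both files (identical means clean), and, when they differ, whether the on-disk file is the original with extra bytes appended beyond the last PE section, which is the footprint of a file infector that appends itself. The code below is an added example for this thread, not Trend Micro's, Microworld's or the forum's tooling, and it makes no claim about how Bube in particular modifies a file; `build_sample_pe` constructs a minimal one-section PE image purely so the check can be exercised offline.

```python
"""Integrity check of a system executable against a known-good copy (added example)."""
import hashlib
import struct


def pe_overlay_size(data: bytes) -> int:
    """Bytes present in the file beyond the end of the last PE section.

    File infectors that append their code leave such an overlay; legitimate files
    can carry one too (installers, Authenticode signatures), so treat it as a lead,
    not a verdict, and let the hash comparison decide."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # start of the section table
    end = table + 40 * num_sections                            # at least the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def integrity_report(candidate: bytes, reference: bytes) -> dict:
    """Compare the on-disk file against the known-good copy."""
    return {
        "size_candidate": len(candidate),
        "size_reference": len(reference),
        "sha256_match": hashlib.sha256(candidate).digest() == hashlib.sha256(reference).digest(),
        "overlay_bytes": pe_overlay_size(candidate),
        # an appending infector leaves the original bytes untouched at the front
        "original_bytes_intact": candidate.startswith(reference),
    }


def verdict(report: dict) -> str:
    if report["sha256_match"]:
        return "identical to reference"
    if report["overlay_bytes"] and report["original_bytes_intact"]:
        return f"modified: {report['overlay_bytes']} bytes appended beyond the last section"
    return "modified: differs from reference"


def compare_files(candidate_path: str, reference_path: str) -> dict:
    """Wrapper for real files, e.g. C:\\WINDOWS\\EXPLORER.EXE against the copy from the CD."""
    with open(candidate_path, "rb") as c, open(reference_path, "rb") as r:
        return integrity_report(c.read(), r.read())


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE image (one section, no optional header) for testing only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # PE header follows the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x80, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + coff + section).ljust(0x80, b"\0") + bytes(0x200) + overlay


if __name__ == "__main__":
    clean = build_sample_pe()
    infected = build_sample_pe(b"\xcc" * 100)                  # constructed 100-byte appendage
    print(verdict(integrity_report(clean, clean)))
    print(verdict(integrity_report(infected, clean)))
```

The `Created`/`Modified` timestamps the poster reports (both on the day the trouble began) are the cheap first signal; the hash and overlay checks above are what turn that suspicion into something you can act on, and the same comparison against the CD copy confirms the replacement afterwards.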
  34. roguespeare

    roguespeare Private E-2

    I did this. Replaced explorer and scanned and followed the directions at trendmicro.

    Did this too.

    Updated my Spybot and PocketKillbox. I ran everything again from the READ ME FIRST post. Ad-aware and Spybot came out clean for the first time since my problems began. When I boot into normal mode, the only program that loads that shouldn't is something called "http"

    What do I do next Chaslang?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HJT log. Also tell me about any problems you may be having.
     
  36. roguespeare

    roguespeare Private E-2

    Thanks for all the help, Chaslang. My computer is getting better and I am getting an education!

    All the scans still show up again today as clean (Spybot, Ad-Aware, Norton AV, Trendmicro, etc.).

    Now that I replaced the infected explorer.exe file and deleted those files and programs I was supposed to, most things have returned to normal. Upon bootup, the only program that loads that shouldn't is something called Http. I press Ctrl+Del+Alt to end task, but don't know how to get rid of it permanently.

    Here is my latest HJT log. It looks a lot better than when I started posting, though still a couple things that need getting rid of.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com <--- may already be gone due to registry patch
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) <--- may already be gone due to registry patch

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    c:\Program Files\Internet Explorer\shttps\http.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  38. roguespeare

    roguespeare Private E-2

    Chaslang, my friend, you are a genius!

    Everything appears to be back to normal. I did everything from your last post. The Http is gone and does not load at bootup. Bootup is now fine. Only the programs that are supposed to load do so.

    My new HJT looks good.

    A couple of questions: Now that all appears fixed, would you recommend that I now use Sun java and Mozilla Firefox as suggested in READ ME FIRST?

    Also, my A4Proxy has been out of action since all of this started. Should I uninstall it and then reinstall, or perhaps delete it (if it's corrupted or infected with something) and then reinstall?

    I know, strictly speaking, this is not the proper thread, but my A4Proxy was working fine until I became infected with all of the spyware etc.

    Thanks again.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean now. To help keep it that way follow the steps in the below thread which will also answer your question about Sun Java and Firefox.

    How to Protect yourself from malware!

    As far as A4Proxy is concerned I really do not know anything about it. You could just try uninstalling, reboot, and then reinstall. Let me know if that helps.
     
