Spyware Problem! Newbie at Hijackthis!

Welcome to MGs!

Your buddy has a lop infection due to installing Messenger Plus. You should have noted the info on it in step 0 of the READ ME. Uninstall it. This may get rid of some of the issues but a bunch of others may remain. Uninstall it and attach a new HJT log.

 

LimeWire 4.2.3 also contains malware. Uninstall it and if you really need to use this P2P junk, at least use the latest version which is supposedly malware free.

Also look in Add/Remove programs for MyWebSearch or MyWebSearch Bar and uninstall if found.

 

After taking care of all of those uninstalls, attach a new HJT log so we can fix what remains.

 

Well something removed MyWebSearch. Maybe it was uninstalled with Limewire being uninstalled.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lngwhjzgzvhveqxjo.com/1LOQdDlnsJf8x3dzdZmNfdHKFZ3/5bCbw1zJxb0hAqYeYBdc4ewpvesO2kkAcy5c.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O20 - AppInit_DLLs: MsgPlusLoader.dll


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Windows\System32\MsgPlusLoader.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Do you really want this adwayre from HP running?
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

See this link for more info on it:
http://www.bleepingcomputer.com/startups/BACKWEB_137903.exe-1975.html

Run this Disable/Remove Windows Messenger to get rid of Windows Messenger which can be used to serve popups to you. This is not the same thing as MSN Messenger which you have installed. It will not affect MSN Messenger.

Do you know how to use WinZip to compress files into a ZIP file? If so, please put a copy of C:\WINDOWS\SYSTEM32\igfxsrvc.dll into a ZIP and attach it to a message. I will delete it later after checking it.

Are you still getting popups now and do you want to dump the Backweb junk?

 

Re: Finally! I think it's clean! Here is my HJT.

Why did you start a new thread? Isn't this a continuation of what you had already started? I'm merging you back to the other thread.

Please keep all communication for problems like this in the forum threads. PMs about info that belongs here will not normally be answered and do not help other users.

 

Steps to delete f3initialsetup1.0.0.15.inf:
- Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt windows.
- Enter the following command lines each followed by the enter key
cd C:\WINDOWS\Downloaded Program Files\
attrib -r -h -s f3initialsetup1.0.0.15.inf
del f3initialsetup1.0.0.15.inf
exit

Now copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Then for good measure run the registry patch one more time after booting in safe mode.

After this you should be clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome. Surf Safely.