Spyware Problem on PC

Discussion in 'Malware Help (A Specialist Will Reply)' started by Stephen AT, Feb 2, 2006.

  1. Stephen AT

    Stephen AT Private E-2

    Hi
    I am using an HP Pavilion (zv5000) Pentium 4 running the Windows XP Home operating system with McAfee Anti Virus.
    I have a Broadband connection through a Netgear Router (Wireless & Ethernet connection, with a Netgear Wireless PC card when away from my laptop's Expansion Base).

    In my C:\Documents and Settings\User\Local Settings\TEMP file there appear 5 files, all starting with me_ & a string of what appear to be random letters & numbers (eg. me_7Xr0kcB2W2TpaJD).
    These generate at the log on of any user on the computer.
    They are Hidden Files and cannot be Deleted.

    Type of File: File

    Description: me_7Xr0kcB2W2TpaJD


    Location: C:\Documents and Settings\User\Local Settings\TEMP

    Size: 0 bytes

    Size on disc: 0 bytes


    Created: Time of Log in to user
    Modified: "
    Accessed: "



    Attributes: Hidden



    If I log on or switch to a different user, the files generate in that user's Temp directory with a different string of characters (me_xxxxxxxxxxxxxx).


    I have run through the Generic Guide Steps 1 to 7

    Check list with Ad/Remove Programs

    Downloaded or updated suggested programs.

    In Safe Mode with phone connection unplugged.
    Ccleaner run
    Microsoft Malicious Software Removal Tool (No Malicious Software Found)
    Ad-Aware SE (Nothing Found)
    Spybot Search & Destroy (Nothing Found)
    Microsoft Antispyware
    CWShredder (Removed CWS, MSConfig.)
    Kill2Me

    I then activated Network Connections still in Safe Mode

    Ran BitDefender
    then Panda ActiveScan (5 infections found)

    Logs Attached.
    (BitDefender I have attached 2 logs one as it originally saved as a txt file and the other edited so the relevant information is in a more readable style)

    I have then run HijackThis and attached the log file.

    Thank you in advance for any help you can give me.

    Stephen.


    PS: I hope I have done all this correctly, including the attachments & the post itself.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please see the below thread on how to install and run Spy Sweeper.
     
  3. Stephen AT

    Stephen AT Private E-2

    Thanks for the quick response

    I forgot to mention it before but I am using Firefox & Thunderbird,
    not Explorer & Outlook.

    I have run the scans you suggested.


    I ran CCleaner, then Spy Sweeper, then CCleaner again.
    I already had Ewido installed, so I did an update, then rebooted in Safe Mode with the phone line disconnected at the wall socket & ran Ewido.
    I then rebooted the system in normal mode & ran HijackThis.

    All the logs are attached, including the ones from the CCleaner runs pre & post the Spy Sweeper run, which are both in 1 attachment due to a maximum of 4 attachments.


    Thanks again for the help

    Stephen
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Spy Sweeper

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q304&bd=pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q304&bd=pavilion&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q304&bd=pavilion&pf=laptop

    O15 - Trusted Zone: http://download.windowsupdate.com

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
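Checking entries like the R0/R1/O14/O15 lines above by hand means reading each URL and deciding whether its host belongs there. The following is an added example, not part of the original thread and not the HijackThis tool's own code: it parses HijackThis-style entries into key, data and host, and marks any host not on an allowlist for review. The allowlist contents are an assumption for the demonstration, and the sample entries are constructed from the lines quoted in the post (with the spaces that extraction inserted into the URLs removed).

```python
import re

# Constructed sample: the entries quoted in the post above, URL spaces removed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q304&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q304&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://download.windowsupdate.com
"""

# "R0 - ..." / "O14 - ...": a section code, a dash, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s*-\s*(?P<rest>.+?)\s*$")
URL_HOST_RE = re.compile(r"https?://([^/\s?#:]+)", re.IGNORECASE)

# Hosts the operator accepts in start-page and trusted-zone entries.
# ASSUMPTION: an illustrative list, not a vendor baseline; maintain your own.
ALLOWED_HOSTS = {"windowsupdate.com", "microsoft.com"}


def extract_host(data: str):
    """Return the lowercase host named in an entry's data, or None for local paths."""
    m = URL_HOST_RE.search(data)
    if m:
        return m.group(1).lower()
    token = data.strip().lower()
    # O15 lines may carry a bare domain such as *.example.com; skip file paths.
    if token and "\\" not in token and "/" not in token and "." in token:
        return token.lstrip("*.")
    return None


def parse_entry(line: str):
    """Split one R0/R1/O14/O15 line into code, key, data and host."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code.startswith("R"):            # registry value: "<hive\key,value> = <data>"
        key, _, data = rest.partition(" = ")
    elif code == "O14":                 # IERESET.INF: "<NAME>=<url>"
        key, _, data = rest.partition("=")
    elif code == "O15":                 # "Trusted Zone: <host or url>"
        key, _, data = rest.partition(": ")
    else:
        key, data = rest, ""
    return {"code": code, "key": key.strip(), "data": data.strip(),
            "host": extract_host(data)}


def host_allowed(host: str, allowed) -> bool:
    """Exact or parent-domain match; 'microsoft.com.evil.test' does not match."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def review_log(text: str, allowed=ALLOWED_HOSTS):
    """Classify each entry as 'ok' (allowlisted host), 'review' (other host)
    or 'local' (no host, e.g. the \\blank.htm Local Page entry)."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["host"] is None:
            entry["verdict"] = "local"
        elif host_allowed(entry["host"], allowed):
            entry["verdict"] = "ok"
        else:
            entry["verdict"] = "review"
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(f"{e['verdict']:6} {e['code']:4} {e['key']}  ->  {e['host']}")
```

A "review" verdict only means the host is not on your list; OEM start-page redirects such as the HP one quoted above are a common legitimate case, so the decision to fix or keep an entry lives in the allowlist you maintain, not in the parser.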
     
  5. Stephen AT

    Stephen AT Private E-2

    Hi Again

    I have updated all my anti spyware / anti virus programs

    Used Add/Remove Programs to remove Spy Sweeper

    Ran HijackThis & checked the 5 Files Indicated

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...Q304&bd=pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...Q304&bd=pavilion&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q304&bd=pavilion&pf=laptop

    O15 - Trusted Zone: http://download.windowsupdate.com

    With all browser windows closed before clicking FIX (only the actual HijackThis window was open).

    Ran CCleaner & saved log file (attached)

    Ran Ad-Aware SE (5 Negligible Objects Deleted)

    Ran Spybot S&D (No Immediate Threats Found)

    Ran cleanmgr with all boxes checked (did not ask for automatic reboot of system so manually Turned Off computer & Rebooted)

    Disabled & Re-enabled System Restore with Reboot.


    Checked in TEMP file again,
    Files that won't Delete in C:\Documents and Settings\User\Local Settings\TEMP

    ~DF1E18.tmp

    ~DFC183.tmp

    IadHide5.dll

    me_384LIGbdkRU2vU3

    me_au9TMmwk4UmpwwA

    me_l5syRwJ3cTL6FR8

    me_u9Z0E1CuwGh0vLV

    me_ZzTiQ90XGPAt1rl






    IadHide5.dll

    ABOVE FILES PROPERTIES

    GENERAL

    Type of File: Application Extension

    Opens with: Unknown application

    Location: C:\Documents and Settings\User\Local Settings\TEMP

    Size: 24.0 KB (24,613 bytes)

    Size on disc: 28.0 KB (28,672 bytes)


    Created: Thursday, 2 February 2006, 23:16:40
    Modified: Wednesday, 11 February 2004, 16:58:16
    Accessed: Today, 4 February 2006, 12:47:12

    (Later Modified & Accessed Date Showed Today, 4 February 2006, 13:05:48)

    Attributes: (Nothing Checked)

    VERSION

    File version: 6.3.2.62

    Description: IAdHide

    Copyright: © 2003 BackWeb Technologies Ltd. All rights reserved.

    Language English (United States)
    Original File name IAdHide.dll
    Private Build Description 5
    Product Name BackWeb IAdHide
    Product Version Version 6.3.2 (Build 62R)



    me_384LIGbdkRU2vU3

    me_au9TMmwk4UmpwwA

    me_l5syRwJ3cTL6FR8

    me_u9Z0E1CuwGh0vLV

    me_ZzTiQ90XGPAt1rl


    ABOVE FILES PROPERTIES

    Type of File: File

    Description: me_384LIGbdkRU2vU3 (file name)


    Location: C:\Documents and Settings\User\Local Settings\TEMP

    Size: 0 bytes

    Size on disc: 0 bytes


    Created: Today, 4 February 2006, 12:47:07 (Time of Log in to user)
    Modified: Today, 4 February 2006, 12:47:07
    Accessed: Today, 4 February 2006, 12:47:07

    Attributes: Hidden


    Have Run HijackThis again
    Have attached log files for all processes & have also attached a txt file of IadHide5.dll opened with WordPad (22 IadHide5.txt).

    Thanks Once More for the Help

    Stephen
     

    Attached Files:
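The Properties dialog quoted in the post above gives the DLL's version resource and file times, which is the information a first-pass triage of an unexpected DLL in a Temp folder starts from. The following is an added example, not from the thread and not a tool the posters used: it reads the fields from the PE headers that such a triage checks (machine type, section count, linker timestamp, DLL flag), computes the file's SHA-256, and compares the linker timestamp with the filesystem Modified time. The sample image bytes, the timestamp embedded in them and the sample mtimes are constructed for the demonstration; they are not IadHide5.dll.

```python
import hashlib
import os
import struct
import sys
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values that show up in practice.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000

# Constructed linker timestamp for the sample image below (2004-01-15 UTC);
# it is NOT the timestamp of the DLL discussed in the thread.
SAMPLE_STAMP = int(datetime(2004, 1, 15, tzinfo=timezone.utc).timestamp())


def pe_summary(data: bytes) -> dict:
    """Parse the DOS header pointer and the COFF file header of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _ptr, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsect,
        "link_stamp": stamp,
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
    }


def build_before_modified(summary: dict, modified_unix: float) -> bool:
    """True when the linker timestamp is not later than the file's mtime.

    A link time after the Modified time means one of the two was altered.
    Some toolchains zero or randomise the stamp, and copy tools can carry an
    old mtime over from the source package, so treat False as a lead to
    follow up, not a verdict.
    """
    return summary["link_stamp"] <= modified_unix


def triage_file(path: str) -> dict:
    """Read a file from disk and attach the mtime comparison to its summary."""
    with open(path, "rb") as fh:
        summary = pe_summary(fh.read())
    mtime = os.stat(path).st_mtime
    summary["mtime"] = datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat()
    summary["stamp_consistent_with_mtime"] = build_before_modified(summary, mtime)
    return summary


def build_sample_image(stamp: int, is_dll: bool = True) -> bytes:
    """Constructed minimal PE headers (DOS header + COFF header only).

    Not a loadable module; it exists so the example runs offline.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # EXECUTABLE_IMAGE (0x0002) | 32BIT_MACHINE (0x0100) [| DLL (0x2000)]
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python pe_triage.py C:\path\to\suspect.dll   (or no argument for the sample)
    if len(sys.argv) > 1:
        result = triage_file(sys.argv[1])
    else:
        result = pe_summary(build_sample_image(SAMPLE_STAMP))
    for key, value in result.items():
        print(f"{key:28} {value}")
```

The SHA-256 is what you would compare against a vendor's published hash or submit to a scanning service; the version strings in the Properties dialog are free text an author chooses, so the hash and the header fields are the values worth recording.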

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    All I requested was a fresh HJT log, you didn't have to attach all of the others. Also, the HJT log was confusing for a minute until I realized it was two logs in one file.

    Anyway, are you having any further problems?
     
  7. Stephen AT

    Stephen AT Private E-2

    I was still concerned about the 5 files that generated at User logon in the
    C:\Documents and Settings\User\Local Settings\TEMP file
    that are Hidden and cannot be deleted.

    me_384LIGbdkRU2vU3

    me_au9TMmwk4UmpwwA

    me_l5syRwJ3cTL6FR8

    me_u9Z0E1CuwGh0vLV

    me_ZzTiQ90XGPAt1rl


    (always me_ and 15 random characters)


    If I log out as one user & log back on as another user, they generate in that user's
    TEMP file at time of log on.

    If I switch between users (not logging out), they generate in the new user account's TEMP file at logon & stay in the previous user's Temp file as well.

    Also 2 x 32 KB .tmp files that generate at log on

    ~DF[4 random characters].tmp


    & I also have a file

    IadHide5.dll Company: BackWeb

    that is in the
    C:\Documents and Settings\User\Local Settings\TEMP
    folder only (not other Temp folders)

    Also in my
    C:\Documents and Settings
    folder some new folders have appeared since I started loading
    all the new spyware & anti virus programs

    C:\Documents and Settings\

    Administrator (Previously in folder)
    Alex (Previously in folder)
    All Users (Previously in folder)
    Bronte (Previously in folder)
    Default User (Hidden Previously in folder?)
    Gabrielle (Previously in folder)
    LocalService (Hidden NOT Previously in folder)
    McAfeeMVSUser (NOT Previously in folder)
    NetworkService (Hidden NOT Previously in folder)
    User (Previously in folder)

    I do not know if these extra folders have been generated by the
    programs I have put on.


    Microsoft Windows Malicious Software Removal Tool
    Microsoft AntiSpyware
    Spy Sweeper (Now Removed)
    CCleaner
    NoAdware
    Bitdefender
    cwshredder
    Kill2Me
    HijackThis
    Spybot - Search & Destroy (Already on but reloaded)
    Ad-Aware SE Personal (Already on)
    ewido anti-malware (Already on)


    If these files ( me_ , IadHide5, & ~DF )
    are normal or not of concern please let me know.


    Sorry about the double HijackThis Log.


    Thanks

    Stephen
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You will always have TEMP files, that's normal. The folders in Docs & Settings are normal also.

    The programs, you can remove what you don't need or use but that's up to you.

    You should see this article on How to Protect yourself from malware!
     
  9. Stephen AT

    Stephen AT Private E-2

    Thanks for that.

    I was just worried because these files were Hidden & couldn't be deleted.

    I have copied & I am reading the
    How to Protect yourself from malware!
    segment at present.

    Thanks for all your help

    Stephen
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
