Spyware Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by Zamiac, Mar 28, 2005.

  1. Zamiac

    Zamiac Private E-2

    Hi,
    I read "How to: Spyware, Trojan and Virus Removal" and followed the procedures and got rid of lots of stuff; however, I seem to be left with at least three items and would like advice on their removal. The HijackThis list shows them as O4 items: they are snapple.exe, elitebut32.exe and wuangrd32.exe. The Pacman Startup List mentions the first two, and I found a reference to the other on a German site. Can I just fix them using HJT?
    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Zamiac

    Zamiac Private E-2

    Hi,
    Thanks for your quick response, HJT log attached.
    Regards John.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Windows OS and IE versions are way out of date and present a major security risk. When we fix your current problems you MUST go to Windows Update and get your updates.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\userinit32.exe
    C:\WINDOWS\System32\slserver.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
    F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
    O4 - HKLM\..\Run: [wuangrd32] wuangrd32.exe
    O4 - HKLM\..\Run: [snapple] snapple.exe
    O4 - HKLM\..\Run: [NAV Auto Updates] slserver.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebut32.exe
    O4 - HKLM\..\RunServices: [wuangrd32] wuangrd32.exe
    O4 - HKLM\..\RunServices: [snapple] snapple.exe
    O4 - HKLM\..\RunServices: [NAV Auto Updates] slserver.exe
    O4 - HKCU\..\Run: [snapple] snapple.exe
    O4 - HKCU\..\Run: [wuangrd32] wuangrd32.exe
    O4 - HKCU\..\Run: [NAV Auto Updates] slserver.exe
    O4 - HKCU\..\RunServices: [wuangrd32] wuangrd32.exe
    O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\userinit32.exe
    C:\WINDOWS\System32\slserver.exe
    C:\WINDOWS\System32\wuangrd32.exe
    C:\WINDOWS\System32\snapple.exe
    C:\windows\system32\elitebut32.exe <--- while looking for this file look for any others beginning with elite and delete them too. Sometimes there are up to 8 more of these files beginning with elite and ending in .exe.
    C:\WINDOWS\System32\hwclock.exe

    (the hwclock.exe process may require a special procedure to remove in our next set of messages).

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
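As an added example (not from this thread and not part of HijackThis), the script below applies the same triage heuristics chaslang used by hand to a constructed log built from the entries selected above: bare filenames in O4 keys, extra programs chained onto UserInit, the legacy RunServices key, and services with an unknown owner. The "Example" O4 line is invented so that one entry passes the checks.

```python
import re

# Constructed sample made from the lines chaslang selected in the post above,
# plus one invented full-path entry ([Example]) so a benign-looking line is present.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [wuangrd32] wuangrd32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebut32.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserver.exe
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe" /tray
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
""".strip()

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def review_line(line):
    """Return a reason string if the HJT line deserves a human look, else None."""
    if line.startswith(("R0 - ", "R1 - ")):  # start/search page overrides
        return "browser start/search setting points at " + line.split("=", 1)[1].strip()
    m = F2_RE.match(line)
    if m:  # anything besides userinit.exe in UserInit runs at every logon
        parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
        extra = [p for p in parts if p.split("\\")[-1].lower() != "userinit.exe"]
        return "UserInit chains extra program(s): " + ", ".join(extra) if extra else None
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip()
        exe = cmd.strip('"').split('" ')[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe:  # no path: resolved via the search path, typical of droppers
            return f"autorun [{m.group('name')}] is a bare filename ({exe}), no path"
        if m.group("key") == "RunServices":  # Win9x-era key, rarely used by current software
            return f"autorun [{m.group('name')}] uses the legacy RunServices key"
        return None
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        return f"service '{m.group('desc')}' has no known owner: {m.group('path')}"
    return None

def audit_hjt_log(text):
    """(section token, reason) for each line of the log that deserves a human look."""
    pairs = ((ln.strip(), review_line(ln.strip())) for ln in text.splitlines())
    return [(ln.split(" - ", 1)[0], why) for ln, why in pairs if why]
```

A full-path entry such as C:\windows\system32\elitebut32.exe passes every check here, which is why the thread still relied on a reviewer who recognised the name.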
     
  5. Zamiac

    Zamiac Private E-2

    Hello Again,
    I followed your instructions; however, I could not find the files that you asked me to delete from C:\windows\system32. The only one that seemed to be there was elitebut32.exe; a search showed the others to be in the prefetch folder (with numbers after them). The machine seems to be improved, but when connected to the ISP (IE not running) it sent about 160k and received about 25k in a minute. I have attached the latest HJT log, thanks again for your help.
    Regards John.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please verify the below settings and tell me if any were set differently:

    Right Click Start.
    Select Explore
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you use Viewpoint? If not, fix the below line.
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com

    Other than that, your log is clean.

    You now need to get your system updated! Please follow the steps in the below thread to help keep you safe. The first step in that thread is a link to Microsoft Update. If you do not want to install WinXP SP2, select Custom Install and choose all the Updates except WinXP SP2. These updates will be quite large. You really need to get up to at least XP SP1a at an absolute minimum.

    How to Protect yourself from malware!
     
  8. Zamiac

    Zamiac Private E-2

    Hello,
    The "Hide protected operating system files" box was still checked; after unchecking it I was able to delete the files. The computer seems to be fine now. I installed SP2 and downloaded the updates. Thanks for your help, I would never have sorted it out on my own.
    Regards John.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Happy to see you got this all fixed and now you have updated!
     
