Spyware+slow computer = sad audry

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by aud-ra, Nov 5, 2004.

  1. aud-ra

    aud-ra Private E-2

    Hola everyone.
    I, like most other people here ;) , am having some issues with my computer.
    I think I downloaded some spyware accidentally, which I can't get rid of.
    I Read the HowTo: Spyware, Trojan And Virus Removal thread, and tried to deal with my issues following your instructions.
    However, I was not able to follow the instructions completely.
    Here are the steps I was not able to perform:

    I could not install the AdAware SE update ( I was able to install adaware SE though)
    I could not do the online scan at Trend Micro's Free Online Virus Scan. However I have norton<a onMouseOver="window.status='' ; return true;" onMouseOut="window.status='';" oncontextmenu="window.status=''; return true;" onclick="location.href='http://www.enhancemysearch.com/admin/results.php?q=Antivirus&id=49';return false;" href="" TITLE="More Info..."> antivirus </a>installed and updated onto my computer. It had found no viruses.

    My computer is slower than ever before :..(
    Also the issue that I was trying to clear up was not resolved.
    One of the spywares I downloaded (they blitzed me!) caused the annoying pop-up window "Enhance My Search.com" to appear whenever I typed a query into a search engine. So now I can't keep the window from popping up, and my computer now takes forever to open folders and web browsers.

    BTW I am running Windows 2000 with NT

    If any of you could help me out, it would be greatly appreciated.
    Thanks
    Audry
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So which version of Ad-Aware SE are you running? And what is the Reference file version? A new update came out today.

    What was the problem with running Trend Micro's Scan?
    Why didn't you do the Symantec Scan?
    And what was it that you were trying to post about Norton?


    After you complete ALL steps of the READ ME FIRST, if you still have a problem, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT Version 1.98.2 and follow the guideline on where to install it and how to post a log as an attachment.
     
  3. aud-ra

    aud-ra Private E-2

    I did run the symantec scan. It ran fine.
    I went to the website for the Trend Micro's Scan. And there was an error; it didn't even try to run it. I cannot replicate the error because I can no longer open IE browsers on my computer (or anything else for that matter, even the task manager)

    I ran norton antivirus earlier today before I tried ALL of the things in your help file. No viruses were found.
    I could not install the AdAware SE update ( I was able to install adaware SE though)



    I cannot remember the version of Ad-Aware SE that was run. Only that it had been last updated 53 days ago. (I downloaded and installed Ad-Aware SE today.) I tried to update it, but it claimed an error connecting to the server every time.
    Everything else I ran successfully.
    Audry
    Ohh, eek, sorry about the sad state of the previous post, I'm not sure what happened.

    (here is the edited version of my first post)
    I could not do the online scan at Trend Micro's Free Online Virus Scan. However I have norton antivirus installed and updated onto my computer. It had found no viruses.
     
  4. aud-ra

    aud-ra Private E-2

    oh, here is another symptom.

    One of the spywares that I am dealing with causes the 'links' to show up in various texts. I think that if I clicked on them, they would open "enhancemysearch".com and search with that term.
    Cry. When I tried to edit my original post, it exposed the HTML under that linking thing that is going on with my computer.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're missing the point of my question! What is the Ad-Aware version number? Is it 1.05?
    If so, you can download the reference file update here: Ad-aware SE referencefile SE1R17 05.11.2004

    And just extract it to the correct directory manually. 53 days is very old, so old in fact that you probably do not have version 1.05, and that may be why you cannot update.
     
  6. aud-ra

    aud-ra Private E-2

    I downloaded the updated definitions file. And it worked! woo! My computer appears to be clean! very happy!
    For some reason I downloaded Ad-Aware SE version 1.05 with the very old definitions file.
    Thanks for pointing me in the direction of the definitions file.
    Audry
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
  8. aud-ra

    aud-ra Private E-2

    Hello again.
    I thought I was clean, but I have a particularly tenacious spyware on my computer still.
    It's called PeopleonPage. I redid the read-me steps and cleared out my system, but the next day PeopleonPage is back.
    I don't know what to do!

    Thanks
    Audry
     
  9. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    3 possibilities:

    1: Make sure it's not in Add\Remove Programs.

    2: Pest Patrol claims to remove it: http://majorgeeks.com/download1187.html

    3: Manual removal from DoxDesk.com http://www.doxdesk.com/parasite/AproposMedia.html

    POP variant
    Open the registry, by clicking 'Start', choosing 'Run' and entering 'regedit'. Open the 'CLSID' key inside 'HKEY_CLASSES_ROOT' and delete the following subkeys:

    {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}
    {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}
    {8023A3E7-AB95-4C23-8313-0BE9842CC70E}
    {976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}
    {B3BE5046-8197-48FB-B89F-7C767316D03C}
    Next, open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the 'AutoUpdater' and 'POP' entries.

    You can also delete HKEY_CLASSES_ROOT\POP.Server[.1], HKEY_CLASSES_ROOT\POPAd.Server[.1], HKEY_LOCAL_MACHINE\Software\POP and HKEY_CURRENT_USER\Software\POP to clean up.

    SysAI and CxtPls variants
    Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry. There is also one other entry that must be deleted. Its name will be a nonsensical string of eight random alphanumeric characters, and its value will be a single EXE filename, which is semi-random.

    If you are not sure you have the right entry, open the System folder (inside the Windows folder, called "System32" under Windows NT/2000/XP/2003) and load the EXE file it refers to into a text editor. The guilty file will have the string "WinGenerics" inside it somewhere.

    Now open the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and there should be a similar eight-character random entry pointing to another semi-random EXE in the System folder. Delete this too.

    You can also delete the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Envolo, HKEY_LOCAL_MACHINE\SOFTWARE\AutoUpdate and HKEY_CURRENT_USER\Software\Apropos to clean up.

    SysAI variant
    Open a Command Prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd %WinDir%\System
    regsvr32 /u "C:\Program Files\SysAI\AproposPlugin.dll"
    CxtPls variant
    Open a Command Prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd %WinDir%\System
    regsvr32 /u "C:\Program Files\CxtPls\CxtPls.dll"
    All variants
    Restart the computer and you should be able to delete the 'AutoUpdate' folder in 'Program Files' (on the C: drive, even if your Program Files are normally elsewhere), along with the folder 'POP' (POP variant), 'SysAI' (SysAI variant) or 'CxtPls' (CxtPls variant).

    In the System folder you can also delete the two semi-randomly-named EXE files referred to by the registry entries of the SysAI and CxtPls variants, and, if you have them, auto_update_uninstall.exe and auto_update_uninstall.log.
     
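The doxdesk procedure quoted above is a hand-driven audit: check a fixed list of CLSIDs, Run entries and folders, then identify the randomly named loader by the "WinGenerics" string inside its EXE. The script below is an added example, not code from this thread or from doxdesk.com, that performs the same audit on a live Windows host and, on request, the same removals. The thread's machine runs Windows 2000, which has no PowerShell; on that box the steps stay manual in regedit, and this script is what you would run on a host that does have PowerShell. Everything it looks for (the five CLSIDs, the 'AutoUpdater' and 'POP' Run entries, the eight-character random Run names, the plugin DLLs, the folders and the auto_update_uninstall files) is taken from the post; the function names and the `-Remove` switch are mine. Run it from an elevated prompt. With no arguments it only reports; `-Remove` deletes, and `-Remove -WhatIf` previews what would be deleted.

```powershell
# Added example, not code from the MajorGeeks thread or from doxdesk.com.
# Audits a Windows host for the Apropos/PeopleOnPage indicators listed in the
# post above and optionally removes them. Report-only unless -Remove is given.
# Assumptions: indicator names and paths come from the post; the function names,
# the -Remove switch and the file-marker check are mine.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$clsids = '{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}', '{65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}',
          '{8023A3E7-AB95-4C23-8313-0BE9842CC70E}', '{976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}',
          '{B3BE5046-8197-48FB-B89F-7C767316D03C}'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$fixedRunNames = 'AutoUpdater', 'POP'
$cleanupKeys = 'Registry::HKEY_CLASSES_ROOT\POP.Server', 'Registry::HKEY_CLASSES_ROOT\POP.Server.1',
               'Registry::HKEY_CLASSES_ROOT\POPAd.Server', 'Registry::HKEY_CLASSES_ROOT\POPAd.Server.1',
               'HKLM:\Software\POP', 'HKCU:\Software\POP', 'HKLM:\SOFTWARE\Envolo',
               'HKLM:\SOFTWARE\AutoUpdate', 'HKCU:\Software\Apropos'
# The post gives these on C: explicitly, even when Program Files normally lives elsewhere.
$plugins = 'C:\Program Files\SysAI\AproposPlugin.dll', 'C:\Program Files\CxtPls\CxtPls.dll'
$folders = 'C:\Program Files\AutoUpdate', 'C:\Program Files\POP', 'C:\Program Files\SysAI', 'C:\Program Files\CxtPls'
$sys32 = Join-Path $env:SystemRoot 'System32'
$looseFiles = (Join-Path $sys32 'auto_update_uninstall.exe'), (Join-Path $sys32 'auto_update_uninstall.log')

# The post's test for the randomly named loader: its EXE contains "WinGenerics".
# A byte search, so it does not matter that the file is a binary.
function Test-WinGenericsMarker([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    return $text.Contains('WinGenerics')
}

# Turn a Run value such as 'abcd1234.exe' or '"C:\WINNT\System32\abcd1234.exe"'
# into a full path; bare names are looked up in System32, where the post says they live.
function Resolve-RunTarget([string]$Value) {
    $exe = $Value.Trim().Trim('"')
    if ([IO.Path]::IsPathRooted($exe)) { return $exe }
    return Join-Path $sys32 $exe
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Location, $Detail = '') {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# Registry indicators: the POP CLSIDs, the leftover keys, and the Run entries.
foreach ($c in $clsids) {
    $p = "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
    if (Test-Path -LiteralPath $p) { Add-Finding 'RegistryKey' $p }
}
foreach ($k in $cleanupKeys) { if (Test-Path -LiteralPath $k) { Add-Finding 'RegistryKey' $k } }
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $key = Get-Item -LiteralPath $k
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        if ($fixedRunNames -contains $name) {
            Add-Finding 'RunEntry' "$k\$name" $value
        } elseif ($name -match '^[A-Za-z0-9]{8}$' -and (Test-WinGenericsMarker (Resolve-RunTarget $value))) {
            # Eight random alphanumerics AND the marker in the target: both are required,
            # so a legitimate eight-character Run entry is left alone.
            Add-Finding 'RunEntry' "$k\$name" $value
            Add-Finding 'File' (Resolve-RunTarget $value)
        }
    }
}

# File-system indicators. Plugins are a separate kind so they get unregistered first.
foreach ($f in $plugins)    { if (Test-Path -LiteralPath $f -PathType Leaf)      { Add-Finding 'Plugin' $f } }
foreach ($f in $looseFiles) { if (Test-Path -LiteralPath $f -PathType Leaf)      { Add-Finding 'File' $f } }
foreach ($d in $folders)    { if (Test-Path -LiteralPath $d -PathType Container) { Add-Finding 'Folder' $d } }

if ($findings.Count -eq 0) { Write-Host 'No Apropos/PeopleOnPage indicators found.'; return }
$findings | Format-Table -AutoSize
if (-not $Remove) { return }

# Removal in the post's order: registry entries, regsvr32 /u on the plugin DLLs, then files and folders.
foreach ($f in $findings) {
    if (-not $PSCmdlet.ShouldProcess($f.Location, "Remove $($f.Kind)")) { continue }
    try {
        switch ($f.Kind) {
            'RegistryKey' { Remove-Item -LiteralPath $f.Location -Recurse -Force }
            'RunEntry'    { Remove-ItemProperty -LiteralPath (Split-Path $f.Location -Parent) -Name (Split-Path $f.Location -Leaf) }
            'Plugin'      { & (Join-Path $sys32 'regsvr32.exe') /u /s $f.Location; Remove-Item -LiteralPath $f.Location -Force }
            'File'        { Remove-Item -LiteralPath $f.Location -Force }
            'Folder'      { Remove-Item -LiteralPath $f.Location -Recurse -Force }
        }
    } catch {
        # A loader that is still running keeps its EXE and folder locked. The post's
        # advice applies: reboot (the Run entries are gone by now), then run this again.
        Write-Warning "Could not remove $($f.Location): $_"
    }
}
```

The order matters for the same reason the post says to restart before deleting the folders: once the Run entries are gone the loaders no longer start at logon, so a reboot releases the files the first pass could not delete. The marker check is deliberately paired with the eight-character name pattern; either one alone would produce false positives on an ordinary Run key.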
