When someone has a spare moment or two, I was wondering if you could please help me

Discussion in 'Malware Help (A Specialist Will Reply)' started by Teorulte, Mar 8, 2005.

  1. Teorulte

    Teorulte Private E-2

    Hi there,

    I have recently been having problems with trying to rid myself of spyware/trojans and viruses. So I came to this site, read the READ ME FIRST'S and here is what I did:



    1. I disabled System Restore.

    2. After checking for those exact three services, I skipped step 2.

    3. I enabled viewing of hidden files, folders and extensions.

4. I downloaded, updated all of the applicable tools (added appropriate patches etc), and saved them in C:\Spyware Tools.

5. Since I have XP, I rebooted in Safe Mode, but found out that I could not connect to the internet with dial up, so I rebooted again in Normal mode. I tried doing online scans at both Trend Micro's and Symantec, but the bar would just not move. I tried it again, after I rebooted, but I again couldn't run the online scans.

    6. So I rebooted in Safe Mode. I ran CCleaner, and SpySubtract History killer to get rid of the temp folders.

    7. Then I scanned Ad-Aware SE and Spybot.

    8. Then I scanned with CWShredder, Kill2me, about:Buster and HSRemove. (although I was quite sure I did not have the about:blank or HomeSearchAssistent hijacks)

    9. I then rebooted back to Normal mode and ran the Spytools again. But they were still there.

    *Note. Before all of this I ran Windows update (no updates available) and I checked for "RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall", but it seems I did not have it.


So I decided to download HiJackThis. I followed the tutorial, and deleted everything that I was positive needed to be deleted (according to the "quotes"). I then ran it under "Help2Go Detective" and "Hijack This analysis", and I deleted only what they said was positively malicious or definitely a virus. I then rebooted and ran the spyware tools again (of course with no browsers open) and there seemed to be FEWER problems, but they are still there. So I was wondering if you were not too busy if you could give me a hand.

    Thank you for your time.

    Regards,

    Teo
     
  2. sosaman

    sosaman Sergeant Major

    Re: When someone has a spare moment or two, I was wondering if you could please help

    *looks confused* well, you can only connect to the internet (in safe mode) if you have broadband (cable or dsl). when you go into safe mode with networking, your dialup won't work. what problems were you having before (popups, etc.)? do you currently have an antivirus? can you tell us if anything was found by the programs you ran. when doing the online scans, sometimes it takes a while (few minutes) on my dsl, so i'm assuming it didn't d/l all the way on your dialup? what exactly did it do? did you ever get past your accepting it?

doing all of the scans etc., i have found that it takes a lot of time. it does not find everything all at once, so be patient. also, each antispy scan will catch different things, that is why it's good to run a combination of them. here's a couple of things that i recommend (what i use and install on all computers i work on) the avast i install if they don't have an antivirus. the spysubtract i use to help rid of spyware. but i always disable it on startup. you can also (if you haven't already) d/l the beta version of antispy from microsoft (it's decent), but i have found that if you use the stuff above, and below, it probably won't find anything extra. ;)


    http://www.intermute.com/products/spysubtract.html <-- free 30 day trial
    http://majorgeeks.com/download1968.html <-- free antivirus (sometimes on 1st reboot it'll run a dos scan)

    http://toolbar.yahoo.com/ie <-- yahoo toolbar for ie (popup block and antispy scan)

    g/l - sos
     
  3. TheOldThug

    TheOldThug First Sergeant

    It sounds like you have tried to do the READ ME.
    You must be careful deleting with HJT from the analysis online unless absolutely sure. It does make mistakes.

    Please try to turn OFF any applications that are not needed It makes it much easier to look at the HJT log.
    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT

    Good Luck :)
     
  4. Teorulte

    Teorulte Private E-2

    Hi again,

Thank you for your prompt replies. Now I know that Dial Up will not work in Safe mode, because when I checked the options, only LAN Broadband/Cable was an option. I did not know this beforehand though. I have not had any problems with pop ups. It started off with a problem with SpySubtract finding APROPOS and WINAD, and some others which I am not quite sure what they were (sorry) and when I ran AdAware-SE it showed quite a few, but dumb me I did not jot them down. SpyBot showed "Windows Tool" or something to that effect, a few times. But I am sure that this all happened was because I clicked download Active X at the top of an unsecure browser page. Yes, I currently have Norton Antivirus and Firewall (both updated), and I also ran the Antivirus many times for the system scan, but it usually only showed ADWARE, and that it was not a "major" threat. I also have SpySubtract. I was wondering, why do you disable it on startup? Should I disable it on startup also? After this, I will click on the 2 other links you suggested, and download the appropriate software.

    By the way, because I am sure you are going to tell me, with regards to HiJackThis, I did EXACTLY what you said in the README. I went to C:\Program Files, clicked on an empty space and made a folder called HJT. Then before I started downloading HiJackThis, I saved it to the HJT in the C:\Program Files.

    Here are my system Specs:

    Computer
    Operating System Microsoft Windows XP Home Edition
    OS Service Pack Service Pack 2
    Internet Explorer 6.0.2900.2180


    Motherboard
    CPU Type Intel Pentium 4E, 2933 MHz (5.5 x 533)
    Motherboard Name Unknown
    Motherboard Chipset Intel Grantsdale-G i915G/GL/GV
    System Memory 503 MB
    BIOS Type AMI (11/12/04)
    Communication Port ECP Printer Port (LPT1)

    Display
    Video Adapter Intel(R) 82915G/GV/910GL Express Chipset Family (128 MB)
    Video Adapter Intel(R) 82915G/GV/910GL Express Chipset Family (128 MB)
    3D Accelerator Intel Extreme Graphics 3
    Monitor BenQ FP71E [NoDB] (1449822)
    Monitor Plug and Play Monitor [NoDB] (1449822)

    Multimedia
    Audio Adapter Realtek HD Audio rear output

    Storage
    Disk Drive Generic USB CF Reader USB Device
    Disk Drive Generic USB MS Reader USB Device
    Disk Drive Generic USB SD Reader USB Device
    Disk Drive Generic USB SM Reader USB Device
    Disk Drive SAMSUNG SP1614C (160 GB, 7200 RPM, Serial-ATA/150)
    Optical Drive SAMSUNG CD-R/RW SW-252S
    Optical Drive SAMSUNG DVD-ROM SD-616E (16x/48x DVD-ROM)

    Partitions
    C: (NTFS) 146393 MB (139320 MB free)
    D: (FAT32) 6211 MB (725 MB free)

    Input
    Keyboard HP PS2 Keyboard (2K - 3)
    Mouse Microsoft PS/2 Mouse

    Network
    Primary IP Address 216.95.76.98
    Primary MAC Address 00-11-D8-6F-DE-D6
    Network Adapter Realtek RTL8139/810x Family Fast Ethernet NIC
    Network Adapter WAN (PPP/SLIP) Interface (216.95.76.98)
    Modem Agere Systems PCI Soft Modem

    Peripherals
    Printer Fax
    Printer hp psc 2170 series
    Printer Microsoft Office Document Image Writer
    USB Device USB Mass Storage Device


    I attached the HiJackThis log file.

    Thanks again.

    Regards,

    Teo
     

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Teorulte,

First, we need to temporarily disable Search & Destroy TeaTimer. This will affect some of the removal steps.

    Next, Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe



    Please allow me a moment to analyze your log.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

After you have relocated Hijack This into its Safe Location, proceed.


    Please look in Add or Remove Programs for the following and Uninstall if found:

    Media Pass


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    MediaPass.exe

    MediaPassK.exe

    TeaTimer.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.intervideo.com/jsp/Product_Promote.jsp?context=2&vp=1&appid=20&customer=3757&product=CHKB5D8S7A7BKASC2CND3QFS1NHFAQ2Q5Q5M&locale=0x0409

    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
    O4 - HKLM\..\Run: [u3mU36g] ap9ngl32.exe
    O4 - HKCU\..\Run: [f058RWMnV] aclxof.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


C:\Program Files\Media Pass ←–– Delete this whole folder if it exists!

    ap9ngl32.exe ←–– Search for this file and delete when found!

    aclxof.exe ←–– Search for this file and delete when found!


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
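The O4 entries the expert flags above share two tells that a defender can check mechanically: the Run value name is a random-looking string (u3mU36g, f058RWMnV) and the command is a bare executable name with no install path (ap9ngl32.exe, aclxof.exe), so Windows has to find it by searching the PATH. The following Python is an added example, not code from the thread or from HijackThis; it parses HijackThis-style O4 lines from a constructed sample log (the three entries quoted in the thread plus two made-up benign ones) and reports the entries that show those tells. The heuristics (`looks_random`, `is_bare_filename`) are this example's own assumptions, not HijackThis rules.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in HijackThis O4 format. Entries 2-4 copy the ones quoted
# in the thread; the first and last lines are made-up benign entries.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [Media Pass] C:\\Program Files\\Media Pass\\MediaPass.exe
O4 - HKLM\\..\\Run: [u3mU36g] ap9ngl32.exe
O4 - HKCU\\..\\Run: [f058RWMnV] aclxof.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
"""

# Matches registry-based O4 lines: "O4 - HKLM\..\Run: [ValueName] command".
# Startup-folder O4 lines (Global Startup / Startup) have a different shape
# and are deliberately skipped by this example.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one registry O4 line into hive, key, value name and command."""
    m = O4_RE.match(line.rstrip())
    return m.groupdict() if m else None


def is_bare_filename(cmd: str) -> bool:
    """True when the executable token carries no directory or drive letter.

    A Run value like 'ap9ngl32.exe' gives no install location at all; Windows
    resolves it through the PATH search, which is unusual for legitimate
    software and common for the droppers seen in the thread (assumption).
    """
    exe = cmd.strip().strip('"').split('"')[0].split()[0]
    return "\\" not in exe and ":" not in exe


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a single token mixing letters and digits."""
    return (
        " " not in name
        and len(name) >= 5
        and any(c.isdigit() for c in name)
        and any(c.isalpha() for c in name)
    )


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the O4 entries that trip at least one heuristic, with reasons."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if is_bare_filename(entry["cmd"]):
            reasons.append("bare filename, no install path (resolved via PATH search)")
        if looks_random(entry["name"]):
            reasons.append("random-looking Run value name")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']}: [{f['name']}] {f['cmd']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run on the sample, this reports only the two bare-filename entries. Note what it does not report: the Media Pass entry has a proper path and a readable name, so the heuristics pass it; the expert identifies it from the program name, which is why a log is reviewed by a person rather than fixed by a script.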
     
  7. Teorulte

    Teorulte Private E-2

    Hey There,

    After I uninstalled Media Pass from add/remove, it was not in the task manager, nor in the hijackthis scan log. And it didn't show up in safe mode either. But everything else went perfect, just like you described it.

    Regards,

    Teo
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean!:)

    Are you currently having any further problems?



    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
     
  9. Teorulte

    Teorulte Private E-2

    Hi there,

I ran SpySubtract, Norton Anti-Virus, SpyBot, and Ad-Aware SE and each was clean! I think that everything is running normal again. Thank you very much for all of your help, it is greatly appreciated.

    Best regards,

    Teo
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

