Unsure Spyware had been removed!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fysoon, Jan 10, 2007.

  1. fysoon

    fysoon Private E-2

    I followed the steps in "READ & RUN ME FIRST" to clean the spyware that had infected my PC. I did all the clean up, and ran CCleaner, Spybot S&D & AVG Anti-Spyware in Safe Mode (didn't run CounterSpy as I couldn't get it updated). I also ran Bitdefender (in Safe Mode with Networking) and Panda ActiveScan (in normal mode). All of them cleaned/disinfected/quarantined whatever they found, except Panda ActiveScan, which found 2 spyware items.
    I'm not sure how to clean these 2 spyware items and need help on this.
     

    Attached Files:

  2. fysoon

    fysoon Private E-2

    More attachments here....
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You still have some problems!


    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    Now in a second message attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
    How are things working now?
     
  4. fysoon

    fysoon Private E-2

    Hi chaslang,

    I'm attaching the log file from running smitfraudfix.cmd.

    rapport-1st.txt = from STEP1
    rapport.txt = from STEP2

    Thanks for your help.

    cheers,
    fysoon

     

    Attached Files:

  5. fysoon

    fysoon Private E-2

    Attachments for new log from GetRunKey, ShowNew & HJT...

     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you set the below registry values yourself?

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    Java 2 Runtime Environment, SE v1.4.2_05
    Mozilla Firefox (1.5.0.9)
    Sunbelt CounterSpy <-- we are finished using this now!

    Make sure you reboot after uninstalling the above!

    Then install the current version of FireFox from: Mozilla Firefox
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)

    After clicking Fix, exit HJT

    Now reboot in normal mode
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now locate the below folders and delete them if found:
    C:\Program Files\Video ActiveX Object
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
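    The two HijackThis lines above are both autostart entries whose DLL is already gone ("file missing"): an O20 Winlogon Notify package and an O21 ShellServiceObjectDelayLoad object. Fixing them in HJT removes the dangling registry reference. As an added illustration (not code from the thread, HijackThis or MajorGeeks), the parser below reads O4/O20/O21 lines from an HJT log, records where each one lives in the registry, and picks out the entries whose file no longer exists. The two flagged lines are taken from the post above; the other sample lines and the pattern set are constructed here, and the parser knows only these three section codes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry locations behind the HijackThis section codes handled below.
# O20 and O21 are the two sections asked to be fixed in the thread; O4 is the
# ordinary Run key and is included for comparison.
SECTION_REGISTRY = {
    "O4":  r"HKLM or HKCU: Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices)",
    "O20": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<name>, value DllName",
    "O21": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, "
           r"value <name> = CLSID, DLL resolved via HKCR\CLSID\{clsid}\InprocServer32",
}

# "(file missing)" is the suffix HJT appends when the referenced file is gone.
_MISSING = r"(?P<missing> \(file missing\))?$"
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
BODY_RE = {
    "O4":  re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<target>.+?)" + _MISSING),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<target>.+?)" + _MISSING),
    "O21": re.compile(r"^SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+?)" + _MISSING),
}


@dataclass
class AutostartEntry:
    section: str            # HJT section code, e.g. "O21"
    name: str               # registry value or subkey name as HJT prints it
    target: str             # DLL or command the entry loads
    clsid: Optional[str]    # only O21 lines carry a CLSID
    file_missing: bool      # HJT appended "(file missing)"

    @property
    def registry_location(self) -> str:
        return SECTION_REGISTRY.get(self.section, "unknown section")


def parse_hjt(log_text: str) -> List[AutostartEntry]:
    """Parse the O4/O20/O21 lines of a HijackThis log; other sections are skipped."""
    entries: List[AutostartEntry] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("section") not in BODY_RE:
            continue
        body = BODY_RE[m.group("section")].match(m.group("body"))
        if not body:
            continue  # line shape not recognised; leave it for a human reader
        g = body.groupdict()
        entries.append(AutostartEntry(
            section=m.group("section"),
            name=g["name"],
            target=g["target"],
            clsid=g.get("clsid"),
            file_missing=g["missing"] is not None,
        ))
    return entries


def dangling_entries(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Entries whose DLL or program no longer exists on disk.

    The registry reference has outlived the file (removed by a scanner or by
    hand); removing the reference is what HJT's "Fix checked" does for these."""
    return [e for e in entries if e.file_missing]


# Constructed sample log: the two lines from the thread plus three ordinary
# Windows XP entries written here to show what a clean line looks like.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

if __name__ == "__main__":
    for entry in dangling_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section} {entry.name}: {entry.target} is missing")
        print(f"    lives in {entry.registry_location}")
```

    The O23 service line in the sample is deliberately left unparsed: the point is that a reviewer can narrow a long log to the autostart locations under discussion and see, for each dangling entry, which key has to be cleaned.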
     
  7. fysoon

    fysoon Private E-2

    No, I didn't set those registry values, as I don't even understand what is meant by the registry for a PC.

    What I recall doing a few months back is turning off Automatic Updates for Windows.

    I uninstalled J2SE Runtime Environment 5.0 Update 2, Java 2 Runtime Environment, SE v1.4.2_05, Mozilla Firefox (1.5.0.9) & Sunbelt CounterSpy without any problem.

    However, I did encounter a problem downloading Firefox 2 from Majorgeeks using IE. It loaded the Mozilla Firefox page once but quickly went blank before I could click download. I refreshed IE but couldn't get it to open. I ended up downloading it from *********.

    I ran HJT to fix O20 & O21 without problem, and managed to add the fixME.reg with no problem also.

    I managed to remove the Sunbelt CounterSpy folders, but couldn't locate Video ActiveX any more. I remember removing Video ActiveX using the Windows Add/Remove function during 'READ & RUN ME FIRST'.

    So far, after the first round of clean up, I haven't seen IE open up to show those ads.
    However, I was attacked by a few Trojans yesterday. They were removed by McAfee. I did a VirusScan later and didn't find any problem.

    I attached the 3 log files here.

    I really appreciate your time and effort in guiding me to remove this malware. A million thanks to you.

    cheers,
    fysoon
     

    Attached Files:

    Last edited by a moderator: Jan 14, 2007
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  9. fysoon

    fysoon Private E-2

    Hi,

    I followed your instructions here to clean up those log files and redundant stuff, and did the System Restore off-and-on thing.

    I looked thru the list of 'How to Protect yourself from malware!' and decided to install AVG Anti Virus and SpywareGuard.
    To do that, I uninstalled McAfee and later installed AVG & SpywareGuard. Everything went smoothly during the uninstall and installation.

    However, after I rebooted, I started to see this popup window, "Dr.Watson Postmortem Debugger encountered a problem and need to close", telling me to choose whether or not to send a report to Microsoft. I clicked Don't Send and my PC looked like it froze!! The only thing I could do was Ctrl-Alt-Del to restart.
    After the restart, the Dr. Watson thing still popped up, and my PC was still frozen. Then I decided to end the process belonging to Dr. Watson, and apparently there were 2 of them (same name, but different size). I managed to end both of them, and only then was I able to start using my PC.

    My question is, is this Dr.Watson thing useful? How do I fix it or work around it?

    Again, thanks for your sound advice and help on this.

    cheers,
    fysoon

     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it can be useful. It does not normally run unless there are some kind of problems in the OS. I doubt this is a malware issue, but I'm also not sure why this started happening just now.

    Please attach new logs from ShowNew and HJT so I can get a feeling for your current status.
     
  11. fysoon

    fysoon Private E-2

    I think I managed to get this fixed after uninstalling SpywareGuard. Now the Dr. Watson thing doesn't pop up.
    Could it be that SpywareGuard is already outdated (because the version I downloaded from MG is a couple of years old) and isn't compatible with WinXP SP2?


     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is the current version of SpywareGuard. It does not work like most programs and rarely updates. I suggest you use a different realtime blocking tool. If you want free, there are the below which you can try:

    Microsoft Windows Defender

    Spyware Terminator


    Make sure you keep Spybot & SpywareBlaster installed and updated. After each update of Spybot make sure to re-immunize just in case new definitions were added.
     
