FreeSpyScannerandRemover SpywareBomb

Discussion in 'Malware Help (A Specialist Will Reply)' started by Loccie, Sep 26, 2007.

  1. Loccie

    Loccie Private E-2

    Hi,

    I am going insane trying to work out how to remove this infection. Iolo Spython listed 2 infections, UltimateDefender and SpywareBomb. It removed them and I rebooted; the system runs smoother, then the system slows and they are back. With an update to Spython the detections changed to Free Spyware Scanner and Remover and SpywareBomb. I managed to remove Freespy with ComboFix and Rougescanfix and seemed to remove SpywareBomb's ability to reinstall by removing mscoree.dll, because after running Rougescanfix various instances of mscoree.dll were listed as missing in CCleaner's reg fix section. When I run Spython, registry values are listed in CCleaner, mainly ActiveX/COM entries mscomctl2 and mscomctllib. Housecall, BitDefender, Panda Online Scan, Norton Internet Security 2007, Trend Micro Internet Security 2007, Kaspersky Internet Security 2007, AVG Antispyware, NOD32 and Spybot Search and Destroy all find nothing on my computer. I would think it a false positive if my computer did not run so much better after Rougescanfix and Spython temp repairs. I have not fully reinstalled my computer for months because of this. My only thought is either a rogue file or infected process. I have run out of knowledge of what to look for in my computer and would be thankful for any help.

    PS. My windows is fully up to date.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Loccie!
    Welcome to Major Geeks!

    You may have a rootkit, although I think one of the scanners you mentioned should have picked it up. Nevertheless, I will give you the following scan to run and maybe a couple more later. From the way you describe the removal, it sounds like there's something there.

    After running that scan, please go to the HijackThis folder and right-click on hijackthis.exe and rename it to analyse.exe and rerun it. You don't have to rename the log. There are certain infections which evade detection when the name of HijackThis stays the same.

    Why do you have so few Windows updates? You have sp2, but you seem to be missing about 50 others.

    I want to have you test one of your files at jotti and/or at VirusTotal At each website, there's a box where you can upload them and then click on scan. Please report the results back to me. I don't know if it will find anything.
    abri
     
  3. Loccie

    Loccie Private E-2

    Thank you for the response. I tested that file at Jotti and VirusTotal; both came up negative. I can only guess my Windows updates are not listed because I used software to clean up old update uninstallers. I use Microsoft Baseline Security Analyzer 2.0.1 and Microsoft Update and all is listed fine. I ran the fsbl.exe; no rootkit listed. I have also included the list of registry entries CCleaner lists after Spython does its repair and also a list of my MSComctlLib entries now. I tested something out and removed rundll32.exe in safe mode, ran Spython and then replaced rundll32 with one I got from Merijn, and my computer is running much faster. I am running a Spython scan now to see what it comes up with.

    Thanks

    PS: Scan just found SpywareBomb again, hehe, got to laugh or I go crazy.
     

    Attached Files:

    Last edited: Sep 26, 2007
  4. abri

    abri MajorGeek

    Hi Loccie,
    I've been studying your logs and scratching my head a bit. All the files you have listed are ones that are on my computer as well, making me think they are probably legitimate, however, I'm getting a second opinion. While you wait, please install Java Runtime Environment vs. 6.2.

    I am curious at the moment what would happen if you turn off ActiveX in your Internet Explorer or take the option only with prompt and then have Spython fix whatever it finds. This is under Tools / Internet Options / Security tab / then Custom Level down at the bottom of that window. You have three choices for most of the ActiveX settings, which will allow them, deny them or prompt you to make a decision. Use that browser with the prompt setting and also try using an alternate browser like Firefox, which doesn't use ActiveX, for a while and see if you begin to lose speed again.

    I'll get back to you about whether these are bad or not.
    abri
     
    Last edited by a moderator: Sep 28, 2007
  5. Loccie

    Loccie Private E-2

    Hi abri

    I changed ActiveX from enabled to prompt and installed Java 6.2.

    I will give you some more background. I used to notice that Restricted Sites was changed to Custom and the following entries re-added and unable to be fixed by HijackThis, as well as the slow down.

    hkcu\software\microsoft\internet explorer\main, local page =
    hklm\software\microsoft\internet explorer\main, local page =

    browseui preloader
    component categories cache daemon

    I have been looking into the possibility of a hook/rootkit and found a module listed that I can not find on my computer. I have no knowledge of this area but googled the name with no findings.

    Module Name = dump_IdeChnDr.sys
    Image Address = 0xB2AB3000
    Size = 98304
    path = \SystemRoot\system32\Drivers\dump_IdeChnDr.sys
    Product Name = Nothing Listed
    Company Name = Nothing Listed
    Description = Nothing Listed

    Would you look at an Autoruns log for me to check it over please?

    One last question I uninstalled CCleaner and it dropped a .exe 'Au_.exe' into

    C:\Documents and Settings\Loccie\Local Settings\Temp\folder forget the name\Au_.exe

    I checked it at VirusTotal and Panda listed it as suspicious.

    Many thanks for your interest in my case. I scratched my head so much my hair is coming out ;-)
     
  6. Loccie

    Loccie Private E-2

    Errrrrr attachment here :)
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi Loccie!
    You've run a lot of scans but not Ewido, smitrem or the one for SpywareFalcon. I'll send you to instructions for these three and see if they pick up anything. My experience so far is that you've been finding things which are normal for your computer. Why there is a difference after you run the cleanup tools, I'm not sure, so I think it is worth it to look a little more thoroughly. Please run the following and post back the results for each:

    SpywareQuake and SpyFalcon Removal Procedure

    Ewido Anti-Malware

    smitrem

    abri
     
  8. Loccie

    Loccie Private E-2

    Hello again

    I ran the scans as you requested, although I had run AVG Antispyware before. I found no files listed in the two how-tos. When I run smitrem I get an error message 'getst.exe has encountered a problem and needs to close, we are sorry etc etc', then smitrem runs as normal and closes. I googled 'getst.exe' and it came up with 2search? I am running Spybot Search and Destroy and SpywareBlaster; would these affect smitrem?

    I noticed after installing Java 6.2 and changing ActiveX permissions Spython is no longer picking up SpywareBomb and my CPUs are running under less load. My gut feeling is the infections were coming directly through Internet Explorer 7. Thank you for all your help and I will keep checking my computer. My only worry now is this 'getst.exe' error message.
     
  9. Loccie

    Loccie Private E-2

    I spoke too soon. I scanned today and it found SpywareBomb and those same registry entries were listed in CCleaner. I have no idea what to do now.
     
  10. abri

    abri MajorGeek

    Hi Loccie,
    Please explain in a bit more detail what is happening here. It (Spython?) found Spyware Bomb and those same registry entries (the ones from your first post?) were listed in CCleaner? (where - you mean in the list it produces of what it deleted?)

    What do you mean by CCleaner dropped a file? And why did you uninstall it? Do you think it was infected?

    As far as I can tell, the entries which are being deleted are legitimate entries. So each time you boot up, when Windows finds them missing, it replaces them. This sequence could go on for a long time. What I don't understand is why your computer briefly gets better. When does it get better? Is it right after you have Spyware Bomb removed and CCleaner delete all the files but before you reboot your computer again? I have a theory about this but not yet anything concrete.

    You mentioned that when you tried to run smitrem, it got an error message that getst.exe couldn't run. You are right that getst.exe is part of 2Search and it will be removed by Ewido. Did Ewido remove it? Did you run the scans in the order in which they were listed?

    Did you have a chance to install a browser that doesn't use Active X yet?

    abri
     
  11. Loccie

    Loccie Private E-2

    Hi

    I will list what I do to find the infection and what I do after. I run Spython; it finds an infection after about 75% of the scan, scans to the end, then runs through a cleaning process. At the end I check the log and it says SpywareBomb was removed, no other details as to files removed or where from. I then run CCleaner to clean up any registry entries, always the same list; I have attached it as 'CCleaner after Spython'. System is happier, internet pages open quicker, menus work faster etc. Then after a while I scan and everything is back to before.

    Today I ran Rougescanfix with BFU so I could collect a CCleaner log after that, because after Rougescanfix my computer speeds along VERY nicely but my .NET no longer works. Last time I used Rougescanfix my computer was great until I installed .NET again to get my graphics card's control panel working, then the infection cycle kicked off again. I copied all the entries listed in CCleaner after Rougescanfix and have attached them as 'CCleaner after Rougescanfix'. I am now running the system post Rougescanfix without mscoree.dll. As I said before, I thought many times it must be Spython at fault, but my system 'feels' so different after a fix.

    I uninstalled CCleaner a while ago and it left a file called Au_.EXE in temp files. I am just trying to rule out everything on my system and I saw some bad reports for a file listed as Au_.exe.

    When I run smitrem I get that error message: getst.exe has encountered a problem and needs to close, we are sorry for any inconvenience.

    Do you want to send an error report? Yes / No

    I have not had a chance to try another browser because this system is driving me so crazy I only use it when trying to fix it.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi Loccie,

    Please uninstall System Mechanic and Spython completely from your computer. What seems to be happening, is that Spython is identifying a part of your computer as being infected and deleting legitimate files. The computer works well briefly until it notices that it is missing files. It then begins the process of replacing them and, I expect, creating dmp files to record all the errors it encounters when it discovers that legitimate files are missing. I'm making a guess that it is this whole process which is slowing down your computer and that it started when you installed System Mechanic.

    The .NET problem is described here:
    http://support.microsoft.com/kb/316091/EN-US/

    When I put the below item in bold into Google, it came up with this:
    It's a legitimate file.

    Also, can you locate the following two files on your computer?
    getst.exe
    Au_.EXE


    If so, please go to both of the following websites and upload the files one at a time and have them scanned. Post what you find out from your scans.

    VirusTotal

    jotti

    abri
     
  13. Loccie

    Loccie Private E-2

    Hi


    I did not explain myself very well. .NET works fine until I do a Rougescanfix, then it no longer works. The notepad document 'CCleaner after Rougescanfix' shows the registry entries that are no longer viable after Rougescanfix, not Spython. I use CCleaner only to give myself an idea of what has been affected by the fix, hoping it may point to an infection. Is it normal for Rougescanfix to remove .NET files? My only thought is maybe the infection needs .NET to reinfect my system? Could it be an IE7 plug-in? I am running this system now without mscoree.dll (removed by Rougescanfix) because I know as soon as I fix .NET I will get troubles again. I am not sure what to do next other than a reinstall or maybe removal of IE7.


    getst.exe is a smitrem exe that is responsible for getting shared tasks, I believe? Just a shame it has the same name as a 2search file, hehe, gave me a scare. I just get an error message that it can not run and needs to close; any ideas why?


    When I uninstall CCleaner it leaves a tmp file *Au_.exe* in

    C:\Documents and Settings\Loccie\Local Settings\Temp\*folder I forgot the name of*\Au_.exe

    On VirusTotal, Panda lists it as *suspicious*.


    Take it easy, be safe
     
  14. abri

    abri MajorGeek

    Did you see this in the Microsoft article I posted to you?
    "Mscoree.dll Could Not Be Found" Error Message When You Try to Run a .NET Executable File

    We haven't established that your computer is infected.

    I would try removing registry mechanic first. Also, if you remove IE7, please do so using the Microsoft tool which can be found under Add/Remove Windows Components which is a separate button within Add/Remove programs.

    Please try and duplicate this and then have Jotti scan the file.

    abri
     
  15. Loccie

    Loccie Private E-2

    Hello

    The http://support.microsoft.com/kb/316091/EN-US/ article is basically saying if you get an error about missing mscoree.dll it is because you need .NET installed to use .NET applications?

    Rougescanfix removes mscoree.dll from system32. I had .NET on my computer until I ran Rougescanfix. I had .NET 2 and 3 installed until I ran Rougescanfix; now I do not have mscoree.dll in system32 because Rougescanfix removed it. I just wondered if this was a normal part of Rougescanfix?

    Registry Mechanic is not a good program?

    I will of course use the uninstaller if I have to remove anything.
     
  16. abri

    abri MajorGeek

    It means that if you try to run .net executable files and mscoree.dll is missing, you can't run them.

    Rougescanfix is a removal tool for Virusburst, which has certain symptoms, of which a popup informing you that you have a virus is one. Do you have these symptoms? What caused you to begin using Rougescanfix on your computer? Are you now, or were you ever, having symptoms which would have made it necessary to use this removal tool? Did someone recommend it to you? There is another removal tool with a similar name.

    Your problems seem to be related to a false positive being produced by a piece of software which now comes included with Registry Mechanic called Spython. We are wondering if you remove this entire tool, if the symptoms you've been experiencing will stop. It is a question.

    IE7 needs to be taken out via Add/Remove Windows Components in the part of the computer called Add/Remove Programs. It cannot be uninstalled.

    abri
     
  17. Loccie

    Loccie Private E-2

    Hi

    Ok, I have been running a lot of tests, hence the big delay in a reply.


    I first set out to find if Spython was giving a false positive.

    I ran Spython, waited for it to find an infection, then stopped it before it could fix it. I then ran smitrem and then ran Spython again to see if there was any change to its detection; no change, it still found two infections. I did this test for SmitFraudFix, Rougescanfix and ComboFix, and after all these Spython was still finding infections. So I decided something must be up with Spython and uninstalled it and forgot about my troubles.

    Yesterday I installed Spyware Doctor and scanned, and it came up with Trojan-PWS.Tanspy:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

    I googled this and someone else was having similar troubles to me: IE was automatically downloading SpywareQuake files through a browser extension.

    I fixed it by opening Internet Properties / Advanced and unchecking 'Enable third-party browser extensions', rebooting in safe mode and running Spyware Doctor. I have no idea why nothing else finds this or if it is what Spython is finding, because I can not be stressed to reinstall System Mechanic for an answer. I can reason, however, that if I had some sort of rogue browser extension, any infection could easily reinfect as soon as my browser was opened. I hope this brings an end to my issues; we will see.

    I still do not understand why mscoree.dll was removed from my system by Rougescanfix, but I do know that after mscoree.dll was removed Spython was not finding the infection after it fixed it.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We said it was a false positive quite a while back and still maintain that it is.


    This is also a false positive unless there was something more than a null setting under the load key. The key you mentioned is valid but the normal setting is just for the key to be empty.
     
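As an added illustration, not from this thread or any of its posters: a small Python audit over an exported .reg file that checks the three registry settings the thread turns on, namely that the Control Panel\load key is empty (the normal state chaslang describes), that IE's third-party browser extensions are disabled (the setting Loccie unchecked), and that the Internet zone's ActiveX settings are prompt or disable rather than enable (the change abri suggested). The sample .reg text is constructed; the zone value numbers 1200/1001/1004 and the "Enable Browser Extensions" value name are IE's own, and the parser is simplified (it ignores multi-line hex values).

```python
import re

# Constructed sample of a Windows .reg export (not taken from the thread's logs).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000003
'''

# IE security-zone ActiveX settings (Zone 3 = Internet); 0 = enable, 1 = prompt, 3 = disable.
ZONE_ACTIVEX = {"1200": "Run ActiveX controls and plug-ins",
                "1001": "Download signed ActiveX controls",
                "1004": "Download unsigned ActiveX controls"}
ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
CP_LOAD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, raw = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                val = int(raw[6:], 16)
            else:  # quoted string; .reg doubles backslashes inside strings
                val = raw.strip('"').replace("\\\\", "\\")
            keys[current][name] = val
    return keys

def audit(reg):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    for name, val in reg.get(CP_LOAD, {}).items():
        if val not in ("", 0):  # anything loaded from here at logon deserves a look
            findings.append(f"Control Panel\\load value {name!r} is not empty: {val!r}")
    if reg.get(IE_MAIN, {}).get("Enable Browser Extensions", "yes").lower() != "no":
        findings.append("third-party browser extensions are still enabled in IE")
    for num, label in ZONE_ACTIVEX.items():
        if reg.get(ZONE3, {}).get(num) == 0:
            findings.append(f"Internet zone: '{label}' ({num}) is set to enable")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

Export the relevant keys with regedit (File / Export) and point the script at that file instead of SAMPLE_REG to audit a real machine.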
