Can Somebody Please Help Me Get This Annoying Spyware Off My Computer?!

Discussion in 'Malware Help (A Specialist Will Reply)' started by lbj23, Aug 25, 2006.

  1. lbj23

    lbj23 Private E-2

    I unknowingly downloaded something like a month ago that ended up being spyware. I downloaded Anti Virus, Adaware, and Spybot Search & Destroy. I think they removed most of it but I'm still having problems with this annoying spyware. Adaware was detecting the stuff but it kept on stopping and restarting my computer all of a sudden. Now it doesn't even detect it but it's still on my computer. Because of this stuff it takes my computer like 20-30 minutes to start up, and when I click on files or sometimes when I even just put my mouse over files certain things pop up in my task manager like IEXPLORE.EXE (I don't even use Internet Explorer), RVICES~.EXE, wmiprvse.exe, GetPopUpInfo.exe, and verclsid.exe, which slows down my computer when it pops up. If anybody could tell me how to get this stuff off my computer it would be greatly appreciated.

    I followed everything in the sticky too but I'm still having problems.
     

    Attached Files:

    Last edited: Aug 25, 2006
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We also need the logs from BitDefender Online and Panda ActiveScan.
     
  3. lbj23

    lbj23 Private E-2

    ok, I just did the online scans. Here are the logs.

    Also, during my scan with www.pandasoftware.com something named SysProtect downloaded to my computer even though I clicked cancel when they asked me if I wanted to download it. Was that supposed to happen?
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start by downloading two tools we will need

    - Process Explorer
    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Empty The AntiVir Personal Quaratine Folder
    Empty the Recycle Bin
    Run CCleaner

    << The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    Note: Some of the below processes may not be running on your system. In that case just skip the process and continue to the next process.

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mllml.dll once and then click the kill button. After you have killed all of the mllml.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of mllml.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of mllml.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of mllml.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of mllml.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on wrssdk.exe and again click once on each instance of mllml.dll and kill it. (If you do not find the dll, just continue on.)

    Repeat the above for winanr32.dll.

    Now just exit Process Explorer.

    Now run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines. DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\mllml.dll
    C:\WINDOWS\system32\lmllm.bak1
    C:\WINDOWS\system32\lmllm.bak2
    C:\WINDOWS\system32\lmllm.ini
    C:\WINDOWS\system32\lmllm.ini2
    C:\WINDOWS\system32\lmllm.tmp
    C:\DOCUME~1\JOSHFO~1\MYDOCU~1\SCURIT~1\taskmgr.exe
    C:\Documents and Settings\Josh Fossett\Favorites\Antivirus Test Online.url
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\!update.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\35803B7.dmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\3d11_appcompat.txt
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\8dm85soo.mp3
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\9257_appcompat.txt
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\9A66BDC.dmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\a152_appcompat.txt
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\b103.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\b104.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\b115.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\b121.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\b122.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\cf19_appcompat.txt
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\da1f_appcompat.txt
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\eio3kpkv.mp3
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\ENEMIES ON SITE (DJ SCOPE).torrent
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\everyoneshero.bmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\GLC91.tmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\GLJ92.tmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\mmmxl.log
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\Phat Azz White.torrent
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\PNX29.tmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\ptchocolate.bmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\removalfile.bat
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\sa7B.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\temp.fr17C6
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\temp.frE0FA
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\TMP10A.tmp
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe
    C:\Documents and Settings\Josh Fossett\Local Settings\Temp\win43.tmp.exe
    C:\Documents and Settings\Josh Fossett\My Documents\SCURIT~1\taskmgr.exe
    C:\PROGRA~1\CRAMTO~1\untitled.dll
    C:\Program Files\Common Files\{9C971111-018D-1033-0126-990428980001}\services.dll
    C:\Program Files\Common Files\{9C971111-018D-1033-0126-990428980001}\Update.exe
    C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe
    C:\WINDOWS\ICROSO~1.NET\RVICES~1.EXE
    C:\WINDOWS\system32\bjophbcl.exe
    C:\WINDOWS\system32\cpfqaobc.exe
    C:\WINDOWS\system32\dskpjkkw.exe
    C:\WINDOWS\system32\ecyhvdst.exe
    C:\WINDOWS\system32\farvnsiy.exe
    C:\WINDOWS\system32\haqjdira.exe
    C:\WINDOWS\system32\hltbxuhl.exe
    C:\WINDOWS\system32\hqhcfkeu.exe
    C:\WINDOWS\system32\jongai.dll
    C:\WINDOWS\system32\jwsjsbiq.exe
    C:\WINDOWS\system32\lcmxwqel.exe
    C:\WINDOWS\system32\ljjhhfe.dll
    C:\WINDOWS\system32\nfjlltyv.exe
    C:\WINDOWS\system32\njeihtvo.exe
    C:\WINDOWS\system32\nwwvbghp.exe
    C:\WINDOWS\system32\oeocastx.exe
    C:\WINDOWS\system32\ojovcgty.exe
    C:\WINDOWS\system32\REN16.tmp
    C:\WINDOWS\system32\REN17.tmp
    C:\WINDOWS\system32\rundll32.dll
    C:\WINDOWS\system32\scumuwmx.exe
    C:\WINDOWS\system32\stkxdgpt.exe
    C:\WINDOWS\system32\svigsedi.exe
    C:\WINDOWS\system32\tkriiqvx.exe
    C:\WINDOWS\system32\tmofuaxd.exe
    C:\WINDOWS\system32\tsuninst.exe
    C:\WINDOWS\system32\uaouqivw.exe
    C:\WINDOWS\system32\vbkxwddr.exe
    C:\WINDOWS\system32\wcpsvit.exe
    C:\WINDOWS\system32\winanr32.dll
    C:\WINDOWS\system32\ybwivwuo.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Reboot to Safe Mode.

    Open Windows Explorer, navigate to and delete the following folders:
    Close Windows Explorer

    Now run CCleaner.

    For Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Mode.

    Follow the directions for Virtumonde aka Trojan Vundo Removal.

    Now attach a new HJT log, the log from Vundo Fix and tell me how the steps went.

    Make sure you tell me how things are working now!
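    The "Delete on Reboot" step above works through Windows' PendingFileRenameOperations registry value, the same queue the PendingFileRenameOperations prompt refers to. As an added example that is not part of this thread, the Python below decodes that value (pairs of source and target, empty target meaning delete, a "!" prefix meaning overwrite) from a constructed sample built from two paths in the list above, and flags queued operations under a chosen folder so the queue can be reviewed before rebooting; the live registry read assumes the standard Session Manager key and only works on Windows.

```python
"""Audit Windows' PendingFileRenameOperations queue, the mechanism behind
Pocket Killbox's "Delete on Reboot". Added example with constructed data,
not code from the thread: pairs of (source, target); empty target = delete,
'!' prefix on the target = overwrite an existing file."""
from __future__ import annotations
import re
from dataclasses import dataclass

NT_PREFIX = "\\??\\"  # paths are stored in NT object-manager form

@dataclass(frozen=True)
class PendingOp:
    action: str   # "delete", "rename" or "replace"
    source: str
    target: str   # empty for delete

def _win32_path(nt_path: str) -> str:
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path

def parse_pending_ops(entries: list[str]) -> list[PendingOp]:
    """Decode the raw REG_MULTI_SZ strings into structured operations."""
    items = list(entries)
    if len(items) % 2 == 1 and items[-1] == "":
        items.pop()  # trailing empty string from the multi-string terminator
    if len(items) % 2:
        raise ValueError("unpaired entry in PendingFileRenameOperations")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _win32_path(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _win32_path(src), _win32_path(dst[1:])))
        else:
            ops.append(PendingOp("rename", _win32_path(src), _win32_path(dst)))
    return ops

def ops_touching(ops: list[PendingOp], folder: str) -> list[PendingOp]:
    """Operations whose source or target lies under `folder` (case-insensitive)."""
    pat = re.compile("^" + re.escape(folder.rstrip("\\")) + r"\\", re.I)
    return [op for op in ops if pat.match(op.source) or pat.match(op.target)]

def read_pending_ops_from_registry() -> list[PendingOp]:
    """Live read; only works on Windows (winreg is unavailable elsewhere)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []  # nothing queued
    finally:
        winreg.CloseKey(key)
    return parse_pending_ops(list(value))

# Constructed sample: two deletes taken from the thread's Killbox list plus an
# overwrite of a file under Program Files queued by some installer.
SAMPLE = [
    r"\??\C:\WINDOWS\system32\mllml.dll", "",
    r"\??\C:\WINDOWS\system32\winanr32.dll", "",
    r"\??\C:\WINDOWS\Temp\upd.tmp", r"!\??\C:\Program Files\Example\app.dll",
    "",
]
```

Call `ops_touching(parse_pending_ops(SAMPLE), r"C:\WINDOWS\system32")` to list what is queued under system32; anything there that you did not queue yourself deserves a look before the reboot carries it out.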
     
  5. lbj23

    lbj23 Private E-2

    My computer is running pretty smoothly now. The only problem is verclsid.exe,GetPopupInfo.exe, and wmiprvse.exe are still popping up, not as frequently as before though. Other than that my computer is running way better than it has for the last month or two. Also, Vundo Fix found nothing on my computer.

    Here are my logs.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - ExplorerXP

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.

    Make sure to tell me how your computer is running.
     
  7. lbj23

    lbj23 Private E-2

    I just did everything you told me to do but verclsid.exe,GetPopupInfo.exe, and wmiprvse.exe still keep popping up in my task manager when i click on files.

    Here is my log.
     

    Attached Files:

  8. lbj23

    lbj23 Private E-2

    Is there any way I could stop verclsid.exe, GetPopupInfo.exe, and wmiprvse.exe from popping up on my computer?
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and Install CounterSpy from our Read Me first.

    Update the definitions and run a full system scan.

    Post the log when finished.
     
  10. lbj23

    lbj23 Private E-2

    In the Read Me it says:

    I have Windows Defender on my computer. Should I install and run it anyway? Do I need to uninstall Windows Defender? I've also read some reviews on Counter Spy and some say it disrupts the computer and is hard to uninstall. Is that true? I'm just asking to be sure.
     
  11. lbj23

    lbj23 Private E-2

    In the Read Me it says:

    Quote:
    CounterSpy

    * Only install and run CounterSpy if you cannot run Microsoft Windows Defender which is only for Windows 2000 SP4/XP SP2 /2003 SP1. So all you Win98Se and Win Me users should use CounterSpy. Win95 and Win98 users are out of luck. Also, if you do not have the correct SP levels for Win 2K/XP/2003, you should use CounterSpy. Time for you to get updated to a newer OS.

    I have Windows Defender on my computer. Should I install and run it anyway? Do I need to uninstall Windows Defender? I've also read some reviews on Counter Spy and some say it disrupts the computer and is hard to uninstall. Is that true? I'm just asking to be sure.
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I am well aware of what is in the Read Me. Those are preliminary cleaning procedures.

    Doesn't change the fact that I want a Counter Spy log. Windows Defender does not have a log of any sort that I can look at.
     
  13. lbj23

    lbj23 Private E-2

    Here is my Counter Spy log.
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  15. lbj23

    lbj23 Private E-2

    Here is my GetUnKey log.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Smitfraud, SpySheriff, SpyAxe & PSGuard Removal.

    Attach the log from SmitRem, a fresh CounterSpy log and a fresh HijackThis log.
     
  17. lbj23

    lbj23 Private E-2

    Nothing really changed, the same things are still popping up in my task manager whenever I browse folders or open some files.

    Also, the iMesh and Download Accelerator Plus weren't on my Add or Remove Programs in the Control Panel.

    Here are the SmitRem, CounterSpy, and Hijackthis logs.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm


    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  19. lbj23

    lbj23 Private E-2

    Here is the log from the SmitfraudFix.
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are coming back clean.

    Download Blacklight Beta from here:
    http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  21. lbj23

    lbj23 Private E-2

    Here is the log from Blacklight Beta.
     

    Attached Files:

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your Blacklight log is clean.

    Can you give me a screenshot of the pop-ups?
     
  23. lbj23

    lbj23 Private E-2

    Nothing is popping up. I thought wmiprvse.exe and verclsid.exe weren't supposed to appear in my task manager, but I looked it up and found out that it's supposed to do that, so the spyware is off my computer. Thanks for the help!
     
