Can't find and kill mystery spyware

Can you explain how you go CWShredder running as a service:

O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\Spyware removal\cwshredder.exe

It does not need to be run as a service and provides no useful features when run this way. I always have people remove this line as it is totally not required but I sure would like to know how this is happening. I put CWShredder on dozens of PCs and never had this happen. I'm wondering if his version was on your PC before you got the one from our READ ME FIRST.

You have a Virtumundo problem along with some other problems.

- First look in Add/Remove Programs for the below and uninstall if found:
MyWaySA
MyWaySearchAssistant or look for anything similar

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

CWShredder Service

Now exit HJT and do not reboot if it asks you to do so. We will be restarting HJT in a few lines.


Okay let's start by downloading two tools we will need:

- Process Explorer 9.2

- Pocket KillBox

Extract them to there own folder somewhere that you will be able to locate them later.

Reboot in Safe Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of vtsqr.dll once and then click the kill button. After you have killed all of the vtsqr.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of vtsqr.dll then click the kill button. Once you have done that click ok again. (If you do not find the dll, just continue on.)

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtsqr.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\Spyware removal\cwshredder.exe <--- this will probably already be gone


Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\rqstv.bak
C:\WINDOWS\system32\rqstv.bak2
C:\WINDOWS\system32\rqstv.tmp
C:\WINDOWS\system32\vtsqr.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot post a new HJT log.
Also look for the below and delete if found:
C:\Program Files\MyWaySA <--- the whole folder

 

You still have exactly the same Virtumundo symptoms and the same steps would have to be used to fix this. They have worked just fine many many times. Did you do them in safe mode? I would also recommend uninstalling or disabling BHO Demon first and then doing the steps again. Many times tools that we use to help us, can also get in the way of fixing problems. Besides, it is not disabling the BHO anyway. It is still there.

 

You're welcome Tracey! Your log is clean. Now to help keep it this way, work thru the steps in the below link:

How to Protect yourself from malware!