help needed to remove spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by tollady, Jun 8, 2006.

  1. tollady

    tollady Private E-2

    I completed the steps documented here in the forums and produced the attached log files. Could you take a look and help me figure out what my pc is infected with and how to remove them? Cheers!

    I was first made aware of problems when my firefox browser started opening advertising sites in tabs and popups on its own. I have now managed to stop this, but was informed by various system scans that the PC is still infected. I also have this problem where something opens for a split second in the taskbar and disappears again. I don't know what it is.

    Many thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You forgot to empty your Norton Quarantine as requested in step 0 of the READ ME. Empty it now!

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O4 - HKCU\..\Run: [fiou] C:\PROGRA~1\COMMON~1\fiou\fioum.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\fiou <--- the whole folder
    C:\WINDOWS\SYSTEM32\explorer.dll

    You need to manually delete the below items Panda found from your Email folder.
    Archive Folders\Sent Items\stuff you were sent...\fake\creditcard.zip[creditcard.rtf.exe]
    Archive Folders\Sent Items\stuff you were sent...\unknown\found.rtf.scr
    Archive Folders\Sent Items\stuff you were sent...\unknown\nomoney.zip[nomoney.rtf.exe]
    Archive Folders\Sent Items\stuff you were sent...\read it immediately\textfile.scr

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    It may be a good idea for you to run the below tool too. Let me know if it finds anything:

    avast! Virus Cleaner Tool

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
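    As an added illustration (not from this thread, from HijackThis, or from MajorGeeks), the following Python parser reads the HJT line formats quoted in this post (R0/R1 search settings, O4 Run entries) and in the later O23 service line, and turns the two patterns chaslang singled out here into review heuristics. The sample lines are copied from the thread; the heuristics are my assumption of what a reviewer would flag, not HJT's own logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: the HijackThis lines quoted in this thread, one per line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKCU\..\Run: [fiou] C:\PROGRA~1\COMMON~1\fiou\fioum.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

@dataclass
class Entry:
    section: str  # HJT section code: R0, R1, O4, O23, ...
    key: str      # registry value name, Run-key entry name or service name
    value: str    # URL, command line or service binary path

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

def parse_line(line):  # one HJT log line -> Entry, or None if it is not one
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and " = " in body:        # IE start/search settings
        key, value = body.split(" = ", 1)
        return Entry(sec, key, value)
    if sec == "O4" and (r := RUN_RE.match(body)):    # autostart (Run key) entries
        return Entry(sec, r["name"], r["cmd"])
    if sec == "O23" and (s := SVC_RE.match(body)):   # NT services
        return Entry(sec, s["name"], s["path"])
    return Entry(sec, "", body)                      # anything else, unparsed body

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def review(entries):  # flag the patterns the helper singled out (assumed heuristics)
    findings = []
    for e in entries:
        v = e.value.upper()
        if e.section in ("R0", "R1") and v == "ABOUT:BLANK":
            findings.append((e.section, e.key, "IE search setting set to about:blank"))
        elif e.section == "O4" and ("\\COMMON~1\\" in v or "\\COMMON FILES\\" in v):
            findings.append((e.section, e.key, "autostart entry living under Common Files"))
    return findings

if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(" | ".join(f))
```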
     
  3. tollady

    tollady Private E-2

    Firstly may I thank you for the swift response and the great help you have been. It's looking like your advice has helped fix this problem for me.

    I have attached the latest HJT log, and when I ran an avast scan it found no viruses.

    The only issue I have now (assuming the HJT log proves ok) is that I could not find the email 'Archive' folder to delete the stuff that the panda scan found.
    I also have a backup of much of this stuff on an external HD (not attached or scanned yet). Do you have any advice about what to do with this? I'm assuming delete my backup files and run a new backup once my PC is clean??
     
  4. tollady

    tollady Private E-2

    Oops!

    HJT attached to this!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run your email program and looked for the folder within the email application's Sent Items folder?

    It probably would be best to just create a new backup!



    Do you or did you have Symantec Internet Security installed? I see the below service from Symantec. Or is this just because of the Norton Ghost application? I don't understand why they do this! It makes life difficult for everyone when they install an application referred to as a Security Suite just to run other tools like SystemWorks or Ghost.
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    If this is part of their antivirus or internet security application, you do not want it running if you are going to use AVG7. You cannot just fix this with HJT. We will need special steps, but first I need an answer to my question.

    Also I personally don't recommend keeping SpywareGuard installed once another realtime blocking tool like Windows Defender is installed. It eats up too many additional resources and slows your system down. It can also create conflicts. I would uninstall SpywareGuard now.
     
  6. tollady

    tollady Private E-2

    Thanks again,

    I did have Symantec antivirus and Ghost installed. I have now removed all the Symantec stuff since my license was up and I'm going to give AVG a go instead.

    Having removed symantec and SpywareGuard I did another Bitdefender scan which turned nothing up, and a Panda scan which only produced a cookie in firefox (see attached log file).

    As such I'm assuming I'm all clear, but I've attached a new HJT log for you to check for me. I never found the email archive stuff, but I guess they've been deleted..?

    Cheers!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
