Need A Little Help With Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by HealthCo, Oct 16, 2007.

  1. HealthCo

    HealthCo Private E-2

    Back again, though I never really want to do this sometimes. Anywho, same story. My brother's computer has some junk on it and I have done the stuff in the READ&RUN thread. I couldn't get rid of things this time. I think it's a trojan. Well here are all the things the thread told me to put up, except the HJT log which I will do when prompted.
     

    Attached Files:

  2. HealthCo

    HealthCo Private E-2

    And the other ones too.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the HijackThis log requested in step 7 of the READ ME.

    No problems other than what was already cleaned and one item below. You need to explain what problems you are actually having.

    I suggest you uninstall the below:
    Web Savings from Ebates

    And you should delete the below file:
    C:\WINDOWS\system32\xmltok.dll.off

    Also CCleaner did not work properly, so do the below.
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
     
  4. HealthCo

    HealthCo Private E-2

    Okay, will do. Sorry about not putting the HJT log up; from what I remember from last time I needed help, I wasn't supposed to post it until later. And the problem I'm having is that the computer has stuff that doesn't want to go away and I can't get it to go away. Nothing seems bad but I want to stop it before it gets worse.

    EDIT: Ebates doesn't want to uninstall. It gives me an error. It says (in an error window):
    "WJView Error
    ERROR: Could not execute Main: The system could not find the file specified."
     
    Last edited: Oct 17, 2007
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is a direct quote from step 6 C of the READ ME. Notice the last bullet item. ;)
    The word stuff does not mean anything to me. You will have to be specific since your logs show no malware.

    See if this will uninstall it: Your Uninstaller! 2006
     
  6. HealthCo

    HealthCo Private E-2

    Okay well I got an adware detection in activescan. I think a trojan was there as well but Bit Defender got rid of it. I'm sorry for not doing things the right way here, but I learn from my mistakes and will be sure not to make them again. I'll do all the things you want me to do now and I will put up a HJT log too, okay? I'm sorry I overlook things that would help you help me. :(

    EDIT: Actually, in step 7 it said I didn't need to right away. And here it is:
     

    Attached Files:

    Last edited: Oct 17, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    More than likely not true. This was explained in step 6 of the READ ME too in the online scans section.


    On the contrary! It says it is okay to attach a log if you are still having problems and you have done the other steps. In addition step 6 comes before step 7 and step 6 does say if you still need help that you should also attach a HijackThis log. ;)

    Have you completed all the other instructions?
    Did Your Uninstaller uninstall Web Savings from Ebates ?

    I still don't know what you mean by "stuff" or what your problems are.

    You should uninstall the CounterSpy trial program since we are finished with it now.


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {2898379A-A812-4285-8DBF-7DE39EE66D46} - (no file)
    O2 - BHO: (no name) - {FBBAFFBE-5A8F-4B71-B742-DFB0107415DB} - (no file)
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    After clicking Fix, exit HJT.


    Now reboot your PC
    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
  8. HealthCo

    HealthCo Private E-2

    Okay. You're making me a little frustrated. I'm not gonna make it a big deal so I'll drop it. I don't think I said stuff in my post before.

    Anyway, here is what I can remember of my problems. I said last time that adware was being found. It did kinda sound like I said my adware is a trojan, but what I meant was that there was a trojan that I had. I know for sure cause Bit Defender said there was one and it tried to disinfect it but couldn't, so the files were deleted. But I have one adware left and it is in the registry. Or at least Activescan thinks it's there.

    Now the Your Uninstaller! did remove Web Savings from Ebates. And I have completed the other instructions before your last post. I uninstalled CounterSpy as well and will do the other stuff right after it.

    I have one question though. What is nwiz.exe? I searched it in Google and I read it was malware. I had noticed it in my HJT log.

    I know we're almost done with this and you won't have to deal with me anymore, I will hope to never bother you again. But I want to thank you for all the help you've given me, and I would like to apologize for the things I didn't do.
     

    Attached Files:

    Last edited: Oct 18, 2007
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is a quote from message # 4.

    Are you referring to the below from your activescan log?
    If so, don't worry about it. It is not an active problem and since Panda is not reporting exactly where they think this is, we cannot do anything about it anyway. And since it is not active, it is not worth the effort.

    No it is not malware. It is for your graphics card. It is the NVIDIA nView Wizard

    There is no need to apologize. I understand that following the steps and doing all the things we ask can be difficult especially if you are not a PC expert. ;)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But I still see the below in your HJT log:

    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

    Did you uninstall it before or after getting your HJT log? Make sure it is uninstalled and that the above lines do not show in a new HJT log anymore. Then also delete the below folders if they still exist:
    C:\Documents and Settings\admin\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  11. HealthCo

    HealthCo Private E-2

    I did uninstall first. It was still on the HJT scan after. So don't think I didn't do things.
    The red one couldn't be deleted.

    You said that the adware Activescan found was not important, so removal won't be needed? If that's true, then thank you for the help. I don't mind doing some quick little logs from scans before we finish if you think I should or want to make sure.

    The post I was saying I didn't say stuff in was this one:
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That normally means it is still installed or something from it is still running. Did you fix those lines I mentioned in HijackThis? If yes, then try deleting the C:\Program Files\Sunbelt Software folder again. If it does not delete, attach a new HJT log.

    That's true. Anytime Panda just indicates something is in the registry but it provides no supporting information, it is just a benign registry trace that could be left over after the major items have been removed. It could also be a false indication.
     
  13. HealthCo

    HealthCo Private E-2

    I was being stupid and didn't end the process of the file that couldn't be deleted, but then I realized it and did it. I got rid of those lines and removed the folders. I will put up a new HJT log just to be sure. But yes, I have done everything you told me to in your last two posts.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Part of CounterSpy is still there. We will fix this below.

    Actually according to your HJT log you have not completed the instructions in the How to protect yourself thread. At a minimum I can see you have no realtime antispyware protection and you have not installed a true bidirectional firewall. In addition, you should install SpywareBlaster if you have not already done so.


    Consider running this Disable/Remove Windows Messenger to remove Windows Messenger which is a frequent cause of unwanted popups.


    Now let's finish with CounterSpy.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Service: Sunbelt CounterSpy Antispyware
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SBCSSvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.
    After reboot attach a new HJT log.
     
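    The HijackThis lines quoted in posts #7 and #10 and the service-removal steps in post #14 can be turned into a repeatable script. What follows is an added example (not code from this thread, from chaslang, or from MajorGeeks): a small Python triage script that parses HJT log lines of the R/O2/O3/O4/O23 kinds, flags registrations whose file no longer exists ("(no file)") and autoruns or services that still point into an uninstalled product's folder, and prints the sc.exe / reg.exe command-line equivalent of the manual services.msc stop-and-disable plus HJT "Delete an NT Service" procedure. The log lines are copied from the thread; the "Sunbelt Software" marker, the folder path and the dry-run default are assumptions made for this example.

```python
"""Triage HijackThis (HJT) log lines and plan removal of leftovers.

Added example, not part of the MajorGeeks thread. The sample lines are the
ones quoted in posts #7 and #10; the remediation commands mirror the manual
steps in post #14 (stop/disable the service, then delete it).
"""
import re
import subprocess
import sys

# Constructed sample input: HJT lines copied from the thread.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {2898379A-A812-4285-8DBF-7DE39EE66D46} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
"""

# Registry locations that the HJT O4, O2 and O3 sections are read from.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"

PATTERNS = {
    "R": re.compile(r"^(R\d) - (.+?) = (.+)$"),
    "O2": re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$"),
    "O4": re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$"),
    "O23": re.compile(r"^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$"),
}


def parse_hjt(text):
    """Turn HJT log lines into dicts; unrecognised line types are kept raw."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = {"raw": line, "type": line.split(" - ", 1)[0]}
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            g = m.groups()
            if kind == "R":
                entry.update(key=g[1], value=g[2])
            elif kind in ("O2", "O3"):
                entry.update(name=g[0], clsid=g[1], path=g[2])
            elif kind == "O4":
                entry.update(hive=g[0], name=g[1], path=g[2])
            else:  # O23
                entry.update(display=g[0], service=g[1], vendor=g[2], path=g[3])
            break
        entries.append(entry)
    return entries


def triage(entries, uninstalled=("Sunbelt Software",)):
    """Flag (a) registrations whose file is gone and (b) autoruns/services
    still pointing into a product that was uninstalled (marker is an assumption)."""
    findings = []
    for e in entries:
        path = e.get("path", "")
        if path == "(no file)":
            findings.append({"entry": e, "reason": "orphan"})
        elif e["type"] in ("O4", "O23") and any(
                p.lower() in path.lower() for p in uninstalled):
            findings.append({"entry": e, "reason": "leftover"})
    return findings


def plan(findings, folders=()):
    """Command-line equivalent of the thread's manual steps, in the same order:
    stop and disable the service before deleting it, drop the Run value,
    remove the BHO/toolbar registration, then delete leftover folders."""
    cmds = []
    for f in findings:
        e = f["entry"]
        if e["type"] == "O23":
            svc = e["service"]
            cmds += [["sc", "stop", svc],
                     ["sc", "config", svc, "start=", "disabled"],
                     ["sc", "delete", svc]]
        elif e["type"] == "O4":
            cmds.append(["reg", "delete", e["hive"] + "\\" + RUN_KEY, "/v", e["name"], "/f"])
        elif e["type"] == "O2":
            cmds.append(["reg", "delete", BHO_KEY + "\\" + e["clsid"], "/f"])
        elif e["type"] == "O3":
            cmds.append(["reg", "delete", TOOLBAR_KEY, "/v", e["clsid"], "/f"])
    for folder in folders:
        cmds.append(["cmd", "/c", "rmdir", "/s", "/q", folder])
    return cmds


def execute(cmds, dry_run=True):
    """Print the plan; run it only on Windows and only when dry_run is False.
    Returns the number of commands actually executed."""
    ran = 0
    for cmd in cmds:
        print(" ".join(f'"{a}"' if " " in a else a for a in cmd))
        if not dry_run and sys.platform == "win32":
            subprocess.run(cmd, check=False)
            ran += 1
    return ran


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_HJT_LOG))
    for f in found:
        print(f"{f['reason']:8} {f['entry']['raw']}")
    execute(plan(found, folders=[r"C:\Program Files\Sunbelt Software"]))
```

    The ordering matters: sc delete on a service that is still running only marks it for deletion until the next reboot, which is why the thread stops and disables it first and why the script emits the commands in that order. "(no file)" orphans are harmless registry residue, as chaslang says of the Panda detection; the "leftover" classification depends on the marker string, so review the printed plan before running it with dry_run=False on the affected machine.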
  15. HealthCo

    HealthCo Private E-2

    Okay. I will do the protection thing once we are done here. I put my new HJT scan up.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CounterSpy is gone now! Just follow those instructions to get your PC properly protected now.
     
  17. HealthCo

    HealthCo Private E-2

    Okay. Thanks for the help. I appreciate it greatly. I'll get all that needs to be done to protect this computer.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
