problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by slater1, Jun 14, 2006.

  1. slater1

    slater1 Private E-2

    hi,

    I have had problems with my computer for a long time now. I've had some fixed here before, only to have different infections and more infections since.

    My latest infections are really stuffing my computer up. I'm not sure exactly what it is, but I have a feeling there are a lot of things wrong, like hijacking, trojans etc.

    I have done all I can with downloading spyware and other programs, but nothing will fix it up.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. slater1

    slater1 Private E-2

    I will do that tomorrow, mate.

    Also, I just did a scan with my XoftSpySE and it picks up Ace Password Sniffer. It says it removes it, but then on the next reboot it appears again.
     
  4. slater1

    slater1 Private E-2

    Hey chaslang, just reading through the tutorial you gave me. A little confused at this point:

    So, simply all I do is step 5, then reboot into safe mode with networking, then do step 6?

    And also, at what point do I disable system restore/hidden files? I am still a little confused with that. Do I do it after step 6?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't disable system restore until your PC has been declared to be clean! We will tell you when that is!

    Run all the other steps 1 thru 7 exactly as indicated.
     
  6. slater1

    slater1 Private E-2

    OK, I did what it said in the tutorial.

    I have attached:

    HJT
    Bitdefender
    Panda scan
    CounterSpy


    Now the thing is, I've rebooted back to normal mode, did a scan with CounterSpy and it has found trojans and Messenger Plus! bundler, which were not in the scan when I did it in safe mode, and it still has all the other things that were in the scan during safe mode, with over 100 registry keys infected.

    *Edit: the Panda ActiveScan log is way too big to upload. I can only upload CounterSpy, HJT and BDscan.

    Also, the HijackThis log says I have a lot of processes open, but I did not have that many open. Either that or I don't have a clue how to turn those things off.
     

    Attached Files:

    Last edited: Jun 16, 2006
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why is it so big? Is it just mostly due to loads of cookies being found?

    Compress the Panda log into a ZIP file and upload the ZIP file.

    I see traces of both Antivir and Avast but Avast seems like it may have been uninstalled but not correctly. Is it true that you are only trying to use Antivir?

    Are all of the below purchased or are they trials?
    SpyCatcher 2006
    XoftSpySE
    Spy Sniper
    CounterSpy
    Spyware Doctor

    Did you install WinPcap to help you capture or monitor packets for some reason? It is not malware, but it could be used for that. So unless you installed it, I have to question why it is there.

    I also see LiveUpdate from Symantec. Do you have any Symantec software installed, or did you have any at one time?
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
     
  8. slater1

    slater1 Private E-2

    It found over 3,000 "spyware". Not sure exactly what it was, though.

    I don't know how to do that.

    I uninstalled Avast and installed AntiVir. Yes, I am only trying to use AntiVir. I didn't know there were other ways of removing it other than Add/Remove Programs.

    SpySniper is only a trial, so is SpyCatcher. Spyware was downloaded from download.com and the rest are purchased.

    I do not know what WinPcap is, mate. So no, I didn't install it for that.

    I did have antivirus from Symantec. I also thought I uninstalled that properly.

    As you can see, I'm not very good with computers.


    Is there any hope of getting it fixed?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install WinZip? If so, just right click on the file and select add to Zip.

    I'm not sure I follow you completely, but let's start by uninstalling ALL of these that you did not purchase. I assume that includes the below:
    - SpySniper
    - SpyCatcher
    - SpywareDoctor ????

    I assume you meant you purchased both CounterSpy and XoftSpy? Is that correct? You really should only use one program like this.

    You should also uninstall Ares because it comes bundled with malware!

    After doing the above, continue with below.

    Let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Automatic LiveUpdate Scheduler ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button. Select "Delete an NT Service", copy/paste the following into the box that opens, and press "OK":

    Automatic LiveUpdate Scheduler

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to. After reboot get a new HJT log and attach it.
     
    Last edited: Jun 17, 2006
  10. slater1

    slater1 Private E-2

    I can't stop it. It says:

     
  11. slater1

    slater1 Private E-2

    OK, this is getting very weird and confusing.

    I rebooted and went back to the services.msc window and selected LiveUpdate, and it now says it's stopped. I then set it to Disabled, pressed Apply and went on to the HJT part, but the HJT error comes up saying that LiveUpdate Scheduler is enabled or still running.

    But it says stopped and is on Disabled??

    The attachment you asked for is added also:
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At the end of my previous instructions I did say:

    Your uninstall log shows the below three items which we have been discussing. Since you do not need anything from Symantec and also do not know what WinPcap is, all three of these should be uninstalled using Add/Remove programs.

    LiveReg (Symantec Corporation)
    LiveUpdate 3.0 (Symantec Corporation)
    WinPcap 3.1 beta3


    After uninstalling them, attach a new HJT log.
     
  13. slater1

    slater1 Private E-2

    OK, here is my HJT log after uninstalling those from Add/Remove Programs.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have both CounterSpy and SpywareDoctor installed. Since your previous answer to my questions about these applications was not too clear, I'll ask two questions:

    1) Is CounterSpy a free version or a paid version?

    2) Is Spyware Doctor a free version or a paid version?

    Another question! You implied you purchased XoftSpy. Why don't I see it running? It also was not in your installed programs list.


    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to rpcapd ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button. Select "Delete an NT Service", copy/paste the following into the box that opens, and press "OK":

    rpcapd

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunOnce: [VcCleanUp.exe] C:\DOCUME~1\dimity\LOCALS~1\Temp\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\ /RemoveAll
    O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SpyCatcher 2006 <--- delete the whole folder
    C:\PROGRAM FILES\ALWIL SOFTWARE <--- delete the whole folder
    C:\Program Files\WinPcap <--- delete the whole folder
    C:\Documents and Settings\dimity\Local Settings\Temp <--- delete all files and subfolder in this Temp folder

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now, if running Win XP, go to C:\Windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: Jun 20, 2006
  15. slater1

    slater1 Private E-2

    You said in your other post that I should keep only one of XoftSpy or CounterSpy, so I kept CounterSpy.

    And everything is a free version. I'm sorry, I didn't know exactly what you meant. I have now removed all of the programs.

    I have removed Spyware Doctor; I can't see it in my Add/Remove Programs.

    I will do the rest and reply with results.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My comments were based on you telling me what was a trial and what you had purchased. Apparently you did not purchase any antispyware applications! Is that correct?

    If that is correct, you are going to need one realtime antispyware blocking tool. Once you get your PC upgraded to WinXP SP2 you could use the free Windows Defender package.
     
  17. slater1

    slater1 Private E-2

    Yes, that is correct. I'm sorry, I misunderstood when you asked that question first.

    Can you suggest a free realtime antispyware blocking tool then, until I get SP2?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's worry about that a little later. First finish doing what I requested in message number 14.
     
  19. slater1

    slater1 Private E-2

    OK. Did everything you said.

    Some things, though: I couldn't find these when I did the HJT log. YES, hidden files are viewable.

    O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunOnce: [VcCleanUp.exe] C:\DOCUME~1\dimity\LOCALS~1\Temp\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\ /RemoveAll
    O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Also couldn't find these two:

    C:\Program Files\SpyCatcher 2006
    C:\Program Files\WinPcap


    Everything seems to be working alright. I have attached my HJT log.



    Cheers
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that looks better, but I still see CounterSpy:

    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

    Did you uninstall this free trial version? If so, just have HJT fix that O4 line.

    I also see the below, which is from SpyCatcher. Did you use Add/Remove Programs to uninstall SpyCatcher?
    O20 - AppInit_DLLs: interceptor.dll

    Did you uninstall this free trial version? If so, just have HJT fix that O20 line. You will probably receive an error message when you try to fix that line. Just ignore it and exit HijackThis. Then immediately reboot your PC. Get a new HJT log and attach it.
     
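    An added example, not part of this thread and not HijackThis code: the PowerShell below audits the same autostart locations that the HJT O4, O20 and O23 lines in posts 14 and 20 report (Run/RunOnce keys, AppInit_DLLs, and services whose binary is missing or unsigned), and wraps the stop, disable, delete sequence chaslang gives for the LiveUpdate Scheduler and rpcapd services. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the function names are mine, the service name in the usage comment is the one from the thread, and nothing else is hard-coded.

```powershell
# Added example (not from the thread): audit HJT-style O4/O20/O23 locations and
# stop/disable/delete a service. Assumes Windows PowerShell 5.1+ and an
# elevated prompt. Function names are hypothetical; output reflects your own box.

function Get-RunEntries {
    # O4 lines: programs launched at logon from the Run/RunOnce keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-AppInitDlls {
    # O20 line: DLLs injected into every process that loads user32.dll.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        AppInit_DLLs     = $v.AppInit_DLLs
        LoadAppInit_DLLs = $v.LoadAppInit_DLLs   # Vista and later: 0 disables the mechanism
    }
}

function Get-ImagePath([string]$PathName) {
    # Pull the executable out of a service command line, quoted or unquoted.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        return $PathName.Substring(1, $PathName.IndexOf('"', 1) - 1)
    }
    return ($PathName -split ' -| /')[0].Trim()   # cut at the first switch
}

function Get-SuspectServices {
    # O23 lines: services whose binary is gone ("file missing") or not validly signed.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ImagePath $_.PathName
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe)
        $signer = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        [pscustomobject]@{
            Name = $_.Name; State = $_.State; StartMode = $_.StartMode
            Image = $exe; FileMissing = -not $exists; Signature = $signer
        }
    } | Where-Object { $_.FileMissing -or $_.Signature -ne 'Valid' }
}

function Remove-StaleService {
    # The services.msc + HJT "Delete an NT Service" procedure from posts 9 and 14:
    # stop, set Start-up Type to Disabled, then delete. HJT refuses the delete
    # unless the service is both stopped and disabled, so re-check with
    # Get-Service afterwards; if the state does not update, reboot first.
    param([Parameter(Mandatory)][string]$Name, [switch]$Delete)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "no service named $Name"; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction Continue }
    Set-Service -Name $Name -StartupType Disabled
    if ($Delete) { & sc.exe delete $Name }    # if in use, deletion completes at reboot
    Get-Service -Name $Name -ErrorAction SilentlyContinue
}

# Usage: review first, remove only what you have confirmed is orphaned.
Get-RunEntries      | Format-Table -AutoSize
Get-AppInitDlls     | Format-List
Get-SuspectServices | Format-Table -AutoSize
# Remove-StaleService -Name 'rpcapd' -Delete   # the WinPcap service removed in post 14
```

    The audit only lists; `Remove-StaleService` is the destructive step and is commented out in the usage lines so it is run deliberately, with the service name checked against the audit output first.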
  21. slater1

    slater1 Private E-2

    I uninstalled everything using Add/Remove. Both have now been fixed with HJT as you said.

    New HJT log is attached.

    Also, mate, can I ask what these are:

    O4 - HKLM\..\Run: [YMDCApp] YMDCApp.exe

    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe


    And should this be having an effect on my Firefox? I rebooted and now my Firefox bookmarks have gone and it says that Mozilla has been updated.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I was getting to this one, but wanted to cleanup all the other items first. Do you or did you ever have an x-logic mp3 player installed? If you did then that is what it is for.

    If you never had that MP3 player or similar, this could be a Trojan, and we will have to fix it by having HJT fix that O4 line.

    Then you will need to reboot into safe mode and locate the below file. Normally I would delete it, but to be safe (in case you need it) just rename the file. Rename it to YMDCAPP.XXX

    C:\windows\system32\YMDCApp.exe

    Then reboot into normal mode and attach a new HJT log.


    This is a valid program, used by virtual CD programs like Alcohol (or similar) to access CD images protected by SecuROM.

    No! None of this has anything to do with Firefox. If you just got an update it was probably configured to do auto updating.
     
  23. slater1

    slater1 Private E-2

    I used to have MP3s which I used on the computer, but that was a long time ago, and I've used another person's on here in recent times, but I don't think it is an X-Logic MP3 player.

    I will do the below right now.

     
  24. slater1

    slater1 Private E-2

    OK, couldn't find C:\windows\system32\YMDCApp.exe
     
  25. slater1

    slater1 Private E-2

    Sorry for the triple post.

    My HJT is attached. After removing the O4 item and rebooting, as I said in my last post, I couldn't find C:\windows\system32\YMDCApp.exe
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! HijackThis deleted it while fixing the O4 line and saved it in its backup folder.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  27. slater1

    slater1 Private E-2

    OK, mate, thank you very much.

    One thing, though: when I ran CounterSpy, when I had it installed, it found Ace Spyware Guesser. Would that still be there, or has it been removed with the instructions you gave me?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't remember seeing anything named like that in your CounterSpy log, but if you allowed CounterSpy to fix/delete it then it should be gone.
     
  29. slater1

    slater1 Private E-2

    OK, just did the restore points thingy.

    Thanks for your help.

    Where can I ask about getting SP2? Before, when I tried to install it, it said I needed to back everything up and I don't know how you do that; it seems like really advanced stuff. Also, if I get SP2 will I still have all the programs etc. that I have now?

    And what FREE spyware blocker do you suggest I get?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is a recommendation, not a requirement. And you get SP2 from Windows Update, which is step 1 of the How to Protect thread.

    Yes. It does not erase what you have.

    When you have SP2 installed you can use Microsoft Windows Defender which is free. Until then you can use SpywareGuard (mentioned in the How to protect thread) and also you could use Spybot's Teatimer. We did not recommend using it in the READ & RUN ME because it gets in the way and we prefer other applications (paid ones like Spy Sweeper). But using Teatimer is a much better idea than having no protection and it does work.
     
  31. slater1

    slater1 Private E-2

    Yeah, but I might stuff up.


    Once again, thanks for your help. If I need any help with the above I'll let you know.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
