removal procedure - spybot's strange behaviour

Discussion in 'Malware Help (A Specialist Will Reply)' started by craigcomputer, Aug 16, 2006.

  1. craigcomputer

    craigcomputer Private E-2

    Hello, and thanks again for your help on the last PC.
    Now I'm working on a computer that someone noticed the firewall (Norton) was turned off upon returning from vacation. The computer was left on (as it is most of the time) as it has remote access enabled, with the GoToMyPC software.

    I uninstalled Weather Watcher, as I found in researching siteadvisor that it calls home to WhenU.

    It already had SSD installed, but it behaves strangely. It has immunity enabled, but not SDHelper (the bad products download blocker) and it keeps me from checking the box to enable it. The box stays empty when I click it.

    I did the steps needed in safe mode, then rebooted safe mode. I ran Windows MSRT, found nothing. When I then ran SSD, it found several issues but then it popped up that it fixed them without prompting me first! The way I'm used to SSD working is that it finds them then you have to click "Fix selected problems"!

    Before continuing, should I uninstall>reinstall>update SSD?
     
  2. craigcomputer

    craigcomputer Private E-2

    HJT and other logs, please help

    Hello, and thanks again for your help on the last PC.
    Now on another computer; the owner noticed the firewall (Norton) was turned off upon returning from vacation. The computer was left on (as it is most of the time) as it has remote access enabled, with the GoToMyPC software.

    I uninstalled Weather Watcher, as I found in researching siteadvisor that it calls home to WhenU.

    It already had SSD installed, but it behaves strangely. It has immunity enabled, but not SDHelper (the bad products download blocker) and it keeps me from checking the box to enable it. The box stays empty when I click it.

    I did the steps needed in safe mode, then rebooted safe mode. I ran Windows MSRT, found nothing. When I then ran SSD, it found several issues but then it popped up that it fixed them without prompting me first! The way I'm used to SSD working is that it finds them then you have to click "Fix selected problems"!

    I copied a few logs from SSD since it's behaving so strangely.

    Windows defender found several infections; Claria.GAIN.Trickler, C2.Lop, eZula, and WhenU.SaveNow

    Bitdefender found a few viruses, but said it couldn't clean all of them.

    I started up Panda ActiveScan, but halfway through it mysteriously closed.

    I uninstalled SSD, and ran HJT; logs that resulted from these scans are attached.
     

  3. matt.chugg

    matt.chugg MajorGeek

    You say you've run the steps.

    We need the following logs as per the procedure:
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • HijackThis


    You could try removing and reinstalling SSD to see if this fixed the behaviour issue.

    It is also possible that some form of malware may be interfering with it, as you mention the Norton firewall is also having issues.
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    @Matt ~ I merged these two threads as they are the same issue, however you may have been posting your info at time of new thread, hence the logs are before your post.. time issue in merging threads.
     
  5. matt.chugg

    matt.chugg MajorGeek

    craigcomputer: Please don't post your logs as a zip file unless asked to do so. Zip files can contain any number of file types, which we wouldn't be able to see until we opened it, posing a potential infection risk to those helping you.

    Please keep to one thread as this helps avoid confusion, as you can see above I was answering one of your threads whilst you had posted a second one.

    Did you run HijackThis from normal mode? It looks to me as if it's been run in safe mode; please rerun it in normal mode and post a new log.

    The version of Java Runtime installed on your machine is outdated. Please remove all versions from your computer and install Sun Java Runtime Environment 5.0 Update 8.

    The viruses found by bitdefender are in an infected restore point. We will fix that when we are sure the rest of your system is clean.

    Did you run ActiveScan? If not, please do so and post the log in your next post.
     
  6. craigcomputer

    craigcomputer Private E-2

    OK, I have done as you asked. I uninstalled the old versions of Java runtime, and installed the newest you linked to.

    I tried to run Panda within safe mode again, and found that it mysteriously closed again. When I tried to enter internet options from IE, it tells me that I am restricted. I know that this is spyware (browser hijacker) behaviour. Also if I enter Internet Options from control panel, the window comes up but the buttons to change homepage are greyed out.

    I uninstalled iQfx2 from Add/Remove programs, unsure if it was adware or not.

    I reinstalled SSD and that fixed the problem of disabled SDHelper.

    However there's another symptom; whenever Spyware Blaster is run, there are hundreds or over a thousand items under "Restricted Sites" with protection disabled. I can check to enable all protection, but hours later there will be some number disabled again.

    Attached is HJT log run under normal mode. No activescan is available as it has closed midway both times.
     

  7. matt.chugg

    matt.chugg MajorGeek

    According to your HJT log you have 9 running processes. Whilst it is possible to run XP with this few processes, it is highly unlikely.

    Your HJT log shows you have 32 startup entries, (32 programs that will run when windows starts) yet NONE of them are showing in the running processes part of the HJT log.

    Are you editing the log before posting? Are you terminating any processes before running HJT?

    Please reboot your computer into Normal mode and do NOTHING except run HijackThis and click 'Do system scan and save a logfile'.

    Then close HJT, log on to the forum and post the log.

    Please do this exactly as I have stated,

    DO NOT run any programs after logging on, just allow your computer to do what it normally does
    DO NOT run your browser before you run HijackThis
    DO NOT edit the log in any way
    DO NOT try to terminate any processes before running HJT

    We need to see a full log before we can proceed.
     
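    The mismatch Matt is pointing at (dozens of O4 startup entries but almost no running processes) is easy to check mechanically. The script below is an added example, not part of this thread or of HijackThis itself; it parses the "Running processes:" section and the O4 lines of a HijackThis-style log and lists startup programs that have no matching process. The log text is a constructed sample in HJT layout, and the program paths in it are made up.

```python
import re
from os.path import basename

# Constructed sample in HijackThis log layout; not a log from this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton\ccApp.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Norton\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Updater.lnk = C:\Program Files\Example\updater.exe
"""

# O4 lines come in two shapes: registry Run keys and Startup-folder shortcuts.
RUN_RE = re.compile(r"^O4 - .*\\Run: \[[^\]]*\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: .+? = (?P<cmd>.+)$")

def exe_name(path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return basename(path.strip().replace("\\", "/")).lower()

def executable_of(cmd):
    """Pull the program out of a command line: a quoted path, else everything
    up to the first .exe token (HJT often leaves paths with spaces unquoted)."""
    m = re.match(r'"([^"]+)"|(\S.*?\.exe)(?=\s|$)', cmd.strip(), re.I)
    return exe_name(m.group(1) or m.group(2)) if m else exe_name(cmd.split()[0])

def parse_log(text):
    """Return (running process names, startup-entry program names)."""
    running, startup, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)            # a blank line ends the section
            if line:
                running.append(exe_name(line))
        else:
            for rx in (RUN_RE, STARTUP_RE):
                m = rx.match(line)
                if m:
                    startup.append(executable_of(m.group("cmd")))
                    break
    return running, startup

def audit(text):
    """Startup programs with no matching process. A long list in a normal-mode
    log means the log was trimmed, processes were killed, or the machine was
    in safe mode; one-shot launchers such as rundll32 may legitimately exit."""
    running, startup = parse_log(text)
    return {"processes": len(running), "startup_entries": len(startup),
            "not_running": sorted(set(startup) - set(running))}
```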
  8. craigcomputer

    craigcomputer Private E-2

    OK... would you please clarify: should I follow these instructions and close the instant messenger and email program before HJT, or run HJT immediately after all programs load?
     
  9. matt.chugg

    matt.chugg MajorGeek

    On this occasion follow the instructions I have given. I'd like to see why you have so few processes running in the HJT log when you have so many startup entries.
     
  10. craigcomputer

    craigcomputer Private E-2

    OK, I had ended programs (all benign as far as I know) before running HJT
     
  11. matt.chugg

    matt.chugg MajorGeek

    Please do as I said above and post a FULL HijackThis log.
     
  12. craigcomputer

    craigcomputer Private E-2

    Check and check.
    Here it is.
     

  13. matt.chugg

    matt.chugg MajorGeek

    Your HJT log contains no malware.

    Have HJT fix the following lines:


    Have you intentionally set some restrictions on IE?

    If not, have HJT fix these lines too:

     
  14. craigcomputer

    craigcomputer Private E-2

    OK, I'll remove those. I'm pretty sure malware set the restrictions on IE;
    I noticed another symptom last time I tried to open up Internet Explorer: Norton alerted me that some software tried to change the homepage.

    Should I try to run ActiveScan again after removing those? Or I can try alternative scans or the about:blank generic removal procedure.
     
  15. craigcomputer

    craigcomputer Private E-2

    Did those steps; here's the newest logfile.

    Oh, the bad download blocker in SSD has turned off again and I can't turn it on... this is after uninstall/reinstall and update.
     

  16. matt.chugg

    matt.chugg MajorGeek

    You can try and run ActiveScan again now. Having fixed the lines in HJT, it may work better now.
     
  17. craigcomputer

    craigcomputer Private E-2

    Yep, here's the ActiveScan log. Thanks, man.

    Also SDHelper still doesn't turn on.
     

  18. craigcomputer

    craigcomputer Private E-2

    Do you have advice on what the ActiveScan found, please?
     
  19. matt.chugg

    matt.chugg MajorGeek

    The first one is a cookie.

    The second one is adware called Lop that typically installs with Messenger Plus, which I suggest you remove if you still have it installed.
     