spyware help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Indymoo6, Mar 1, 2005.

  1. Indymoo6

    Indymoo6 Private E-2

    I have downloaded pretty much every type of spyware elimination program.... Spybot, CCleaner, HijackThis, Norton... etc... and I still have spyware on my computer. I've gone through all my system files and deleted all suspicious files and folders and I have my HijackThis log if necessary. No matter how many times I try to delete it, FunWebTools always manages to regenerate itself within a matter of seconds, also Huntbar and a few others. I'm thinking about just running my computer in safe mode forever so I never have to see funcade and bullseye gaming systems spontaneously load on my system. I don't even play games on my computer. Thanks for any help you can give me!
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Indymoo6,


    Generally, it is a good idea to start with the Cleanup Tutorial below.

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.


    PP :)
     
  3. Indymoo6

    Indymoo6 Private E-2

    Here is my HijackThis log:
    Logfile of HijackThis v1.99.0
    Scan saved at 2:40:48 PM, on 3/1/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
     
    Last edited by a moderator: Mar 1, 2005
  4. PhilliePhan

    PhilliePhan Guest

    Hi Indy,

    There are a lot of issues in your HJT Log, but we should be able to fix you up!! ;)

    First, however, please download the latest version of HijackThis from the link I provided and extract it to a safe folder - C:\Program Files\HijackThis.

    Please rescan with HJT in Normal Windows boot and attach the log as per my previous instructions.

    Also, how many different active User Accounts are on your computer?

    Hang in there and we'll have your machine feeling better in no time! :)

    PP
     
  5. Indymoo6

    Indymoo6 Private E-2

    I'm sorry, I'm really not very good with computers. I don't see an additional options link to attach this to :confused: I tried to download that new HijackThis software and this is what I got...
     
    Last edited by a moderator: Mar 1, 2005
  6. Indymoo6

    Indymoo6 Private E-2

    Also.. I'm not really sure how many user names I have... when I checked in safe mode the only users were administrator and myself
     
  7. PhilliePhan

    PhilliePhan Guest

    Hi Indy,

    Attaching the log is not a big deal - I'll take care of it!

    However, it is EXTREMELY Important that we get HijackThis located in a SAFE Folder before we begin! Below is how to do this.

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Be sure to let me know if you have problems doing this!

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored. Plus, when we clean your machine, we will flush Temp Files, so HJT can't be in a Temp Folder.

    I know this process is intimidating! I'm happy to talk you through it :)

    Do the above and I'll post some Cleanup Instructions for you shortly.


    PP :)
     
  8. Indymoo6

    Indymoo6 Private E-2

    I just moved my HijackThis under C:.... thanks so much for your help
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Indy,

    Let's see what we can do! If you have any questions about the instructions below, be sure to ask. I have to cook dinner, but will check back tonight to see how you fared!



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    O2 - BHO: (no name) - {09A2D7FB-7D6C-4F4C-9A91-D5BB2405B984} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {1B155161-3743-4800-AE49-8B4147CAD771} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {28E67F50-46D2-416E-B95E-589A60C370E8} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: SDWin32 Class - {41B72860-F89A-4275-B29A-80A638ED4909} - C:\WINDOWS\System32\hygnv.dll
    O2 - BHO: (no name) - {4602BE2A-DE7F-415F-8D0A-AADCA6A372D6} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
    O2 - BHO: (no name) - {525439EC-369D-4361-A31E-AD003E6FC1D7} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {542972DE-FA31-4F05-A1BD-7661FED5D052} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {64787B5E-41C4-4465-A1FE-CDB69AE72882} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {7A15264F-23D2-4F80-AF4A-825234E2FAB7} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {8FF021C4-B1EA-4C20-8EDD-357B23BA6E92} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {994C3A7E-938C-4105-A18D-7930629B0337} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {9EE7A0CA-18D2-4E25-80ED-EDEFB11B4F89} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {B0E0F9C3-D7A4-4140-BA4A-D09176A66B26} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {B22BEDEB-2A10-445D-BE18-F8FBA9862D40} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {BB4A2306-AF6A-42E5-82B7-CBD16DE4E3E5} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: (no name) - {C3CE0ADC-D8BA-48DF-9AEF-9A4C085C9DBD} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
    O2 - BHO: SDWin32 Class - {E5421F46-E31C-48A0-AF47-3C85455E1C3A} - C:\WINDOWS\System32\lmttz.dll
    O2 - BHO: (no name) - {F954EA90-5FB3-497A-B3E8-C949390953AB} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)

    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [jwudmp] c:\windows\system32\jwudmp.exe
    O4 - HKLM\..\Run: [hygnvc] C:\WINDOWS\System32\hygnvc.exe
    O4 - HKLM\..\Run: [yhk6xoxp] C:\Program Files\yhk6xoxp\yhk6xoxp.exe
    O4 - HKLM\..\Run: [lmttzc] C:\WINDOWS\System32\lmttzc.exe
    O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [x7mR3EU] lmrccp32.exe
    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\gwys.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
    O4 - HKCU\..\Run: [gw55ROYFP] lfpmbed.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\winupdt.exe
    c:\windows\system32\jwudmp.exe
    C:\WINDOWS\System32\hygnvc.exe
    C:\Program Files\yhk6xoxp ---> The Folder
    C:\WINDOWS\System32\lmttzc.exe
    C:\windows\system32\msnavc32.exe
    lmrccp32.exe --> You'll have to run a search of your machine for this one - Probably find it in C:\Windows or C:\Windows\System32 Folders
    C:\WINDOWS\System32\gwys.exe
    C:\WINDOWS\System32\sysmonnt
    C:\WINDOWS\System32\prutqct.exe
    lfpmbed.exe --> You'll have to run a search of your machine for this one - Probably find it in C:\Windows or C:\Windows\System32 Folders

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back tonight when time permits.

    Best luck :)
    PP
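
The sorting done by hand in the post above can be sketched as a small parser: entries HijackThis reports as file missing are registry leftovers, entries with a full path may leave a file to check in Safe Mode, and bare file names have to be searched for. This is an added example, not part of the thread or of HijackThis; the function name `triage` and the status labels are assumptions, and the sample lines are copied from the entries quoted above.

```python
import re

# Sample lines copied from the HijackThis entries quoted in the post above.
SAMPLE = r"""
O2 - BHO: (no name) - {09A2D7FB-7D6C-4F4C-9A91-D5BB2405B984} - C:\Program Files\yhk6xoxp\yhk6xoxp.dll (file missing)
O2 - BHO: SDWin32 Class - {41B72860-F89A-4275-B29A-80A638ED4909} - C:\WINDOWS\System32\hygnv.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [x7mR3EU] lmrccp32.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

ENTRY = re.compile(r"^(O2|O4|O9) - (.*)$")
CLSID_TARGET = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (.*)$")        # O2 and O9 lines
RUN_COMMAND = re.compile(r"^HK\w+\\\.\.\\\w+: \[[^\]]*\] (.*)$")  # O4 lines
GONE_NOTE = re.compile(r"\s*\((?:file missing|no file)\)")
PROGRAM = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", re.I)


def triage(log_text):
    """Return (section, status, path) for every O2/O4/O9 line.

    Status labels (assumed names, not HijackThis terms):
      orphan  - HijackThis could not find the file; only the entry remains
      on-disk - a full path is given, so a file may remain after the fix
      search  - bare file name; its folder has to be searched for
    """
    results = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        section, rest = entry.groups()
        found = RUN_COMMAND.match(rest) if section == "O4" else CLSID_TARGET.search(rest)
        if not found:
            continue
        target = found.group(1).strip()
        if GONE_NOTE.search(target):
            results.append((section, "orphan", GONE_NOTE.split(target)[0]))
            continue
        program = PROGRAM.match(target)
        path = program.group(1) if program else target  # drop command-line arguments
        results.append((section, "on-disk" if "\\" in path else "search", path))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

The parser only sorts entries by what the log line says about the file; deciding which entries are unwanted is still the helper's judgement.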
     
  10. Indymoo6

    Indymoo6 Private E-2

    Thanks so much for all your help... my computer is running a lot better, except when I run Spybot, FunWebTools still comes up for 2 entries.....
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should post the follow-up HJT log that PP requested. And you should attach the log from Spybot. It may be just a few simple registry entries that require manual removal.
     
  12. Indymoo6

    Indymoo6 Private E-2

    After I rebooted my computer in normal mode and ran HijackThis, this was the log.......



    I'm not really sure how to do a Spybot log, but the only entries that came up were for fun web products (4 entries)
     

    Attached Files:

    Last edited by a moderator: Mar 1, 2005
  13. PhilliePhan

    PhilliePhan Guest

    Hi Indy,

    Chas is correct that those FunWeb remnants are likely orphaned registry entries. To pin them down, I'll need to see the log Spybot or Ad-aware produces after it scans and fixes.

    For now, how are things running? Is your computer displaying any abnormal symptoms? Or is FunWeb only coming up in SpyBot scans? Does Ad-aware find this as well?

    Let's run through this again and get rid of a few more things:

    Please look in Add or Remove Programs for the following and Uninstall it if found:

    SurfSideKick 2

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll

    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if it should remain:

    C:\Program Files\SurfSideKick 2 --> The Folder


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    Then, run an Ad-AwareSE scan as per the tutorial and attach that log as well. To attach, scroll down to the Additional Options section when you post back and use the "Manage Attachments" button.

    PP :)
     
  14. Indymoo6

    Indymoo6 Private E-2

    My computer is running much better, but FunWebTools still shows up on Spybot. Here are the logs
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Hi Indy,

    Well, Ad-aware found the SurfSideKick, but did not see FunWeb.

    I did, however, see an item that I missed!

    Please fix these lines with HijackThis:

    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe


    Then, boot to Safe Mode and make sure C:\Program Files\SurfSideKick 2 has been removed for good!

    ALSO: DELETE this file while in Safe Mode--> C:\WINDOWS\system\wmgwopi.exe


    Then, get me a SpybotSD Log. First, scan and fix with Spybot in Safe Mode.
    Then, open Spybot and select Advanced Mode > Tools > View Report and Click the Green Arrow to View Report and then click EXPORT and save the latest log to your Desktop where you can find it easily. Then, attach it with your post.

    pp:)
     
  16. Indymoo6

    Indymoo6 Private E-2

    Here are the logs from Spybot.... thanks
     

    Attached Files:

  17. PhilliePhan

    PhilliePhan Guest

    I don't see FunWeb in there either!

    What message (Please be Exact) do you get when Spybot detects this?

    I don't think it is any kind of threat - but I know the constant alert can be a pain! If we can pin it down, we can manually remove it from the registry so you don't keep getting these warnings. (Although, on the plus side, those warnings prompted you to come here and we removed a lot of bad stuff from your machine! ;))

    Also, before I forget, you should have a look at Chaslang's Suggestions!!

    Anyhoo, update me on that detection message and let's see what we can do.

    PP :)
     
  18. Indymoo6

    Indymoo6 Private E-2

    I just would like to thank everyone for helping me with my computer. Everyone was a huge help and I could have done it without you guys!! :D :D :D :D
     
  19. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) We are happy to help!

    Let us know if that renegade registry entry continues to bother you. We can try to hunt it down and remove it. Also, be sure to update and scan with Spybot and Ad-aware often!

    PP :)
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

