spyware protection 2009

Discussion in 'Malware Help (A Specialist Will Reply)' started by signman1962, Feb 28, 2009.

  1. signman1962

    signman1962 Private E-2

    I've gone thru the READ & RUN ME and got the following results after going thru the cleaning process:
    superantispyware- tried to install but got an "Encountered a problem and needs to close" error. renamed to sas.exe and got the same results.

    spybot - installed OK, when starting program nothing happened (hourglass came on for a few seconds, then nothing)

    Malwarebytes Anti-Malware - during installation got an error:
    c:\programfiles\malwarbytes' antimalware\mbamext.dll (unable to register the DLL/OCX:RegSvr failed with exitcode 0x1
    prompted to Abort, Retry, Ignore - tried retry, then Ignored
    got another error:
    c:\programfiles\malwarebytes' antimalware\ssubtmr6.dll (unable to register the DLL/OCX:RegSvr32 failed with exit code 0x1
    prompted again, and ignored - program installed and when I tried to run it got the same response as Spybot

    combofix - tried to execute program but no response either

    ran MGtools, attached is the log file: MGlogs.zip


    I read other threads relating to this malware, but I am not sure if they relate to my situation; any assistance would be appreciated.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Please run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis. Click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then clicking Kill process. Then click Yes.
    C:\WINDOWS\svcho.exe
    C:\WINDOWS\sysguard.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\120e805c1.dll""
    O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
    O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
    O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\120e805c1.dll"" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\120e805c1.dll"" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-3209469551-3760592020-4228028370-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Lorraine')
    O4 - HKUS\S-1-5-21-3209469551-3760592020-4228028370-1008\..\Run: [motewiwane] Rundll32.exe "C:\WINDOWS\system32\gefayubi.dll",s (User 'Lorraine')
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O20 - AppInit_DLLs: dhlynz.dll ,
    O20 - Winlogon Notify: hgGxYSkL - hgGxYSkL.dll (file missing)
    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.




    Now run Pocket Killbox by double clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.



    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Owner\Application Data\Macromedia\Common\120e805c1.dll
    C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\120e805c1.dll
    C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\120e805c1.dll
    C:\WINDOWS\svcho.exe
    C:\WINDOWS\sysguard.exe
    C:\WINDOWS\syssvc.exe
    C:\Windows\System32\dhlynz.dll
    C:\WINDOWS\system32\gefayubi.dll
    C:\WINDOWS\system32\iehelper.dll
    C:\WINDOWS\Tasks\ISP signup reminder 1.job
    C:\WINDOWS\Tasks\ojxusblv.job
    C:\WINDOWS\system32\TDSSmtvd.dat

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot, delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp
    Now see if you can run SUPERAntiSpyware, Malwarebytes, and ComboFix. Make sure you try all of them.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • SUPERAntiSpyware log if it ran
    • Malwarebytes log if it ran
    • C:\ComboFix.txt if it ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Mar 2, 2009
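The HijackThis lines chaslang selected above share a few patterns a defender looks for when triaging an HJT scan: a hosts-file redirect (O1), browser helper objects with no descriptive name or no file behind them (O2), autoruns that start rundll32 on a DLL dropped in a user-writable profile directory or an executable sitting directly in C:\WINDOWS (O4), and a populated AppInit_DLLs value (O20). The script below is an added example, not part of the thread or of HijackThis itself; it parses lines in HJT's text format and applies those heuristics. The sample log is constructed from a subset of the lines quoted in the post, and the scoring rules are my own assumptions about what is worth a closer look, not a verdict that a flagged entry is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines quoted in the post above
# (paths and CLSIDs as posted; this is not a complete HJT log).
SAMPLE_LOG = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\120e805c1.dll""
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O20 - AppInit_DLLs: dhlynz.dll ,
O20 - Winlogon Notify: hgGxYSkL - hgGxYSkL.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
# O4 body: "<registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A path under a per-user profile directory (writable without admin rights)
PROFILE_PATH_RE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Application Data|Local Settings|AppData)\\",
    re.I)
# An executable placed straight into the Windows folder rather than a subfolder
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?[A-Z]:\\WINDOWS\\[^\\"]+\.exe"?', re.I)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def analyze_o4(body):
    """Heuristics (assumed, not HJT's own) for a Run-key autorun entry."""
    m = O4_RE.match(body)
    if not m:
        return []
    key, cmd = m.group("key"), m.group("cmd")
    reasons = []
    if "policies\\explorer\\run" in key.lower():
        reasons.append("autorun via Policies\\Explorer\\Run, a key legitimate software rarely uses")
    if cmd.lower().startswith("rundll32") and PROFILE_PATH_RE.search(cmd):
        reasons.append("rundll32 loading a DLL from a user-writable profile directory")
    if WINDOWS_ROOT_EXE_RE.match(cmd):
        reasons.append("executable placed directly in the Windows folder")
    return reasons


def analyze(log_text):
    """Return one Finding per HJT line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and non-HJT text are ignored
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "O1":
            reasons.append("hosts file maps a hostname to a fixed IP (browser redirect)")
        elif section == "O2":
            # body: "BHO: <name> - {CLSID} - <path or (no file)>"
            name = body.split(" - ")[0].split(":", 1)[1].strip()
            if name in ("(no name)", "BHO"):
                reasons.append("browser helper object without a descriptive name")
        elif section == "O4":
            reasons.extend(analyze_o4(body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip(" ,")
            if value:
                reasons.append(f"AppInit_DLLs set to {value!r}: loaded into every process that uses user32.dll")
        if any(marker in body for marker in ORPHAN_MARKERS):
            reasons.append("entry points at a file that no longer exists (orphaned, clean up)")
        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against any saved HJT scan by passing the file's contents to `analyze()`; the MSMSGS line in the sample produces no finding, which is the point of the exercise: the heuristics separate the entries worth a second look from ordinary startup items rather than flagging everything that starts at logon.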
  3. signman1962

    signman1962 Private E-2

    Thanks for the response,

    Prior to receiving your post, I got SUPERAntiSpyware to run using the alternate startup; after this I was able to run Spybot. When trying to install Malwarebytes, I still get the error as mentioned before.
    The two programs that ran did manage to rid the "spyware protection 2009" problem, but when I set my computer to normal startup, I apparently have something called "Walladay" on startup which turns my desktop black. I can prevent this running by using selective startup and unchecking "walladay". I have located the walladay.exe file in the Windows directory and moved it to a temp directory to see if this rids the black screen when using normal startup, but it doesn't help. I also noticed in Windows Task Manager that I have 7 processes running named "svchost.exe"; is it possible all these are valid?

    Do you want me to still proceed with the instructions in your reply?

    thanks
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes.

    Yes, although some items mentioned may no longer exist after running the scans. So if you don't find certain items, just ignore them and continue. Make sure you look at the current instructions online. I just noticed a typo in them and fixed it.
     
  5. signman1962

    signman1962 Private E-2

    Here are the results:
    after merging the fixme.reg to the registry I received a success message about adding the fixme.reg to the registry.
    When running Killbox I did NOT get a PendingFileRenameOperations prompt.

    After Killbox rebooted, upon start up I get the message:
    Data Execution Prevention - Microsoft Windows-
    to help protect your computer, Windows has closed this program
    name:WMI
    publisher:Microsoft Corporation

    It requests that I send an error report - after sending the error report the message continually reappears about 4 times. (This happens every time I reboot.)

    SUPERAntiSpyware and ComboFix ran OK; I still cannot install Malwarebytes (same issue).

    I have attached the logs from the cleaning programs that ran.

    I can now also startup in normal mode and the walladay issue is no longer there (Thanks!)
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation, especially when you start saving large files here like you are doing. All of the below should be removed immediately:
    Code:
    "C:\Documents and Settings\Owner\Desktop\"
    aacw_d~1.zip  Jan 31 2009   297435746  "AACW_Demo.zip"
    alli1.jpg     May 19 2004      346807  "alli1.jpg"
    alli2.jpg     May 19 2004      418089  "alli2.jpg"
    bobcats.jpg   Nov 13 2005     2344060  "Bobcats.JPG"
    demo10~1.exe  Jun 25 2007   298275604  "Demo105b_AACW.exe"
    firefo~1.exe  Mar  1 2009     7521112  "Firefox Setup 3.0.6.exe"
    log.txt       Mar  3 2009       17044  "log.txt"
    mbamw.exe     Dec 21 2008     2539400  "mbamw.exe"
    messen~1.exe  May 29 2002       28672  "MessengerDisable.exe"
    messen~1.zip  Mar  3 2009        6701  "messengerdisable.zip"
    sas.exe       Feb 28 2009     6043680  "sas.exe"
    supera~1.log  Mar  3 2009        7190  "SUPERAntiSpyware Scan Log - 03-01-2009 - 16-29-18.log"
    ta08dxdw.exe  Feb 25 2009    13231789  "ta08dxdw.exe"
    ta08la~1.exe  Feb 25 2009     1350457  "ta08la1040.exe"
    wia_demo.zip  Feb 15 2009   566437681  "WIA_Demo.zip"
    Now uninstall your current copy of Malwarebytes. If you have any problem uninstalling it, just tell me later but continue on with the below anyway.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\120e805c1.dll""
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\120e805c1.dll"" (User 'SYSTEM')

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download this Malwarebytes Anti-Malware
    1. Install the above copy of Malwarebytes. Does it install okay?
    2. Make sure you update it to current databases during the install or after the install. Does it update okay?
    3. Now try running a scan. Did it run? If yes, attach the log with the others below.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • the Malwarebytes log if it ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. signman1962

    signman1962 Private E-2

    Here are the results:

    When running HijackThis, the last entry was not present:
    the 120e805c1.dll (User 'SYSTEM')
    but there were two other similar entries, which I did not check:
    120e805c1.dll (User 'LOCAL SERVICE')
    120e805c1.dll (User 'NETWORK SERVICE')

    Malwarebytes had a couple of run time errors, but it did install!

    attached are the logs

    Thanks!
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
