Spyware removal - I've followed your instructions

Hi

I'm having problems with Spyware, mainly in the form of pop-ups (888.com, dell, various casinos etc). I've followed your instructions but still haven't solved the problem. The tools (Spybot, MicrosoftAS etc) have improved the situation but it has not gone away completely. Occasionally (very) I have system freezes and I couldn't follow your instructions 100% as MicrosoftAS wouldn't work in safe mode. I ran this in normal mode, but whenever I do this, the system freezes after the scan (incidentally, the scan results were clear).

The problems seem to have started since I started using Limewire version 4.9.33. Do I need to uninstall this? I've also received various invitations to download Winfix and have followed the sticky thread on this, but HTF doesn't show up any bad files.

I attach my HTF, BitDefender, and Pandascan logs. The Bitdefender log seems to indicate a problem. Your assistance is much appreciated.

MonkeyCat

 

OK - I'll attach that way in future. Sorry for the inconvenience.

I may have run CCleaner as Administrator in Safe mode previously. However, now I've run it under James Heseltine and cleaned up those files (and others) mentioned in your response.

I ran BitDefender first, then Activescan, definitely.

I look forward to hearing from you further.

Thanks.
MonkeyCat

 

The pop-ups appear fairly randomly it seems (I don't get them off-line). I've uninstalled Windows Messanger but the pop-ups are still appearing.

Before I fix the HJT files, do I need to disable file restore?

 

OK - I've fixed through HJT and attach a new file. Also, I've analysed how and when the pop-ups appear on a number of web-sites. Interestingly, one did appear when I was on this site (that was the only browser open) and another has just opened as we speak! Here is what comes up when. COme to think of it, it's the same set of pop-ups on some kind of cycle:

Upon opening web browser - Blank pop-up headed ‘an error has occurred’
- Blue pop-up advising that Spyware has has been detected asking to click ‘here’.

http://www.pokerineurope.com/frontpage/index.php - cyberslots pop-up
http://www.cricinfo.com/ - 888.com casino pop-up
http://www.telegraph.co.uk/sport/main.jhtml?menuId=145&menuItemId=-1&view=GAMES&grid=P9 – a different 888.com pop-up
http://news.bbc.co.uk/sport1/hi/football/teams/b/bolton_wanderers/default.stm - smileys advert
http://www.pokerstarsblog.com/ - 888.com pop-up

The ones that appeared when on your site may have appeared when I first opened the browser (but I went straight to this site) and they were 'Mymobiclub and the Blue pop-up advising Spyware has been detected.

Anyhow, I hope that's enough information and I look forward to hearing from you (hope I've attached the logfile correctly this time).

Thanks.
MonkeyCat

 

Ewido file attached as requested.

Look forward to hearing from you.

 

Ok - attached. It didn't take very long (5 mins) and seems to have automatically created the text file. Did the IE thing as well.

Thanks.
MonkeyCat

PS Firewall is 'on' with worm protection so I don't think this is a problem? I was still having pop-ups after Ewido.

 

Hi

Yes, the pop-ups continued after I reset IE. I've run the Look2me fix and attach both logs. As well, we I first came to reply to the post, my system crashed. I sent an error report to Windows and attached the 'virus alert' document as well.

The pop-ups are still happening!!

Look forward to hearing from you. Happy New Year.

 

To keep things moving along...

Download AproposFix by Swandog46

Save it to your desktop or to another folder of its own, but do NOT run it yet!

Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

Once in Safe Mode, double-click aproposfix.exe which will give you a chice of where to unzip/install the program to). This is called the Destination folder in the window that popsup. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

When the tool is finished, reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file that has been created in the aproposfix folder.

Good Luck!

Bj

 

OK thanks. Please find attached. Look forward to hearing from you.

 

Please run my previous post once more to confirm it was all successfully removed, then attach the new log with a fresh HJT log.

 

2 new logs attached. Pop ups seem to have stopped. Are we sorted?

Thanks
MonkeyCat

 

Both logs look good, to confirm your clean I would like a fresh WinPFind log from post #11.

 

Here you go. How are we?

 

Looks good, are you having any further problems?

 

Looking good. Thanks for all your help guys.

 

Glad I could be of some assistance!

To stay clean, you should see this article on How to Protect yourself from malware!

Surf Safely!

 

Anytime

When I noticed that the L2MeFix didnt fix the problem, I had a pretty good idea it was Apropos.

 

Didn't notice that LOL! I guess I should look at more logs....

 

One final query. Occasionally when I log on, I get a security alert telling me that virus protection is switched off. It says it's off in the security centre, but when I go directly to the anti-virus application, it says it's on. The message telling me it's 'off' disappears after approx 5 minutes (i.e. it switches back to 'on' in the Security Centre).

Is this a problem?

Thanks.
MonkeyCat

 

I have noticed it doing it with Norton but it shouldnt last that long. I have AVG AntiVirus (I recommend you use this) and it's never done it for me.

It's probably just a Norton thing.

 

My computer was attacked last night immediately after I booted up. I believe I was infected with various kinds of Spyware and am in the process of removing SurfSideKick. I'm following the instructions and just want to clarify one thing; when I first look in Hijack this, I presume I delete the lines with the SurfSideKick references?

Please calrify as it only says to to look for them and not to delete them.

Thanks.

 

Yes, that's what I was referring to, the Sticky thread for SurfSideKick. Anyhow, I went with my gut instinct and removed the HJT entries referring to SSK. The folder which was in Program Files (SurfSideKick 3) has now disappeared so I was unable to follow the rest of the procedure.

There's more Spyware on my system, so I'm going to go through the whole READ ME procedure again and post some new logs with you if that's OK?

Thanks.
Monkeycat

 

I thought I was in good shape too, and I was until the other night; it seemed to come from nowhere when I booted up the computer.

I believe I've removed SurfSideKick. I followed the sticky thread and whilst I couldn't find any repairs.dll files, I followed the rest of the procedure and it seems to have disappeared.

As well, I removed a 'Network Monitor' application from Add/Remove programs. This file was created as a result of the attack, alongside a folder called 'Trus' in Crogram Files. I cannot delete this file presently.

Norton Antivirus identified a virus called 'W32.Picrate' which it was unable to delete as it couldn't access the file. It's located in C:\Documents and Settings\brp.exe

Bit Defender seemed to remove quite a bit and the log is attached alongside the HJT file. However, I could not run Panda Activescan. I keep trying to choose the scan 'My Computer' option but the link simply won't open. Yes, I accessed this through IE, not Mozilla.

Your assistance is appreciated.

 

OK. Please find attached Spy Sweeper log and HJT file. Spysweeper keeps blocking an attempt to open www.a-d-aware.com (or something like that).

Look forward to hearing from you. Where's all this come from?!?

 

PS the HJT entry you refer to - no, I have no knowledge of this. Permission to fix?

 

Followed your instructions and things seem to be much better. I've exited Spy Sweeper and I'm not being directed to the Adware site. Please find attached a fresh HJT log.

Are we sorted? (I'm of to bed now so will pick up your response tomorrow). PS Any ideas how this got on my system? It all seemed to appear at once.

Thanks again for your help.
MonkeyCat

 

OK. I've done the File Restore thing and will look at the thread about protecting from Malware (again). I'm abit unsure on the Java bit, but I'll muddle my way through it.

Should I uninstall Spy Sweeper now? If I experience problems in the future will I be able to download another trial version?

I posted a thread about Limewire playing up a couple of weeks ago (yes, I use p2p applications) and downloaded Shazzaware (but uninstalled as I couldn't get my head around changing my browser settings) and subsequently Morpheus, which is still on my system. I believe Morpheus is a 'clean' application.

Thanks for all your help.

 

Thanks for your comments on P2P applications. I've recently switched from Norton AV to AVG, and AVG picked up a couple of Trojan Dropper viruses<SIGH>. Looking at the location of these, I've discovered they originated in the wmplayer folder......strange.......looking back on your instructions, you advised to delete this folder in safe mode......and I did.

However, when I reboot in normal mode, the folder re-appears and cannot be deleted (even after changing from read-only to read-write). I have tried accessing task manager but cannot locate a relevant process to 'kill'.

I haven't used any P2P applications since the last incident and access pretty much non-dodgy websites.

How can I get rid of it?

Thanks.
MonkeyCat

PS I've also installed Zone Alarm - do I need this? (i.e. does my wireless router have a firewall?).

 

OK - Here you go.

Thanks alot.
MC

 

PS Could not see the wmplayer folder - presumed this was same as Windows Media Player folder, which doesn't contain any files?

 

A new spyware problem which I believe has come from opening an e-mail attachment. Spybot cleared up alot of this, but cannot delete the folder MyWebSearch (which is in Program Files). I've tried all the usual ways of deleting this manually, to no avail.

I attach PandaActiveScan Log and HJT File. Forgot to save the BitDefender one, but this came back clean anyway.

Please advise how I can resolve. Your assistance is, as ever, appreciated.

Thanks.
MonkeyCat

 

Sorry for the delay; been at work. Please find attached list as requested.

MonkeyCat