Spyware still...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Maverick2007, Jan 6, 2007.

  1. Maverick2007

    Maverick2007 Private E-2

    I have been working on removing a Conhook virus for the last couple of days following your procedures in the Readme First section. I finally got rid of the damn thing after using Process Explorer and Pocket Killbox.

    Once it was gone, I went through everything again from the beginning. It seems there is still something hidden and I'm not sure where it is. Hopefully you guys can help me out now.

    My original attempts to remove the Conhook had to be done in normal mode. I couldn't get into safe mode until I learned that I can modify my boot.ini file with /safeboot:Minimal or /safeboot:Network.

    I've done quite a lot on my own and it is very clean now. Spybot found nothing in Safe mode. Counterspy found some and quarantined them. Bitdefender found and removed several, including some in a quarantine folder (sorry, I forgot to clear those out). Finally, Panda found one spyware.

    I'm running Windows 2000 with Avast! 4.7 Home Edition completely up to date. Now I also have CounterSpy running and Spybot has given me all the latest immunizations.

    Attached are the logs you request. The rest will follow.
     

    Attached Files:

  2. Maverick2007

    Maverick2007 Private E-2

    Need help (last post lost?)

    Sorry if this is a double of the last, but it sent me to "invalid link". Clicked on "contact admin" and got front page. No contact link on that page. :cry

    Anyway, in case that link is lost, I'm reposting the info here.

    I finally got rid of a Conhook virus after using Process Explorer and Pocket Killbox, but am still seeing infections after additional scanning. I have gone through all of the steps in your Readme file and the logs are attached.

    I have a Windows 2000 PC with Avast! 4.7 Home (completely up to date) and Spybot 1.4 and up-to-date immunizations. I have also used Registry Mechanic and now have Counterspy running as well.

    Additional logs will follow. Ok, it says that I've already uploaded the files: bdscan.txt, activescan.txt, and counterspy.txt. So I'm attaching hijackthis.log, newfiles.txt, and runkeys.txt. If you can't find the others, please let me know how to upload them again and I will.

    Thanks,
    Brian
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log. Be sure to tell me how your computer is running.
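    The "Delete on Reboot" option in the Killbox steps above works by queuing the file paths in the Session Manager's PendingFileRenameOperations registry value, which Windows processes early in the next boot (the same mechanism behind the "PendingFileRenameOperations prompt" mentioned in the instructions). The PowerShell function below is an added example, not part of this thread and not Pocket Killbox's own code; it decodes that value into a readable list so you can verify what is queued for deletion or renaming before you reboot. It assumes an elevated PowerShell session on the affected machine (PowerShell was not available on Windows 2000 at the time of this thread, but the registry value is the same on later Windows versions).

```powershell
# Added example (not from the thread): decode the pending-rename queue that
# "Delete on Reboot" tools such as Pocket Killbox rely on, so the entries can be
# reviewed before Session Manager acts on them at the next boot.
function Get-PendingFileRenameOperations {
    [CmdletBinding()]
    param(
        # Standard location of the value; kept as a parameter so the function can
        # also be pointed at an offline SYSTEM hive loaded under HKLM for forensics.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    )

    $item = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $entries = @($item.PendingFileRenameOperations)
    if ($entries.Count -eq 0) {
        Write-Verbose 'No pending file rename operations are queued.'
        return
    }

    # The value is a REG_MULTI_SZ of source/destination pairs. Paths carry the
    # NT object-manager prefix \??\ ; an empty destination means "delete source",
    # and a destination starting with "!" means "replace an existing file".
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $source      = $entries[$i]
        $destination = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }

        $action = if ([string]::IsNullOrEmpty($destination)) { 'Delete' }
                  elseif ($destination.StartsWith('!'))      { 'Replace' }
                  else                                       { 'Rename' }

        [pscustomobject]@{
            Action      = $action
            Source      = $source      -replace '^\\\?\?\\', ''
            Destination = $destination -replace '^!?\\\?\?\\', ''
        }
    }
}

# Usage: run right after Killbox reports that a file is set to delete on reboot.
# Anything listed here that you did not queue yourself deserves a closer look.
Get-PendingFileRenameOperations | Format-Table -AutoSize
```

    Reviewing this list is also a cheap sanity check in the other direction: malware and legitimate installers alike use the same queue, so an unexpected rename or replace of a system file scheduled for the next boot is worth investigating before rebooting.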
     
  4. Maverick2007

    Maverick2007 Private E-2

    I'm at work right now. I'll get to this as soon as I get home. Before I do, I just want to understand a couple of things near the end of your description. ExplorerXP? I'm running Windows 2000, and I'm not sure what ExplorerXP is. I assume you just mean the standard File Explorer. The second is Cleanmgr? Is that a utility that exists under Windows 2000 as well? Other than that it all looks pretty straightforward. I'll let you know.

    Thanks a bunch for this site. You guys are fantastic. Saved me from having to reinstall. I thought you might have a "donate" button so I could kick you a few bucks for your time, but I couldn't find one. You might consider adding one.
     
  5. Maverick2007

    Maverick2007 Private E-2

    Ok. I followed everything you listed. I've attached the new Hijackthis.log. Please have a look and tell me what you think. The last Bit Defender scan I ran did not find any viruses. Neither did CounterSpy or Spybot. That was before I ran these steps. But I figured it couldn't hurt to clean out some garbage anyway.

    Thanks for the help and let me know if there is anything else you think I need to do.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I forgot to edit that part of my instructions; it should have said Windows Explorer instead of ExplorerXP.

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
