mchyzik
asked on
can't remove spyware
I have been trying to clean off this PC for days.. and I still can't get it clean!
XP Home... has numerous spyware programs showing up in msconfig and hijackthis. I remove them in safe mode, and they keep coming back. I even tried installing Sygate personal firewall to keep others out but it won't even show up in startup (not running during reboot). HELP PLEASE.. I need to get this system clean ASAP... thank you in advance.
PS. I have run adaware in safe mode... as well as antivirus... still does not work!
VERY FRUSTRATED HERE... almost ready to reload XP
ASKER
http://www.hijackthis.de/logfiles/269739805ac5a8d395c0eac82b1d2776.html
I already tried removing using hijackthis.. but it doesn't work. Hoping you see something that will help it clean up! Thank you again.
Your hijackthis looks bad but we can fix that, I have to go now but I'll be back in an hour or so, unless someone will help you before I get back.
ASKER
I hope someone helps me before then... I have tried cleaning it with hijackthis, even in safe mode, but those critters still keep coming back... and no firewall will run on the PC either. HELP.. Desperate in Virginia (grin).
OK back.
Hijackthis is not a standalone tool; it needs other tools to fix entries or get rid of a certain infection.
Normal bad entries it can take care of, but when it's an infection like vundo, look2me, qoologic etc. it needs other tools.
1. Your log is showing qoologic infection and purityscan among others.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe
In Add/Remove programs also uninstall these if present:
Winfixer
SurfsideKick 3
Zeno
After uninstalling, make sure these folders are gone:
C:\Program Files\WinFixer
C:\Program Files\SurfSideKick 3
2. Download Killbox:
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\system32\pwinoqaf.exe
C:\winnt\system32\pndsregn.exe
C:\WINNT\system32\yatnw.exe
C:\WINNT\system32\w00a71c4.dll
C:\WINNT\system32\slk8x2peu.exe
C:\WINNT\system32\ejrwx8drl.dll
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.
3. a) Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root directory.
b) Download qoofix.bat
http://downloads.subratam.org/Lon/qooFix.bat
Place qoofix.bat in your C:\BFU - folder. (Important!)
Double-click "qooFix.bat", Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
C:\documents and settings\david\local settings\temp <-- make sure you empty this folder. You can also use CCleaner or CleanUp to empty your temp folders.
After that, run hijackthis and put a check next to these entries if they are still present:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\yatnw.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jvbrhog.exe
O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINNT\system32\ejrwx8drl.dll (file missing)
O4 - HKLM\..\Run: [WFk2] C:\documents and settings\david\local settings\temp\WFk2.exe
O4 - HKLM\..\Run: [7z6Ns] C:\documents and settings\david\local settings\temp\7z6Ns.exe
O4 - HKLM\..\Run: [5PvHb] C:\documents and settings\david\local settings\temp\5PvHb.exe
O4 - HKLM\..\Run: [FNI.WFX5AS_0001_0818] "C:\DOCUME~1\DAVID\LOCALS~1\Temp\WFX9A.exe"
O4 - HKLM\..\Run: [WinFixer helper] C:\Program Files\WinFixer\wfxcwr.exe
O4 - HKLM\..\Run: [w00a71c4.dll] RUNDLL32.EXE w00a71c4.dll,I2 0001ee91000a71c4
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe G
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\pwinoqaf.exe FI002
O4 - HKLM\..\Run: [gjZC2XV] "C:\WINNT\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [{E6-6B-B5-5B-ZN}] C:\winnt\system32\pndsregn.exe FI002
O4 - HKCU\..\Run: [Hdcld] C:\WINNT\system32\?ttrib.exe
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\WNSXS~1\scanregw.exe" -vt rbnd
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\pwinoqaf.exe
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINNT\system32\ejrwx8drl.dll
Let us see a new hijackthis log after you've done those.
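The entries the reply above tells the asker to check are suspicious for structural reasons as much as for their names: autorun targets sitting in a temp folder, a Winlogon Shell/UserInit value that chains an extra executable, rundll32 loading a DLL by bare file name, a text/html MIME filter, and hooks whose file is already gone. The script below is an added example, not part of the original thread and not a HijackThis or Experts Exchange tool: it parses lines in the HijackThis log format and flags those patterns. The sample log is constructed from the entries quoted above (with the extraction line-wrap spaces removed) plus two constructed benign entries (SynTPEnh and NvCplDaemon) as negative controls; the function and rule names are the example's own.

```python
import re

# Constructed sample input: the HijackThis entries quoted in the reply above
# (line-wrap spaces removed), plus two constructed benign entries as controls.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\yatnw.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jvbrhog.exe
O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINNT\system32\ejrwx8drl.dll (file missing)
O4 - HKLM\..\Run: [WFk2] C:\documents and settings\david\local settings\temp\WFk2.exe
O4 - HKLM\..\Run: [w00a71c4.dll] RUNDLL32.EXE w00a71c4.dll,I2 0001ee91000a71c4
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe G
O4 - HKCU\..\Run: [Hdcld] C:\WINNT\system32\?ttrib.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\pwinoqaf.exe
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINNT\system32\ejrwx8drl.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] target"
LINE_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
# rundll32 followed by the DLL it is asked to load (path or bare name)
BARE_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+\.dll)")


def parse_line(line):
    """Split a HijackThis entry into (section code, body); None if not an entry."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(line):
    """Return a reason string if the entry matches a suspicious pattern, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    code, body = parsed
    low = body.lower()

    # A registered hook, BHO or filter whose file no longer exists is residue
    # of an incomplete removal: it loads nothing but should still be fixed.
    if "(file missing)" in low or "(no file)" in low:
        return "registered component whose file is gone"

    if code == "F2":
        # Winlogon: a clean XP box has Shell=Explorer.exe and
        # UserInit=<system32>\userinit.exe with nothing chained after it.
        if low.startswith("reg:system.ini: shell="):
            value = body.split("=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                return "Winlogon Shell launches an extra program: " + value
        if low.startswith("reg:system.ini: userinit="):
            parts = [p.strip() for p in body.split("=", 1)[1].split(",")]
            extra = [p for p in parts if p and not p.lower().endswith("\\userinit.exe")]
            if extra:
                return "Winlogon UserInit chains extra program(s): " + ", ".join(extra)
        return None

    if code == "O4":
        if "\\temp\\" in low:
            return "autorun target lives in a temp folder"
        if "?" in body:  # HijackThis prints an unprintable character in a path as '?'
            return "autorun target path contains a non-printable character"
        m = BARE_RUNDLL_RE.search(low)
        if m and "\\" not in m.group(1):
            return "rundll32 loads a DLL by bare name (no directory): " + m.group(1)
        return None

    if code == "O18" and low.startswith("filter: text/html"):
        return "MIME filter hooking text/html rewrites every page IE renders"

    return None


def scan(log_text):
    """Return [(entry, reason)] for every flagged line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            reason = classify(raw)
            if reason:
                findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in scan(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Two caveats the thread itself illustrates. The structural rules above do not flag the SurfSideKick entries, which sit in a normal Program Files path; catching those needs a signature list of known adware names, which is exactly what the expert supplies by reading the log. And flagging is not removal: the F2 values are the Winlogon Shell and Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and because whatever they chain runs before the desktop appears, the files have to be deleted (on reboot, as with Killbox) and the values restored together, or the entries simply come back, as the asker reports.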
ASKER
It looks like I need to do a repair of the OS now...
I was able to look up and remove the ssk by following directions in another post. Everything looked fine, I then installed antivirus and adaware (again) as well as the firewall. Everything was working fine until I reboot. Over half the icons have 'incorrect' icons, and no system/program files can be found when I try to run anything. YIKES.
ASKER
no repair...re-install?
Did you run the BFU? That should've taken care of qoologic, and the Purityscan uninstaller takes care of purityscan files, while Killbox takes care of the others.
Try rolling back to a date before you got infected by using System Restore console.
Start > All Programs > Accessories > System Tools > System Restore
and pick a date before you got infected.
Bear in mind that any programs you installed, updates or drivers that you've installed after this date would need to be reinstalled.
ASKER
I tried system restore, but it said the system file was not there to perform that operation. Something 'ate' up my system files. I am now doing a repair of the OS. Luckily, not much but Office is installed on this PC. I backed up data/personal files, .pst, etc to another drive I had on the network (early on, before attempting to clean it). Will it still be infected after the repair?
ASKER
Now I am getting kicked out of the install with the error:
windows cannot open this file, rundll.exe...
Should I format the drive and start from scratch... this is terrible! Will lead me to a glass of wine!
ASKER
ooops rundll32.exe is the file it doesn't know what to do with.
ASKER
I just turned off the power button on that dang computer... format and reinstall I hope! Suggestions?
ASKER CERTIFIED SOLUTION
Yes, that is some tough malware. If you are quite sure that important files are backed up to a safe place then a re-format may be in order. Don't overlook things like e-mail, IE favorites etc.
If you want to try something in-between, you can do a clean install of XP, i.e. install it to a new folder (e.g. to c:\WINDOWS instead of C:\WINNT). Then when you're sure everything is running OK you can delete the old infected c:\WINNT folder. This will preserve your own files and put them at less risk, though a good backup is still highly recommended.
Also, don't forget to apply SP2 and all other updates from the Windows Update web site after reinstall.
For example:
Hijackthis can't remove vundo infection, look2me infections etc on its own, it needs other tools. But it is an excellent diagnostic tool because it can tell us what malware infections are present in your system.
Please let us see your hijackthis log, we will then be able to tell you what infection is showing in your log and give you the right tool for it.
You can either:
Paste your Hijackthis log to this site --> http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or copy and paste the log to this site --> http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.