

cant remove spyware

Posted on 2006-05-10
Medium Priority
Last Modified: 2010-04-11
I have been trying to clean off this PC for days.. and I still can't get it clean!
XP Home... has numerous spyware programs showing up in msconfig and HijackThis.  I remove them in safe mode, and they keep coming back.  I even tried installing Sygate Personal Firewall to keep others out but it won't even show up in startup (not running during reboot).  HELP PLEASE.. I need to get this system clean ASAP... thank you in advance.
PS.  I have run Ad-Aware in safe mode... as well as antivirus... still does not work!
VERY FRUSTRATED HERE... almost ready to reload XP
Question by: mchyzik
LVL 47

Expert Comment

ID: 16653557
HijackThis, although an excellent diagnostic tool, enumerator and registry editor, is not a standalone program. It needs other tools to remove infections.
For example:
HijackThis can't remove Vundo infections, Look2Me infections etc. on its own; it needs other tools. But it is an excellent diagnostic tool because it can tell us what malware infections are present in your system.

Please let us see your hijackthis log, we will then be able to tell you what infection is showing in your log and give you the right tool for it.
You can either:
Paste your Hijackthis log to this site -->  http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log to this site --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.

Author Comment

ID: 16653713

I already tried removing using HijackThis.. but it doesn't work.  Hoping you see something that will help it clean up!  Thank you again.

LVL 47

Expert Comment

ID: 16653739
Your HijackThis log looks bad but we can fix that. I have to go now but I'll be back in an hour or so, unless someone will help you before I get back.

Author Comment

ID: 16653859
I hope someone helps me before then... I have tried cleaning it with HijackThis, even in safe mode, but those critters still keep coming back... and no firewall will run on the PC either.  HELP.. Desperate in Virginia (grin).
LVL 47

Expert Comment

ID: 16654172
OK back.

HijackThis is not a standalone tool; it needs other tools to fix entries or get rid of a certain infection.
Normal bad entries it can take care of, but when it's an infection like Vundo, Look2Me, Qoologic etc. it needs other tools.

1. Your log is showing qoologic infection and purityscan among others.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.

In Add/Remove programs also uninstall these if present:
SurfsideKick 3

After uninstalling, make sure these folders are gone:
C:\Program Files\WinFixer
C:\Program Files\SurfSideKick 3

2. Download Killbox:
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.

3. a) Download Brute Force Uninstaller to your C:\
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root directory.

b) Download qoofix.bat
Place qoofix.bat in your C:\BFU - folder. (Important!)
Double-click "qooFix.bat", and close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.

C:\documents and settings\david\local settings\temp <-- make sure you empty this folder. You can also use CCleaner or CleanUp to empty your temp folders.

After that, run hijackthis and put a check next to these entries if they are still present:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)  
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\yatnw.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jvbrhog.exe  
O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINNT\system32\ejrwx8drl.dll (file missing)
O4 - HKLM\..\Run: [WFk2] C:\documents and settings\david\local settings\temp\WFk2.exe  
O4 - HKLM\..\Run: [7z6Ns] C:\documents and settings\david\local settings\temp\7z6Ns.exe  
O4 - HKLM\..\Run: [5PvHb] C:\documents and settings\david\local settings\temp\5PvHb.exe
O4 - HKLM\..\Run: [FNI.WFX5AS_0001_0818] "C:\DOCUME~1\DAVID\LOCALS~1\Temp\WFX9A.exe"  
O4 - HKLM\..\Run: [WinFixer helper] C:\Program Files\WinFixer\wfxcwr.exe
O4 - HKLM\..\Run: [w00a71c4.dll] RUNDLL32.EXE w00a71c4.dll,I2 0001ee91000a71c4
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe G
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\pwinoqaf.exe FI002  
O4 - HKLM\..\Run: [gjZC2XV] "C:\WINNT\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [{E6-6B-B5-5B-ZN}] C:\winnt\system32\pndsregn.exe FI002
O4 - HKCU\..\Run: [Hdcld] C:\WINNT\system32\?ttrib.exe  
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\WNSXS~1\scanregw.exe" -vt rbnd
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe  
O4 - Startup: Zeno.lnk = C:\WINNT\system32\pwinoqaf.exe
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINNT\system32\ejrwx8drl.dll

Let us see a new hijackthis log after you've done those.
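A way to triage a HijackThis log like the one above for the persistence hijacks the expert points at, as an added example that is not part of the original thread or of HijackThis itself. The rules (Shell=/UserInit= tampering, startup files in temp folders, entries pointing at missing files, look-alike names, pathless RUNDLL32 DLLs, text/html filters) are my own heuristics, and the sample lines are copied from the log above plus one constructed benign entry.

```python
import re

# Constructed sample: lines from the HijackThis log in the thread, plus a benign ctfmon entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\yatnw.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jvbrhog.exe
O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINNT\system32\ejrwx8drl.dll (file missing)
O4 - HKLM\..\Run: [WFk2] C:\documents and settings\david\local settings\temp\WFk2.exe
O4 - HKCU\..\Run: [Hdcld] C:\WINNT\system32\?ttrib.exe
O4 - HKLM\..\Run: [w00a71c4.dll] RUNDLL32.EXE w00a71c4.dll,I2 0001ee91000a71c4
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINNT\system32\ejrwx8drl.dll
"""

TEMP_DIR = re.compile(r"\\(local settings\\temp|locals~1\\temp)\\", re.I)

def suspicious_reason(line: str):
    """Return why a HijackThis line looks like a persistence hijack, or None if it passes."""
    low = line.lower()
    if low.startswith("f2 - ") and "shell=" in low:
        # Shell= should be exactly Explorer.exe; anything appended is an extra startup program
        value = line.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return "Shell= loads more than Explorer.exe"
    if low.startswith("f2 - ") and "userinit=" in low:
        # UserInit= should be userinit.exe alone; a second name after the comma runs at logon
        parts = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
            return "UserInit= runs an extra program"
    if "(file missing)" in low:
        return "hook points at a deleted file (stale BHO/run entry)"
    if TEMP_DIR.search(line):
        return "startup program lives in a temp folder"
    if low.startswith("o4 - ") and ("?" in line or any(ord(c) > 127 for c in line)):
        return "non-ASCII character in file name (look-alike of a system file)"
    if low.startswith("o4 - ") and re.search(r"rundll32\.exe\s+[^\\\s]+\.dll", low):
        return "RUNDLL32 loads a DLL given without a full path"
    if low.startswith("o18 - filter: text/html"):
        return "third-party MIME filter hooked on text/html"
    return None

def triage(log: str):
    """Return [(line, reason)] for every log line that trips one of the rules above."""
    hits = []
    for line in log.strip().splitlines():
        reason = suspicious_reason(line)
        if reason:
            hits.append((line, reason))
    return hits
```

Run `triage(SAMPLE_LOG)` on the sample: seven of the eight lines are flagged and only the ctfmon entry passes.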


Author Comment

ID: 16654433
It looks like I need to do a repair of the OS now...
I was able to look up and remove the SSK by following directions in another post.  Everything looked fine, I then installed antivirus and Ad-Aware (again) as well as the firewall.  Everything was working fine until I rebooted.  Over half the icons have 'incorrect' icons, and no system/program files can be found when I try to run anything.  YIKES.

Author Comment

ID: 16654451
no repair...re-install?
LVL 47

Expert Comment

ID: 16654482
Did you run the BFU? That should've taken care of Qoologic, and the PurityScan uninstaller takes care of PurityScan files, while Killbox takes care of the others.

Try rolling back to a date before you got infected by using System Restore console.

Start > All Programs > Accessories > System Tools > System Restore
and pick a date before you got infected.

Bear in mind that any programs you installed, updates or drivers that you've installed after this date would need to be reinstalled.

Author Comment

ID: 16654519
I tried System Restore, but it said the system file was not there to perform that operation.  Something 'ate' up my system files.  I am now doing a repair of the OS.  Luckily, not much but Office is installed on this PC.  I backed up data/personal files, .pst, etc. to another drive I had on the network (early on, before attempting to clean it).  Will it still be infected after the repair?

Author Comment

ID: 16654532

Now I am getting kicked out of the install with the error:
windows cannot open this file, rundll.exe...
Should I format the drive and start from scratch... this is terrible!  Will lead me to a glass of wine!

Author Comment

ID: 16654534
Oops, rundll32.exe is the file it doesn't know what to do with.

Author Comment

ID: 16654562
I just turned off the power button on that dang computer... format and reinstall I hope!  Suggestions?
LVL 47

Accepted Solution

rpggamergirl earned 2000 total points
ID: 16654609
Repair/reinstall of the OS will not get rid of the nasties in your system. It's just too bad that System Restore did not work; it would have cleaned it if rolled back to a clean restore point.

Format would be the best option, which will get rid of all infections.
LVL 32

Expert Comment

ID: 16654858
Yes, that is some tough malware. If you are quite sure that important files are backed up to a safe place then a re-format may be in order. Don't overlook things like e-mail, IE favorites etc.

If you want to try something in-between, you can do a clean install of XP, i.e. install it to a new folder (e.g. to c:\WINDOWS instead of C:\WINNT). Then when you're sure everything is running OK you can delete the old infected c:\WINNT folder. This will preserve your own files and put them at less risk, though a good backup is still highly recommended.

Also, don't forget to apply SP2 and all other updates from the Windows Update web site after reinstall.
