Can't remove spyware

Posted on 2006-05-10
Last Modified: 2010-04-11
I have been trying to clean off this PC for days... and I still can't get it clean!
XP Home... has numerous spyware programs showing up in msconfig and HijackThis. I remove them in safe mode, and they keep coming back. I even tried installing Sygate Personal Firewall to keep others out, but it won't even show up in startup (not running during reboot). HELP PLEASE... I need to get this system clean ASAP... thank you in advance.
PS. I have run Ad-Aware in safe mode... as well as antivirus... still does not work!
VERY FRUSTRATED HERE... almost ready to reload XP
Question by: mchyzik
    LVL 47

    Expert Comment

    HijackThis, although an excellent diagnostic tool, enumerator and registry editor, is not a standalone program. It needs other tools to remove infections.
    For example:
    HijackThis can't remove Vundo, Look2Me etc. infections on its own; it needs other tools. But it is an excellent diagnostic tool because it can tell us what malware infections are present in your system.

    Please let us see your hijackthis log, we will then be able to tell you what infection is showing in your log and give you the right tool for it.
    You can either;
    Paste your Hijackthis log to this site -->
    then at the bottom left corner click "paste"
    Copy the address/url and post it here:

    Or copy and paste the log to this site -->
    and click "Analyse", click "Save".  Post the link to the saved list here.

    Author Comment

    I already tried removing them using HijackThis... but it doesn't work. Hoping you see something that will help it clean up! Thank you again.
    LVL 47

    Expert Comment

    Your HijackThis log looks bad, but we can fix that. I have to go now, but I'll be back in an hour or so, unless someone helps you before I get back.

    Author Comment

    I hope someone helps me before then... I have tried cleaning it with HijackThis, even in safe mode, but those critters still keep coming back... and no firewall will run on the PC either. HELP... Desperate in Virginia (grin).
    LVL 47

    Expert Comment

    OK back.

    HijackThis is not a standalone tool; it needs other tools to fix entries or get rid of a certain infection.
    Normal bad entries it can take care of, but when it's an infection like Vundo, Look2Me, Qoologic etc., it needs other tools.

    1. Your log is showing a Qoologic infection and PurityScan, among others.
    If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.

    In Add/Remove programs also uninstall these if present:
    SurfsideKick 3

    After uninstalling, make sure these folders are gone:
    C:\Program Files\WinFixer
    C:\Program Files\SurfSideKick 3

    2. Download Killbox:
    *Select the "Delete on Reboot" option.
    *Copy the file names below to the clipboard by highlighting them and pressing Control-C:


    *Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    *Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.

    3. a) Download Brute Force Uninstaller to your C:\
    Unzip it to a folder of its own (C:\BFU). So BFU should be on your root directory.

    b) Download qoofix.bat
    Place qoofix.bat in your C:\BFU - folder. (Important!)
    Double-click "qooFix.bat", and close all browsers and Explorer folders.
    Choose option 1 (Qoolfix autofix) and follow the prompts.
    Please be patient, it will take about five minutes.

    C:\documents and settings\david\local settings\temp <-- make sure you empty this folder. You can also use CCleaner or CleanUp to empty your temp folders.

    After that, run hijackthis and put a check next to these entries if they are still present:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)  
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\yatnw.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jvbrhog.exe  
    O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINNT\system32\ejrwx8drl.dll (file missing)
    O4 - HKLM\..\Run: [WFk2] C:\documents and settings\david\local settings\temp\WFk2.exe  
    O4 - HKLM\..\Run: [7z6Ns] C:\documents and settings\david\local settings\temp\7z6Ns.exe  
    O4 - HKLM\..\Run: [5PvHb] C:\documents and settings\david\local settings\temp\5PvHb.exe
    O4 - HKLM\..\Run: [FNI.WFX5AS_0001_0818] "C:\DOCUME~1\DAVID\LOCALS~1\Temp\WFX9A.exe"  
    O4 - HKLM\..\Run: [WinFixer helper] C:\Program Files\WinFixer\wfxcwr.exe
    O4 - HKLM\..\Run: [w00a71c4.dll] RUNDLL32.EXE w00a71c4.dll,I2 0001ee91000a71c4
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe G
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\pwinoqaf.exe FI002  
    O4 - HKLM\..\Run: [gjZC2XV] "C:\WINNT\system32\slk8x2peu.exe"
    O4 - HKLM\..\Run: [{E6-6B-B5-5B-ZN}] C:\winnt\system32\pndsregn.exe FI002
    O4 - HKCU\..\Run: [Hdcld] C:\WINNT\system32\?ttrib.exe  
    O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\WNSXS~1\scanregw.exe" -vt rbnd
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe  
    O4 - Startup: Zeno.lnk = C:\WINNT\system32\pwinoqaf.exe
    O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINNT\system32\ejrwx8drl.dll

    Let us see a new hijackthis log after you've done those.
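    The entries the expert picks out above all follow HijackThis's fixed line format (section code, then the registry location and target), so the by-eye triage can be scripted. This is an added example, not the thread's or HijackThis's own code; the sample lines are copied from the log quoted above (plus one constructed clean ctfmon entry), and the heuristics are assumptions based on the expert's checklist.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis's
own code).  Flags the patterns the expert called out above: startup entries
launched from a Temp folder, Shell/UserInit hijacks in the F2 section,
RUNDLL32 loading a DLL by bare name, BHOs whose file is missing, and a
custom text/html MIME filter (O18)."""
import re

# Constructed sample: lines from the log quoted above, plus one clean entry.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\yatnw.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jvbrhog.exe
O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINNT\system32\ejrwx8drl.dll (file missing)
O4 - HKLM\..\Run: [WFk2] C:\documents and settings\david\local settings\temp\WFk2.exe
O4 - HKLM\..\Run: [w00a71c4.dll] RUNDLL32.EXE w00a71c4.dll,I2 0001ee91000a71c4
O4 - HKCU\..\Run: [Hdcld] C:\WINNT\system32\?ttrib.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINNT\system32\ctfmon.exe
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINNT\system32\ejrwx8drl.dll
"""

TEMP_DIR = re.compile(r"\\(local settings\\temp|locals~1\\temp|temp)\\", re.I)

def triage_line(line):
    """Return the reasons this log line deserves attention ([] if none)."""
    reasons = []
    sec, _, body = line.partition(" - ")
    if sec == "F2":
        key, _, value = body.partition(": ")[2].partition("=")
        # Legitimate values are exactly "Explorer.exe" and a lone
        # "...\userinit.exe,"; anything appended after a comma is a hijack.
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if key.lower() == "shell" and parts != ["Explorer.exe"]:
            reasons.append("Shell hijack: extra program launched with Explorer")
        if key.lower() == "userinit" and len(parts) > 1:
            reasons.append("UserInit hijack: extra program runs at logon")
    elif sec == "O4":
        target = body.split("] ", 1)[-1]          # text after "[Name] "
        if TEMP_DIR.search(target):
            reasons.append("autorun from a Temp folder")
        if "?" in target:                         # HijackThis renders odd chars as "?"
            reasons.append("unprintable character in path")
        m = re.match(r"rundll32(?:\.exe)?\s+([^,\s]+)", target, re.I)
        if m and "\\" not in m.group(1):
            reasons.append("RUNDLL32 loading a DLL by bare name")
    elif sec == "O2" and "(file missing)" in body:
        reasons.append("BHO registered but file missing")
    elif sec == "O18" and body.lower().startswith("filter: text/html"):
        reasons.append("custom text/html MIME filter (page content injection)")
    return reasons

def triage(log):
    """Map each flagged log line to its list of reasons."""
    return {l: r for l in log.splitlines() if (r := triage_line(l.strip()))}
```

    Run against a full log, the clean entries (like the ctfmon line) drop out and only the lines worth researching remain, each with the reason it was flagged.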


    Author Comment

    It looks like I need to do a repair of the OS now...
    I was able to look up and remove the SSK by following directions in another post. Everything looked fine; I then installed antivirus and Ad-Aware (again) as well as the firewall. Everything was working fine until I rebooted. Over half the icons have 'incorrect' icons, and no system/program files can be found when I try to run anything. YIKES.

    Author Comment

    LVL 47

    Expert Comment

    Did you run the BFU? That should've taken care of Qoologic, the PurityScan uninstaller takes care of PurityScan files, and Killbox takes care of the others.

    Try rolling back to a date before you got infected by using System Restore console.

    Start > All Programs > Accessories > System Tools > System Restore
    and pick a date before you got infected.

    Bear in mind that any programs you installed, updates or drivers that you've installed after this date would need to be reinstalled.

    Author Comment

    I tried System Restore, but it said the system file was not there to perform that operation. Something 'ate' up my system files. I am now doing a repair of the OS. Luckily, not much but Office is installed on this PC. I backed up data/personal files, .pst, etc. to another drive I had on the network (early on, before attempting to clean it). Will it still be infected after the repair?

    Author Comment


    Now I am getting kicked out of the install with the error:
    windows cannot open this file, rundll.exe...
    Should I format the drive and start from scratch... this is terrible! Will lead me to a glass of wine!

    Author Comment

    Oops, rundll32.exe is the file it doesn't know what to do with.

    Author Comment

    I just turned off the power button on that dang computer... format and reinstall I hope!  Suggestions?
    LVL 47

    Accepted Solution

    A repair or reinstall of the OS will not get rid of the nasties in your system. It's just too bad that System Restore did not work; it would have cleaned it if rolled back to a clean restore point.

    A format would be the best option, which will get rid of all infections.
    LVL 32

    Expert Comment

    Yes, that is some tough malware. If you are quite sure that important files are backed up to a safe place then a re-format may be in order. Don't overlook things like e-mail, IE favorites etc.

    If you want to try something in-between, you can do a clean install of XP, i.e. install it to a new folder (e.g. to c:\WINDOWS instead of C:\WINNT). Then when you're sure everything is running OK you can delete the old infected c:\WINNT folder. This will preserve your own files and put them at less risk, though a good backup is still highly recommended.

    Also, don't forget to apply SP2 and all other updates from the Windows Update web site after reinstall.
