Does my laptop have spyware?

By livinlovinit
Feb 18, 2009
Topic Status:
Not open for further replies.
  1. Hello, I am just wondering if I have a virus or spyware because every time I log in to my laptop the wallpaper is gone and so are the icons. Everything is gone except my MSN Messenger and the sidebar that came with Vista. It's until I log in the second time, everything is there but feels like it's performing slowly. I also get the "KeyAccess for windows has stopped working" sometimes. Also when I put my USB key in, the auto run feature doesn't pop up. I will have to go to "My Computer" to view it.

    My HijackThis Log is attached

    Please, any help will be appreciated, I can't bear the thought that someone is watching me through my computer.

    Thank you in advance

  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Restart

    Install Avira free AntiVirus

    Open HJT Scan only, and place a tick in every box where the entry finishes with "File Missing". Then select FIX

    Then follow this guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    By the way your Autorun can be fixed by going here: http://support.microsoft.com/kb/953252
  3. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Thank you so much for replying. So I am guessing that I do have spyware on my laptop. I will still do what you said I should, but post back here if I have any more questions.
    Thank you

    Hi, here are the logs of the required 8 step rule. I will await your reply

    Here's the HijackThis Log

    Sorry, here's the mbam
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    This quoted part was not done, and still needs to be done

    Your SuperAntiSpyware log caught quite a few spywares, it may be best to run it again

    Here is your next step though:

    Please download and run SDFix (I'm sorry, but I must refer you to this tutorial on its use, scroll down to "SDFix Instructions")

    Download, and run the "RunThis.bat" in Safe Mode, as advised
    Then attach the log and a new HJT log
    Oh by the way, it says that it may take 20mins to scan! (Mine took over an hour to complete!)
  5. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Oh, I'm sorry, I thought I did. Well I scanned with HijackThis again, and removed the "File Missing" ones, and it's okay you referred me to the tutorial, I appreciate it....I will scan with SuperAntiSpyware again and the SDFix in safe mode

    Thank you
  6. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Hi, I scanned with Malwarebytes Anti-Malware and with SuperAntiVirus in safe mode, however I couldn't get SDFix to run the RunThis.bat.....I checked all the possible things to cause it not to work via the tutorial. It seems that it isn't working because it is compatible to the 32-bit computers. My computer is 64-bit. I still did a scan with HijackThis in safe mode and have both SuperAntiVirus and HijackThis Logs. I notice that the HijackThis for some reason can't remove the "File Missing" for some reason =s. Also the Malware says I'm not infected, but I don't believe it because when I log in to my computer, the desktop still acts funny =s
  7. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please startup HijackThis and do a scan only
    On all listed entries below, place a tick in the associated entry box
    Close all Internet browsers (like Internet Explorer or Firefox) Actually close any other program that's running too.
    Then select FIX to all:
    Close the HijackThis blank Window
    And then restart

    Run CCleaner again
    And then run one more HijackThis scan and log, and attach it to a new reply :)
  8. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Okay, so I did the scan with HijackThis and deleted all the items you posted. However the very first one, the O1 - Host: ::1localhost didn't delete from what I understand. HijackThis said:

    "Error Details: An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=01 - Hosts: ::1localhost)"

    Windows version: Windows NT 6.00.1905
    MSIE version: 7.0.6001.18000

    HijackThis version: 2.0.2


    I rested my laptop as you said and ran the CCleaner and HijackThis again, here's the Log

    Am I free from this Spyware? (I hope so)
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    That's strange, all the file missing and everything I quoted is still there :confused:

    Please go to Users in Control Panel, and confirm that you are an Administrator
    If you are, then there must be policies set. In which case do my above post in Safe Mode, but log on to Administrator account
  10. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Here's the HijackThis Log. The "file missing" codes won't delete for some reason. I restarted several times, repeated the process several times and it still won't go away =s this is a stubborn spyware =D.

    Oh I just wanted to mention that I backed up the files I still want to keep on this laptop to a CD. I TRULY APPRECIATE YOUR HELP, but this spyware is really getting to me, and I can't really work in school knowing that this laptop is "infected". I need this laptop to make it through college because my program requires us to be able to use a laptop. It seems that this spyware is really tough to get rid of. So I just might reformat this laptop, but if I still have a few steps to go, I will, but if reformatting it will do the trick, why not, I just hope it didn't jump to the CD I used to keep the files I still want =D

    I will await your reply about my decision and your advice if I should reformat or not

    Once again THANK YOU FOR ALL YOUR HELP I APPRECIATE IT =D
  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Download Combofix
    Lots of info on its use here
    Direct download here

    Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
    ComboFix will also restart your computer (eventually) and then (eventually) create a log

    Save this log file to be attached to a new reply

    Then run HJT scan
    Remove (tick and Fix all) all the "file missing" entries one last time (just get most for a test)
    Restart (this is a must)
    Do another scan with HJT (scan and log file) and attach this to a new reply (without the "file missing" entries, I hope ;) )
  12. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Umm, ComboFix won't work on my 64 bit Vista laptop. It says: Incompatiable OS. ComboFix only works for Windows 2000 and XP and then has it in several different languages after.
    That message pops up after a small blue screen flashes for about 1 second, I can't read what it says but I believe it's from the ComboFix running =s
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Hmm I seem to be at a full stop (This is not normal)
    Depending upon how long you wish to wait, I might ask for one of our other Malware specialists to have a look (which I thought I might be, up until now)
     
  14. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    lol, it's okay, but I am just wondering, if I were to reformat my laptop, will it all go away???
  15. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Um Yes :)

    There is some corruption, but if you want to remove the Partition or reinstall Windows Vista. If you have a Windows Vista DVD look here for the guide: http://www.windowsreinstall.com/winvista/index.htm (index page)

    If you have a Manufacturer re-image Disc, then go for it

    Up to you, and it'll get me out of strife too ;) :D
  16. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    I would like your malware specialist to have a look but since it's the weekend I can use this time to start the reformatting. College is going to be hard if I don't have a working computer lol. I do have the DVD to reinstall Vista, I made sure I backed up my laptop the first day I got it, just in case I had a problem like this.

    Once again thank you for your assistance =)
  17. mflynn

    mflynn Newcomer, in training Posts: 2,793

    First SDFix will not run under Vista.

    I have had it run on a few of my clients' workstations that I have tweaked (turned off many unneeded services, UAC, etc.).

    On some others with the very same tweaks it will not run. But SDFix under Vista is not supported by its author.

    All the HJT entries with the @ exist on all 64 BIT Vista and HJT will not remove and are harmless and will be right back after a format and install.

    So livinlovinit give us a status report on how computer works (is original issue fixed?) and any issues we may not be aware of.

    But ComboFix should run (unless I have missed the fact that it is a 64 bit issue) and we do need its log.

    So do the following
    In Control panel in User Accounts turn off UAC and reboot (back on after we finish).

    Then Start-Run
    type
    Combofix /u
    Click OK or hit Enter key
    This uninstalls ComboFix

    Now download fresh ComboFix, then rename it to 12CBF34.exe.

    Now try to run
    If no joy then right click the Icon and choose "Run as Administrator"
    If no joy then right click the Icon and choose Properties-Compatibility, choose Windows XP SP2, click apply and OK
    Then Run as Administrator again.

    This don't work we will drop back and punt!

    Mike
  18. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Hello Mike, thank you for replying. I ended up reformatting my laptop, twice. Everything seems to be okay, I even notice that some of the devices on the laptop has not stopped working. But something seems funny, so I did a scan with HijackThis and notice the @ entries are still there =( Here's the log. Oh and yes my laptop is a 64 bit laptop

    I am currently downloading the ComboFix but I am having a hard time understanding the UAC you're talking about and this part

    "Now try to run
    If no joy then right click the Icon and choose "Run as Administrator"
    If no joy then right click the Icon and choose Properties-Compatibility, choose Windows XP SP2, click apply and OK
    Then Run as Administrator again."

    I will post back about the ComboFix when done downloading
  19. mflynn

    mflynn Newcomer, in training Posts: 2,793

    You jumped the gun, I don't think a format reinstall was necessary!

    And apparently you did not read my last post!
    No 64 bit drivers for these items so no issue, no problem your computer is running the 32 bit versions for these entries.

    Mike
  20. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    Oh, I'm sorry, I understand about the @ entries comment you said.......so does that mean I'm spyware free....am I still infected???
  21. mflynn

    mflynn Newcomer, in training Posts: 2,793

    No if you just formatted and reinstalled you should be clean.

    Those entries mean nothing.

    If there were 64 Bit versions of these entries they would not have the (file missing) but may still not be able to be removed until HJT becomes 64bit.

    Forget them!

    Mike
  22. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Normally all "file missing" entries can be safely removed
    I'm going to have to find more information about this, as I've not seen this issue before
    If you happen to know the MS support link concerning this issue, I'd be interested in reading it.
  23. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    oh, okay, for a sec I thought my recovery disk was infected too lol

    So let me try and understand the last post, the "file missing" entries are suspicious but not high risks of a spyware attack, but nonetheless forget about it

    Once again, thank you so much =D
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK I will try to explain more.

    When you have a 64 bit computer/OS there are possibly 2 set of drivers/programs.

    64bit and 32bit. This just means at 64 bit the computer only has to take one bite (in the terms of eating) to process something. If it took 1000 bites at 32 bit it would need only 500 bites at 64bits.

    There is a shortage of 64bit drivers for a lot of applications. There is also a shortage of 64bit programs.

    All the 64bit entries in the HJT log have an @ sign like
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

    To prove the above line is harmless if the Spoolsv was not working then you would not be printing! It has dropped back to 32bits to do this.

    And the 32 bit have this or no mention at all or the (x86) which is 32bit like
    C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-Aware.exe (x86) designates 32bit.

    The reason you do not need to worry is that the 32bit versions of all those entries with @ sign in their name are running and therefore do not show up. They would show up without the @ sign (32bit) if they really were missing and HJT could then remove the entries.

    So in this case it is a compatibility issue; there are no 64 bit versions of these so it is impossible for them to run.

    The reason HJT can not remove them is HJT is not 64Bit and may also be affected by the @ sign.

    Is that as clear as mud?

    Mike
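Added example, not part of the thread or of HijackThis: a small Python triage of O23 service lines that separates the pattern described in the post above (display name starting with `@`, image under System32, marked "(file missing)") from other missing-file entries. The line layout is inferred from the one entry quoted in that post; the other sample lines and the verdict labels are constructed for illustration.

```python
import re

# O23 line layout inferred from the single entry quoted in the post above:
#   O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?)"
    r" - (?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

# First line is quoted in the thread; the remaining lines are constructed samples.
SAMPLE_LOG = "\n".join([
    r"O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)",
    r"O23 - Service: Example Updater (ExampleSvc) - Unknown owner - C:\Program Files (x86)\Example\upd.exe (file missing)",
    r"O23 - Service: Example Guard (ExampleGuard) - Example Corp - C:\Program Files (x86)\Example\guard.exe",
    "O4 - HKLM\\..\\Run: [Example] C:\\Example\\tray.exe",
])


def classify(line):
    """Return (service_name, verdict) for an O23 line, or None for other lines."""
    m = O23.match(line.strip())
    if m is None:
        return None
    if m.group("missing") is None:
        return m.group("name"), "present"
    at_name = m.group("display").startswith("@")
    in_system32 = "\\system32\\" in m.group("path").lower()
    if at_name and in_system32:
        # Pattern the thread reports on 64-bit Vista even after a reinstall:
        # confirm the file from a native 64-bit view instead of "fixing" it.
        return m.group("name"), "recheck-natively"
    # Missing file outside that pattern: look at it individually.
    return m.group("name"), "review"


def triage(log_text):
    """Classify every O23 line in a pasted HijackThis log."""
    return [r for r in map(classify, log_text.splitlines()) if r is not None]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG):
        print(f"{name:15} {verdict}")
```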
  25. livinlovinit

    livinlovinit Newcomer, in training Topic Starter

    OH MY GOD, NO WONDER....it makes sense, the (x86)...lol yes that was clear as mud. Thank you