TechSpot

Girl in trouble! Can't get rid of spyware infections

By realdallasdiva
Apr 2, 2008
  1. Help! I've run at least 5 different scan programs, pc doctor, windows defender, adaware, etc. with no luck. I keep getting these darn pop ups. Can someone help me out? What do you need from me?
    Thanks in advance!
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hello realdallasdiva,

    Welcome to Techspot. We are extremely busy around here, so please be patient with us. I am subscribed to your thread so will get email notification of your replies.

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)AVG log
    2)Combofix log
    3)Hijackthis log (Step 15)

    This thread is for the use of realdallasdiva only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    wow, some homework!

    I have 4 logs b/c the combofix wouldn't work, used the Deckard scanner with 2 logs.

    Also, found nothing on the antirootkit.
    let me know if I missed something.

    Thanks again!
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First Run
    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
      *****************************************************************************************************************

      Remove bad HijackThis entries
      • Run HijackThis (Right click and select Run As Administrator)
      • Click on the System Scan Only button
      • Put a check beside all of the items listed below (if present):

        O4 - HKCU\..\Run: [fcwglzdo] C:\ProgramData\fcwglzdo\evybwjsz.exe
        O4 - HKCU\..\Run: [2redtvm0iD] C:\ProgramData\urcduren\abqpepsr.exe
        O4 - HKCU\..\Run: [YLvPSPGHIc] C:\ProgramData\urcduren\abqpepsr.exe
      • Close all open windows and browsers/email, etc...
      • Click on the "Fix Checked" button
      • When completed, close the application.

      ********************************************************************************************************

      Avenger by Swandog
      • Download Avenger by Swandog and unzip it to your Desktop.

        Note: This program must be run from an account with Administrator privileges.
      • Open the Avenger folder and Right click/Run as Administrator Avenger.exe to launch the programme.
      • Copy the text in the code box below and Paste it into the Input script here: box.
      Code:
      Files to delete:
      C:\ProgramData\urcduren\abqpepsr.exe
      C:\ProgramData\fcwglzdo\evybwjsz.exe
      C:\Users\Heather\Desktopfilemanagerclient.exe
      C:\Users\Heather\Desktopfwebd.exe
      C:\Users\Heather\DesktopFWebdEditor.exe
      
      Folders to delete:
      C:\Users\All Users\urcduren
      C:\Users\All Users\fcwglzdo
      C:\Users\Heather\Desktopvirii
      C:\3f369c4a80ba67281b3c095a4ff56138
      • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

      • Ensure the following:
        • Scan for Rootkits is checked.
        • Automatically disable any rootkits found is Unchecked.
      • Press the Execute key.
      • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
      • Attach the log back here please. (it can also be found at C:\avenger.txt)
      ********************************************************************************************************

      Afterwards please run a fresh scan with Hijackthis

      Attach here
      1)MBAM log
      2)avenger.txt
      3)new Hijackthis.log

      This thread is for the use of realdallasdiva only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
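
Added example, not part of the thread or of any poster's instructions: a small Python triage of HijackThis O4 (autorun) lines like the ones listed for removal in post 4. The two heuristics (executable in a user-writable directory; one executable registered under several value names), the function names and the fourth sample line are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Sample input: the three O4 lines quoted in post 4, plus one constructed
# benign-looking entry (ExampleUpdater) for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [fcwglzdo] C:\ProgramData\fcwglzdo\evybwjsz.exe
O4 - HKCU\..\Run: [2redtvm0iD] C:\ProgramData\urcduren\abqpepsr.exe
O4 - HKCU\..\Run: [YLvPSPGHIc] C:\ProgramData\urcduren\abqpepsr.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Vendor\updater.exe" /background
"""

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK(?:CU|LM))\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
# Executable path at the start of the command line, quoted or not.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|scr|bat|cmd|vbs|dll))"?(?:\s|$)', re.I)
# Assumption of this example: locations a standard user can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\documents and settings\\")

def parse_o4(log):
    """Return one dict per registry autorun (O4) line in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe = EXE_RE.match(cmd)
        path = (exe.group(1) if exe else cmd).lower()
        entries.append({"hive": hive, "key": key, "name": name, "path": path})
    return entries

def triage(entries):
    """Flag autoruns worth a closer look; returns (name, path, reasons) tuples."""
    names_by_path = defaultdict(set)
    for e in entries:
        names_by_path[e["path"]].add(e["name"])
    findings = []
    for e in entries:
        reasons = []
        if e["path"].startswith(USER_WRITABLE):
            reasons.append("runs from user-writable directory")
        if len(names_by_path[e["path"]]) > 1:
            reasons.append("same executable under several value names")
        if reasons:
            findings.append((e["name"], e["path"], reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(parse_o4(SAMPLE_LOG)):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
```

A flagged line is a prompt for review, not a verdict; legitimate software also installs per-user autoruns.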
     
  5. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    error: a valid script must begin with a command directive

    that's what it said when I copied and pasted the code in the box and pressed execute.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Try typing the commands into avenger instead of copy and paste
     
  7. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    new logs

    ok, here they are!
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you right click avenger and select Run As Administrator before running the script?
     
  9. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    avenger

    didn't give me the option. I right click and I can do the usual things, open, send to, extract all, open with, properties....not run as admin

    is that a problem?
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Sounds like you are clicking on a folder, you have to right click on the actual Avenger.exe file
     
  11. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    ok, I did it right this time, I hope...I also ran a new hijackthis and attached
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Manually navigate to and delete the following folders if there:

    Go to start computer then navigate to the folders, then right click the folder and select delete:

    C:\Users\All Users\urcduren
    C:\Users\All Users\fcwglzdo

    ------------------------------------------------------------------------------------------------------

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  13. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    kaspersky

    here ya go!
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good Job! Now let's secure the work you have done!

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger every time you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
     
  15. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    combofix

    I had a problem with combofix and ran the Deckard scanner...so the combofix step needs to be amended?
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It will still uninstall combofix, unless you already uninstalled.

    And that is why I included the just in case part at the bottom of the last post
     
  17. realdallasdiva

    realdallasdiva TS Rookie Topic Starter

    Thank you

    Thank you Blind Dragon! This took a couple days, but you were so patient with me. I owe you!
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Not a problem. If you have any more issues please let me know through this thread.

    Regards,

    Blind Dragon
     
Topic Status:
Not open for further replies.
