My computer crushed when I ran spybot in safemode?

[cheesezgigi]

Hello everyone
I need help with removing spyware/malware from my computer, I was infected with secrity toolbar 7.1 spyware and I tried to follow the instruction from the post Viruses/Spyware/Malware, preliminary removal instructions but when i tried to run spybot in safe mode my computer just crushed and shut itself down. Please anyone know what i should do?
Thank you

 

[kimsland]

You may also have a faulty Ram issue. (to top it off)
You can run Memtest from HERE to confirm

 

[cheesezgigi]

somehow i can run avg anti spyware and ad-aware in normal window, I haven't have a chance to do the un memtest because my computer is still scanning with ad-aware.
thanks tho i will let you know after i finished scanning

 

[Blind Dragon]

Just so you know it's not that rare for a computer to blue screen when heavily infected and running scans from safe mode. I actually just finished cleaning one that would blue screen everytime I ran AVG in safe mode. After it was clean no problems.

I'm not ruling out faulty ram just letting you know

 

[cheesezgigi]

I ran spybot in normal window mode and its worked so I went back to safe mode and ran it again just to see what happened and it crushed again so right now I am running avg anti-spyware in safe mode just to see what will happen..so what should I do if everytime I run spybot in safe mode and it crushed?what other way I can get my computer clean??

 

[Bobbye]

Don't run Spybot in Safe Mode unless that's the only way you can run it. I do all my scans in Normal Mode.

 

[cheesezgigi]

well I was trying to follow the instruction from the post so I should just run all the anti-spyware in normal mode??

 

[Blind Dragon]

It is ok to run from normal mode if you are crashing in safe mode. Just make sure you attach AVG log, Hijackthis log, and combofix log

 

[cheesezgigi]

Hello everyone again
so I've been working on this the whole day and I think I did the best I can with my limited knowledge
I followed the instructions but I couldn't downloaded tool3 at step10 so I skipped that
and I couldn't run spybot in safe mode so I did all my antispyware in normal mode
here are my 3 logs
please help me
Also I ran AVG anti spyware twice and I uploaded the most recent one do u need to see the first one?if so I will post it up

 

[cheesezgigi]

I think I got rid of secruity toolbar 7.1, but I still have pop up internet explorer that direct me to some ads site, please anyone has any input as to what I should do next ??
any help is much appreciated!

 

[Bobbye]

If you can see the Domain of the pop-up, you can restrict it.

First, when you get the pop-up, look in the lower left of the screen. you will see an internet address./ There will be a .com or .net. Notice the word right before either of these- that's the Domain.

Now open Internet Options in either Tools or the Control Panel> Security tab> Restricted sites> Sites> type the Domain in, followed by the dot com or dot net, like this:
badad.com or badad.net. Then click on Add Apply> OK.

That will prevent that from displaying again. But you should be using some kind of pop-up blocker. If you use the Google Toolbar, it has a good one. If not, find another one.

 

[cheesezgigi]

I do have google toolbar but somehow it still manage to pop up , one of my friend took a look at my hackjackthis log and he said there are a lot of suspicious things do u think u can look at my log and tell me what exactly is wrong??
thanks again

 

[kritius]

You appear to have a problem called securepccleaner.

Download and use SDFix. See a detailed guide HERE

If this does not work then are here are some manual deletion instructions.

Use Windows File Search Tool to Find SecurePCCleaner Path

Go to Start > Search > All Files or Folders.

In the "All or part of the the file name" section, type in "SecurePCCleaner" file name(s).

To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.

When Windows finishes your search, hover over the "In Folder" of "SecurePCCleaner", highlight the file and copy/paste the path into the address bar.

Save the file's path on your clipboard because you'll need the file path to delete
SecurePCCleaner in the following manual removal steps.
"SecurePCCleaner" files can be found in the directory path(s):
%ProgramFiles%\Common Files\SecurePCCleaner
%ProgramFiles%\SecurePCCleaner

Use Windows Task Manager to Remove SecurePCCleaner Processes

To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
Click on the "Image Name" button to search for "SecurePCCleaner" process by name.
Select the "SecurePCCleaner" process and click on the "End Process" button to kill it.
Remove the "SecurePCCleaner" processes files: stm.exe

Use Registry Editor to Remove SecurePCCleaner Registry Values

To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
To delete "SecurePCCleaner" value, right-click on it and select the "Delete" option.
Locate and delete "SecurePCCleaner" registry entries:
*\shellex\ContextMenuHandlers\secure_del
ugdccw
SecurePCCleaner

Detect and Delete Other SecurePCCleaner Files


Do this by Start > Run > type cmd and then press the "OK" button.

To delete the entire folder, type in "rmdir /S name_of_the_folder".
Select the "SecurePCCleaner" process and click on the "End Process" button to kill it.
Remove the "SecurePCCleaner" processes files:
stm.exe
gdcw
Uninstall SecurePCCleaner.lnk
SecurePCCleaner web page.lnk
SecurePCCleaner unregistered.lnk
SecurePCCleaner

also run Hijackthis and delete the following files if there

O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)

O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)

O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\SecurePCCleaner\stm.exe" dm=http://securepccleaner.com ad=http://securepccleaner.com sd=http://ilp.securepccleaner.com

O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Post a new log

Hope this helps

 

[cheesezgigi]

I encountered a lot of problem when I tried to follow your instruction Kritius (but thanks for trying to help me =) first when I tried to use SDFix in safe mode, my computer crushed again!(same as running spybot in safe mode!) and gave me the black screen, so I tried to do it manually but I tried to open my Window Task Manager, it only show a box with three button "end task" "switch to" "new task..." all the other functions are missing!(such as the top parts applications, processes, services..etc" do u know why this is happening?
and I couldn't Use Registry Editor to Remove SecurePCCleaner Registry Values, maybe i am not following the direction clearly
but I managed to delete all the files as listed in your post from hijackthis
also AVG resdent shield always dected threat while opening file: C:\\Windows\system32\drivers\hprocess.sys Trojan horse PSW. Agent.AMF whenever I ran HiJackthis and it couldn't be heal so I just clicked ignored.

Here is my new Hijackthis log
any advice is greatly appreciated!!thanks again Kritius for helping such a clueless computer ***** like me =b

 

[cheesezgigi]

I ran spybot again and it found "SearchNet" and couldn't remove it anyone know what I can do to get rid of it?

 

[kimsland]

Kill processes:
searchnet.exe, servehost.exe, serveup.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdnctr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchNet_Up
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[X]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[X]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[X]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ

Delete files:
searchnet.exe, servehost.exe, serveup.exe, snhpr.dll, srvnet32.dll, anfad.sys, fad.sys

Delete directories:
C:\Program Files\SearchNet

 

[Blind Dragon]

Wow, how did you get so many infections. Let's try to get some of that off there, we also need to deal with the rootkits. If this were my computer I would wipe the hard drive and start over, if you really want to attempt to fix it I will work with you but no guarantees

Also, I must tell you -> It will be easier and less time consuming to reinstall your operating system from scratch than it will be to remove these. If you cannot reinstall then please follow below. I will try my best to get it clean. But you should know what you are infected with, I have edited at the bottom of the page with a description

1)First go to Start -> Control Panel -> Add/remove programs -> Remove any entries which have to do with Viewpoint and QQdoctor and PPfilm and Tencent


2)CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

File::
C:\Program Files\3721\assistse.exe
C:\Documents and Settings\hui yang\Application Data\installer_en[1].exe

Folder::
C:\Program Files\ppfilm
C:\Documents and Settings\hui yang\Application Data\SecurePCCleaner
C:\Program Files\Common Files\SecurePCCleaner
C:\Documents and Settings\All Users\Application Data\SecurePCCleaner
C:\Documents and Settings\hui yang\Application Data\winpcdoctor
C:\Program Files\Common Files\WinPCDoctor
C:\Documents and Settings\All Users\Application Data\winpcdoctor
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Program Files\HFEE
C:\Documents and Settings\hui yang\Application Data\Move Networks
C:\Program Files\3721

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jfproc"="C:\Program Files\ppfilm\jfCacheMgr.exe" [2007-08-13 10:53 655360]
"Salestart(1)"="C:\Program Files\Common Files\SecurePCCleaner\stm.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\assistse]
C:\PROGRA~1\3721\assistse.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\helper.dll]
C:\PROGRA~1\3721\helper.dll

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

3)Show hidden files through windows explorer

• Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
• On the Tools menu in Windows Explorer, click Folder Options.
• Click the View tab.
• Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O2 - BHO: QQCycloneHelper - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
O4 - HKCU\..\Run: [miniqqlive] "C:\Program Files\Tencent\QQLive\MiniQQLive.exe"
O4 - HKCU\..\Run: [QQDownload] "C:\Program Files\Tencent\QQDownload\QQDownload.exe" autostart
04 - Startup: ÌÚѶQQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O8 - Extra context menu item: &ʹÓ󬼶Ðý·çÏÂÔØ - C:\Program Files\Tencent\QQDownload\geturl.htm
O8 - Extra context menu item: &ʹÓ󬼶Ðý·çÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Tencent\QQDownload\getAllurl.htm
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\Tencent\qq\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O11 - Options group: [TBH] ¨¬¨²???D??????
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Use Windows Explorer to navigate to and delete the following files:

• Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E

Files:
C:\WINDOWS\system32\drivers\hprocess.sys<This file only
C:\WINDOWS\system32\drivers\Anfad.sys<This file only
C:\WINDOWS\system32\drivers\FAD.sys<This file only

Folders:
C:\Program Files\ppfilm <-This folder only
C:\Program Files\Tencent <-This folder only
C:\Program Files\3721<-This folder only
C:\Program Files\Viewpoint<-This folder only

After deleting the above Go to Start, click Search, click All files and folders, and then click More advanced options. Click the check boxes to Search system folders and Search hidden files and folders.

In the search box for All or part of the file name please type SecurePCCleaner If any instances are shown Delete them.

Search again this time for winpcdoctor If any instances are shown Delete them

Reboot the computer into Normal Mode

Run a fresh Scan with Hijackthis and attach the log here along with the C:\combofix.txt

Edit: After all that is done, I recommend you run spybot and AVG Antispyware from safe mode and remove anything they fiind

SearchNet is involved with all 3 rootkits. The one that concerns me can be found here
http://www.threatexpert.com/report.aspx?uid=5705cfd1-1e11-42ad-9949-17d48eb4845d

 

[cheesezgigi]

Hi Blind Dragon, I followed your instruction as much as i could, however I couldn't deleted the following:
Files:
C:\WINDOWS\system32\drivers\hprocess.sys<This file only
C:\WINDOWS\system32\drivers\Anfad.sys<This file only
C:\WINDOWS\system32\drivers\FAD.sys<This file only

I couldn't find them from the windows explorer but I know they are still there because when I run Hijackthis afterward, AVG screen pop up and find threat detected and it was the same "C:\WINDOWS\system32\drivers\hprocess.sys" but couldn't heal or move to vent becuase access denied.

and I couldn't Find the following folders I because I belived I uninstalled them already(?)
C:\Program Files\Tencent
C:\Program FIles\3721
C:\Program FIles\Viewpoint


I did run rootkits earlier but I didn't delete anything so I will post the log along as well
Please advice me what i should do next

 

[Blind Dragon]

Thank you for being patient. We made good progress so far. I am very busy and will try to have further instructions today.

For now I need to know if you added items to the Hijackthis ignore list.

 

[cheesezgigi]

Thank you Blind Dragon for helping me, you're very modest, you spend so much time helping other people and didn't charge a dime for it!You're the greatest!
I didn't put anything into ignore list
and also I got a error msg when I start up my windows
RUNDLL
Error loading
C:\PROGRA~\TENCENT\SSPlus\Spuis.dll
The specified module could not be found

and I still couldn't run my spybot in safe mode (shut down again)

 

[Blind Dragon]

Thats because the virus is trying to launch but we removed the program already.

The error is telling you that the program it is trying to load isn't there.

There are still quite a few infections and as I said I should have the next steps for you at some point today

 

[cheesezgigi]

Thanks Blind Dragon
I know my laptop is still in quite a trouble since its take uncomfortably long time to load up and to open a program
I will be waiting for your next instruction
Kimsland, I tried to follow your instruction to kill seachNet (i know its still there because I ran spybot again and its still pop up) but I couldn't find all the .exe u mentioned and I could located the registry value
so don't know exactly what cause it(?)

I just want to let U guys know you're are totally awsome!

 

[kimsland]

I ran spybot again and its still pop up

Where? In System Restore?

Spybots should also tell you the location or the filename or some other detail about the infection.

Open Spybots S &D
Click on Mode (on Spybots Toolbar)
Select Advanced
Select Yes
Select Tools (on the LHS)
Select View Report (up the top)
Select View Report (Top RHS)
Right click on the report, and Select All
Right click on the highlighted text, and select Copy

Paste the report into a new reply

 

[Blind Dragon]

Don't skip kimsland instructions above, but also do this:

KillBox

• Download KillBox and unzip/extract it to your desktop from HERE
• Launch Killbox and place a check in 'Delete on Reboot'.
  In the 'Full path of file to delete' box,copy and paste:
  

  C:\WINDOWS\system32\drivers\Anfad.sys

• Then press the option ALL Files button
• Then press the red button with the white cross.
• A confirmation box pops up asking if you want to reboot now. Select NO
• In the 'Full path of file to delete' box,copy and paste:
  

  C:\WINDOWS\system32\drivers\hprocess.sys

• Then press the red button with the white cross. It will provide a window for you to confirm the delete and it will ask if you now wish to reboot,select NO.
• In the 'Full path of file to delete' box,copy and paste:
  

  C:\WINDOWS\system32\drivers\FAD.sys

• Then press the red button with the white cross.It will provide a window for you to confirm the delete and it will ask if you now wish to reboot,select YES
• Allow it to reboot.
  If it doesn't reboot automatically,reboot manually.

Post any reports it gives you


'The Avenger by Swandog46'

• Download The Avenger by Swandog46 from here.
• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Click the Execute button.
• You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log, along with a new HijackThis log in your next reply.

 

[cheesezgigi]

kimsland
here is the spybot report without following blind dragon instruction he mentioned above
well searchnet couldn't be remove no matter how many i ran spybot so that's what i mean it keep on popping up

I will try to do what blind dragon said and see what will happen

thank you both!