TechSpot

My computer crashed when I ran Spybot in safe mode?

By cheesezgigi
Feb 28, 2008
  1. Hello everyone
    I need help with removing spyware/malware from my computer. I was infected with Security Toolbar 7.1 spyware and I tried to follow the instructions from the post Viruses/Spyware/Malware, preliminary removal instructions, but when I tried to run Spybot in safe mode my computer just crashed and shut itself down. Please, does anyone know what I should do?
    Thank you
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You may also have a faulty RAM issue (to top it off).
    You can run Memtest from HERE to confirm.
     
  3. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    Somehow I can run AVG Anti-Spyware and Ad-Aware in normal Windows. I haven't had a chance to run Memtest because my computer is still scanning with Ad-Aware.
    Thanks though, I will let you know after I finish scanning.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Just so you know, it's not that rare for a computer to blue screen when heavily infected and running scans from safe mode. I actually just finished cleaning one that would blue screen every time I ran AVG in safe mode. After it was clean, no problems.

    I'm not ruling out faulty RAM, just letting you know.
     
  5. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    I ran Spybot in normal Windows mode and it worked, so I went back to safe mode and ran it again just to see what happened, and it crashed again. So right now I am running AVG Anti-Spyware in safe mode just to see what will happen. So what should I do if every time I run Spybot in safe mode it crashes? What other way can I get my computer clean?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don't run Spybot in Safe Mode unless that's the only way you can run it. I do all my scans in Normal Mode.
     
  7. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    Well, I was trying to follow the instructions from the post, so I should just run all the anti-spyware in normal mode?
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It is OK to run from normal mode if you are crashing in safe mode. Just make sure you attach the AVG log, HijackThis log, and ComboFix log.
     
  9. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    Hello everyone again
    So I've been working on this the whole day and I think I did the best I can with my limited knowledge :confused:
    I followed the instructions but I couldn't download tool3 at step 10, so I skipped that,
    and I couldn't run Spybot in safe mode, so I did all my anti-spyware scans in normal mode.
    Here are my 3 logs.
    Please help me.
    Also, I ran AVG Anti-Spyware twice and I uploaded the most recent one. Do you need to see the first one? If so I will post it up.
     
  10. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    I think I got rid of Security Toolbar 7.1, but I still have Internet Explorer pop-ups that direct me to some ad sites. Please, does anyone have any input as to what I should do next?
    Any help is much appreciated!
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you can see the Domain of the pop-up, you can restrict it.

    First, when you get the pop-up, look in the lower left of the screen. You will see an internet address. There will be a .com or .net. Notice the word right before either of these; that's the Domain.

    Now open Internet Options in either Tools or the Control Panel > Security tab > Restricted sites > Sites > type the Domain in, followed by the dot com or dot net, like this:
    badad.com or badad.net. Then click on Add > Apply > OK.

    That will prevent that from displaying again. But you should be using some kind of pop-up blocker. If you use the Google Toolbar, it has a good one. If not, find another one.
     
  12. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    I do have Google Toolbar but somehow it still manages to pop up. One of my friends took a look at my HijackThis log and he said there are a lot of suspicious things. Do you think you can look at my log and tell me what exactly is wrong?
    Thanks again
     
  13. kritius

    kritius TS Guru Posts: 2,084

    You appear to have a problem called SecurePCCleaner.

    Download and use SDFix. See a detailed guide HERE

    If this does not work, then here are some manual deletion instructions.

    Use Windows File Search Tool to Find SecurePCCleaner Path

    Go to Start > Search > All Files or Folders.

    In the "All or part of the file name" section, type in the "SecurePCCleaner" file name(s).

    To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click the "Search" button.

    When Windows finishes your search, hover over the "In Folder" of "SecurePCCleaner", highlight the file and copy/paste the path into the address bar.

    Save the file's path on your clipboard because you'll need the file path to delete SecurePCCleaner in the following manual removal steps.
    "SecurePCCleaner" files can be found in the directory path(s):
    %ProgramFiles%\Common Files\SecurePCCleaner
    %ProgramFiles%\SecurePCCleaner

    Use Windows Task Manager to Remove SecurePCCleaner Processes

    To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
    Click on the "Image Name" button to search for the "SecurePCCleaner" process by name.
    Select the "SecurePCCleaner" process and click on the "End Process" button to kill it.
    Remove the "SecurePCCleaner" processes files: stm.exe

    Use Registry Editor to Remove SecurePCCleaner Registry Values

    To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
    Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
    To delete "SecurePCCleaner" value, right-click on it and select the "Delete" option.
    Locate and delete "SecurePCCleaner" registry entries:
    *\shellex\ContextMenuHandlers\secure_del
    ugdccw
    SecurePCCleaner

    Detect and Delete Other SecurePCCleaner Files


    Do this by Start > Run > type cmd and then press the "OK" button.

    To delete the entire folder, type in "rmdir /S name_of_the_folder".
    Select the "SecurePCCleaner" process and click on the "End Process" button to kill it.
    Remove the "SecurePCCleaner" processes files:
    stm.exe
    gdcw
    Uninstall SecurePCCleaner.lnk
    SecurePCCleaner web page.lnk
    SecurePCCleaner unregistered.lnk
    SecurePCCleaner

    Also run HijackThis and delete the following files if they are there:

    O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)

    O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)

    O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\SecurePCCleaner\stm.exe" dm=http://securepccleaner.com ad=http://securepccleaner.com sd=http://ilp.securepccleaner.com

    O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)

    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    Post a new log

    Hope this helps
     
  14. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    I encountered a lot of problems when I tried to follow your instructions, Kritius (but thanks for trying to help me =). First, when I tried to use SDFix in safe mode, my computer crashed again! (same as running Spybot in safe mode!) and gave me the black screen, so I tried to do it manually, but when I tried to open my Windows Task Manager, it only showed a box with three buttons, "End Task", "Switch To", "New Task..."; all the other functions are missing! (such as the top parts: Applications, Processes, Services, etc.) Do you know why this is happening?
    And I couldn't use Registry Editor to remove the SecurePCCleaner registry values; maybe I am not following the directions clearly,
    but I managed to delete all the files as listed in your post from HijackThis.
    Also, AVG Resident Shield always detected a threat while opening file: C:\\Windows\system32\drivers\hprocess.sys Trojan horse PSW.Agent.AMF whenever I ran HijackThis, and it couldn't be healed, so I just clicked Ignore.

    Here is my new HijackThis log.
    Any advice is greatly appreciated!! Thanks again Kritius for helping such a clueless computer ***** like me =b
     
  15. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    I ran Spybot again and it found "SearchNet" and couldn't remove it. Does anyone know what I can do to get rid of it?
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Kill processes:
    searchnet.exe, servehost.exe, serveup.exe

    Delete registry values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdnctr
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchNet_Up
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[X]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[X]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[X]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ

    Delete files:
    searchnet.exe, servehost.exe, serveup.exe, snhpr.dll, srvnet32.dll, anfad.sys, fad.sys

    Delete directories:
    C:\Program Files\SearchNet
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Wow, how did you get so many infections? Let's try to get some of that off there; we also need to deal with the rootkits. If this were my computer I would wipe the hard drive and start over. If you really want to attempt to fix it I will work with you, but no guarantees.

    Also, I must tell you: it will be easier and less time consuming to reinstall your operating system from scratch than it will be to remove these. If you cannot reinstall, then please follow below. I will try my best to get it clean. But you should know what you are infected with; I have edited at the bottom of the page with a description.

    1) First go to Start -> Control Panel -> Add/Remove Programs -> Remove any entries which have to do with Viewpoint, QQdoctor, PPfilm and Tencent


    2) CFScript
    Open Notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

    3) Show hidden files through Windows Explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and turn Hide protected operating system files off.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
    O2 - BHO: QQCycloneHelper - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
    O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
    O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
    O4 - HKCU\..\Run: [miniqqlive] "C:\Program Files\Tencent\QQLive\MiniQQLive.exe"
    O4 - HKCU\..\Run: [QQDownload] "C:\Program Files\Tencent\QQDownload\QQDownload.exe" autostart
    04 - Startup: ÌÚѶQQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
    O8 - Extra context menu item: &ʹÓ󬼶Ðý·çÏÂÔØ - C:\Program Files\Tencent\QQDownload\geturl.htm
    O8 - Extra context menu item: &ʹÓ󬼶Ðý·çÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Tencent\QQDownload\getAllurl.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\Tencent\qq\AddEmotion.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O11 - Options group: [TBH] ¨¬¨²???D??????
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Use Windows Explorer to navigate to and delete the following files:
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.

    Files:
    C:\WINDOWS\system32\drivers\hprocess.sys<This file only
    C:\WINDOWS\system32\drivers\Anfad.sys<This file only
    C:\WINDOWS\system32\drivers\FAD.sys<This file only

    Folders:
    C:\Program Files\ppfilm <-This folder only
    C:\Program Files\Tencent <-This folder only
    C:\Program Files\3721<-This folder only
    C:\Program Files\Viewpoint<-This folder only

    After deleting the above Go to Start, click Search, click All files and folders, and then click More advanced options. Click the check boxes to Search system folders and Search hidden files and folders.

    In the search box for All or part of the file name, please type SecurePCCleaner. If any instances are shown, delete them.

    Search again, this time for winpcdoctor. If any instances are shown, delete them.

    Reboot the computer into Normal Mode

    Run a fresh Scan with Hijackthis and attach the log here along with the C:\combofix.txt

    Edit: After all that is done, I recommend you run Spybot and AVG Anti-Spyware from safe mode and remove anything they find.

    SearchNet is involved with all 3 rootkits. The one that concerns me can be found here
    http://www.threatexpert.com/report.aspx?uid=5705cfd1-1e11-42ad-9949-17d48eb4845d
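    The HijackThis lines quoted in posts 13 and 17 above follow a fixed "section - kind: name - {CLSID} - path (status)" layout, so the orphaned "(file missing)" entries and the autorun with URL arguments can be picked out mechanically. The following Python is an added example, not code from this thread or from HijackThis: it parses those lines (the sample input is constructed from the posts), and the triage rules, including the watch list of folders the helpers told the poster to remove, are my own heuristics rather than a HijackThis verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis log lines quoted in posts 13 and 17 of the thread (constructed sample input).
SAMPLE_LOG = r"""
O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\SecurePCCleaner\stm.exe" dm=http://securepccleaner.com ad=http://securepccleaner.com sd=http://ilp.securepccleaner.com
O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
"""

# Folders the helpers in this thread told the poster to remove; used here only as a watch list.
WATCH_FOLDERS = ("SecurePCCleaner", "Tencent", "Viewpoint", "ppfilm", "3721")
HEAD_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://[^\s\"]+")
STATUS_RE = re.compile(r"\s*\((?:file missing|no file|HKCU)\)")

@dataclass
class Entry:
    section: str            # e.g. "O2", "O4", "O23"
    kind: str               # e.g. "BHO", "Service", "HKLM\..\Run"
    name: str               # display name, or the Run value name for O4
    path: str               # executable/DLL path; "" when HijackThis shows "(no file)"
    clsid: Optional[str] = None
    file_missing: bool = False
    urls: List[str] = field(default_factory=list)
    raw: str = ""

def parse_entry(line: str) -> Optional[Entry]:
    """Split one HijackThis line into its fields; returns None for non-entry lines."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    clsid = CLSID_RE.search(rest)
    missing = "(file missing)" in rest or "(no file)" in rest
    if section == "O4":
        # O4 entries read: [value name] "command" arguments
        nm = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", rest)
        name, cmd = (nm.group("name"), nm.group("cmd")) if nm else ("", rest)
        pm = re.match(r'"([^"]+)"|(\S+)', cmd)
        path = (pm.group(1) or pm.group(2)) if pm else cmd
    else:
        # Other sections read: name - {CLSID} or owner - path [status]
        parts = [p.strip() for p in rest.split(" - ")]
        name, path = parts[0], STATUS_RE.sub("", parts[-1]).strip()
    return Entry(section, kind, name, path, clsid.group(0) if clsid else None,
                 missing, URL_RE.findall(rest), line.strip())

def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]

def triage(e: Entry) -> List[str]:
    """Reasons a helper would look twice at an entry; my heuristics, not HijackThis's verdict."""
    reasons = []
    if e.file_missing:
        reasons.append("points at a file that is gone (orphaned entry left behind after removal)")
    if e.section == "O4" and e.urls:
        reasons.append("autorun passes URLs on its command line (typical of ad/rogue software)")
    if e.section == "O23" and "Unknown owner" in e.raw:
        reasons.append("service with no identifiable publisher")
    hits = [f for f in WATCH_FOLDERS if f.lower() in {c.lower() for c in e.path.split("\\")}]
    if hits:
        reasons.append("lives under a folder named in this thread: " + ", ".join(hits))
    return reasons
```

    Run `triage(e)` over `parse_log(SAMPLE_LOG)`: the Sun Java Console entry comes back with no reasons, while the SecurePCCleaner autorun is flagged both for its URL arguments and for its folder.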
     
  18. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    Hi Blind Dragon, I followed your instructions as much as I could; however, I couldn't delete the following:
    Files:
    C:\WINDOWS\system32\drivers\hprocess.sys<This file only
    C:\WINDOWS\system32\drivers\Anfad.sys<This file only
    C:\WINDOWS\system32\drivers\FAD.sys<This file only

    I couldn't find them in Windows Explorer, but I know they are still there because when I ran HijackThis afterward, the AVG screen popped up and found a threat detected, and it was the same "C:\WINDOWS\system32\drivers\hprocess.sys", but it couldn't heal it or move it to the vault because access was denied.

    And I couldn't find the following folders because I believe I uninstalled them already(?)
    C:\Program Files\Tencent
    C:\Program Files\3721
    C:\Program Files\Viewpoint


    I did run the rootkit scans earlier but I didn't delete anything, so I will post the log along as well.
    Please advise me what I should do next.
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Thank you for being patient. We made good progress so far. I am very busy and will try to have further instructions today.

    For now I need to know if you added items to the Hijackthis ignore list.
     
  20. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    Thank you Blind Dragon for helping me. You're very modest; you spend so much time helping other people and don't charge a dime for it! You're the greatest!
    I didn't put anything into the ignore list,
    and also I got an error message when I start up my Windows:
    RUNDLL
    Error loading
    C:\PROGRA~\TENCENT\SSPlus\Spuis.dll
    The specified module could not be found

    And I still couldn't run Spybot in safe mode (shut down again).
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That's because the virus is trying to launch, but we removed the program already.

    The error is telling you that the program it is trying to load isn't there.

    There are still quite a few infections and, as I said, I should have the next steps for you at some point today.
     
  22. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    Thanks Blind Dragon
    I know my laptop is still in quite a bit of trouble since it takes an uncomfortably long time to load up and to open a program.
    I will be waiting for your next instructions.
    Kimsland, I tried to follow your instructions to kill SearchNet (I know it's still there because I ran Spybot again and it still pops up), but I couldn't find all the .exe files you mentioned and I couldn't locate the registry values,
    so I don't know exactly what causes it(?)

    I just want to let you guys know you're totally awesome!
     
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Where? In System Restore?

    Spybot should also tell you the location or the filename or some other detail about the infection.

    Open Spybot S&D
    Click on Mode (on Spybots Toolbar)
    Select Advanced
    Select Yes
    Select Tools (on the LHS)
    Select View Report (up the top)
    Select View Report (Top RHS)
    Right click on the report, and Select All
    Right click on the highlighted text, and select Copy

    Paste the report into a new reply
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Don't skip kimsland's instructions above, but also do this:

    KillBox
    • Download KillBox and unzip/extract it to your desktop from HERE
    • Launch KillBox and place a check in 'Delete on Reboot'.
      In the 'Full path of file to delete' box, copy and paste:
      Code:
      C:\WINDOWS\system32\drivers\Anfad.sys
    • Then press the ALL Files option button.
    • Then press the red button with the white cross.
    • A confirmation box pops up asking if you want to reboot now. Select NO.
    • In the 'Full path of file to delete' box, copy and paste:
      Code:
      C:\WINDOWS\system32\drivers\hprocess.sys
    • Then press the red button with the white cross. It will provide a window for you to confirm the delete and it will ask if you now wish to reboot; select NO.
    • In the 'Full path of file to delete' box, copy and paste:
      Code:
      C:\WINDOWS\system32\drivers\FAD.sys
    • Then press the red button with the white cross. It will provide a window for you to confirm the delete and it will ask if you now wish to reboot; select YES.
    • Allow it to reboot.
      If it doesn't reboot automatically, reboot manually.

    Post any reports it gives you


    'The Avenger by Swandog46'

    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Click the Execute button.
    • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log, along with a new HijackThis log in your next reply.
     
  25. cheesezgigi

    cheesezgigi TS Rookie Topic Starter Posts: 16

    kimsland
    Here is the Spybot report, without following Blind Dragon's instructions mentioned above.
    Well, SearchNet couldn't be removed no matter how many times I ran Spybot, so that's what I mean by it keeps on popping up.

    I will try to do what Blind Dragon said and see what will happen.

    Thank you both!
     
Topic Status:
Not open for further replies.
