TechSpot

Need help removing spyware

By culus
Nov 11, 2005
  1. Earlier today I opened a file which installed some kind of spyware on my computer. I got a message from Microsoft Antispyware telling me a program called UCmore was trying to install. I received two options, allow or remove. I clicked remove, but it didn't do the trick. Now I keep getting popups at least once per minute.

    Last time I tried to remove spyware from my computer myself using HijackThis, I screwed the computer up even more; that's why I thought I might ask for expert help this time. I have attached a HijackThis log...
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    C:\Documents and Settings\Ørjan Storebø\Skrivebord\HijackThis.exe
    Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop/Skrivebord!

    First Read: Only use these HJT-instructions when asked!
    /R/ unRegister the xxx.DLL in that line
    Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
    Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
    ...................................................................................................
    Fix ALL your O1 - Hosts: entries
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
    Fix ALL your O16 - DPF: entries
    /R/ O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\fp6203joe.dll
    ...................................................................................................

    STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
     
  3. culus

    culus TS Rookie Topic Starter

    For some reason I'm not able to /R/ O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\fp6203joe.dll. Every time I reboot my computer the file changes its name, and when I try unRegistering it I get a message saying it is in use by another program, even when I close explorer in the task manager in safe mode. I still get popups all the friggin time.
     
  4. beerabuser30

    beerabuser30 TS Enthusiast Posts: 200

    Kind of a dumb question but do you have adaware? And have you tried running it?
     
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Go to http://forums.spywareinfo.com/index.php?showtopic=40153

    * Download FindIt9Xme.zip here: http://www.thatcomputerguy.us/downloads/findit9xme.zip
    * Unzip the contents of FindIt9Xme.zip to a convenient location.
    * Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
    * A command prompt will open and it will search your computer for malicious files.
    * Once it has finished a Notepad window will pop up with output.txt.
    * Copy/paste the entire contents of output.txt into your next post.

    PLEASE DO NOT REBOOT or power down the computer, until I reply back or the infected file names will change!!!
     
  6. culus

    culus TS Rookie Topic Starter

    Here's the log you asked for:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ------- System Files in System Directory -------

    Volumet i stasjon C er uten navn.
    Volumserienummeret er 2848-9915

    Innhold i C:\WINDOWS\System


    ------- Hidden Files in System Directory -------

    Volumet i stasjon C er uten navn.
    Volumserienummeret er 2848-9915

    Innhold i C:\WINDOWS\System


    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{0DEDCFB1-74B8-8A7A-FC8F-2283AFCF773A}"=""


    ------------------ Locate.com Results ------------------

    No matches found.

    ------------ Strings.exe Qoologic Results ------------


    -------------- Strings.exe Aspack Results -------------


    ----------------- HKLM Run Key ------------------

    -------------- Strings.exe Umonitor Results -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="\"C:\\Programfiler\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
    "UpdReg"="C:\\WINDOWS\\Updreg.exe"
    "zBrowser Launcher"="C:\\Programfiler\\Logitech\\iTouch\\iTouch.exe"
    "Resume copy"="copyfstq.exe /startup"
    "DAEMON Tools-1033"="\"C:\\Programfiler\\D-Tools\\daemon.exe\" -lang 1033"
    "QuickTime Task"="\"C:\\Programfiler\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="C:\\Programfiler\\Java\\jre1.5.0_04\\bin\\jusched.exe"
    "ccApp"="\"C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "razer"="C:\\Programfiler\\Razer\\razerhid.exe"
    "iTunesHelper"="\"C:\\Programfiler\\iTunes\\iTunesHelper.exe\""
    "gcasServ"="\"C:\\Programfiler\\Microsoft AntiSpyware\\gcasServ.exe\""
    "NetLimiter"="C:\\Programfiler\\NetLimiter\\NetLimiter.exe /s"
    "CTHelper"="CTHELPER.EXE"
    "Acrobat Assistant 7.0"="\"C:\\Programfiler\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
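
The HKLM Run section of the log above is a REGEDIT4 export. As an added example (not part of the original thread and not code from find.bat), this parser reads such an export and lists Run entries whose command has no absolute path, which Windows resolves through its search path and which are therefore worth locating on disk during triage. The sample is a constructed excerpt of the entries posted above, and the function names are hypothetical.

```python
import re
from ntpath import isabs  # Windows path rules, importable on any platform

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Constructed sample: a few entries in the REGEDIT4 layout of the posted log.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="\"C:\\Programfiler\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"Resume copy"="copyfstq.exe /startup"
"CTHelper"="CTHELPER.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # String data in a .reg file escapes only the backslash and the double quote.
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for the string values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def executable(command):
    """First token of a Run command line: the quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]

def relative_autostarts(keys, run_key=RUN_KEY):
    """Entries directly under run_key whose executable is not an absolute path."""
    entries = keys.get(run_key, {})
    return {n: c for n, c in entries.items() if not isabs(executable(c))}
```

An entry returned here is not malicious by that fact alone; it only means the file's real location has to be confirmed before deciding anything about it.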


    
     
  7. culus

    culus TS Rookie Topic Starter

    beerabuser30: No I haven't tried running adAware, I use Microsoft Antispyware, but it doesn't seem to be able to remove this spyware. I also tried running Norton Antivirus, but it has no effect either.
     
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Click Start/Run, type regedit and click OK.
    Go to this key and delete the highlighted part
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{0DEDCFB1-74B8-8A7A-FC8F-2283AFCF773A}"=""
    by right-clicking it and selecting Delete.

    Can't find anything else wrong.

    Using the same instructions as before, fix this:
    /R/ O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\gp26l3fs1.dll

    If the name has changed, stay in Safe Mode, and repeat for the 'new' name.
     
  9. culus

    culus TS Rookie Topic Starter

    I just downloaded Spysweeper and ran it on my computer and it seems to have cleaned it completely from spywarez. No more popups, yay!
     
Topic Status:
Not open for further replies.
