Need help removing spyware

Status
Not open for further replies.
Earlier today I opened a file which installed some kind of spyware on my computer. I got a message from Microsoft Antispyware telling me a program called UCmore was trying to install. I received two options, allow or remove. I clicked remove, but it didn't do the trick. Now I keep getting popups at least once per minute.

Last time I tried to remove spyware from my computer myself using HijackThis, I screwed the computer up even more; that's why I thought I might ask for expert help this time. I have attached my HijackThis log...
 
C:\Documents and Settings\Ørjan Storebø\Skrivebord\HijackThis.exe
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop/Skrivebord!

First Read: Only use these HJT-instructions when asked!
/R/ unRegister the xxx.DLL in that line
Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
...................................................................................................
Fix ALL your O1 - Hosts: entries
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
Fix ALL your O16 - DPF: entries
/R/ O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\fp6203joe.dll
...................................................................................................

STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
 
For some reason I'm not able to /R/ O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\fp6203joe.dll. Every time I reboot my computer the file changes its name, and when I try unRegistering it I get a message saying it is in use by another program, even when I close explorer in the task manager in safe mode. I still get popups all the friggin time.
 
Go to http://forums.spywareinfo.com/index.php?showtopic=40153

* Download FindIt9Xme.zip here: http://www.thatcomputerguy.us/downloads/findit9xme.zip
* Unzip the contents of FindIt9Xme.zip to a convenient location.
* Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
* A command prompt will open and it will search your computer for malicious files.
* Once it has finished a Notepad window will pop up with output.txt.
* Copy/paste the entire contents of output.txt into your next post.

PLEASE DO NOT REBOOT or power down the computer, until I reply back or the infected file names will change!!!
 
Here's the log you asked for:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volumet i stasjon C er uten navn.
Volumserienummeret er 2848-9915

Innhold i C:\WINDOWS\System


------- Hidden Files in System Directory -------

Volumet i stasjon C er uten navn.
Volumserienummeret er 2848-9915

Innhold i C:\WINDOWS\System


---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0DEDCFB1-74B8-8A7A-FC8F-2283AFCF773A}"=""


------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="\"C:\\Programfiler\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"zBrowser Launcher"="C:\\Programfiler\\Logitech\\iTouch\\iTouch.exe"
"Resume copy"="copyfstq.exe /startup"
"DAEMON Tools-1033"="\"C:\\Programfiler\\D-Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Programfiler\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Programfiler\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"ccApp"="\"C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"razer"="C:\\Programfiler\\Razer\\razerhid.exe"
"iTunesHelper"="\"C:\\Programfiler\\iTunes\\iTunesHelper.exe\""
"gcasServ"="\"C:\\Programfiler\\Microsoft AntiSpyware\\gcasServ.exe\""
"NetLimiter"="C:\\Programfiler\\NetLimiter\\NetLimiter.exe /s"
"CTHelper"="CTHELPER.EXE"
"Acrobat Assistant 7.0"="\"C:\\Programfiler\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



 
beerabuser30: No I haven't tried running adAware, I use Microsoft Antispyware, but it doesn't seem to be able to remove this spyware. I also tried running Norton Antivirus, but it has no effect either.
 
Click Start/Run, type regedit and click OK.
Go to this key and delete the highlighted part
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0DEDCFB1-74B8-8A7A-FC8F-2283AFCF773A}"=""
by right-clicking it and selecting Delete.

Can't find anything else wrong.

Using the same instructions as before, fix this:
/R/ O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\gp26l3fs1.dll

If the name has changed, stay in Safe Mode, and repeat for the 'new' name.
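
The find.bat output earlier in the thread is a REGEDIT4 export. As an added example (not part of the thread or of the FindIt tool), this Python sketch parses such an export and lists entries worth a manual look. The function names and both heuristics (a GUID-named Post Platform value like the one singled out above, and Run entries without a full path) are assumptions and give triage hints, not verdicts.

```python
import re

# Constructed sample: a few lines copied from the find.bat output posted above.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0DEDCFB1-74B8-8A7A-FC8F-2283AFCF773A}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="\"C:\\Programfiler\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"Resume copy"="copyfstq.exe /startup"
"NetLimiter"="C:\\Programfiler\\NetLimiter\\NetLimiter.exe /s"
"CTHelper"="CTHELPER.EXE"
'''

# "name"="data" lines; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

def unescape(s):
    # .reg string escapes: \\ -> \ and \" -> "
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def triage(keys):
    """Entries worth a manual look (assumed heuristics, not verdicts)."""
    hits = []
    for path, values in keys.items():
        for name, data in values.items():
            if path.endswith(r'\User Agent\Post Platform') and GUID_RE.match(name):
                hits.append(('guid-post-platform', name))
            elif path.endswith(r'\CurrentVersion\Run') and not ABS_PATH_RE.match(data):
                hits.append(('run-no-full-path', name))
    return hits
```

A Run entry without a full path is resolved through the system search path, so the next step for those hits is to check which file on disk actually answers to that name.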
 
I just downloaded Spysweeper and ran it on my computer and it seems to have cleaned it completely from spywarez. No more popups, yay!
 