Spyware almost gone (supposedly).

[TornadoTK]

I've followed the instructions in the stickies, and have hopefully gotten rid of most of my spyware, however one keeps coming back and splitting, and I don't know how to get rid of it. Here's the following HJT log, but before now, it's been jumping around, and I think it was opening processes as well.

EDIT: Also worth mentioning, I downloaded Ewido yesterday, and it will not open anymore, due to crashing. Possible spyware issue?

 

[howard_hopkinso]

Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

rdgUS2404.exe
ALCMTR.EXE
PowerReg Scheduler.exe

Close task manager.

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll

O2 - BHO: C:\WINDOWS\system32\clbcatix.dll - {D4DFC1D8-2D2E-4962-B0D0-389FBA0F76B5} - C:\WINDOWS\system32\clbcatix.dll

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [SdScansGG] rundll32.exe C:\WINDOWS\stup_tmp.#32,Ini

O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://9dragons.acclaim.com/acclaim.cab

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab

Fix all O18 - Protocol: entries.

O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g8813578.dll

O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll

O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\stup_tmp.#32,Ini
ALCMTR.EXE
PowerReg Scheduler.exe Search your system for these files and delete all instances of them.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winghy32.dll
C:\WINDOWS\system32\clbcatix.dll
C:\WINDOWS\g8813578.dll
C:\WINDOWS\system32\compstuid.dll
C:\WINDOWS\Downloaded Program Files\rdgUS2404.exe

Once your system has rebooted, turn system restore back on and post a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of TornadoTK only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[TornadoTK]

Reporting for Duty!

I didn't delete most of the 08 entries in fear of all of my logitech products going broke. Here's the log file.

Also, ALCMTR.EXE is a RealTek sound application. Is it safe to delete? I renamed it just in case..

EDIT: Seems things work out now, but looks can be deceiving. Waiting for your confirmation.

 

[howard_hopkinso]

You can safely remove the ALCMTR.EXE file. It`s classified as spyware, even though it does belong to Realtek. That`s because it sends info back to realtek. Deleting the file won`t affect your sound card at all.

You can also safely fix all the 018 protocol enties I mentioned. It won`t affect your Logitech mouse or keyboard.

Your HJT log is now clean.

Just have HJT fix these inactive entries.

O2 - BHO: C:\WINDOWS\system32\clbcatix.dll - {D4DFC1D8-2D2E-4962-B0D0-389FBA0F76B5} - C:\WINDOWS\system32\clbcatix.dll (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\clbcatix.dll (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\clbcatix.dll (file missing)

Fix all 018 protocol entries.

O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g8813578.dll (file missing)

O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll (file missing)

O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)

Click on the fix checked button and close HJT.

Regards Howard

 

[TornadoTK]

Thanks for all the help, I'll be sure to come back if anyone near me has any trouble.

Spyware stoppers unite! =P

EDIT: Lock if necessary.

 

[howard_hopkinso]

No problem.

If you have any further virus/spyware problem, please post in this thread.

Regards Howard

This thread is for the use of TornadoTK only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.