Need Help - Spyware Problem

M

merfman

Posts: 58   +0
I've just completed the walk through to remove spyware from my computer.

here are the HJT, Combofix, AVG Antispyware Logs

Please Help :)
 
Please, need some help to get rid of the problem.

The logs are all posted above.

Thank-you for any help
 
Welcome back merfman

Looks like you possibly have this Abebot Trojan as well as the other half of the forum here

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

This thread is for the use of merfman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Run Hijackthis again and attach the new log here

Also, lets get a 2nd opinion on this

:Run Kaspersky Online AV Scanner:

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply

This thread is for the use of merfman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
What Next?

How do I send the Combofix log on JS/downloader problem to TechSpot? I did an AVG scan today, but it has been coming back. I'm new. Pretty confusing!!!!
 
Download and Run Norman Removal Tool
  • Download Norman Malware Cleaner to your desktop
  • Restart your computer into safe mode by tapping F8 before windows loads and selecting Safe Mode.
  • Double-click the Norman Icon on your desktop (Vista users Right click and select run as administrator)
  • Agree to the EULA
  • Leave the settings the way they are unless you have more than a C:\ and D:\ then you can those areas to the top section
  • Select Start Scan
  • The log will be saved to your desktop as NFix_currentdate.log, Attach it here


1) Click on Start, Settings, Control Panel

2) Double click on Add/Remove Programs

3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

4) Reboot your Computer and run HijackThis and attach the log
 
Blind Dragon said:
Download and Run Norman Removal Tool
  • Download Norman Malware Cleaner to your desktop
  • Restart your computer into safe mode by tapping F8 before windows loads and selecting Safe Mode.
  • Double-click the Norman Icon on your desktop (Vista users Right click and select run as administrator)
  • Agree to the EULA
  • Leave the settings the way they are unless you have more than a C:\ and D:\ then you can those areas to the top section
  • Select Start Scan
  • The log will be saved to your desktop as NFix_currentdate.log, Attach it here


1) Click on Start, Settings, Control Panel

2) Double click on Add/Remove Programs

3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

4) Reboot your Computer and run HijackThis and attach the log
Click to expand...


should i remove the programs first or after the Norman Malware Scan??
 
CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\ISECUR~1.CPL
C:\WINDOWS\system32\skujcpwe.exe
C:\WINDOWS\system32\iSecurity.cpl
C:\Documents and Settings\All Users\Application Data\ahyvapsd.dll
C:\DOCUME~1\Mat\LOCALS~1\Temp\DELDIR0.exe
C:\WINDOWS\vyzsvsbg.exe

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8311E8F-E459-4D22-89B4-CB9DCF10A425}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skujcpwe"=-
"iSecurity applet"="iSecurity.cpl" [2008-03-30 18:08 125440 C:\WINDOWS\system32\iSecurity.cpl]
"ahyvapsd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DELDIR0.EXE"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"6T1E1ueXNd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"iSecurity"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvvwX]
Click to expand...

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot


CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\noqkvfse.dll
C:\WINDOWS\system32\cemrxeqd.dll
C:\WINDOWS\system32\zdpdbxsr.exe

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3EC135BF-AAD6-D3A1-A843-0B3699F1E5F2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5447ADBC-9AD8-2D30-46C4-0979F3630B69}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zdpdbxsr"=-
"iSecurity applet"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvvwX]
Click to expand...

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Blind Dragon said:
Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot


CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
Click to expand...


When i run the ComboFix, the scan does not complete. I let it run for 45 minutes and it will not finish. What do i do?
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
O2 - BHO: (no name) - {3EC135BF-AAD6-D3A1-A843-0B3699F1E5F2} - C:\WINDOWS\system32\noqkvfse.dll
O2 - BHO: (no name) - {5447ADBC-9AD8-2D30-46C4-0979F3630B69} - C:\WINDOWS\system32\cemrxeqd.dll
O4 - HKLM\..\Run: [zdpdbxsr] C:\WINDOWS\system32\zdpdbxsr.exe
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\
O20 - Winlogon Notify: yaywvvwX - C:\WINDOWS\
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)

Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following files:

Files:
C:\WINDOWS\winjyg32 <-This file only
C:\WINDOWS\yaywvvwX <-This file only
C:\WINDOWS\system32\noqkvfse.dll <-This file only
C:\WINDOWS\system32\cemrxeqd.dll <-This file only
C:\WINDOWS\system32\zdpdbxsr.exe <-This file only

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log
 
Blind Dragon said:
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Use Windows Explorer to navigate to and delete the following files:

Files:
C:\WINDOWS\winjyg32 <-This file only
C:\WINDOWS\yaywvvwX <-This file only
C:\WINDOWS\system32\noqkvfse.dll <-This file only
C:\WINDOWS\system32\cemrxeqd.dll <-This file only
C:\WINDOWS\system32\zdpdbxsr.exe <-This file only

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log
Click to expand...


So i did all of the previous tasks that you said to accomplish. My computer never found any of the files you told me to delete in Windows Explorer.
Here is the HJT Log
 
you don't need to search for any files to remove norton. click on the link and it says:

Choose your product:

* I have a Norton product that was purchased from my Internet Service Provider (ISP)
* I have Norton 360
* I have a Norton 2008 product
* I have a Norton 2007 product
* I have a Norton 2006 product
* I have a Norton 2005 or 2004 product
* I have a Norton 2003 product
* I have Norton Ghost or Norton Save & Restore
* I have pcAnywhere or WinFax

Just go to the removal tool link provided above, then select your product and it will be removed for you.


Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java


Also I don't see a firewall in your log
You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm
 
Blind Dragon said:
you don't need to search for any files to remove norton. click on the link and it says:

Choose your product:

* I have a Norton product that was purchased from my Internet Service Provider (ISP)
* I have Norton 360
* I have a Norton 2008 product
* I have a Norton 2007 product
* I have a Norton 2006 product
* I have a Norton 2005 or 2004 product
* I have a Norton 2003 product
* I have Norton Ghost or Norton Save & Restore
* I have pcAnywhere or WinFax

Just go to the removal tool link provided above, then select your product and it will be removed for you.


Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java


Also I don't see a firewall in your log
You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm
Click to expand...


I did all of this. My Java update only found Java 6 Update 4 though. My computer seems to be rid of the spyware but im still not sure. Is there anything that you want me to do now?
 
Almost there man ;)

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected'at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.




Uninstall the My Web Search option from Add/Remove Programs

1) Click on Start, Settings, Control Panel

2) Double click on Add/Remove Programs

3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

4) Reboot your Computer and run HijackThis

post the log here
 
Hey BlindDragon,

I've run into a few problems.

When i try to download the Java Update the download gets to 6% then says "exceeds number of retrys"

the second issue is when i click on the link for VundoFix i get an "Ad blocked here by SPF"

any way to get around this?
 
I'm guessing you are using internet explorer

I recommend a more secure browser and only use IE when you have no other choice.

Here are 2 more secure browsers to choose from
1)Firefox -> http://www.mozilla.com/en-US/firefox/
2)Opera -> http://www.opera.com/

Try with one of these

After you get one of these you can disable the pop up blocker with in the sunbelt firewall program also known as kerio
 

Similar threads

midian182
Not for the first time: North Korean hackers used fake apps to spread spyware on Android
Replies
4
Views
118
Hotlynx16
H
W
Strange one to get your teeth into...
Replies
2
Views
105
Wazhead
W
S
Apple notifies iPhone users in 98 countries of mercenary spyware attack
Replies
5
Views
387
MTD2019
M

Latest posts

Back