Spyware detector, can't remove!!

Status
Not open for further replies.

Bigfatgoalie

Hi all,

I have recently downloaded maxsecure's 'Spyware detector', don't really need it as have other, better stuff now but I can't get rid of it!

When I go to uninstall or add/remove programs and select it nothing comes up and the add/remove application freezes and I have to end application to get out of it. Basically the uninstaller just won't run and just basically doesn't work.

I have tried everything and contacted max secure about this, they very helpfully suggested going start>programs>Spyware detector> remove!!! Thanks!

Then when I told them it didn't work they suggested I try control panel>add/remove programs>spyware detector! Thanks again!!

Does anyone have any ideas how I can get rid of it, Or does anyone have a removal tool? I have asked Max secure for this and they say they don't have one, I tried reinstalling it and then uninstalling the new version but that doesn't work.

Any ideas would be much appreciated!

Cheers.
 
Have you tried removing it in Safe Mode?
Using a simple registry editor to get it off the startup lists can help... such as RegClean.
There are plenty more detailed recommendations in the archives of this forum you can find with a search... some of the best you can find anywhere.
 
errr, how will I know what services it is using???

And also is manually deleting different to using the uninstaller!?

Sorry not great at these kind of things, bit of a beginner really!!

Thanks for your reply
 
Your system has a trojan as well as the programme you want to get rid of.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with (if there). Don't worry if you can't uninstall from here.

SpywareDetector

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

SDService

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

SDService.exe
dxdlg32.exe
LiveUpdateSD.exe
SDSystemTray.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O4 - HKLM\..\Run: [DxDialog] C:\WINDOWS\System32\dxdlg32.exe

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\SpywareDetector < Delete the entire folder.
C:\WINDOWS\System32\dxdlg32.exe < This is the trojan.


Reboot into normal mode and rehide your protected OS files.

Go HERE and follow the instructions for AVG Antispyware.

Post a fresh HJT log as well as an AVG Antispyware log and let me know if you're still having any problems.

Regards Howard :)

This thread is for the use of Bigfatgoalie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
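
An added example, not part of Howard's post or of any tool named in this thread: a small Python parser for HijackThis log lines like the five quoted above. It sorts entries by whether the referenced file sits in the product folder, is written as an unexpanded 8.3 short name, or lives elsewhere. The section labels and the `parse_hjt` and `triage` helpers are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed sample: the five entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [DxDialog] C:\WINDOWS\System32\dxdlg32.exe
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
"""

# HijackThis section codes that appear in this thread (labels are descriptive).
SECTIONS = {"O2": "Browser Helper Object", "O4": "Autostart (Run key)",
            "O20": "Winlogon Notify DLL", "O23": "Windows service"}

Entry = namedtuple("Entry", "code kind path missing")

# Section code, then the first drive-letter path ending in .exe or .dll.
LINE_RE = re.compile(r"^(O\d+) - .*?([A-Za-z]:\\.*?\.(?:exe|dll))", re.I)

def parse_hjt(text):
    """Return one Entry per log line that references an .exe or .dll."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code = m.group(1).upper()
        entries.append(Entry(code, SECTIONS.get(code, "other"),
                             m.group(2), "(file missing)" in line))
    return entries

def triage(entries, product_dir):
    """Bucket entries relative to the folder of the product being removed."""
    buckets = {"product": [], "short_name": [], "elsewhere": []}
    prefix = product_dir.rstrip("\\").lower() + "\\"
    for e in entries:
        p = e.path.lower()
        if p.startswith(prefix):
            buckets["product"].append(e)
        elif "~" in p:
            # 8.3 short names cannot be expanded offline; review by hand.
            buckets["short_name"].append(e)
        else:
            buckets["elsewhere"].append(e)
    return buckets

if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_LOG), r"C:\Program Files\SpywareDetector")
    for name, items in result.items():
        for e in items:
            print(f"{name:10} {e.code:4} {e.kind:22} {e.path}")
```

On the sample, the only entry landing in `elsewhere` is the Run key pointing at `C:\WINDOWS\System32\dxdlg32.exe`, the file the post identifies as the trojan.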
 
Howard,

Thanks a lot for this am now doing.

I don't think you posted the link where you put go "here"

Thanks again.

will give you the results soon

cheers
 
Sorry about that. I have now entered the link in my post above.

Regards Howard :)

 
Hi Howard, I followed the instructions with mixed results:

I couldn't delete spyware detector via add/remove programs.

When I ran HJT I could not find "023 - service: SDService - Max Secure Software - C:\program files\spywaredetector\sdservice.exe"

And when I went to delete the whole spyware detector file I got a message saying could not delete, it said 'Access denied to SDnotify.dll' make sure disk not write protected or in use etc etc.

The rest I did, so hopefully the trojan has gone! Thanks for that.

I should prob add at this point that I am having another prob with windows. I keep receiving these "application errors" that say "Memory could not be read", I click ok to terminate the program and it ends. These usually come up after I have ended an application, e.g. msn messenger or internet explorer.

I have attached some screen dumps of some of the ones that come up, they basically come up all the time, every time I log in and show no sign of going away.

It's a real problem because I can't do windows update for example. When I run update and it starts installing item 1 I get "update.exe., memory could not be read... etc" and I have to terminate, it gives an error next to download 1, and then does the same for them all so I can't install any of them!

I have posted this issue in OS, but just thought I'd let you know about it in case it is related!

Thanks again for your continued help, it really is appreciated.

Cheers.
 
I'm sorry, but I won't open a .doc file due to the risk of viruses etc.

Please post a fresh HJT and the AVG Antispyware log as either .txt or .log attachments.

Regards Howard :)

 
That's no probs, I understand.

What comes up on the application error is a small box with blue banner, the banner says (for example) "MSConfig.exe - Application error".

Then inside the box (there is a red circle with white cross) it says something like "The instruction at "0x77f58dc5" referenced memory at "0x000027b7". The memory could not be "read". Click on OK to terminate program"

The blue banner displays a number of things depending on what I have just closed.

Doing the scan on AVG will take some time so I will post the logs prob tomorrow.

Thanks very much for your time.

cheers
 
Ok, no problem. In the meantime do the following.

Download the Pocket Killbox programme from HERE. Extract it to your desktop.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\Program Files\SpywareDetector\SDNotify.dll

Once your system has rebooted, rehide your protected OS files.

Regards Howard :)

 
Howard, your help has been brilliant, thanks a lot.

I used the killbox and have now deleted Spyware detector! Cheers.

I have attached updated AVG and HJT logs.

I have run AVG antispyware one or two times and each time I see this "Downloader.Delf.mm" which I think is a virus/trojan. It is still there even when I use AVG's action to delete/quarantine it.

I guess this is at least one problem my logs are still showing.

Thanks for your help
 
Your HJT log is now clean.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

15DAE254

Close control panel.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\15DAE254 < Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Go HERE and follow the instruction for the Ccleaner programme.

Post a fresh AVG Antispyware log, only if it finds anything.

Regards Howard :)

 
AGhhhh, have made an error,

I was trying to unhide my files and here's what I did,

On my 'Program files' I went right click and then properties.
I checked the attributes box which said hidden and it started moving files, I thought this was wrong so tried to reverse it!

Now I can't find my Program files folder!

I know it's there because I ran a search which included hidden files/folders and it's there but I can't see it!

Sorry
 
I don't know what possessed you to do that.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open my computer/c drive/program files

Now, right click on your program files folder and select properties, untick the hidden attribute box and click apply/ok.

Rehide your protected OS files.

Regards Howard :)
 
Yeah I know, sorry, don't know what came over me! I have sorted that now.

I think I have a problem with the hide/unhide hidden system files.

I followed the instructions at bleepingcomputer but nothing changes, i.e. I can still see the same files as before, no more and no less. The hidden ones are still hidden.

Also when I go into folder options and the view tab both the 'do not show hidden files' and the 'show hidden files' have a check in the circle next to them.

That can't be right can it??

Maybe I have some protection thing I don't know about??

For example the 15DAE folder I need to delete as part of your instruction I cannot see, I go to windows explorer and check the show all hidden folders/files etc and it is STILL NOT VISIBLE.

The only way I can find it is to go start>Search and search for the folder name with "search hidden files" checked.

This brings the folder up but it is grayed out. So I right click and go properties and uncheck the hide box (like you just told me to do for program files) and now I can see / enter it.

But surely going to folder options in windows explorer and checking the show all files box should make these (and others) visible shouldn't it!??
 
I'm not sure what the problem is with you not being able to see hidden files and folders etc, unless you've not followed the instructions properly.

Taken from HERE.

Windows XP and Windows 2003

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and close My Computer.
10. Now your computer is configured to show all hidden files.

Did you successfully delete the folder I asked you to?

Regards Howard :)

 
Hi Howard,

I'm not sure either about why I can't see hidden files, clearly something wrong.

I located the folder but could not delete, as with spyware detector I got this message when trying to delete:

'Cannot delete, 3c600F9F.dll is in use' etc

Should I use the killbox again to delete it and then try again?? Wanted to ask you before I did, I'm not sure if this could be like some vital system file or something!?

Also while searching for the folder I found a file called:

'MS15DAE2.dll'

in

C:\Program Files\common files\system

I don't know if this is also malicious so I didn't want to delete it and I guess it doesn't show up on HJT / AVG or my system antivirus check so I guess it's OK!???

Cheers
 
If it were mine, I would reformat and reinstall... perhaps using another drive so I would have an opportunity to save all the data.
 
Do the following.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File".
Navigate to the file you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply.

when it reboots and post a fresh HJT log.

As for the 'MS15DAE2.dll' file, please give me the full filepath.

Regards Howard :)

 
Hi Howard, thanks for this, seems to have done the trick and the folder has gone!!

Please see the attached output.

I did notice that 'SystemTray SD' is still on the HJT log (Spyware detector).

I'm not sure what you mean by the "full file path" as far as I know what I posted is the full file path, that file 'MS15DAE2.dll'

is located at:

C:\Program Files\common files\system

What I am saying is that if I navigate there then that's where the file is. Is that what you meant??

Cheers
 
Your HJT log is clean.

I can't find any info for the MS15DAE2.dll file, therefore I have attached a new Avenger .txt file and you should run the Avenger programme again with the new .txt file I have attached to this post.

Let me know the results and if you're still having any problems.

Regards Howard :)

EDIT: I forgot to address the Spywaredetector issue.

Have HJT fix this entry.

O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe

Do a fresh scan with HJT and see if that entry still shows up. If it does, post a fresh HJT log.
