#1
21st Nov 2008, 20:50
Member Group
Posts: 31
Virus or Spyware infection

hi guys

i was just playing around with my mate's computer and it seems he has spyware. that's not a problem, we got rid of it.

now i think my computer has spyware. i have an old version of hijack this on here, and when i try to run it from C:\HJT it pops up for about a millisecond then closes. so HJT just doesn't work.

also, when in firefox, firefox will just close randomly. I went onto filehippo.com to get latest version of HJT, but when i click on the HJT link, firefox just shuts down. it's the same when i click on any other link on that page

so i tried typing avg anti spyware into google, and bang! firefox closes again. i'm thinking that my spyware is not letting me do things 'anti-spyware' related on the net.

about to run s&d now, but i'm just wondering if anyone else has had this happen before? and what type of spyware it is.

p.s all of this also happens on IE7 too.


* * * * * * * * * * * * * * * * * * * * * * * * *


THIS IS A RUNDOWN OF MY FEEBLE ATTEMPTS AT SPYWARE REMOVAL

Hijack this still won't run. So I can't get anyone a log sorry. I also can't start windows in safe mode...
My avg anti virus won't run either.

spybot s&d ran and deleted some spyware
ad-aware ran and deleted some spyware
spy catcher express ran and deleted some spyware
ccleaner ran and deleted stuff
cleanup! ran and deleted some stuff
cwshredder ran and deleted a file
smitfraud fix ran and deleted some stuff
msconfig cleanup ran and deleted startups
ewido wouldn't even let me install (same problem as HJT, opens for a millisecond then closes) (probably because it's part of AVG now?)

Also, here are some things that I type into google, then firefox crashes:
avg
ewido - when i click on ewido site
avast
nod32
antivirus
antispyware

and other brands of AV software

Also, the Trend Micro HouseCall online AV scanner won't work either.

Just failed at installing: (by fail i mean the virus is not letting the program run.)
Panda AV
Nod32
Kaspersky


Please help.....
cheers Jim

#2
21st Nov 2008, 21:14
Moderator Group
Skill Level: Advanced
Posts: 6,739

Let's take another approach.

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.

-----

After SDFix is complete and the computer is restarted into Normal mode, try to run HijackThis and post the log along with the SDFix log.

#3
21st Nov 2008, 21:41
Member Group
Posts: 31

Hi thanks for reply.

I mentioned above that I can't start in Safe Mode.

When I try, it loads all the components until it gets to "Mup.sys"
That is where it stops. I left it for about 15 minutes last try and it was still stuck there.

So maybe I could try something that doesn't require safe mode?

Cheers, Jim
#4
21st Nov 2008, 21:46
Moderator Group
Skill Level: Advanced
Posts: 6,739

Sorry about that. I missed the part of not being able to boot into Safe Mode.

Let's do this.

You have HJT installed right? Given that it is installed to the default location then follow these steps to rename HijackThis and then try to run it.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename
  • Type in sniper.exe and press Enter
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  • From the desktop open HijackThis.
  • Important! If using Windows Vista, Right-click and Run As Administrator
  • Click on Do a system scan and save a log file
  • HijackThis will scan and then a log will open in notepad.
  • Copy & Paste the entire contents of the log in your post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Note: Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

#5
21st Nov 2008, 22:12
Member Group
Posts: 31

hey.

i don't have HJT installed, I have the stand alone copy, in C:\HJT

I tried what you said, but that also didn't work. I also renamed the folder to sniper too, but to no avail.

I'm currently running an online scan from Panda AV.

Hopefully this helps me.

Any other suggestions?
Cheers Jim
#6
21st Nov 2008, 22:26
Moderator Group
Skill Level: Advanced
Posts: 6,739

Try this.

Pause the Panda scan.

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.
  • Double click on RSIT.exe to run.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • log.txt will be maximized and info.txt will be minimized
  • Please post the contents of both logs in the next reply.

Also, do you have a flash drive and another computer to transfer files to the infected PC?

#7
21st Nov 2008, 22:37
Member Group
Posts: 31

Hi.

I have attached the 2 logs.

Yes i have a flash drive and another computer to use.

Cheers
Attached Files
File Type: txt info.txt (10.2 KB, 5 views)
File Type: txt log.txt (12.9 KB, 3 views)
#8
21st Nov 2008, 23:06
Moderator Group
Skill Level: Advanced
Posts: 6,739

Try to download MBAM and run it then post the log. If you can't download it then transfer over just the installer to the infected computer. Then install and run it. If the installer or the program won't run then try renaming it.

Download Malwarebytes' Anti-Malware (MBAM)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



After MBAM is finished try running a HijackThis scan again and post the log.

#9
21st Nov 2008, 23:47
Member Group
Posts: 31

a HJT log or a RSIT log?
#10
21st Nov 2008, 23:49
Moderator Group
Skill Level: Advanced
Posts: 6,739

An MBAM log and a HijackThis log. RSIT should have created a HJT log with its scan but for some reason it didn't.