# Basic Steps for Removing Spyware... (UPDATED 18 DEC 2011)



## Kung

This is a basic guide for removing spyware. There are always going to be bugs that sometimes necessitate removal by utilizing certain specially-made programs (WinFixer is a great example of that), but overall, using this series of steps will probably take care of 80% of spyware out there.

NOTE: On the rare occasions that *ALL* of the above don't work, feel free to contact me or other knowledgeable techs here for help. However, as obvious as this statement may sound, we cannot help you unless you contact one of us - preferably BEFORE you have a 3rd party do the same thing we'd help you do, except for much more money.

**UPDATED 14 August 2012**

Many times, spyware processes simply aren't found by the antispyware/antivirus programs; many OTHER times, they ARE found, but the spyware/adware programs are prevented from removing the spyware/adware because the spyware/adware processes cannot be stopped/terminated. The following steps should terminate the processes, allowing their removal; and then your spyware/adware can be removed by the tools you have installed.

*SPYWARE REMOVAL STEPS:*

1. Ensure you can see all files on your computer. (NOTE: Skip this step if already completed above.) There's a reason they call it 'spyware' - it keeps itself well hidden.  To reveal all files: (should be the same for XP, Vista and 7)

- With Windows Explorer (NOT Internet Explorer) open, click on 'Tools' and 'Folder Options', and select the 'View' tab.
- Select 'Show hidden files and folders' and UNselect 'Hide protected operating system files'
- Click OK and OK

2. The next thing I normally do is to disable System Restore. Why? Simple - those who create spyware/malware/adware/viruses know what it's used for, and know that it rarely gets turned off...and so many of them design said spyware/malware/adware/viruses to reside in the System Restore area. Disabling it deletes all system restore points, which deletes any bad stuff stored there. To disable:
- (XP) - http://www.computerhope.com/issues/ch000775.htm
- (Vista/7) - http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

3. Next, delete your 'trash' files. I normally use a program such as CCleaner or Cleanup!. If, for some reason, you have not already downloaded/installed/updated one of these, you may need to manually delete EVERYTHING in the following folders: (Note - by doing so you will erase all cookies, as well as cached browser information, so make sure you know logons and passwords)

For Windows XP:

- C:\Documents and Settings\[your username]\Cookies
- C:\Documents and Settings\[your username]\Local Settings\Temp
- C:\Documents and Settings\[your username]\Local Settings\Temporary Internet Files
- C:\Temp
- C:\Windows\Temp

For Windows Vista/7:

- C:\Users\[your username]\AppData\Local\Temp
- C:\Users\[your username]\AppData\Local\Microsoft\Windows\Temporary Internet Files
- C:\Windows\Temp

4. Once that's done, if not already done (AND if you are able to), make sure you download AND UPDATE the commonly accepted spyware removal programs. (The current FREE ones recommended are Ad-Aware, Malwarebytes Anti-Malware, and Superantispyware. If you want to spend money, the best one is Spy Sweeper. You also need a good antivirus program. The best paid ones are BitDefender Antivirus, Kaspersky Antivirus, and Norton Antivirus; the best free ones are Avast and BitDefender Free. Kaspersky Antivirus also has a free online scanner.)

5. You then need to boot your computer into Safe Mode. (Why? Because Safe Mode disables ALL unnecessary processes, including many spyware program processes.) To do that, simply reboot your computer, and at the moment it actually reboots, start repeatedly mashing F8 until you get a bunch of options, one of them being 'Safe Mode.' Then, just go from there, answering "Yes" when you get the popup window in Safe Mode.

6. Once you are in Safe Mode, run FULL scans (not 'Smart Scans') with ALL spyware, antivirus and cleanup programs on your computer. Delete everything they find (choosing the options to backup files if it gives you those options), and note the location of any that will not delete.

7. Then reboot your computer into regular mode.

*IF YOU STILL HAVE PROBLEMS:*

You may need to actually stop the spyware process(es) from running. One of the best tools around for this is also one of the simplest - RKill.

1. Download the Rkill program; what this program does is to stop any viruses/adware/spyware that won't be stopped by a normal antivirus/antispyware/antimalware program, and therefore can't be removed by those programs.

2. Run the Rkill program. It should stop the adware/spyware process. (NOTE: Sometimes *.exe files are prevented from running altogether by the spyware program. If this is the case, then the Rkill.exe process is itself stopped from running as well. In this case, download the Rkill.com program and run it instead.)

3. Once Rkill is done, it should not only have stopped the processes from running, but should ALSO have created some sort of log file that gives the names of the processes AND their locations. You can use this, of course, to go to those locations and manually delete the processes by hand, if needed.

If you can't find the files, or they are located in a hidden folder, then unhide the folders by doing the following steps, and THEN delete the processes manually:

- With Windows Explorer (NOT Internet Explorer) open, click on 'Tools' and 'Folder Options', and select the 'View' tab.
- Select 'Show hidden files and folders' and UNselect 'Hide protected operating system files'
- Click OK and OK

NOW...you can set about running your spyware/adware/virus removal programs.

*IF ALL ELSE FAILS:*

What if the above all fail, for some reason? Well, if booting into safe mode prevents most Windows processes (including the bad ones) from running, it stands to reason that the BEST way to prevent any bad processes from running is simple - don't boot into Windows at all.

So how to clean up Windows, yet not boot into Windows? By using a 'live' (bootable) CD of some sort that will boot you into an 'operating' system of sorts and allow you to conduct spyware/virus/adware removal, without actually starting Windows.

My favorite one is actually one I just found out exists today (!) - Windows Defender Offline. It's essentially a bootable version of Microsoft Security Essentials.

Here are some of the more common and easily used live CDs: (FYI - the 2nd and 3rd links will require CD burning software that can burn ISOs to a CD, such as ImgBurn or CDBurnerXP.)

- This link will tell you how to create an Ubuntu Live CD.

- Kaspersky Rescue CD

- BitDefender Rescue CD

These are just some of the ideas. One can also (assuming they have a copy of Windows XP) create an Ultimate Boot CD for Windows (also known as UBCD4Win).

www.ubcd4win.com

It's essentially a customized version of Windows that is bootable from the CD. ALL of the antivirus scanners (as well as Ubuntu, and UBCD4Win) will be more effective than anything scanning while you're actually logged on, simply because of the fact that when you're using a bootable CD, you're NOT logged onto Windows, and therefore nothing can run from that Windows partition - including the spyware.


----------



## Philbee

Thanks Kung,

I will give this a try.

Philbee


----------



## 14yearpcmaker

The new version of Yahoo! toolbar includes a great free spyware scanner!! Takes care of most of my problems!! www.yahoo.com and search for "tool bar"


----------



## momlaffsalot

I hate asking this, I'm sure it's a simple thing, but how do I find Windows Explorer?


----------



## 14yearpcmaker

start===>all programs===>accessories===>windows explorer


----------



## Kung

Actually, even easier than that:

Right-click on 'Start' button, choose 'Explore.'


----------



## comfortablynumb

Download and build "UBCD4Win".

It makes an XP disk that's bootable into a PE, where it has tons of repair tools ready to use.

Plus Avast, AVG, Spybot, Ad-Aware, and many others to ferret out crap from the HD while it is idle and not running the XP OS on it.

It is way easier to virus clean when the system the virus is infecting isn't running.

Oh, and it's totally free.

http://www.ubcd4win.com/


----------



## Willowynd

Actually, NOD32 is the best pay-for AV. It does take some doing to set up, though, so it's not for a novice.


----------



## Kung

I'd disagree (but only to a certain extent). I don't know that it's *THE* best, but it's certainly high on the list. I think it has the highest 'in the wild' catch rate; but not quite the best removal rate.


----------



## HappyYooper

> 1. Ensure you can see all files on your computer. There's a reason they call it 'spyware' - it keeps itself well hidden. To reveal all files:
>
> - With Windows Explorer (NOT Internet Explorer) open, click on 'Tools' and 'Folder Options', and select the 'View' tab.
> - Select 'Show hidden files and folders' and UNselect 'Hide protected operating system files'
> - Click OK and OK

Another question....I finished all the steps but do I continue to keep the files & folders as above or change them back to hidden?


----------



## Nevada

MountainMamma91 said:


> Another question....I finished all the steps but do I continue to keep the files & folders as above or change them back to hidden?


It depends on who uses your computer. Those folders and file types are hidden by default because fooling with them can have serious consequences. If you're the only person using that computer then there is no reason to hide them again, but if you have a user that you are leery of you might want to hide them.

Another thing that's in there by default is hiding file extensions (the last three letters after the period; like .doc and .exe). When I sit down at a machine with file extensions hidden I feel handicapped, since I don't know what kind of files I'm working with. I see no logical reason to hide file extensions. I would enable them.


----------



## quietstar

Good Morning..It appears that a relative who has been serving as family computer Guru (well paid) has quietly installed software that provides her access to our Emails. Will the above process reveal this sneaky intrusion and allow its certain removal?

Thanks for providing an accessible "braintrust" for ignorant folks like me...Glen


----------



## Nevada

quietstar said:


> Good Morning..It appears that a relative who has been serving as family computer Guru (well paid) has quietly installed software that provides her access to our Emails. Will the above process reveal this sneaky intrusion and allow its certain removal?
> 
> Thanks for providing an accessible "braintrust" for ignorant folks like me...Glen


Could you give us a little more to go on? Are you using POP3 email (Outlook Express, Outlook, Firefox, Eudora, etc.), or web-based email (Hotmail, Yahoo mail, Gmail, etc.)?

What has led you to the conclusion that your email account has been compromised?


----------



## quietstar

Hi Nevada..Both Email accounts are web-based Yahoo accounts. Reading of Emails on one account is certain. I suspect my account is also compromised, as our Guru replaced my crashed hard drive about 6 months ago and reloaded everything. Thanks for any insight and advice you can provide. By the way, what is BCC forwarding?...Glen


----------



## Nevada

quietstar said:


> Hi Nevada..Both Email accounts are web-based Yahoo accounts. Reading of Emails on one account is certain. I suspect my account is also compromised, as our Guru replaced my crashed hard drive about 6 months ago and reloaded everything. Thanks for any insight and advice you can provide. By the way, what is BCC forwarding?...Glen


One possibility is that he got your password. How he might have gotten it is anyone's guess, but he may have installed key logging software that records passwords. However, it's also possible that he sat down to work on your computer immediately after you checked email and continued your Yahoo session before it expired. There's just no way to know for sure with the info you gave me. However, I would think that a good spyware & antivirus sweep would catch most key logging software to put that theory to rest.

If I were you I would consider the more obvious possibilities, such as continuing your Yahoo session. If you walked away from a Yahoo session without clicking "logout" then you left the door open for him. Most successful hacking capers are embarrassingly simple. Since he worked so close to you and your machine I'm suspecting a rudimentary explanation.

BCC stands for Blind Carbon Copy. You have three categories of recipients for an email:

- To: That's the primary recipient that the email message is directed to. Any words like "you" used in the message refer to the primary recipient.
- CC: That's the list of Carbon Copy recipients who are designated to get the message for general interest, such as a manager, supervisor, or other people on a team.
- BCC: Blind Carbon Copy recipients also receive a copy of the email, but unlike CC recipients the primary and CC recipients can't see who, if anyone, is a BCC recipient.

If he somehow got into your email account and added himself as a BCC recipient for all of your outgoing email then he's been getting copies of all your email since that time.


----------



## Teleah

> 2. Delete EVERYTHING in the following folders: (Note - by doing so you will erase all cookies, as well as cached browser information, so make sure you know logons and passwords)
>
> - C:\Documents and Settings\[your username]\Cookies
> - C:\Documents and Settings\[your username]\Local Settings\Temp
> - C:\Documents and Settings\[your username]\Local Settings\Temporary Internet Files
> - C:\Temp
> - C:\Windows\Temp


How do I get to this part? Where are these files? thanks


----------



## Kung

To get to the C:/ drive, simply click on "My Computer" and then "C:/". You might have to show the hidden folders; to do that, follow the steps here.

Then, you can get to the other folders from there.


----------



## Sparticle

I've been having horrible problems with our laptop. It was so slow, after turning it on I'd just walk away for 5 minutes or more. It used to not be like this. Then browser boxes would start popping up left and right and I was constantly closing them. Websites would take forever to load and forget about having a few pages up at once. Then the porn and gambling stuff started popping up.

So before coming to this thread, I did:

- Spybot
- System Tools scan disk
- Internet Options and got rid of cookies

That did almost nothing and I had to remove spybot because the tea timer was slowing the computer down almost worse than before. Then I ran some free stuff I found online, it found and fixed stuff, but no real performance improvement. So then I bought McAfee thinking that would be cheaper than taking it to a repair shop because it was almost useless it was so slow and you couldn't do anything without boxes popping up all over. That helped some, but not completely.

Then I found this thread and followed everything step by step. Downloaded spy sweeper and ran that in Safe Mode. Ran McAfee scan again, clean disk, defrag - anything I could think of. All of this took from 10am - 10pm last night.

Rebooted the computer and it's still taking a solid 5-10 minutes for everything to come up. Spy sweeper is constantly popping up now that it's blocking stuff. But there still has to be more hidden stuff that needs to go to be causing this. However, the computer is much better after it gets going now. I haven't had any browsers pop up. It's still taking forever for pages to load though. 

Somehow in my steps yesterday, Internet Explorer was deleted, though I only deleted files that were in the directories mentioned above so something else must have done that. 

Windows\System32 has many, many files that look like this:

`$NtUninstallB88742$`

and

`KB955839`

though for each, the last half of the string is a different number for each file.

I ran HijackThis this morn but am nervous about posting the log here on a public forum. Is there anything personal in the log? I can't make out most of it.

update: The pain continues. Now maps won't display on Mapquest. :Bawling:


----------



## Sparticle

well it just went to zero operational. It ran for 15 or more minutes and nothing had fully come up. Something is just really weighing it down. That spy sweeper pops up all the time that it's blocking stuff.


----------



## Kung

If you can, boot into Safe Mode and run HijackThis, and send it to me at my email address. I'll PM it to you.

Also....I would seriously try downloading and running the Malwarebytes program, at www.malwarebytes.com. It is the ONLY spyware program I know of that removes the 2008 Antivirus spyware thing, I believe. I'll change the main list to reflect this.


----------



## Sparticle

Kung said:


> If you can, boot into Safe Mode and run HijackThis, and send it to me at my email address. I'll PM it to you.
> 
> Also....I would seriously try downloading and running the Malwarebytes program, at www.malwarebytes.com. It is the ONLY spyware program I know of that removes the 2008 Antivirus spyware thing, I believe. I'll change the main list to reflect this.


Ran HijackThis and PM'ed the log to you.

update: after working with Kung for several days, our PC is now spyware free! It actually is faster than it was before. Oh happy day. :clap:


----------



## KatSpradley

Kung, I could have used you this afternoon when the Spyware Protect 2009 started appearing in constant pop-ups all afternoon...overtook my IE and so forth...we ended up restoring it to a previous day since I knew when it happened, and this seems to have removed it; however, we did run a Malware scan and it showed it was gone. I can't even think of how it got on...those things are sneaky.


----------



## Bootlegger0173

OK, I'm a moron, but I did the HijackThis thing and this is what popped up on the screen. Any idea what it means?


----------



## Bootlegger0173

Logfile of HijackThis v1.99.1
Scan saved at 9:50:43 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -


----------



## Bootlegger0173

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

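The listing above is HijackThis output: one entry per line, each prefixed with a section code (R0/R1 for browser start and search pages, O2 for browser helper objects, O4 for autostart entries, O10 for Winsock LSPs, O23 for services). As an added example that is not from the thread and not part of HijackThis, the Python below parses lines in that format and returns the entries a reviewer would look at first; the sample log, the trusted-host list and the expected-location prefixes are constructed assumptions, and a finding means "check this", not "malicious".

```python
"""Triage helper for HijackThis-style log lines.

Added example: not from the thread and not part of HijackThis. Parses the
"Rn - ..." / "On - ..." entry lines shown in the log above and returns the
ones a reviewer would look at first. A finding means "check this", not
"malicious": every flagged line in the constructed sample has an innocent
explanation as well as a bad one.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Assumption: autostart items normally live under one of these prefixes.
EXPECTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows",
                     "%windir%", "%systemroot%", "%programfiles%")
# Assumption: hosts a browser start/search page may point at without a flag.
TRUSTED_HOSTS = ("yahoo.com", "microsoft.com", "msn.com", "google.com")


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O4" or "O23"
    reason: str  # why a reviewer should look at it
    line: str    # the original log line


def path_of(code: str, body: str) -> str:
    """Best-effort extraction of the file path an entry refers to."""
    if code == "O4":
        if body.split(":", 1)[0].endswith("Startup") and " = " in body:
            return body.split(" = ", 1)[1].strip()        # Startup folder .lnk
        after = body.split("] ", 1)[1] if "] " in body else body
        if after.startswith('"'):
            return after[1:].split('"', 1)[0]               # "quoted path" args
        return after.split(" ", 1)[0]                       # bare path args
    if code == "O10":
        return body.split(":", 1)[1].strip()                # "... LSP: path"
    return body.rsplit(" - ", 1)[-1].strip()                # O2/O3/O9/O20/O23: last segment


def in_expected_location(path: str) -> bool:
    return path.lower().startswith(EXPECTED_PREFIXES)


def trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the running-process list carry no section code
        code, body = m.groups()
        if "(file missing)" in body:
            findings.append(Finding(code, "orphaned entry: the referenced file is gone", line))
        elif code in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname or ""
            if host and not trusted_host(host):
                findings.append(Finding(code, f"browser start/search page points at {host}", line))
        elif code == "O10":
            findings.append(Finding(code, "Winsock LSP sees all network traffic; confirm the vendor", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service with no publisher string", line))
        elif code == "O4" and not in_expected_location(path_of(code, body)):
            findings.append(Finding(code, f"autostart outside Program Files/Windows: {path_of(code, body)}", line))
    return findings


# Constructed sample: a few lines echo the log above; two are made up to trigger flags.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.hijack-example.test/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\user\Local Settings\Temp\updater.exe"
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

On the sample, the Temp-folder autostart is the one entry that ties directly to the temp-cleaning step in the guide above; the others are the kind of leftovers and legitimate-but-powerful hooks a reviewer confirms by vendor before removing anything.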

----------



## Bootlegger0173

I think this is the last of it.

So sorry. Please feel free to delete it all if its too much of a pain.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\hijackthis_199\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe


----------



## junkertyge

To Kung,
My husband was on his one website and while he was checking things this pop-ups were coming up saying that my computer has an Trojan has infected my computer. Then this program an Personal AV (anti-virus) was then already scanning my computer online. It founded about 40 Trojans. It said to get rid of them to download this program. So I did. Once downloaded onto my computer I have Icons on my screen and on my tool bar. I thought that it was a one time deal and was about to accept the program until I realized that I already have an Virus program on my computer and why this was not taken care of right away. I then came to realized that this program may be the Trojan/virus. Now I'm trying to get rid of the program and went into my Windows program for Un-installed section and when all my programs list came up I could not find the program that I just installed at all. I did find them in my Free Download Manager and already deleted them. I then re-started my computer thinking that I then deleted the program. I did not because the anti-virus menu keeps coming up on the screen. My virus program I do have is Tred-MicroPC-cillin Internet Security 14. I then scanned my full computer and no Virus or Malicious Trojans were found on my computer. My main problem now is that on my tool bar where this program has the Icon up I keep having pop-ups saying that my computer is infected with different viruses. It says this: Your system is infected with an Trojan Win32.agentazsy an malicious WINDOWS PE EXE and lists others which keeps poping up to be block or closed. Every time I click on block the program opens up on my screen when I'm online or not. I did find out that it's listed under my hard drive C:\Program Files\Personal AV that I installed 8/12/09 12:10pm EST. The pop-ups keeps coming up from my tool bar and I don't know how to get rid of that plus the full program now. This other message keeps coming up as well.
Once launced the Trojan copies its body to the current users Windows start up directory and attempts to steal passwords from the Internet. There are other virues listed as well to keep an eye out of I guess. It don't take anything off at all. So now I have this problem with this other virus program I should have not download at all. Can you help me? To get rid of this program once and for all? I hope that it didn't take important information like my credit card information besides to say I brought this program. I never gave my credit card information at all or even register this program. Thank You.
Nancy


----------



## junkertyge

Hi Kung,
Tonight when I went back onto the Internet, my Windows Defender came up with the Trojan Personal Virus program I mentioned this morning and said that it was a severe virus. I was able to take off this virus with my Windows Defender after all. I forgot I had this feature under my Windows Vista Home Edition. Thank you if you read the other message to help me. Glad this is all gone from my computer now. No icons or anything about that program are on it anymore.
Nancy


----------



## Kung

I did read it; but you beat me to it.


----------



## manygoatsnmore

Is Windows Defender on the XP version? I'm having a similar problem - constant pop-ups saying I need to download an antispyware program from Advanced Virus Remover because my system has detected a potential hazard (Trojan SPM/LX). It supposedly ran a trial offer scan and detected multiple serious problems. I don't know where this came from, and I pay extra for HughesNet to block spyware, viruses, etc. How do I get rid of this? It's driving me crazy! Every time it pops up, it stops me from typing a post. If I don't close the pop-up, it just adds another and another until I literally can't see the screen.


----------



## Kung

You can get Windows Defender for XP; I think you can also use the new MSE (Microsoft Security Essentials) on it as well. (Someone look at that for me and verify.)

I know that Malwarebytes is quoted as being able to remove it; if you don't have it, download it and install it (www.malwarebytes.com), update it, and then run a full scan.


----------



## 2horses

Kung, one thing you may want to add to your original posting of steps to take to clean your machine is to disable System Restore - it will sometimes hold malware and allow it to reinstall after it's been removed, unless SR is turned off and the restore points deleted.


----------



## Kung

That's odd - I could have sworn that WAS in there, and I'm well aware that it DOES store malware. I almost wonder if I didn't update it, and in doing so, accidentally take it out. I'll make sure that's done tonight.


----------



## manygoatsnmore

Thank you, Kung! Downloaded the software you recommended and I'm free of those nasty pop-ups. :bouncy:


----------



## Kung

:goodjob: Sweet! Glad to hear it.


----------



## Janette

Tell me, is Smiley Central spyware?


----------



## StaceyS

Kung said:


> You can get Windows Defender for XP; I think you can also use the new MSE (Microsoft Security Essentials) on it as well. (Someone look at that for me and verify.)
> 
> I know that Malwarebytes is quoted as being able to remove it; if you don't have it, download it and install it (www.malwarebytes.com), update it, and then run a full scan.


Just want to say thank you for posting this. Really saved my work computer. The computer guy was trying to convince my boss I needed a new computer. :nanner:


----------



## lharvey

> Just want to say thank you for posting this. Really saved my work computer. The computer guy was trying to convince my boss I needed a new computer.


Your computer guy didn't know you had malware?

Sounds like some of my former customers that have a kid from high school do their computers and only call in an expert when the kids have finally got it so screwed up it will barely run.:rock:


----------



## StaceyS

lharvey said:


> Your computer guy didn't know you had malware?
> 
> Sounds like some of my former customers that have a kid from high school do their computers and only call in an expert when the kids have finally got it so screwed up it will barely run.:rock:


Nope. I have enough brains to question everyone. I knew there had to be a way to fix this. So glad to be a part of HT!


----------



## lharvey

Hope this guy is not a salaried guy.

But I'm sure he gets paid what he is worth.

Sad, very sad


----------



## Judy in IN

I cleaned out my cookies, etc, got rid of restore, but now my computer cannot detect my modem. I know the modem is working because we have 3 laptops and another desktop working from it.

Even India hasn't been able to fix it.


----------



## Kung

lharvey said:


> Your computer guy didn't know you had malware?
> 
> Sounds like some of my former customers that have a kid from high school do their computers and only call in an expert when the kids have finally got it so screwed up it will barely run.:rock:


No kidding. Meanwhile guys like me n you who know our stuff can't get a job (sometimes).


----------



## Jenn

Whew dunno if I did this to myself or if whatever has my PC running like tar did it but I can not open my documents and settings folders as directed in OP! I CAN run Disk Cleanup and it empties many of those files. Right now my defrag is taking over 12 hours... that seems long but I can't recall for sure. I'll reboot in safe mode after that's done or I give up on it some time today.

Can't wait until my geek (DH) gets back from Iraq. Whenever he's gone and this stuff happens, I kid that I'm gonna Red Cross him back home - illness or death in family! (of computer)


----------



## Kung

A defrag can take that long *IF* you're using it @ the time. Otherwise, yeah, that's taking WAY too long.

First things first - what happens when you DO try to open the D&S folder?


----------



## Jenn

Kung, when I try to open D&S and many others, it has an arrow symbol over it and when I click on it, it says "*** is not accessible. Access is denied." PC was much faster in safe mode but no internet via Firefox. BTW, I did go to Photobucket a week or three after virus concerns from there. But no definite immediate cause/effect from that.


----------



## Kung

That's odd - you can't open your D&S folder? I assume you're running Windows XP; if not, and you're running Vista or Windows 7, then search in the "Users" folder instead.

If you ARE using XP, though, you may have to take ownership of that particular folder. NO clue why you suddenly don't have access to it. Question - are you logged on as an administrator? (Or does your logon have administrative access?)


----------



## Jenn

SSSHHHH! I sort of solved my problem - I resurrected DH's 2nd PC. I think when he gets back from Iraq this summer he'll forgive me, but I'm not certain. I can now post here after Norton sequestered a virus; now to figure out why I can't do my email here!


----------



## dezingg

quietstar said:


> Hi Nevada..Both Email accounts are web based Yahoo accounts. Reading of Emails on one account are certain.


Glen -

Have you tried changing your Yahoo passwords? That would be the easiest change to make and it would make the old password useless. Does your relative log into your computer system remotely to help you with settings? If that is set up, they would have access to a lot of files on your computer. I've never used remote access/login, so I don't know the particulars.

I'm not a computer tech, but I seem to be my sister's go-to guy for computer help. She tells me her passwords and at this point I know her passwords as well as my own. I'm not a snoop though; I could care less what is in her or her husband's email accounts.

- Dave


----------



## soulsurvivor

kung, thank you man for this! I couldn't face another costly computer service cleaning like the most recent one. This looks like something even I can do, and I hope it works for me.

One question, is this something that will need to be done on a daily basis, or maybe several times daily? Seems that this is a nasty adware virus that's being attached to many online venues, not just HT. There are lots of people online asking the same question and it's looking as though everyone is subject to picking up this new AntiVirus adware nasty anywhere online.

I can't help it but I think of these new and more difficult to remove viruses as online terrorism. Do you have any good advice for how to protect from picking up these recent invaders?


----------



## Kung

Oh no, these steps don't need to be done every day. I personally would run all spyware checkers and your virus checker AT LEAST once a week, and make sure that the updates are done to these programs prior to running said programs. But the full set of steps only needs to be done when you have a suspected spyware infestation that for some reason your current spyware checkers can't handle by themselves.


----------



## How Do I

OK. I've been dealing with the AV Security Suite carp for over a week now. I had this same one 6 months to a year ago and got rid of it pretty easily by following bleeping computer removal instructions. I followed the instructions for removing AV Security Suite once again. Everything is showing removed and protected now, but the only problem I have left which nothing seems to detect or help remove is that my Google searches are being redirected to trash sites. I just need to get rid of the redirects in Firefox and I should have this one conquered. Here's the exact problem I'm having.


In this photo:

[screenshot not reproduced in this copy of the thread]

you can see what looks like a normal Google search for *antivirus software*. What's not so normal is that when you click on the first two ORGANIC search results, you get a PAID search result URL. (See the URL at the bottom of the picture.) I was right-clicking on the first organic search result, which was the AVG Free (free.avg.com) link, when the screen capture took place. It's just the first TWO organic search results for ANY given Google search, and several times I've had the actual Google PAID results redirect to the trash sites also. This just happens randomly. I don't know where to even start on fixing this. Haven't been able to find someone having the same problem. Like I said, nothing else is showing anything wrong. I have everything possible installed and checked out, but this one is eluding all available software that I can find to use. Any ideas?


----------



## Kung

Out of curiosity, can you share WHERE they're redirecting to?

If you haven't already, I'd download HijackThis (www.hijackthis.de - click on the Direct Download link).

Once you've done THAT, run it, choose the 'Scan and save as log' option, then copy and paste the log here and we can analyze it.


----------



## How Do I

It looks like I finally got it taken care of. *ComboFix* fixed the redirects. It was basically redirecting to other "search" type sites similar to what you were searching for in the first place, just to get you to click on their ads. I think one was ScourWeb or something like that and another was MashUp. Running another scan with Malwarebytes and then AVG. Hopefully _this_ episode is over!


----------



## Kung

Actually, that was gonna be my first suggestion, aside from HJT; that seems to cure a multitude of sins.  I'm glad it got taken care of.


----------



## 2horses

What/where is ComboFix? Off to search for it.... I'll use any tool that works these days! ARGH!


----------



## How Do I

I downloaded it from BleepingComputer. I guess ComboFix.org is the Official Website, but I _did_ see a list of sites of where _NOT_ to download it and I trust BC, so I just downloaded it through their site. The downloads are located right under *Using ComboFix* on the BC page.


----------



## 2horses

Thanks. Interesting tool!


----------



## Nature_Lover

Hey Kung,
Trend Micro developed a new fake AV removal tool. I posted it on Texican's "...disc with virus on it.." thread, but I didn't know whether you saw it.

I've been running it in safe mode:

http://esupport.trendmicro.com/Pages/Fake-Antivirus-FakeAV-Removal-Tool.aspx

It seems thorough, and easier than the other programs I've been using for Thinkpoint.


----------



## junkertyge

My virus program is ending tomorrow and I want to delete this program off of my computer completely. I want to get the AVAST free virus protector now to see how this one works for viruses. How do I delete my old virus program? It's Trend Micro PC-cillin Internet Security. Thanks.
Nancy


----------



## junkertyge

Hi Kung,
I already took the old virus program off my computer, and all is well with my free AVAST program. No problems at all; it's working fine.
Nancy


----------



## country bred

Hi, Kung.

Thanks for developing this spyware removal thread.

> 2. Delete EVERYTHING in the following folders: (Note - by doing so you will erase all cookies, as well as cached browser information, so make sure you know logons and passwords)
> 
> - C:\Documents and Settings\[your username]\Cookies
> - C:\Documents and Settings\[your username]\Local Settings\Temp
> - C:\Documents and Settings\[your username]\Local Settings\Temporary Internet Files
> - C:\Temp
> - C:\Windows\Temp

I have Vista Home Edition. When I unhide the system files, etc., the Documents and Settings folder displays in Windows Explorer. But when I click on it, there's a clanging noise and Vista petulantly says "Access denied." 

1. So how can I delete stuff in the D & S folder?
2. Also, C:\Windows\Temp displays, but not C:\Temp.

What am I doing wrong?

Thanks,
Marcia


----------



## Kung

Marcia - the 'Documents and Settings' folder in Vista/7 is sort of an unusable link; not sure exactly why it's there, but in Vista/7 it's actually under C:\Users\[your username]\Temp.


----------



## country bred

Thanks, Kung.

I see C:\Users\Marcia\, but there's no Temp folder there. There's a Temp folder at C:\Users\All Users\. This Temp folder has a bunch of folders with names like {01FB4998-33C4-4431-85ED . . .}. And it looks like each of these folders contains a copy of the same file -- PostBuild.exe.

Are the files in C:\Users\All Users\Temp the ones I need to delete?

Marcia


----------



## Kung

In short, anything in ANY 'Temp' folder can be deleted. If the system DOES need it, it'll recreate it.
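The cleanup Kung describes here and in the quoted step above (empty every Temp folder, the system recreates what it needs) can be done from a script so that you see what is there before anything is removed. The following PowerShell script is an added example; it is not from this thread or from any of the tools mentioned in it. It assumes Vista/7 or later, where the per-user temp folder resolves through `$env:TEMP` (normally `C:\Users\<name>\AppData\Local\Temp`) and the browser cache lives under `$env:LOCALAPPDATA`; the path list and the `-Clean` switch are the example's own choices.

```powershell
# Added example (not from the thread): list what sits in the usual Temp folders and
# optionally empty them. Run from an elevated PowerShell prompt. Without -Clean it only
# reports; with -Clean it deletes, and -WhatIf shows what -Clean would remove.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Clean
)

# Locations named in this thread, plus the per-user temp and browser cache folders that
# Vista/7 actually use (assumption: standard Windows layout, profile under C:\Users).
$tempDirs = @(
    $env:TEMP,
    "$env:SystemRoot\Temp",
    'C:\Temp',
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"
)

foreach ($dir in ($tempDirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    # -Force includes hidden files, which is where unwanted programs like to hide.
    $items = Get-ChildItem -LiteralPath $dir -Force -Recurse -ErrorAction SilentlyContinue
    $files = @($items | Where-Object { -not $_.PSIsContainer })
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    '{0,-70} {1,6} files {2,8:N1} MB' -f $dir, $files.Count, ($bytes / 1MB)

    # Executables in a temp folder deserve a look before they are deleted; they are the
    # files worth noting down (name, timestamp) if you later need help on the forum.
    $files | Where-Object { $_.Extension -in @('.exe', '.dll', '.scr', '.com') } |
        ForEach-Object { '    executable: {0}  (modified {1})' -f $_.FullName, $_.LastWriteTime }

    if ($Clean) {
        foreach ($item in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove')) {
                # Files still open by a running process are skipped; that is expected and
                # matches Kung's advice to do this from Safe Mode when a file will not go away.
                Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction SilentlyContinue
            }
        }
    }
}
```

Run it once without switches to get the per-folder counts and the list of executables, then `.\cleantemp.ps1 -Clean -WhatIf` to preview and `.\cleantemp.ps1 -Clean` to delete. Anything that survives the delete is in use by a running process, which is exactly the situation the Safe Mode step in the original post is there for.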


----------



## ceresone

I'm running McAfee Total Protection. In running a scan last week, it picked up and destroyed a Trojan virus. Is there anything else I need to be running with this? I'm having a few small problems, but nothing I can nail down.


----------



## Kung

IMHO, I would not run any more antivirus programs, but I WOULD run at least one other cleaner program (e.g., CCleaner, Cleanup!) and one other antispyware program (e.g., Malwarebytes, Superantispyware).


----------



## unregistered5595

XP SP3 - old Dell Latitude D610

I'm running SUPERAntiSpyware, Ad-Aware, Malwarebytes, occasionally CCleaner and in emergencies RKill.

Last week Ad-Aware had me upgrade to the new free version. When it was done installing and began scanning, it said there were incompatible programs. At the end of scanning it said that Malwarebytes was incompatible and needed to be removed.
I don't want to remove it because I like it.

What to do? Remove it, upgrade to something else (Malwarebytes or Ad-Aware), or does this have to do with this being an old XP machine? Thanks in advance.


----------



## Kung

ALL - having just become a tech moderator again, I'll be updating this thread in the coming days, as it's obviously LONG overdue. LOL


----------



## arabian knight

Kung said:


> ALL - having just become a tech moderator again, I'll be updating this thread in the coming days, as it's obviously LONG overdue. LOL


I am sure glad I have an iMac. Although I do run malware/antivirus and many others, all combined in what I have for protection in one anti-program. LOL


----------



## Kung

Ditto - although I'll even add a section for that.


----------



## unregistered5595

Kung said:


> ALL - having just become a tech moderator again, I'll be updating this thread in the coming days, as it's obviously LONG overdue. LOL


Glad your smartness is back! Truly. I've been sitting by my computer for what now, a year and half waiting for your reply. (KIDDING--a joke) 

Maybe even start the thread over, most of my software and computers have since changed, so don't answer my previous question.  Glad you are back.


----------



## Kung

ROFL! Ok I won't.  I might just start it over; we'll see.


----------



## OliviaU

Thanks for this awesome resource. Really helpful post.
Olivia at http://www.ampronix.com/


----------



## Ruby

I have Windows 10. Last week I received a call from my internet provider saying a program had been downloaded on my computer called BitTorrent. He said it allowed anyone to see all my stuff on my computer. At the time I was away from my computer and told him I would check into it. I have searched everywhere I know to find it but can't. I did download a game program from Facebook but have not used it. I read your instructions on getting rid of spyware for the others (Vista and 7) but didn't see anything about 10. Later that day I did get an e-mail from CenturyLink with a link to click but was afraid to click on it. Any help would be appreciated.


----------



## weaselfire

Ruby said:


> I have Windows 10. Last week I received a call from my internet provider saying a program had been downloaded on my computer called BitTorrent. He said it allowed anyone to see all my stuff on my computer. At the time I was away from my computer and told him I would check into it. I have searched everywhere I know to find it but can't. I did download a game program from Facebook but have not used it. I read your instructions on getting rid of spyware for the others (Vista and 7) but didn't see anything about 10. Later that day I did get an e-mail from CenturyLink with a link to click but was afraid to click on it. Any help would be appreciated.


Probably deserves to be in a separate post, but download and run some spyware software. Malwarebytes and others have free trials that work well.

Better is to restore to the week before your provider notified you, but if you don't do regular backups or save restore points that may not work.

Jeff


----------



## HermitJohn

weaselfire said:


> Probably deserves to be in a separate post, but download and run some spyware software. Malwarebytes and others have free trials that work well.
> 
> Better is to restore to the week before your provider notified you, but if you don't do regular backups or save restore points that may not work.
> 
> Jeff


About time, she has been waiting over 2 years for a response.


----------

