
How to remove core.cache.dsk and parportt.sys

Symptoms: if your computer is infected, you get popups everywhere. The popups appear in Internet Explorer as well as Firefox, and popup blockers do not stop the invasion.
The popups come from several ad networks:

url.cpvfeed.com
upspiral.com
searchlocal.ws
xads.zedo.com
aavalue.com

Spybot finds Smitfraud-c.core but cannot remove it: the file core.cache.dsk comes back every time you reboot.

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your desktop.
Download Combofix by sUBs and save it to your desktop.
Download CCleaner. Double-click the file to install it.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O20 - Winlogon Notify: ****** -******.dll (file missing)

Here ****** stands for random characters, for example agggdbc (search Google for this DLL name to confirm).

Close all browser windows and other windows except for HijackThis. Click “Fix Checked”.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run Combofix.

Close any open browsers. Double click on combofix.exe and follow the prompts.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Download and install SuperAntiSpyware Home Edition Free Version.

Now Start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check: ‘Perform Complete Scan’. Click ‘Next’ to start the scan.

SuperAntiSpyware will now scan your computer; when it’s finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you’re done.

If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum
Include the following logs in your post:

smitfraudfix log (can be found at the root of the system drive, usually at C:\rapport.txt)
combofix log
superantispyware log

February 14, 2008 on 4:33 am | In Spyware protection and removal, Tutorials - "How to" | No Comments |

How to remove CID popups

Symptoms:
1. Popup with words CiD in upper left of title bar appears when starting IE.
2. Popup re-appears every few minutes. If you leave the machine and come back later, there will be many popups on the screen.
3. Adaware and Spybot show nothing.

The CiD pop-up is an optional sponsor for Windows Live! Plus! (messenger addon). Upon installation it will ask you if you would show your support by allowing it to install integrated sponsor support.

If you have this installed on your PC just go to Control Panel - add/remove programs - and select Microsoft Live Plus and you’ll get the option of removing the sponsor support only.

Download NoLop.exe to your desktop.
Download CCleaner. Double-click the file to install it.
Download and install SuperAntiSpyware Home Edition Free Version.

Launch SuperAntiSpyware and click on ‘Check for updates’. Once the updates have been installed, exit SuperAntiSpyware. Do not run it just yet.

Uninstall these programs because they are bundled with the CID malware. Go to Start, then Control Panel and then Add/Remove Programs. Click Remove on any of the following:

CiD Help
CiD Manager
DivoCodec
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger plus or messenger plus and client
Bitdownload
Zone Media
WinZix
Search Plugin
Window Search
Window Searching
Bitgrabber
BitRol
Browser Enhancer
Netpumper
Torrent101
W3player
Ultimate Browser Enhancer

Note: if you’re asked for a Verification code, please enter the numbers that appear in the window.
Reboot your computer.

Close any other programs you have running as this will require a reboot. Double click NoLop.exe to run it.

1. Click the button labelled “Search and Destroy”.
2. When scanning is finished you will be prompted to reboot only if infected; click ‘OK’.
3. Now click the “REBOOT” Button.

A message should pop up from NoLop; if not, double-click the program again and it will finish.

Note:

If you receive the error that mscomctl.ocx or one of its dependencies is not correctly registered, please download the mscomctl.ocx package and run it to install. After that, rerun the program.

Download Deljob.exe and save it on your desktop.
Double-click Deljob.exe.

Now download Combofix by sUBs and save to your desktop.
Close any open browsers. Double click on combofix.exe and follow the prompts.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Now Start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check: ‘Perform Complete Scan’. Click ‘Next’ to start the scan.

SuperAntiSpyware will now scan your computer; when it’s finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you’re done.

If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum. Post the content of the deljob log (file logit.txt on your desktop) in your post.

January 23, 2008 on 9:06 am | In Spyware protection and removal, Tutorials - "How to" | 1 Comment |

How To Remove cyberstoll.com, search-daily.com hijacker and WebHancer spyware

Symptom:
When you do a Google search, you get search results, but if you click on one of the results, you are redirected to cyberstoll.com or search-daily.com.

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your desktop.
Download LspFix and extract the content to your desktop.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: WebHancer.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 - BHO: (no name) - {F71D25F6-E9F6-401B-AD3D-AB9F7D36E6C7} - C:\WINDOWS\system32\dinpu.dll

Close all browser windows and other windows except for HijackThis. Click “Fix Checked”.

Reboot your PC.

Run LSPFix.exe

Check the I know what I’m doing box.
In the Keep box, select the webhdll.dll (Protocol handler) and move it to the Remove box by clicking the >> button.
When you are done click Finish>>.
When LSP-Fix is done removing the LSP you will see a summary box. At this point the LSP has been removed and you can press OK to shutdown LSP-Fix.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
sc stop gzncfggw
sc delete gzncfggw
exit

Save this as fix.bat to your Desktop (remember to select Save as file type: All files in Notepad). Double-click fix.bat.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum

January 9, 2008 on 4:11 am | In Spyware protection and removal, Tutorials - "How to" | No Comments |

How to fix shell.exe, spoolvs.exe problem

Symptoms:

  • Start > Settings -> Control panel is missing
  • Task bar icons informing you of an infection and taking you to a legitimate-looking security panel
  • System pop ups and IE pop ups
  • When you start PC, you can get a message: “Windows cannot find ‘C:\Windows\shell.exe’ Make sure you typed the file name correctly….”

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your desktop.
Download VundoFix and save the file to your desktop.
Download SDFix and save the file to your desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Boot your PC in Safe Mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode

Open the SDFix folder and double-click RunThis.bat.

  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard).

Double-click VundoFix.exe to run it.

  • When VundoFix opens, click the Scan for Vundo button.
  • Once it’s done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Reboot in SafeMode again.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

  • Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
  • You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
  • The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Backup Your Registry with ERUNT

After that you should post your logs:

  • hijackthis log
  • smitfraudfix log (can be found at the root of the system drive, usually at C:\rapport.txt)
  • sdfix log (usually at C:\sdfix\logReport.txt)
  • vundofix log (usually at C:\vundofix.txt)

to the spyware help forum and wait for an answer (you should create a free forum account first).

November 26, 2007 on 9:53 am | In Spyware protection and removal, Tutorials - "How to" | 7 Comments |

How to remove savetheinformation.com and secirityonpage.com hijackers

Symptoms:

  • IE pop-up windows, mostly to a site called www.savetheinformation.com but also to some other sites
  • Yellow balloons from the taskbar prompting you to download antispyware software.
  • Grey pop-ups, like error messages, also prompting to download antivirus/spyware software.
  • 2 programs added to start menu program list: online security guide and live safety center
  • When you open an IE window it goes to www.savetheinformation.com

Download VundoFix and save the file to your desktop.
Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.

Disable your anti-spyware program; once your PC is clean you can re-enable it.

Double-click VundoFix.exe to run it.

When VundoFix opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

If you still have problems, follow these steps:

Download FixSTI.reg to your desktop.

Double-click FixSTI.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Run HijackThis. Close all other programs, leaving only HijackThis running. Place a check against each of the following if found, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {33BF7E26-185B-46C7-87FB-A8F94C7E696C} - C:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {5a2e9fa3-5acd-4013-961b-aae311cdb902} - C:\WINDOWS\system32\****.dll (file missing)
O2 - BHO: (no name) - {60D97635-E582-E002-F541-EA2B589ED998} - C:\WINDOWS\system32\****.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\****.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\****.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\****.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\****.dll
O20 - Winlogon Notify: **** - C:\WINDOWS\SYSTEM32\****.dll

Here **** stands for random characters, for example: xjegktl, nuyix, ldbvcpwu, khcmkrws …

Now close all other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

If you still have problems with your PC or cannot remove the hijackers, follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting.
savetheinformationcom & secirityonpagecom-hijackers

Don't forget, we want to help you: make logs and post them to the spyware removal forum!
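
The HijackThis step in this tutorial lists eight entries, several with **** standing for a random name, and warns against ticking anything else. The Python script below is an added example, not part of the original tutorial or of HijackThis: it matches a saved log against that checklist and separately reports lines that carry a checklist CLSID but differ in text. The function names and the sample log are constructed for illustration.

```python
import re

WILDCARD = "****"  # the tutorial's placeholder for a random name
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
ENTRY_RE = re.compile(r"[A-Z]\d+ - ")  # section prefix such as R3, O2, O20

# Checklist copied from the tutorial above.
CHECKLIST = [
    r"O2 - BHO: (no name) - {33BF7E26-185B-46C7-87FB-A8F94C7E696C} - C:\WINDOWS\system32\pmnlk.dll",
    r"O2 - BHO: (no name) - {5a2e9fa3-5acd-4013-961b-aae311cdb902} - C:\WINDOWS\system32\****.dll (file missing)",
    r"O2 - BHO: (no name) - {60D97635-E582-E002-F541-EA2B589ED998} - C:\WINDOWS\system32\****.dll (file missing)",
    r"O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\****.dll",
    r"O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\****.dll",
    r"O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\****.dll",
    r"O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\****.dll",
    r"O20 - Winlogon Notify: **** - C:\WINDOWS\SYSTEM32\****.dll",
]

# Constructed sample log, not taken from a real machine.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savetheinformation.com/
O2 - BHO: (no name) - {33BF7E26-185B-46C7-87FB-A8F94C7E696C} - C:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {5A2E9FA3-5ACD-4013-961B-AAE311CDB902} - C:\WINDOWS\system32\xjegktl.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\Program Files\Example\helper.dll
O2 - BHO: Constructed Reader Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\reader.dll
O20 - Winlogon Notify: nuyix - C:\WINDOWS\SYSTEM32\nuyix.dll
O20 - Winlogon Notify: igfxcui - igfxdev.dll
"""


def compile_entry(entry):
    """Turn one checklist line into a case-insensitive regex."""
    literal_parts = [re.escape(part) for part in entry.split(WILDCARD)]
    # A wildcard stands for one name only: no path separator, colon or space.
    return re.compile(r"[^\\/:\s]+".join(literal_parts), re.IGNORECASE)


def classify(log_text, checklist=CHECKLIST):
    """Return (fix, review).

    fix    -- log lines that match a checklist entry exactly (wildcards aside)
    review -- lines that mention a checklist CLSID but differ in text, so they
              need a manual look instead of a blind tick
    Everything else is left alone.
    """
    rules = [compile_entry(entry) for entry in checklist]
    listed = {m.lower() for entry in checklist for m in CLSID_RE.findall(entry)}
    fix, review = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            continue  # header, process list or blank line
        if any(rule.fullmatch(line) for rule in rules):
            fix.append(line)
        elif any(c.lower() in listed for c in CLSID_RE.findall(line)):
            review.append(line)
    return fix, review


if __name__ == "__main__":
    to_fix, to_review = classify(SAMPLE_LOG)
    print("Tick these entries:")
    for entry in to_fix:
        print("  " + entry)
    print("Checklist CLSID but different text, check by hand:")
    for entry in to_review:
        print("  " + entry)
```

Lines that appear in neither list, such as the legitimate-looking igfxcui Winlogon entry in the sample, stay unticked.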

November 18, 2007 on 6:00 am | In Browser Hijacking, Spyware protection and removal, Tutorials - "How to" | 3 Comments |

How to remove Pcsecuritylab.com Hijacker

Pcsecuritylab.com is a browser hijacker.
It may also change the desktop wallpaper and show the message:

Warning! SpyWare Threat Detected on Your PC!

You will also periodically get a fake security warning:

Your Security and Privacy are at risk: Spyware has been detected. Click HERE to remove it.

It automatically runs on every Windows startup. Pcsecuritylab.com is a very high security risk threat and should be removed immediately to prevent harm to your computer and your privacy.

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip to your desktop.

Open notepad and copy/paste the text in the quotebox below into it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e690500e-1dd1-11b2-a943-9ecd016314d0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Save this as Fix.reg to your Desktop (remember to select Save as file type: All files in Notepad).
Double-click on the Fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar…p=ZJxdm186NJUS

Now close all browser windows and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\ace16win.dll

Folders to delete:
C:\WINDOWS\system32\Mz15r
C:\WINDOWS\PerfInfo
C:\WINDOWS\McAfee.com
C:\Program Files\LimeWire
C:\WINDOWS\system32\acespy

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting
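
Before merging a file such as Fix.reg, it helps to see exactly which keys it deletes and which values it sets, and to catch typographic quotes picked up when the text is copied from a web page. The Python script below is an added example, not part of the original tutorial: `review_reg` and both sample texts are constructed here (the key lines are copied from the Fix.reg listing above), and it handles single-line values only.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"\[(-?)(HKEY_[A-Z_]+(?:\\.*)?)\]")
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u201e\u2018\u2019"

# Constructed sample: three key lines and one value from the tutorial's Fix.reg.
RETYPED = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""
# The same text after a blog engine or word processor has curled the quotes.
PASTED = RETYPED.replace('"', "\u201d")


def review_reg(text):
    """Return what a .reg file would delete or set, plus lines that do not parse.

    Hex values continued over several lines with a trailing backslash are out
    of scope and would be reported as problems.
    """
    report = {"delete_keys": [], "delete_values": [], "set_values": [], "problems": []}
    lines = text.splitlines()
    start = 1
    if not lines or lines[0].strip() not in HEADERS:
        report["problems"].append((1, "first line is not a .reg header"))
        start = 0
    current_key = None
    for number, raw in enumerate(lines[start:], start=start + 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if any(q in line for q in TYPOGRAPHIC_QUOTES):
            report["problems"].append((number, "typographic quotes, retype as straight quotes"))
            continue
        key = KEY_RE.fullmatch(line)
        if key:
            if key.group(1) == "-":          # [-KEY] deletes the whole key
                report["delete_keys"].append(key.group(2))
                current_key = None
            else:
                current_key = key.group(2)
            continue
        value = VALUE_RE.fullmatch(line)
        if value and current_key:
            name = "(Default)" if value.group(1) == "@" else value.group(1)[1:-1]
            data = value.group(2)
            bucket = "delete_values" if data == "-" else "set_values"
            report[bucket].append((current_key, name, data))
        else:
            report["problems"].append((number, "not a key or value line"))
    return report


if __name__ == "__main__":
    for label, text in (("retyped", RETYPED), ("pasted", PASTED)):
        result = review_reg(text)
        print(label)
        for path in result["delete_keys"]:
            print("  delete key:", path)
        for path, name, data in result["set_values"]:
            print("  set value :", path, name, "=", data)
        for number, reason in result["problems"]:
            print("  line", number, ":", reason)
```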

November 17, 2007 on 8:19 am | In Browser Hijacking, Spyware protection and removal, Tutorials - "How to" | 1 Comment |

How to remove xlavra (Trojan-Downloader.Win32.Agent) and Wintools adware

WinTools is adware that adds a toolbar to your browser and generates annoying popups and balloon dialogs.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: WinTools, WhenU, SearchUpgrader

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip to your desktop.
Download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482E-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Now close all browser windows and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open notepad and then copy and paste the lines below into it.

@echo off
sc stop WinToolsSvc
sc delete WinToolsSvc

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
Double-click on fixes.bat file to execute it.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:
C:\WINDOWS\xlavba3.exe
C:\WINDOWS\system32\sulimo.dat

Folders to delete:
C:\Program Files\Common files\SearchUpgrader\
C:\Program Files\VVSN\
C:\PROGRA~1\COMMON~1\WinTools\

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Boot your PC in Safe Mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).

You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that, click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE, click “create new restore point”, click NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting

November 13, 2007 on 7:13 am | In Spyware protection and removal, Tutorials - "How to" | No Comments |

SnoopFree Privacy Shield - informs you when another programme is wanting to log your keystrokes

SnoopFree Privacy Shield works in a unique and powerful way against all spy software. Detect all known and unknown spy software programs. SnoopFree software protects your privacy by watching for suspicious programs running on your computer. A suspicious program is any program that tries to watch your keyboard, take pictures of your screen or read text from un-owned windows. These three activities are the cornerstone of all modern spy software.

Download SnoopFree Privacy Shield

Read more: How to detect keylogger on my computer ?

November 12, 2007 on 8:50 pm | In Free Software, Spyware protection and removal | No Comments |

Comodo BOClean - Anti-Malware - 100% Free

BOClean software protects you against a full spectrum of malware, automatically removing these programs from memory, your hard disk and your registry without the need to reboot or drop your internet connection. BOClean safely neutralizes these threats instantly without any risk of damage to your files or computer. Updates are FREE, and the update download and installation process is (or, in the case of network deployment, can be) completely automated.

BOClean Features

  • Destroys malware and removes registry entries
  • Does not require a reboot to remove all traces
  • Disconnects the threat without disconnecting you
  • Generates optional report and safe copy of evidence
  • Automatically sweeps and detects INSTANTLY in the background
  • Configurable “Stealth mode” completely hides BOClean from users
  • Update automatically from a network file share
  • Protects itself from malware tampering or shutdown
  • FREE daily malware database updates from our web site
  • Update file can be shared/pushed on a server for easy maintenance
  • Optional rollback of update to an earlier version
  • Full spectrum malware coverage and protection


Download Comodo BOClean Free Anti-Malware

November 12, 2007 on 8:17 pm | In Free Software, Spyware protection and removal | No Comments |

How to remove IE Defender

IE Defender is a rogue antispyware application that is starting to infect a lot of users, and this particular infection is harder to remove. IE Defender also installs itself in your Internet Explorer browser and hijacks searches you enter into the Google and Yahoo search engines: when an infected Internet Explorer opens Google or Yahoo and you make a search request, you will see a hijacked search result listing. You will also periodically get a fake message:

Google Error
Your computer is infected! Some of your search results were changed by spyware
You have to clean your PC and we recommendto use our ANTISPYWARE!

To remove the IE Defender spyware, follow these steps:

Download FixIED.reg and save the file to your desktop.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip to your desktop.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: IE Defender

On your desktop find and double-click on the FixIED.reg file that you just downloaded. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:
C:\Windows\System32\bDivX.dll
C:\Windows\System32\bDivX.dll.bak
C:\WINDOWS\system32\IR9V0_QCX.dll
C:\WINDOWS\system32\IR9V0_QCX.dll.bak
C:\Windows\System32\Video32.dll
C:\Windows\System32\Video32.dll.bak
C:\WINDOWS\system32\IntelVideo.dll
C:\WINDOWS\system32\IntelVideo.dll.bak
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll.bak
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll.bak
C:\Windows\System32\dx50codec.dll
C:\Windows\System32\dx50codec.dll.bak
C:\Windows\System32\a3gpcodec.dll
C:\Windows\System32\a3gpcodec.dll.bak
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\aDivX.dll.bak
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\mp3avi.dll.bak
C:\Windows\System32\VideoMP3.dll
C:\Windows\System32\VideoMP3.dll.bak

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Boot your PC in Safe Mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).

You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that, click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE, click “create new restore point”, click NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below

Spyware removal - Read Before Posting

November 10, 2007 on 9:09 am | In Rogue Anti Spyware, Spyware protection and removal, Tutorials - "How to" | No Comments |

SUPERAntiSpyware Free for home use

Easily remove over 1 million pests and threat components such as VirusRay, AntiVirGear, VirusProtectPro, DriveCleaner, SmitFraud, Vundo, WinFixer, SpyAxe, SpyFalcon, WinAntiVirus, AntiVermins, AntiSpyGolden and thousands more!


* Quick, Complete and Custom Scanning of Hard Drives, Removable Drives, Memory, Registry, Individual Folders and More! Includes Trusting Items and Excluding Folders for complete customization of scanning!
* Detect and Remove Spyware, Adware, Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers, Parasites, Rootkits and many other types of threats.
* Light on System Resources and won’t slow down your computer like many other anti-spyware products. Won’t conflict with your existing anti-spyware or anti-virus solution!
* Repair broken Internet Connections, Desktops, Registry Editing and more with our unique Repair System!

Download SUPERAntiSpyware

November 6, 2007 on 9:17 am | In Free Software, Spyware protection and removal | No Comments |

ComboFix another free anti spyware tool

This tool removes SurfSideKick, QooLogic, Look2Me or any combination of that group.
Also nicely picks out Vundo infections.

One of the better things it does is pick out recently created files, which can give clues to other infections. You can use it to unhook any dll in the system32 folder. You can also use it to delete up to 8 files using its command line functions.

Also it deletes a bunch of files related to the infections above automatically and is updated fairly regularly.

To use ComboFix, download it to your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you.

Note: Do not click in ComboFix’s window while it’s running. That may cause it to stall.

Post the log at the spyware remover help forum, then remove the items as directed by the member helping you. You do not need to analyse the list yourself; the Help Forum staff will do that.

October 8, 2007 on 8:39 pm | In Free Software, Spyware protection and removal | 46 Comments |

McAfee free rootkit remover

McAfee has released a free rootkit remover, a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

Features
* Designed to proactively detect the system objects like processes, files and registry that are hidden to the user.
* Provides information about all running processes in the system.
* Provides information about various system hooks like SSDT (System Service Descriptor Table) hooks, user/kernel IAT/EAT (Import/Export Address Table) hooks.
* Allows the user to clean/remove the malicious objects from the system by renaming/deleting the hidden files/registry.
* Allows the user to terminate the malicious processes.
* Users can submit samples using the submission feature present in the tool.
* Users can also collect the samples manually after renaming them and submit to stinger@avertlabs.com for further analysis.

Download Rootkit Detective 1.0
Read more here

July 26, 2007 on 8:36 am | In Free Software, Rookit, Spyware protection and removal | No Comments |

Automatic removal HaxDoor trojan

This trojan allows others to access the computer, drops more malware, and installs itself in the Registry.

To check your PC, download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Now run HijackThis and click “Do a system scan only”. If you find any entry similar to these:

O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

then you have a HaxDoor trojan infection!

To remove this serious infection, please follow these instructions step by step.

Download haxfix.exe. Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark “Create a desktop icon”.
Click “Next”.
When the installation is completed, make sure that “Launch HaxFix” is checked.
Click “Finish”.
A red “dos window” (dos box) will open.

Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you’ll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.

HaxDoor can drop more malware, so if you are still having problems with your PC, please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting

June 24, 2007 on 6:27 pm | In Spyware protection and removal, Trojan, Tutorials - "How to" | No Comments |

Automatic removal MBS Account Manager

MBS Account Manager is a program from Micro Bill Systems in the UK. The program provides billing and collection services for websites (mostly adult in nature). This software is potentially unwanted because, apart from constantly displaying demands for money for its services, it attempts to install further unwanted components using ActiveX. MBS Account Manager displays a bill as a pop-up; when the bill is ignored, the pop-ups become more frequent.

A HijackThis log will show two running processes and a Startup entry similar to one of these:

O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\smvalid.exe

Four months ago I wrote about MBS spyware; if the old instructions don’t work, try the following steps:

1. Download the Brute Force Uninstaller to your desktop.
Right click the BFU folder on your desktop, and choose Extract All. Click “Next” and then in the box to choose where to extract the files to, Click “Browse”. Click on the + sign next to “My Computer”. Click “Next”, and Uncheck the “Show Extracted Files” box and then click “Finish”.

2. Download the MicroBill Removal script. Save it in the same folder you made earlier (c:\BFU). Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

3. Next to the “scriptline to execute” field, click the folder icon and select mbs.bfu. Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press Exit to terminate the BFU program.

4. Restart your computer.

If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below Spyware removal - Read Before Posting.

June 14, 2007 on 6:29 am | In Spyware protection and removal, Tutorials - "How to" | 11 Comments |

How to remove MBS spyware

Symptoms: pop-ups come up every time you start your computer.

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download FileASSASSIN and save to your desktop (this tool is compatible with Win 2000/NT/XP only).

* Run fa-setup.exe to install FileASSASSIN.
* Start FileASSASSIN.
* Select the following file(s) C:\WINDOWS\system32\rtnfs.exe, C:\WINDOWS\system32\mbssm32.exe to delete by dragging it onto the text area or select it using the (…) browse button.
* Select a removal method. Start with “Attempt FileASSASSIN’s method of file removal.”
* Click delete and the removal process will begin.
* If that did not work, start the program again and this time check “Use delete on reboot function from windows.”.

Note: If you cannot find the file, you may have to reconfigure Windows XP to show hidden files and folders.
Now run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):

O4 - HKLM\..\Run: [Windows_Protect] rtnfs.exe
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 - HKLM\..\RunServices: [Windows_Protect] rtnfs.exe

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Reboot your PC.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Update: If you are still having problems with MBS spyware try Automatic removal MBS Account Manager
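
The O4 and O20 entries quoted in the HaxDoor post and in the two MBS posts above can be looked for mechanically in a saved HijackThis log. The Python below is an added example, not part of the original posts or of HijackThis: it parses the Run-key (O4) and Winlogon Notify (O20) lines and marks the file names those posts name. The sample log is constructed, and the function names and verdict labels are assumptions of this example.

```python
import ntpath
import re

# File names the posts on this page tie to each infection.
KNOWN_BAD = {"pptp32.dll": "HaxDoor", "avpe32.dll": "HaxDoor", "mbssm32.exe": "MBS",
             "smvalid.exe": "MBS", "rtnfs.exe": "MBS"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?)\s+-\s*(?P<target>.+?)"
                    r"(?P<missing>\s*\(file missing\))?$", re.I)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<target>.+)$", re.I)
# Program path: either a quoted string or everything up to the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|cmd))\b', re.I)

# Constructed sample log: entry formats as quoted in the posts, plus invented benign lines.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 - HKLM\..\RunServices: [Windows_Protect] rtnfs.exe
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O20 - Winlogon Notify: agggdbc - agggdbc.dll (file missing)
"""


def file_name(target):
    """Lower-cased file name of the program or DLL in an entry, arguments dropped."""
    m = EXE_RE.match(target.strip())
    path = (m.group(1) or m.group(2)) if m else target.strip()
    return ntpath.basename(path).lower()


def triage(log_text):
    """Return (section, entry name, file name, verdict) for each O4 Run and O20 line."""
    results = []
    for line in map(str.strip, log_text.splitlines()):
        m = O20_RE.match(line) or O4_RE.match(line)
        if not m:
            continue  # other HijackThis sections are not examined here
        section = line.split(" ", 1)[0].upper()
        fname = file_name(m.group("target"))
        if fname in KNOWN_BAD:
            verdict = "known: " + KNOWN_BAD[fname]
        elif section == "O20" and m.group("missing"):
            verdict = "orphaned notify entry"  # registry entry whose DLL is gone
        else:
            verdict = "unlisted"  # not named on this page; says nothing about safety
        results.append((section, m.group("name"), fname, verdict))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print("{:<4} {:<16} {:<14} {}".format(*row))
```

An “unlisted” verdict only means the file name does not appear in these posts; such entries still need the manual review the posts describe.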

February 9, 2007 on 6:43 am | In Spyware protection and removal, Tutorials - "How to" | 3 Comments |

Found new security scam sites

SunbeltBlog reported some new security scam sites:

securecheck(dot)biz, IP: 85.255.117.204

yourguardonline(dot)biz, IP: 85.255.117.204

esafetypage(dot)com, IP: 85.255.118.243

eprotectpage(dot)com, IP: 85.255.118.246

esecuritypage(dot)com, IP: 85.255.118.246

November 21, 2006 on 6:55 am | In Spyware protection and removal | No Comments |

Found new rogue antispyware - PestCapture / how to remove

Sunbelt blog reported a new rogue antispyware program, PestCapture.


PestCapture uses dlls that are the same as those of another rogue antispyware program, Spysheriff.

To protect your PC, add these sites to your blocklist:

pesttrap(dot)com
Innovagest2000(dot)com
1stantivirus(dot)com
Anti-virus-pro(dot)com
Spycontra(dot)com
Spydeface(dot)com
Virushammer(dot)com
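
The post does not say which blocklist it means; assuming it is the Windows hosts file, the list above can be turned into hosts entries as follows. This is an added example, not part of the original post: it refangs the `(dot)` notation, validates each name, and skips names that are repeated or already present. The `0.0.0.0` sink address, the function names and the existing-hosts content are assumptions of the example.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# The post's indicators, still defanged, with one repeated; the last entry is constructed.
DEFANGED = [
    "pesttrap(dot)com", "pesttrap(dot)com", "Innovagest2000(dot)com",
    "1stantivirus(dot)com", "Anti-virus-pro(dot)com", "Spycontra(dot)com",
    "Spydeface(dot)com", "Virushammer(dot)com", "bad host(dot)com",
]
# Constructed stand-in for the current hosts file.
EXISTING_HOSTS = "127.0.0.1 localhost\n0.0.0.0 spycontra.com  # added earlier\n"


def refang(entry):
    """Turn 'name(dot)tld' or 'name[.]tld' into a lower-case hostname."""
    host = re.sub(r"\s*[(\[]\s*(?:dot|\.)\s*[)\]]\s*", ".", entry.strip(), flags=re.I)
    return host.lower().rstrip(".")


def is_hostname(host):
    """True for a dotted name whose labels are all valid DNS labels."""
    labels = host.split(".")
    return len(host) <= 253 and len(labels) >= 2 and all(map(LABEL_RE.match, labels))


def hosts_lines(defanged, existing_hosts="", sink="0.0.0.0"):
    """Return (new hosts-file lines, rejected entries); names already present are skipped."""
    present = set()
    for line in existing_hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        present.update(name.lower() for name in fields[1:])  # fields[0] is the address
    lines, rejected = [], []
    for entry in defanged:
        host = refang(entry)
        if not is_hostname(host):
            rejected.append(entry)  # keep the original text for manual review
        elif host not in present:
            present.add(host)
            lines.append(f"{sink} {host}")
    return lines, rejected


if __name__ == "__main__":
    new_lines, bad = hosts_lines(DEFANGED, EXISTING_HOSTS)
    print("\n".join(new_lines))
    print("rejected:", bad)
```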

To remove PestCapture from your computer, follow these steps:

Download CCleaner. Double click on the file to install it.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: PestCapture

Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).

You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” to remove the Desktop background and clean the registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

Reboot your PC.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Your computer should now be free of the PestCapture infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting

October 11, 2006 on 7:17 am | In Rogue Anti Spyware, Spyware protection and removal, Tutorials - "How to" | No Comments |

Don’t be a victim or how to make better choices

There are some current tools out there which may help users make better choices (or block their bad choices). I’m just going to talk about browser toolbars. For the user class of not completely hopeless up to expert I really recommend McAfee’s SiteAdvisor. This toolbar works with Firefox and IE and will provide more prominent and granular indicators that a site is dubious (or downright malicious). Users will need to keep an eye on their browser corner (which may require education) or optionally glance at the pretty red, yellow, green icons next to their Google search results (RED means BAD).

SiteAdvisor

Also for those looking at getting involved in the community sign up to be a reviewer. Help SiteAdvisor catch and correctly flag all those bad sites that try oh so hard to look legit.

Netcraft Toolbar

So back to phishing. Netcraft has a really nice toolbar which can provide visual clues (YMMV) as well as speed bumps to doing something unsafe. It can actually block access to a site pending user verification (ok, so we all know most users click OK on anything that pops up to get it out of the way).

NoScript

Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site.
This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality…
Experts do agree: Firefox is really safer with NoScript ;-)
Works with: Firefox 1.0 - 3.0a1, Mozilla 1.7 - 1.8

SpoofStick

A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won’t notice the incorrect URL and give away important information. This practice is sometimes known as “phishing”. SpoofStick makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information.

Sandboxie

You may want to run your Web browser inside the sandbox most of the time. This way any incoming, unsolicited software (spyware, malware and the like) that you download, is trapped in the sandbox. Changes made to your list of Favorites or Bookmarks, hijacking of your preferred start page, new and unwanted icons on your desktop — all these, and more, are trapped in and bound to the sandbox. You could also try a new toolbar add-on, browser extension or just about any kind of software. If you don’t like it, you throw away the sandbox, and start again with a fresh sandbox. On the other hand, if you do like the new piece of software, you can re-install it outside the sandbox so it becomes a permanent part of your system.

Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox.
Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well.

Expect this warning and popup trend to continue. Google is taking steps to prevent accidental wrong exits (see http://www.stopbadware.org/ for details on this initiative).

The next versions of IE and Firefox should have some of these protections built in. None of these will remove the need for user education (good luck explaining hostnames and mouse-overs to grandma). The criminals will figure out ways to circumvent these technologies and users will continue to ignore all the annoying popup warning windows and glaring red warning symbols. It’s just human nature. If only it were as simple as just telling people to “only surf trusted sites”. Right. uh huh.

August 28, 2006 on 11:48 pm | In Best Programs, Free Software, Internet Browsers and Mail and News readers, Spyware protection and removal, Tips | No Comments |

Automatic remove Titan shield

Good news: a few days ago, Titan Shield signatures were added to SmitfraudFix.

[HKEY_CURRENT_USER\Software\ADV] (Soon removed with SpywareSheriff)

%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\TitanShield Antispyware.lnk
%USERPROFILE%\Local Settings\Application Data\TitanShield\*.*
%STARTMENU%\Programs\TitanShield Antispyware\*.*
%STARTMENU%\Programmes\StartUp\titanshield.lnk
%DESKTOP%\TitanShield Antispyware.lnk
%PROGRAMFILES%\TitanShield Antispyware\*.*

If you have problems with TitanShield, download and try smitfraudfix.

June 13, 2006 on 3:31 am | In Spyware protection and removal, Tips | No Comments |