Now start your PC in Safe Mode, double-click smitRem.exe and it will extract the files to a smitRem folder on your Desktop. Run the batch file. Now scan and quarantine with Spyware Detector.

P.S.: Instructions for going to Safe Mode:

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
If you are getting annoying pop-ups, it could be from visiting Look2Me. Please move the L2MeFix tool to your Desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat and type 1 and ENTER to select Option #1, Run Find Log. Allow it as much time as it needs to run until Notepad opens with a log. Save this log; you will need to post it back here later when you come back.

NOTE: While running, if you receive an error mentioning either of the below:
- C:\windows\system32\cmd.exe
- or C:\windows\system32\autoexec.nt
"The system file is not suitable for running MS-DOS and Microsoft Windows applications."
then choose Close to terminate the application. Then run l2mfix.bat again and this time select option 5, or see the fixautont.html link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

Next, double-click l2mfix.bat and type 2 and ENTER to select option #2, Run Fix. Then press any key to reboot your machine. Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

Now open your browser, come back here and post the above two logs as attachments to your message. Also indicate your current status.

NOTE: Please do not run any other options or files in the l2mfix folder!
Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop. After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter. Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat. You will first be presented with a warning. It should look like this:

VundoFix V2.15 by Atri
By pressing enter you agrees that you are using this at your own risk
Press enter to continue...

At this point press Enter one time. Next you will see:

Type in the file path as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

Here you will place the exact full filename and path of the infected file as shown on the O2 and O20 entries in HJT that have matching DLL filenames. Please be aware you may have more than one O20 line and some may be valid. Only put the infected full filename path here. This can be done by finding the full filename and path at the end of the "O2 - BHO: MSEvents Object" entry in your HJT log. For example (yours will be different), if you have the below entries in your log:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\Fonts\badfile.dll
O20 - Winlogon Notify: badfile - C:\WINDOWS\Fonts\badfile.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Only the first two are actually related to Virtumundo. The igfxsrvc.dll file is a valid DLL. Notice that badfile.dll appears on both the O2 and O20 lines. This is the problem file you need to enter. So for this example, what you would need to enter into the tool before pressing F6 is the below full filename and path:

C:\WINDOWS\Fonts\badfile.dll

Press Enter to continue with the fix. Next you will see:

Please type in the second file path as instructed by the forum staff
then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

Here you will need to place the exact file location with the infected filename spelled backwards and ending with .* For example, if the infected file is C:\WINDOWS\Fonts\badfile.dll you would enter C:\WINDOWS\Fonts\elifdab.* so it will remove ALL files of this infection.

Press Enter to continue with the fix. The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.

In HijackThis, please place a check next to the following items and click FIX CHECKED. Here you will remove the O2 and O20 entries in HJT. Examples of the O2 and O20 entries are below:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\Fonts\badfile.dll
O20 - Winlogon Notify: badfile - C:\WINDOWS\Fonts\badfile.dll

After you have fixed these items, close HijackThis. Press Enter to exit the program, then manually reboot your computer. Once your machine reboots, please attach a fresh HJT log from normal mode.
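As an added triage helper (written for this page; it is not part of VundoFix, HijackThis or Spyware Detector), the Python script below applies the two rules explained above to HijackThis log lines: it picks out the DLL named on both an O2 (BHO) line and an O20 (Winlogon Notify) line, leaves lone O20 entries such as igfxsrvc.dll alone, and derives the reversed-name wildcard asked for at the second prompt. The sample log is constructed from the example entries in the text.

```python
"""Added helper (not part of VundoFix or HijackThis): find the DLL that
appears on both an O2 (BHO) and an O20 (Winlogon Notify) line of a
HijackThis log, and build the reversed-name wildcard VundoFix asks for."""
import re
from pathlib import PureWindowsPath

# Constructed sample log, modelled on the example entries in the text.
SAMPLE_HJT_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\Fonts\badfile.dll
O20 - Winlogon Notify: badfile - C:\WINDOWS\Fonts\badfile.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

SECTION_RE = re.compile(r"^(O2|O20)\s+-\s", re.IGNORECASE)

def _path_of(line):
    """The path is the text after the last ' - ' separator on an HJT line."""
    return line.strip().rsplit(" - ", 1)[-1].strip().rstrip(".")

def parse_entries(log_text):
    """Return [(section, dll_path)] for O2/O20 lines that end in a .dll path."""
    entries = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and _path_of(line).lower().endswith(".dll"):
            entries.append((m.group(1).upper(), _path_of(line)))
    return entries

def find_vundo_candidates(log_text):
    """DLL paths listed on both an O2 and an O20 line, compared
    case-insensitively as Windows paths are. A valid O20 entry such as
    igfxsrvc.dll has no matching O2 line and is left alone."""
    seen = {"O2": {}, "O20": {}}
    for section, path in parse_entries(log_text):
        seen[section].setdefault(path.lower(), path)
    common = seen["O2"].keys() & seen["O20"].keys()
    return sorted(seen["O2"][key] for key in common)

def reversed_wildcard(dll_path):
    # e.g. C:\WINDOWS\Fonts\badfile.dll -> C:\WINDOWS\Fonts\elifdab.*
    p = PureWindowsPath(dll_path)
    return str(p.with_name(p.stem[::-1] + ".*"))

def lines_to_fix(log_text):
    """The O2/O20 lines to tick in HijackThis: those naming a candidate DLL."""
    targets = {p.lower() for p in find_vundo_candidates(log_text)}
    return [line.strip() for line in log_text.splitlines()
            if _path_of(line).lower() in targets]
```

Run it against a real HJT log by passing the log text to find_vundo_candidates and reversed_wildcard; the output is only a shortlist, so still confirm each path by eye before typing it into the tool.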
Every time I run a scan, the same spyware programs are detected even after I delete them.

We are continuously adding new spyware definitions to destroy them. Some spyware is very persistent. Scan your PC, quarantine the spyware, click on the Recover button, select all and then click on Delete. Restart your PC, click on the Recover button again and delete all the quarantined spyware. Scan again, click on the Export Worm button and mail us the report with reference to this issue. This will help our Research Team review the issues on your PC and add new spyware definitions, which you will be able to access through Live Update. You can also provide the names of toolbars or popup ads that you see on your PC.

This is most likely caused by a spyware program that recreates itself when deleted, such as About:Blank, or a spyware program that uses processes that cannot be terminated and deleted during the spyware scan. Three of the most common solutions are listed below:

The first step is to reboot your computer into “Safe Mode”. This will prevent your computer from loading any non-essential programs. To get into Safe Mode, reboot your computer and continually hit the F8 key while booting up. You will then be taken to a screen where you can choose to start your computer in Safe Mode. Once booted up, go to Add/Remove Programs in Control Panel and make sure that there are no strange search toolbars or programs listed. Remove any such strange software from your PC. Then run the spyware scan again and delete all spyware found. Then reboot your computer and see if the problem is resolved or not.

This could be related to a spyware program called CoolWebSearch. This is one of the most difficult spyware programs to catch because the creators update it so often. Fortunately there is a very simple-to-use removal tool that is specifically for CoolWebSearch.

This could be a variant of About:blank, which is a very difficult program to defeat and unfortunately cannot be removed by any single spyware removal program. What makes this particular spyware so troublesome is that it uses what is called a respawning file. When the spyware files are detected and deleted, this respawning file automatically regenerates the spyware, thus reinfecting your system. It is hard to get rid of because this file could be named something as innocent as abcgh.jpg and would not be detected as spyware. Each time it is recreated, it changes the name of the file. The best step-by-step explanation I could find is here:

If this does not resolve your problem or you are experiencing problems with other spyware programs, please review the other solutions contained on this page.
I cannot get rid of CoolWebSearch, CWSIE, FastSearch, and FastSearchWeb!

These spyware programs are some of the variants of CoolWebSearch, a notoriously difficult spyware program to remove because new variations are constantly being released. Fortunately there is a removal utility designed specifically to detect and remove many of the CoolWebSearch variants. You can download this utility for free at the link below: http://cwshredder.net/bin/CWShredder.exe
After I run a spyware scan and delete the spyware infections, I still get ATDMT.com when I run another scan.

The entry for ATDMT.com is a simple advertising cookie like you might get visiting any web page. It is not harmful, nor does it collect personal or sensitive information. The reason it keeps returning is that cookies are used on almost every web site these days to track advertising costs, save login information so you do not need to log in every time you access a page, etc. It’s good to delete them to keep your system from being clogged up, but it will not harm your PC.
My desktop keeps changing to an ad/warning that my system is infected with spyware; the file referenced is c:/windows/web/desktop.html.

--------------------------Solution #1------------------------------

Go to Control Panel >> Display >> Desktop >> Customize Desktop >> Web. Under the web pages there will be an entry for the page displaying on your desktop. Highlight and delete this and hopefully you will get your desktop back. If you are able to delete the entry, the real test will be to reboot your computer and see if the problem returns.

Reboot your computer in “Safe Mode”. This will prevent your computer from loading any non-essential programs. To get into Safe Mode, reboot your computer and continually hit the F8 key while booting up. You will then be taken to a screen where you can choose to start your computer in Safe Mode. Once booted up, go to the Add/Remove Programs control panel and make certain there are no strange search toolbars or programs listed, and remove any that are found. Also follow the steps in Solution 1 to ensure no strange pages are set to your desktop. Then run the spyware scan again and delete all spyware found. Then reboot your computer and see if the problem was resolved or not.
I cannot get rid of searchmaid.com

--------------------------Solution #1------------------------------

Go to Control Panel >> Display >> Desktop >> Customize Desktop >> Web. Under the web pages there will be an entry for the page displaying on your desktop. Highlight and delete this and hopefully you will get your desktop back. If you are able to delete the entry, the real test will be to reboot your computer and see if the problem returns.

Reboot your computer in “Safe Mode”. This will prevent your computer from loading any non-essential programs. To get into Safe Mode, reboot your computer and continually hit the F8 key while booting up. You will then be taken to a screen where you can choose to start your computer in Safe Mode. Once booted up, go to the Add/Remove Programs control panel and make certain there are no strange search toolbars or programs listed, and remove any that are found. Also follow the steps in Solution 1 to ensure no strange pages are set to your desktop. Then run the spyware scan again and delete all spyware found. Then reboot your computer and see if the problem was resolved or not.
Clicking on the Export Worms button on the main GUI (Graphical User Interface) of Spyware Detector lets you send mail to our Research Team for review. It contains the scanned spyware entries on your PC and a few other file/registry entries which help our Research Team review issues on your PC. We then add new definitions, and you eliminate the spyware found on YOUR PC in the next Live Update.
What is Live Update?

We are continuously updating our database of spyware, bad cookies, hosts files, bad BHOs and bad ActiveX for your protection. You benefit from those updates, and the range of operation of Spyware Detector increases manifold. We provide you the latest list through the Live Update option. Click on the 'Live Update' button on the main GUI of Spyware Detector. A window opens, which downloads the new versions of the database file, version file and other files necessary to upgrade your PC.
What is spyware?

Spyware is a technical name for any software that tracks the user’s activities, without the user’s permission, while he is online and passes the information to a third party. Spyware programs use your computer without your permission or knowledge, try to accumulate your private information, and use your own computer resources to relay it to someone else. Another potential problem is that much spyware is poorly written, contains bugs or errors, and can cause problems with the normal operation of your computer; if the web browser experiences "General Protection Faults", hangs, or freezes, it may be due to one or more of these types of programs interfering with its proper function. Spyware comes in the Trojan horse category of viruses. Spyware is distributed mainly through the Internet, via freeware downloads or through underground hacker sites. Spyware is also sometimes bundled along with some commercial software, as a means to track the usage of the software and collect data regarding the user.
What is adware?

Adware is the most common kind of spyware. Adware generates several types of ads, possibly keyed to the sites you visit on the Internet, and may download programs onto your PC without your knowledge.
(Spyware cleaning requires a $29.95 purchase; includes a 1-year subscription.)

Copyright 2004-2005 SpywareDetector.com. All rights reserved.