Old 05-06-2006   #1
Bronze Member
 
Join Date: May 2006
Posts: 5
Computer not virus clean

I believe I've obtained the w32.myzor.fkyf virus, or at least that's what the computer tells me when this one thing pops up telling me my computer's infected. My internet settings have also been tampered with, and the computer has been identified as having trojan horses during sweeps and scans. I don't know if I can permanently get it off of my computer. I have scanned the computer with Spyware Doctor and SpySweeper. I need to know whether I should take it to go get it fixed (the computer goes very slow and I assume it is linked to the w32 problem, correct me if I'm wrong) or whether you people think it's possible for me to fix it myself, and if possible, how. Please respond to this post or email me at pope_squeegee@yahoo.com
Old 05-06-2006   #2
PCHF Founder & Owner
 
Join Date: Jan 2004
Location: The PCHF Bunker
Posts: 14,085
PC Experience: Microsoft Certified Professional

Welcome to the forum.

We have a great system for ridding your PC of nasty pests. Follow the [Pre-Work] link in my signature below. Complete all of the tasks and post the logs you generate back into this post as attachments.
Old 05-07-2006   #3
Bronze Member
 
Join Date: May 2006
Posts: 5

Sorry for not following the instructions before you're supposed to post, must have not seen them. Anyway, here are the logs.
Attached Files
File Type: txt Scan report_20060507.txt.txt (7.9 KB, 2 views)
File Type: txt HijackThis.txt (7.4 KB, 2 views)
Old 05-07-2006   #4
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,025

You can run Ewido again and let it fix what it finds this time.

Note:
Even if you do not find some of the files mentioned or you do not see SpywareQuake in Add/Remove programs or the folder for it, just continue with ALL steps through to the end.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixquake.reg and save it to your Desktop. We will use it later, after a reboot into safe mode.

REGEDIT4


[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}"=-

"{35A88E51-B53D-43E9-B8A7-75D4C31B4676}"=-
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"=-
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"=-
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"=-
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"=-
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"=-
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"=-
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyFalcon"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"dcomcfg.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5C70510-5A01-B2A5-CF84-D6DC13859967}]

[-HKEY_CLASSES_ROOT\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CLASSES_ROOT\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CLASSES_ROOT\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_CLASSES_ROOT\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}]
[-HKEY_CLASSES_ROOT\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}]
[-HKEY_CLASSES_ROOT\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]
[-HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}]
[-HKEY_CLASSES_ROOT\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]


Now download smitRem.exe written by noahdfear and save the file to your Desktop. Double click on the smitRem.exe file and click the Start button to extract it to its own folder named SmitRem on the desktop (this should be the default selection). Do not run anything else related to the program yet!

Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not connect to the internet while following the below steps. Now disconnect your cable to the internet (physically unplug it).

After saving the instructions, reboot into Safe mode.
Now once in safe mode, go to Add/Remove programs and uninstall Spyware Quake and/or SpyFalcon (if they are found).

Now double-click on the fixquake.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Run Windows Explorer by right clicking Start & Select Explore.
Navigate to your %System32% folder (C:\Windows\system32 or C:\Winnt\system32, depending on how/which OS you have installed).
Look for the following files based upon where you have Windows installed:
  • %System32%\dxmpp.dll
  • %System32%\ginuerep.dll
  • %System32%\stickrep.dll
  • %System32%\__delete_on_reboot__stickrep.dll
  • %System32%\suprox.dll
  • %System32%\xenadot.dll
  • %System32%\sivudro.dll
  • %System32%\twain32.dll
  • %System32%\dvdcap.dll
  • %System32%\reglogs.dll

When you locate the files, right click on them and select Rename. Change the dll extension to DDD. For example: rename xenadot.dll to xenadot.DDD. We will fully delete the files later.

Now open the smitRem folder on your Desktop, double click on it to access the folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. If you cannot get RunThis.bat to work in safe mode, REBOOT into normal mode (with no internet connection) and repeat the above step from the point of booting in safe mode.

The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed. Upload this file later after reboot. Now reboot your system into normal mode.

Now after reboot relocate the DLL files we renamed with a DDD extension in the above step and delete them. If you have a problem deleting these files, try rebooting one more time into safe mode and attempt another deletion. If it still does not delete, make sure you tell us later. Also delete the below files and folders if found:
  • C:\Program Files\AdwareSheriff
  • C:\Program Files\Spyware Quake
  • C:\Program Files\SpywareQuake.com
  • C:\Program Files\SpyFalcon
  • C:\Windows\System\1024 (or C:\Winnt\System\1024 )
  • %System32%\1024
  • %System32%\dcomcfg.exe
  • %System32%\atmclk.exe
  • %System32%\dfrgsrv.exe
  • %System32%\hp????.tmp ( where ???? is any 4 random characters)
  • %System32%\mssearchnet.exe
  • %System32%\nvctrl.exe
  • %System32%\ot.ico
  • %System32%\simpole.tlb
  • %System32%\stdole3.tlb
  • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\SpywareQuake <---- where [Current User Account] is the actual user account name you are logged into.
Reconnect your cable to the internet.
Now attach your smitfiles.txt log and a new Hijackthis log.
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
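
A .reg file pasted out of a forum page can pick up stray spaces inside key paths or GUIDs, and a deletion entry damaged that way no longer matches the key it was meant to remove. The sketch below is an added example, not part of joe5's post or of any PCHF or smitRem tool: it lists what a deletion-only REGEDIT4 file would remove and flags lines that look damaged. The sample input is constructed, and the `KNOWN` list of key segments is a heuristic assumption.

```python
import re

GUID_OK = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BRACED = re.compile(r"\{[^{}]*\}")
# Well-known key segments used to spot a stray space (heuristic, not exhaustive).
KNOWN = {s.replace(" ", "").lower(): s for s in (
    "SOFTWARE", "Microsoft", "Windows", "CurrentVersion", "Explorer",
    "Browser Helper Objects", "SharedTaskScheduler", "Classes", "CLSID")}

# Constructed sample: lines 4 and 6 carry deliberate copy/paste damage.
SAMPLE = r"""REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SpywareQuake"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A932ED 2-1737-4AB8-B84D-C71779958551}]
"""

def bad_guids(n, text):
    return [(n, "malformed GUID " + t) for t in BRACED.findall(text)
            if not GUID_OK.fullmatch(t)]

def audit_reg(text):
    """Return (operations, problems) for a deletion-only REGEDIT4 file."""
    ops, problems, key = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")
            if line.startswith("[-"):
                ops.append((n, "delete-key", key))
            problems += bad_guids(n, key)
            for seg in key.split("\\"):
                good = KNOWN.get(seg.replace(" ", "").lower())
                if good and seg.lower() != good.lower():
                    problems.append((n, f"stray space: {seg!r}, expected {good!r}"))
        elif line.startswith('"') and line.endswith('"=-') and key:
            name = line[1:-3]
            ops.append((n, "delete-value", key + "\\" + name))
            problems += bad_guids(n, name)
        else:
            problems.append((n, "not a deletion line: " + line))
    return ops, problems

if __name__ == "__main__":
    for item in sum(audit_reg(SAMPLE), []):
        print(item)
```

Any line reported as "not a deletion line" would add or change registry data rather than remove it, so it deserves a look before the file is merged.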
Old 05-09-2006   #5
Bronze Member
 
Join Date: May 2006
Posts: 5

thank you very much!!!!, really appreciate the help
Old 05-09-2006   #6
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,025

You're welcome, of course.

When you're done, please post the smitfiles.txt log and a new Hijackthis log to check if everything is gone.
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
Old 05-14-2006   #7
Bronze Member
 
Join Date: May 2006
Posts: 5

Followed the instructions up until the point where you told me to look for the following files with dll extensions to change to DDD. I couldn't go any further because when I reached the system32 folder (which was in C:\Windows\I386\system32), there were only two files: an NT layer DLL named "NTDLL.DLL" and a Windows ST setup named SMSS, as Windows described it.