How to remove Drive Cleaner and Adware.Sogou?

Unread postby maxijanko » March 20th, 2007, 9:15 am

Hi all,

After some days fighting to have access to my computer because it rebooted in all modes possible, I accessed yesterday.
I began to run all the antispyware software I have in the computer: Ad-aware, Spybot, Superantispyware, AVG anti-spyware and I removed lots of spyware, adware and afterwards, I downloaded SpywareDoctor. This tool is the only one which detects Drive Cleaner and Adware.Sogou but I can't remove them.

Do you know what the method is to remove this spyware: Drive Cleaner and Adware.Sogou? Is there any free antispyware software to remove them effectively?

Many thanks in advance for your help.
maxijanko
Active Member
 
Posts: 4
Joined: March 17th, 2007, 11:39 am

Unread postby curlylad » March 20th, 2007, 12:00 pm

Hello maxijanko and welcome to Malware Removal

My name is curlylad and I will be helping you to remove any infection(s) that you may have.

I have to let experts check the content of my fixes before I post them so be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your query and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.



OK, the first thing I need you to do is download HijackThis


  • Click this link HijackThis to start the download process
  • Click the Save button, click My Computer button on the left
  • Double click C Drive, double click Program Files
  • Click the Create a new folder button (3rd from the left of the 4 buttons next to the Save in dialog box)
  • Name the folder HJT or HijackThis and double click to open it
  • When the new folder opens click Save button bottom right
  • Next click the Run button
  • Click Do a system scan and save a log file
  • A log file will now be created in a Notepad document
  • Copy and paste the log and post it back to this thread, Do Not start a new thread.


I will review the information and advise of any further steps as soon as possible.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham

Unread postby maxijanko » March 20th, 2007, 5:28 pm

Hi curlylad,

I have a heavy problem. I thought I had partially repaired the computer because I was able to access Windows normal session without problems 2 days ago. I ran all the antispyware software in order to clean the computer and remove all the spyware. Today it has crashed again and I have the same problem as some days before: I can't access the Windows session, impossible.

As I have mentioned in the other message, with SpywareDoctor I detected Clean Driver and Adware.Sogou but I was unable to remove them. The crash is because of them? Maybe, I have a big problem.

This is the log of Hijackthis of 2 days ago, after starting the computer in normal mode and having run all the antispyware software.




Logfile of HijackThis v1.99.1
Scan saved at 23:27:55, on 18/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Archivos de programa\SpyCatcher 2006\SpyCatcher.exe
C:\Archivos de programa\SpyCatcher 2006\Protector.exe
C:\Archivos de programa\SpyCatcher 2006\Scheduler daemon.exe
C:\Archivos de programa\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Xavier\Mis documentos\Mis_documentos\Antispyware\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Archivos de programa\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 10 run
O4 - HKLM\..\Run: [SunServer] C:\Archivos de programa\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Archivos de programa\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Archivos de programa\SpyCatcher 2006\Protector.exe
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.vivitv.com/KooPlayer.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mire1989.spaces.live.com//PhotoU ... nPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
maxijanko
Active Member
 
Posts: 4
Joined: March 17th, 2007, 11:39 am

Unread postby curlylad » March 21st, 2007, 1:34 pm

Good Evening maxijanko

I need you to enable your Anti Virus program and Firewall to be running as your system starts up, they are not doing this at the moment.
Please follow this instruction
  • Click Start, click Run
  • In the Open: dialog box type msconfig
  • The system configuration utility window opens
  • Click the Startup tab
  • On the left under the heading Startup Item, find the process ashDisp.exe, click the box to the left of this which will place a green tick in the box.
  • On the left again under Startup Item, find the process zlclient.exe, again click the box to the left of this item to place a tick in the box.
  • Click the Apply button, click OK
  • Close the system configuration utility window.


Next I would like to see if you can perform an online scan

    Please go HERE to run PandaActiveScan...

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to your desktop.



OK try and generate a fresh HijackThis log for me and post that back along with the Panda Active Scan log.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham
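
Added example, not part of the original thread and not a HijackThis feature: a small Python triage that cross-references the O4 autoruns and O23 services in a HijackThis log against its Running processes list, and collects services marked (file missing) and any O20 AppInit_DLLs value. The sample is a trimmed excerpt of the log posted above; the function names are this example's own.

```python
import ntpath
import re

# Trimmed excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\SpyCatcher 2006\SpyCatcher.exe

O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Archivos de programa\SpyCatcher 2006\SpyCatcher.exe" reminder
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

EXE = re.compile(r'[^\\"]+\.exe', re.IGNORECASE)
def exe_name(command):
    """Lowercased file name of the first .exe in a command line, or None."""
    match = EXE.search(command)
    return match.group(0).lower() if match else None

def triage(log):
    """Cross-reference autoruns and services against the process list."""
    running, in_procs = set(), False
    report = {"not_running": [], "file_missing": [], "appinit_dlls": []}
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.add(ntpath.basename(line).lower())
        elif line.startswith("O20 - AppInit_DLLs:"):
            report["appinit_dlls"] += line.split(":", 1)[1].split()
        elif line.startswith("O4 - "):
            exe = exe_name(re.split(r"\] | = ", line, maxsplit=1)[-1])
            if exe and exe not in running:
                report["not_running"].append(exe)
        elif line.startswith("O23 - "):
            exe = exe_name(line.rsplit(" - ", 1)[-1])   # path is last field
            missing = line.endswith("(file missing)")
            if exe and (missing or exe not in running):
                report["file_missing" if missing else "not_running"].append(exe)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An entry under not_running is a prompt for a closer look rather than a verdict, since some startup programs exit once their work is done.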

Unread postby maxijanko » March 21st, 2007, 4:06 pm

Hi curlylad,

I can't follow the steps you have recommended because as I have mentioned, I don't have access to the Windows session in safe mode, nor in normal mode, I can't do absolutely anything.

This afternoon, I inserted the installation CD of Windows XP in order to access the Recovery Console.
I have executed chkdsk /p and chkdsk /r, the machine is only able to reach 25% completed, when reaches it, the disk begins to make noise as it can't continue. Therefore, I am not able to repair the disk in the recovery console.

However, yesterday I found in the web of Microsoft a document entitled: "How to recover from a corrupted registry that prevents Windows XP from starting". Also, another one: "How do I repair Windows XP?"

In this guide, the steps to repair Windows XP are shown.
In Setup there is an option as this: To set up Windows XP now, press ENTER.
Pressing enter, the next screen shows two options:
1. To repair the selected Windows XP installation, press R
2. To continue installing a fresh copy of Windows XP without repairing, press ESC.

So at this point, the Windows XP installation to be repaired must be selected and the R key pressed.

However, in my computer, the second menu is different, it is like this:
1. To install Windows Xp in the selected partition, press ENTER
2. To create a partition in the non-partitioned space, press C
3. To remove the selected partition, press D

And in the bottom of the screen I have the following:
C: Partition 1 [unknown]

Why is it different to the other one shown in Microsoft website?

What can I do? I want to try to repair the Windows XP, but the first option will kill the current one and I will lose the data.
maxijanko
Active Member
 
Posts: 4
Joined: March 17th, 2007, 11:39 am

Unread postby curlylad » March 22nd, 2007, 1:26 pm

Good Evening maxijanko

We will try this and see how we get on.

Please read the following article which runs you through how to start Windows XP by using the last known good configuration feature.

LINK - http://support.microsoft.com/kb/307852

Also at the base of the document under the heading REFERENCES there is another article which may be of help to you.

http://support.microsoft.com/kb/306084/ How to restore Windows XP to a previous state


Try the steps outlined in the documents and report back to let me know how you got on.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham

Unread postby NonSuch » April 4th, 2007, 2:25 am

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California