SpyWare Still There

Bob

I have been running Spybot Search and Destroy v1.3 with latest updates.
Every time I run Spybot I have the same registry item listed to remove.

I have tried repeatedly to get rid of this stuff and it is still on my
machine.

Error during check!: Z-Demon (Ungültiger Datentyp für '') ()

MyWebSearch: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}

MyWebSearch: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

Thanks for any help.
Bob
 
David H. Lipman

Try the following...
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt313.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shut down as many applications as possible.
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

--
Dave




 
Phil C

David H. Lipman said:
Try the following...
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt313.zip

Extract the contents of the ZIP file and place the contents in the same
directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as
possible.
5) Using both the Trend Sysclean utility and Adaware, perform a Full
Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform
using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP,Re-enable System Restore and
re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~
600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

Dave,

What an absolutely cracking post. I've printed it out just in case I should
ever need the info in it ... and I suggest anybody else reading this thread
who is concerned about darn worms/parasites etc that won't go away.

Thanks fella.

Phil.
 
David H. Lipman

Thank you Phil.

Please check out Clay's Web Site on anti-malware information...
http://www.claymania.com/nav-map.html

And...
http://www.claymania.com/removal-trojan-adware.html


--
Dave




 
John Belliveau

Sometimes using Spybot S & D you need to do more than just the default
scans. For this problem in particular, you'll need to enable Advanced
Mode. Then click on 'Tools' in the left pane and make sure that
ActiveX, BHO, and System Startup are checked. Then, select each of
these categories and find the item you are looking for in the list.

For the ActiveX in particular, Spybot may not be able to remove it - you
may have to start the Registry Editor (regedit), do a search or navigate
to the key, and delete all instances found. Then go to system startup
and uncheck anything that appears related, so that it doesn't
re-install on your next startup.

John
 
Bob

Martin said:
It's an error with Spybot S&D.

You must be right. I have scanned repeatedly with ad-ware and the
SysClean app. I tried safe mode and normal. Ad-ware did find
additional objects that SpyBot Search and Destroy didn't find.
Sysclean did not find any files.

After all of this Spybot still finds the Z-Demon every time it is run.
Has not done this till recently.

Thanks,
Bob
 
Nunya

Sorry for top posting, but that appears to be the logical order of the
thread. Just wanted to toss in that another trick nasty programs use to
survive reboots even in safe mode is the use of AppInit_DLLs. I just
did battle with such a beast. See the following information at
microsoft.com for more information on AppInit_DLLs:

http://support.microsoft.com/kb/q197571/

<excerpt>
SUMMARY

The AppInit_DLLs value is found in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

All the DLLs that are specified in this value are loaded by each
Microsoft Windows-based application that is running in the current log
on session.

MORE INFORMATION

The AppInit DLLs are loaded by using the LoadLibrary() function during
the DLL_PROCESS_ATTACH process of User32.dll. Therefore, executables
that do not link with User32.dll do not load the AppInit DLLs. There are
very few executables that do not link with User32.dll.
</excerpt>

*** NOTE: Nasties using this trick will even survive booting into safe
mode.

I removed this malware by booting Bart's Preinstalled Environment
(BartPE) bootable live windows CD/DVD, available from:

http://nu2.nu/pebuilder/

This is a fully self-contained environment. So, from here I was free to
delete the offending malware, remove the startup pointers from the
registry and other locations, etc.

Moral of the story, even safe mode isn't enough sometimes. For those
times, thank you Bart Lagerweij for BartPE and PE Builder!

Even if this isn't on target for the thread, I hope someone finds the
information useful.

Doug
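
A read-only way to review the three load points named in this thread (Browser Helper Objects, ActiveX Distribution Units, and AppInit_DLLs) before deleting anything by hand. This is an added example, not part of any poster's message; it assumes Windows PowerShell is available on the machine, and the function names Get-ComServer and Get-LoadPointAudit are hypothetical.

```powershell
# Added example: read-only audit of the registry locations named in this thread.
# It lists entries for review; it does not modify or delete anything.

function Get-ComServer {
    param([string]$Clsid)
    # Resolve a CLSID to its friendly name and the DLL/OCX registered for it.
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    "$name -> $dll"
}

function Get-LoadPointAudit {
    # Check the native view and, on 64-bit Windows, the 32-bit (WOW6432Node) view.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        # 1. Browser Helper Objects: one subkey per CLSID loaded into Internet Explorer.
        $bho = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = 'BHO'; View = $root
                               Entry = $_.PSChildName; Detail = Get-ComServer $_.PSChildName }
        }
        # 2. Downloaded ActiveX controls ("Distribution Units") and where they came from.
        $du = "$root\Microsoft\Code Store Database\Distribution Units"
        Get-ChildItem -LiteralPath $du -ErrorAction SilentlyContinue | ForEach-Object {
            $info = Get-ItemProperty -LiteralPath "$($_.PSPath)\DownloadInformation" -ErrorAction SilentlyContinue
            [pscustomobject]@{ Source = 'ActiveX'; View = $root
                               Entry = $_.PSChildName; Detail = $info.CODEBASE }
        }
        # 3. AppInit_DLLs: DLLs loaded into every process that links with User32.dll.
        $win = "$root\Microsoft\Windows NT\CurrentVersion\Windows"
        $val = (Get-ItemProperty -LiteralPath $win -ErrorAction SilentlyContinue).AppInit_DLLs
        # The value is a space- or comma-separated list; an empty value is the clean state.
        foreach ($dll in ($val -split '[ ,]+' | Where-Object { $_ })) {
            [pscustomobject]@{ Source = 'AppInit_DLLs'; View = $root
                               Entry = $dll; Detail = 'loaded into every User32 process' }
        }
    }
}

Get-LoadPointAudit | Sort-Object Source, View | Format-Table -AutoSize -Wrap
```

Any AppInit_DLLs entry, or a BHO whose CLSID resolves to an unfamiliar DLL, is worth checking against installed software before removal.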
 
Larry Sabo

Bob said:
I have been running Spybot Search and Destroy v1.3 with latest updates.
Every time I run Spybot I have the same registry item listed to remove.

I have tried repeatedly to get rid of this stuff and it is still on my
machine.

Error during check!: Z-Demon (Ungültiger Datentyp für '') ()

MyWebSearch: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}

MyWebSearch: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

Thanks for any help.
Bob


Have you installed the "Spybot - Search and Destroy DSO Exploit Fix
1.3.1 TX" available from http://www.majorgeeks.com/download4392.html

I did that and updated Spybot again, and discovered a large 22
additional spyware items immediately after running Spybot without that
patch just moments before.

Cheers,
Larry
 
Bob

I did the download mentioned 1.3.1 TX and that fixed the problem. I
don't get the error anymore.

Thanks for all of the great help!
 
