Unable to remove Spyware

Guest

Defender is unable to remove/detect one particular SW on my XP machine. In
fact I have tried to remove it manually, but I'm unable to. Here is what I
see:
1) The following files are created:
C:\Program Files\Common Files\{48B55426-0256-1033-1025-040404200001}\Update.exe
C:\Program Files\Common Files\{48B55426-0256-1033-1025-040404200001}\system.dll
2) That Update.exe is added to the startup programs
3) Every time I start Internet Explorer or a new tab, I get a notification
from Defender to remove "ClickSpring.PuritySCAN". Defender reports it was
removed correctly, but it will re-appear with the next refresh.
4) From time to time, an application will pop up and minimize to tray (it
seems in Italian?). Unless I manually exit it, it will keep generating more
and more processes every so often (if I leave the PC on overnight, in the
morning I'll have over 20 of those tray icons). Here is the info I can gather:
File Name: win119C.tmp.exe
Display Name: Universa Application
Description: Universa Application
Publisher: Publisher Not Available
Digitally Signed By: NOT SIGNED
File Type: Application
Auto Start: No
File Path: C:\WINDOWS\TEMP\win119C.tmp.exe
File Size: 35840
File Version: 1, 0, 0, 1
Date Installed: 1/16/2007 9:40:23 AM
Process ID: 4300
Classification: Not yet classified
Ships with Operating System: No
SpyNet Voting: In Progress

Now, I have tried:
1) Restart in safe mode
2) remove update.exe from the startup programs
3) delete all files described above
4) restart in normal mode

But as soon as I restart in normal mode, a new update.exe is created and
added to the startup programs and the cycle starts again. My next move is to
re-install IE, but not sure that would do any good (then I guess it's a
re-image :s)

Thanks in advance!
 
Guest

Hello JMD,

Report a possible spyware problem to Microsoft
http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx


If the spyware remains even after you used Ad-aware, Spybot S&D, MSAS, Ewido
and your anti-virus, you can scan with HijackThis. HijackThis is an
excellent tool to discover but it requires expert skill to use. See below
for HijackThis links, including sites where you can post your HJT logs.
Again, this is an expert tool and novices should get help with it. I'm not
kidding.

This is a Ron Kinner case because I cannot find any good advice within any
forum without using HijackThis and to be carefully guided.
Get HijackThis.exe from:
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
http://computercops.biz/HijackThis.html

Save it to C:\hjt (new folder) then Open it and select Scan and Save Log.
Note where you saved the log then send it to him as an attachment. Put
Hijack in the subject so he'll know it's not spam.

Alternatively you can post it on the Dell Forum at:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

(if it wraps you can go to:

http://tinyurl.com/ckuzq instead.)

Put Ron in the subject so he will see it. You do not need to have a Dell to
post but you will need to register.

Ron Kinner
Microsoft MVP
(e-mail address removed)

Tutorial
http://www.aumha.org/a/hjttutor.htm
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

In safe mode - For every user account listed under C:\Documents and
Settings, delete the entire contents of the following folders (but not the
folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to
entirely delete the contents of all Temp folders. Given that, if any data
that you care about is living in those Temp folders, you need to move it to a
safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such
as desktop.ini or index.dat, just choose to delete those files; they'll be
automatically regenerated by Windows if needed. Windows will allow you to
delete the versions of those files which exist in sub-folders within the main
Temp/Temporary folders, but might not let you delete the versions of those
files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


Reboot normally, run HijackThis.

http://www.bleepingcomputer.com/tutorials/tutorial42.html

http://castlecops.com/HijackThis.html


http://www.bleepingcomputer.com/tutorials/index.php?act=print&tut=42&client=printer


Feel free to mention that I sent you.

Good luck
--
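
The safe-mode cleanup steps in the reply above, sketched as a script (an added example, not part of the original post or of any tool it mentions). The folder list comes from the post; the function names and the dry-run default are assumptions of this sketch.

```python
import shutil
import tempfile
from pathlib import Path

# Per-profile folders named in the post, as path parts under each profile.
PROFILE_FOLDERS = [
    ("Cookies",),
    ("Local Settings", "Temp"),
    ("Local Settings", "History"),
    ("Local Settings", "Temporary Internet Files"),
]

def empty_folder(folder, dry_run=True):
    """Delete what is inside `folder`, never the folder; returns (matched, skipped)."""
    matched, skipped = [], []
    if not folder.is_dir():
        return matched, skipped
    for entry in sorted(folder.iterdir()):
        try:
            if not dry_run:
                if entry.is_dir() and not entry.is_symlink():
                    shutil.rmtree(entry)
                else:
                    entry.unlink()  # files, and links without following them
            matched.append(entry)
        except OSError:
            # In-use files (index.dat and the like) can refuse deletion.
            skipped.append(entry)
    return matched, skipped

def clean_temp_locations(profiles_root, system_folders=(), dry_run=True):
    """Apply empty_folder to every profile's folders plus the system-wide ones."""
    targets = [Path(p) for p in system_folders]
    for profile in sorted(Path(profiles_root).iterdir()):
        if profile.is_dir():
            targets += [profile.joinpath(*parts) for parts in PROFILE_FOLDERS]
    matched, skipped = [], []
    for folder in targets:
        m, s = empty_folder(folder, dry_run)
        matched += m
        skipped += s
    return matched, skipped

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # constructed stand-in for C:\Documents and Settings
    temp = root / "alice" / "Local Settings" / "Temp"
    temp.mkdir(parents=True)
    (temp / "sample.tmp.exe").write_bytes(b"constructed")
    for path in clean_temp_locations(root, dry_run=True)[0]:
        print("would delete:", path)
```

On the XP machine in this thread the call would be `clean_temp_locations(r"C:\Documents and Settings", [r"C:\Windows\Temp", r"C:\Windows\Prefetch"])`. Keep the dry-run listing before deleting for real, since it records dropped files such as the `win119C.tmp.exe` reported in the first post.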
 
Guest

HijackThis is an excellent tool. It took me a while to get it sorted out,
but my PC is running fine now! - Thanks a lot
 
