Category Archives: Spyware

Removing guard.tmp and kldsw.dll

More spyware junk removal.

This time I needed to use l2mfix which you can find at either of these locations.

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Download the zip file and unzip it to your desktop. This will create an l2mfix folder.

From within the folder run the l2mfix.bat file.

Select option #1 for Run Find Log.

Select option #2 for Run Fix. It will reboot your computer and then run the fix on reboot. On some systems the scanning passes may take a while so be patient.

After it is done it will open up notepad with a trace log.

Removing Nail and Aurora Spyware

Got another case of Nail.exe and Aurora popups.

This time I used a combination of 3 tools to remove it.

1) Run Nailfix.

You can find this program all over the net. Here’s one place to find it: nailfix for XP at
http://users/pandora.be/bluepatchy/nailfix.zip and nailfix for Win2K at
http://users/pandora.be/bluepatchy/nailfix2k.zip

2) Unregister aurorahandler.dll and DrPMon.dll. You can do this with the following command, once for each DLL: regsvr32 /u dllname

More information here: http://www.spyware-removal-guideline.com/aurora-removal

3) After the unregister I was able to rename the nail.exe file and later delete it.

4) Run ewido. http://www.ewido.net

Ewido was able to catch all the other random-named files that would reinstall Nail.exe.

Removing SurfsideKick3

Ran into a very stubborn case of SurfSideKick3 lately.

This posting eventually did the trick. http://www.cybertechhelp.com/forums/showthread.php?t=87193

I think the most critical part of the procedure was using Reglite to rename the Windows NT registry key. This allowed the deletion of repairs.dll, which was responsible for reloading SurfSideKick. After repairs.dll was deleted I could then remove the entire SurfSideKick directory and fix all the related entries with HijackThis.

Here are the main excerpts from the posting.

1) Download Ewido Security Suite from here: http://www.ewido.net/

Launch Ewido, there should be an icon on your desktop, double-click it. The program will now go to the main screen. You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates: http://www.ewido.net/en/download/updates/

When installing, under “Additional Options” uncheck : “Install background guard” and “Install scan via context menu”.

Do not run a scan yet.

Now, go to Start> Control Panel> Add or Remove Programs and remove if present:

SurfSideKick 3

Then run HijackThis, do a system scan only, and place a check mark next to the following entries:

R3 – URLSearchHook: (no name) – CFBFAE00-17A6-11D0-99CB-00C04FD64497 – (no file)
R3 – URLSearchHook: (no name) – {02EE5B04-F144-47BB-83FB-A60BD91B74A9} – E:\Program Files\SurfSideKick 3\SskBho.dll

O2 – BHO: COMMUNICATOR – {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} – E:\WINDOWS\system32\communicator.dll

O3 – Toolbar: COMMUNICATOR – {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} – E:\WINDOWS\system32\communicator.dll

O4 – HKLM\..\Run: [stb] E:\WINDOWS\system32\stb.exe

O4 – HKLM\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O4 – HKCU\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe

O9 – Extra button: (no name) – {85d1f590-48f4-11d9-9669-0800200c9a66} – %windir%\bdoscandel.exe (file missing)
O9 – Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 – {85d1f590-48f4-11d9-9669-0800200c9a66} – %windir%\bdoscandel.exe (file missing)

O15 – Trusted Zone: *.akamai.net
O15 – Trusted Zone: http://Download.Windowsupdate.com

O18 – Filter: text/html – {DFAA31C8-A356-4313-9D95-5EDAB46C5070} – (no file)
O20 – AppInit_DLLs: repairs.dll

Close all the windows (browsers, programs) and click Fix checked.

Boot into Safe mode by tapping F8 as your computer restarts. Make sure that you can view hidden files and folders and uncheck “Hide Extensions for Known File Types” and delete the following files or folders highlighted in bold if they are still present:

E:\Program Files\SurfSideKick 3
E:\WINDOWS\system32\stb.exe
repairs.dll <-- Search for it, probably located in System32

Run Ewido. Click on scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido.

2) Download the following reg file to your desktop. When it is finished downloading double-click on it and say Yes when it asks if you would like to merge the data.

fixssk.reg

3) Search for this file:

repairs.dll

Then download Pocket Killbox from here:

http://www.cybertechhelp.com/download/file/pocket-killbox

But don’t run it yet.

Boot into safe mode. Open Pocket Killbox and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying “File will be deleted on next reboot, Process and Reboot now?” Click “Yes” and post a new log when you have rebooted.

4) Download RegLite :

http://www.resplendence.com/downloads

Reboot into Safe Mode

Open Reglite and Copy&Paste the bold text below into the Address Bar and hit Enter

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the smaller left hand pane-> Right Click the Windows folder(Highlighted in Blue)

Select Rename-> Rename it to Windoz-> Hit Enter

Now look in the larger right hand pane-> locate and double click AppInit_DLLs

Under Value-> Remove(Delete)-> repairs.dll

Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced options

Now under All Files and Folders, enter this into the text box:

repairs.dll

Delete any exact matches

Reboot and Open Reglite again-> go back to the folder you renamed to Windoz and Rename it again, back to Windows.

Have HijackThis fix this entry if it's still there

O20 – AppInit_DLLs: repairs.dll

After the protection is removed you should then be able to delete the file…

C:\Windows\System32\repairs.dll <--delete that.
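A defender's triage of HijackThis entries like the ones quoted above, added here as an example; it is not code from the posting or from HijackThis itself. It parses each log line and flags AppInit_DLLs entries (the hook that kept repairs.dll reloading SurfSideKick), Trusted Zone additions, orphaned "(no file)" entries, and anything matching a watchlist constructed from the file names on this page; the sample log and the watchlist are both constructed.

```python
import re

# Constructed sample lines in HijackThis format, mirroring the entries quoted
# in the posting above; the ctfmon line is a benign control that must not be flagged.
SAMPLE_LOG = """\
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - E:\\WINDOWS\\system32\\communicator.dll
O4 - HKLM\\..\\Run: [stb] E:\\WINDOWS\\system32\\stb.exe
O4 - HKLM\\..\\Run: [SurfSideKick 3] E:\\Program Files\\SurfSideKick 3\\Ssk.exe
O4 - HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: *.akamai.net
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O20 - AppInit_DLLs: repairs.dll
"""

# Indicator watchlist built from the file names on this page (constructed, not exhaustive).
WATCHLIST = ("surfsidekick", "ssk.exe", "stb.exe", "repairs.dll", "communicator.dll", "nail.exe")

# Section code (R3, O4, O20, ...), entry kind up to the first colon, then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<kind>[^:]+): (?P<body>.*)$")

def parse_entry(line):
    """Split one HijackThis line into section, kind and body; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_entry(entry):
    """Return the reason an entry deserves review, or None if it looks routine."""
    sec, kind, body = entry["sec"], entry["kind"], entry["body"]
    low = body.lower()
    if sec == "O20" and kind == "AppInit_DLLs" and body:
        # Anything listed here is loaded into every process that maps user32.dll,
        # which is how repairs.dll kept coming back in the post above.
        return "AppInit_DLLs injection"
    if sec == "O15":
        return "site added to Trusted Zone"  # lowers IE security for that host
    if "(no file)" in low or "(no name)" in low:
        return "orphaned or nameless entry"
    if any(ind in low for ind in WATCHLIST):
        return "matches watchlist"
    return None

def triage(log_text):
    """Run every line through triage; returns (section, reason, line) for each hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        reason = triage_entry(entry) if entry else None
        if reason:
            hits.append((entry["sec"], reason, line))
    return hits
```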

Tempx.exe TEMPEX.A TROJAN

Another spyware file case: I kept getting a host of random spyware filenames like tempx, efbpdny, lxaauuc, etc. in the registry and msconfig. Booting to safe mode and running Norton Antivirus, AdAware, Spybot, and HijackThis to remove the spyware didn’t work — the files kept coming back.

Tempx.exe seemed to be a consistent filename so I did some Google research with disappointing results. All I found were postings saying that tempx.exe is installed by the TEMPEX.A TROJAN, but no one showed how to delete it!

What finally worked was running the free scanners from http://housecall.trendmicro.com.

Boot to safe mode and run the scan for viruses, the cwshredder, and spyware.

That cleared up tempx.exe along with all the other random spyware files.

Nice job from Trendmicro!

Aurora Spyware

Ran into the Aurora popup spyware last week. Very difficult to remove using normal spyware cleanup procedures.

This spyware creates a file called Nail.exe in Windows\System32 that is impossible to delete by hand, as it recreates itself almost immediately.

Used this program in Safemode to clear out the Aurora popup. http://www.mypctuneup.com/

Needed to run it twice. After that it looks like Aurora was removed.