Unable to remove spyware/viruses!!

by Guet Pooi / May 27, 2008 12:34 AM PDT

I have a Dell Pentium 4 CPU 1.5GHz and 128MB RAM. This is loaned to me by a friend who has not used it for some time. I have just installed antivirus AVG8 Free and Adaware2008 Free.

Both AVG and Adaware detected threats but are unable to remove them. Adaware found 8 Adware.CDN, 8 Adware.ToolbarDeepDrive and 3 BDSearch Plugin. When it came to remove them, it said 'cannot remove file' and then 'the file will be removed when the computer is restarted'. When the computer is restarted, I saw on the screen Adware initializing boot cleaning and all the files listed. But when the scan is run again, the same number of malwares are found.

With AVG it will always leave 2 spywares that it was unable to remove.

The computer has downloaded Windows Update but has been unable to install security update KB931784 even after many attempts.

The computer is very slow. Often when I try to start Internet Explorer, it hangs. When I press Ctrl-Alt-Del to access the Task Manager, I see the CPU usage as high as 100%! When I clicked on 'Process' there were 27 processes on the list.

Any help is very much appreciated.

Thank you.

I would give.......
by Marianna Schmudlach / May 27, 2008 1:01 AM PDT

Malwarebytes AntiMalware a try:

Operating Systems: Microsoft

MBAB found nothing
by Guet Pooi / May 27, 2008 7:12 PM PDT
In reply to: I would give.......

Thanks, Marianna. I really appreciate the detailed instructions given. I followed through. But guess what? It found no malwares! I wonder what that means. I noticed it took a far shorter time to scan and the number of objects scanned is also far less than that of Adaware and AVG. During the scan AVG's Resident Shield Alert kept popping up! I am enclosing the report for your information. I will get Adaware to scan again to see what it says. Will keep you posted. Thanks again.

Malwarebytes' Anti-Malware 1.12
Database version: 793

Scan type: Quick Scan
Objects scanned: 38320
Time elapsed: 12 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

During the scan AVG's Resident Shield Alert kept popping up!
by Marianna Schmudlach / May 28, 2008 12:07 AM PDT
In reply to: MBAB found nothing

and what did the alert(s) tell you??

What did it tell you?
by Guet Pooi / May 29, 2008 2:20 AM PDT

It said: "Accessed file is unwanted. Potentially unwanted program. File name:C:\Program files\CNNIC\Cdn\cdnforie.dll. Threat name: AdwareGeneric2.UC. Detected on open." and many similar others.

I finally found CNNIC with 'search' and deleted it in safe mode. Ran AVG and this time it seemed able to remove all threats without any problem!

But when I ran Adaware, I got exactly the same number and same kind of threats and same kind of response! During the scan, another Resident Shield Alert popped up. This time it is "c:\windows\system32\cdn.dll. Threat name: AdwareGeneric.BQZ. Detected on open."

I have got 2GB of virtual memory, with 1.96GB available. But during Adaware scan just now, a warning said it was low on virtual memory, and Windows was trying to increase it....

Well, how bad is my situation?

Adware.Cnnic
by Marianna Schmudlach / May 29, 2008 3:19 AM PDT
In reply to: What did it tell you?
This time it is "c:\windows\system32\cdn.dll.

That one also belongs to Adware.Cnnic

Have a look here : Adware.Cnnic Removal Instructions IF you can find the other files on your computer.

Maybe you try first:

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
Oops... link is here....
by Marianna Schmudlach / May 29, 2008 3:20 AM PDT
In reply to: Adware.Cnnic
Super Anti Spyware caught some
by Guet Pooi / May 30, 2008 1:48 AM PDT
In reply to: Adware.Cnnic

Marianna, I did just as you directed. I scanned, but it only caught 12 items all under Documents & Settings. Remembering that Adaware caught 19, I decided to scan in safe mode, and this time it caught 8 Trojan.CNNIC/variant with some familiar file names that AVG's Resident Shield kept throwing at me. I wonder if this is all.
Perhaps I will rescan tomorrow.
Do you think it will be easier to just reformat the harddisk?
Thanks a lot, Marianna.

Good.......
by Marianna Schmudlach / May 30, 2008 2:08 AM PDT

Remember, the "ugly stuff" will also be in your system restore points.

Scan tomorrow - after updating your AVG AND Super AntiSpyware - again in safemode. IF the scans come up clean......

Then browse to the C:\documents and settings\Owner\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files; make sure you get all offline content as well.

Then reboot to normal mode.

.....

TO CLEAR OLD SYSTEM RESTORE POINTS

On an infection-free computer, make a new restore point:

- Launch System Restore from its Start Menu | Programs | Accessories shortcut (or directly launch C:\Windows\System32\restore\rstrui.exe from a Run box).
- Select "Create a restore point." Click Next and follow out the menus.

Then, purge all restore points except the most recent:

- Run Disk Cleanup, either from its Start Menu shortcut, or from right-click + Properties on C: in My Computer, or from directly launching C:\Windows\System32\cleanmgr.exe from a Run box.
- After it scans, click the More Options tab, then Clean Up in the System Restore section, confirm the action, then click OK to run it.

That's it!

Back to square one!
by Guet Pooi / May 30, 2008 7:15 PM PDT
In reply to: Good.......

Hi Marianna, I scanned with Superantispyware and AVG in safe mode as suggested. Super did not find anything, while AVG found quite a number of tracking cookies which it cleaned up.

I could not find the c:\documents and settings\owner\local settings\temp folder. I did find c:\windows and the temp folder under it. When I ran the cursor over it, it had approx 600kb and some files. But when I opened it, no file was listed. So I couldn't proceed. Kindly advise.

Then I remembered Adaware found some adware.ToolbarDeepdrive malwares which were not reflected in the Super search. So I thought I would scan with Adaware. But it didn't seem to want to start. I did a search, and there were many, many toolbars listed.

Then I rebooted to normal and did the scan with Adaware. The result was exactly like before - 8 adware.CDN, 8 adware.ToolbarDeepdrive and 1 dataminer. Only this time when asked to remove the threats, it did not say it cannot remove the file.

Also, during the scanning, AVG Resident shield popped up at least twice with C:\windows\system32\cdn.dll and c:\system Volume Information\restore...(a long string of numbers)...sys.

I also notice there is plenty of internet activities - within a short span of time, my broadband connection has received and sent hundreds of thousands of bytes, even though I was not doing any surfing.

Am I back to square one?
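
Added example, not part of any post in this thread: a short script that sorts Resident Shield alert text of the kind quoted above by where the flagged file lives, since the thread handles live files (Safe Mode removal), System Restore copies (purging restore points) and temp files (emptying Temp folders) with different steps. The restore-point and Temp paths and the `ExampleThreat.X` name are constructed placeholders, and the category names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Alert text in the shape quoted in the thread. The first three entries use the
# paths and threat names quoted there; the restore-point and Temp entries are
# constructed placeholders (the thread elides the real restore-point path).
PREFIX = "Accessed file is unwanted. Potentially unwanted program. File name:"
SAMPLE_ALERTS = [
    PREFIX + r"C:\Program files\CNNIC\Cdn\cdnforie.dll. Threat name: AdwareGeneric2.UC. Detected on open.",
    PREFIX + r"c:\windows\system32\cdn.dll. Threat name: AdwareGeneric.BQZ. Detected on open.",
    PREFIX + r"C:\WINDOWS\system32\cdn.dll. Threat name: AdwareGeneric.BQZ. Detected on open.",
    PREFIX + r"C:\System Volume Information\_restore{PLACEHOLDER}\RP1\A0000001.sys. Threat name: ExampleThreat.X. Detected on open.",
    PREFIX + r"C:\Documents and Settings\Owner\Local Settings\Temp\example.tmp. Threat name: ExampleThreat.X. Detected on open.",
]

# The path ends at the full stop that precedes "Threat name:", so dots inside
# the file name (cdn.dll) and inside the threat name (AdwareGeneric2.UC) survive.
ALERT_RE = re.compile(
    r"File name:\s*(?P<path>.+?)\.\s*Threat name:\s*(?P<threat>\S+?)\.\s*Detected",
    re.IGNORECASE,
)

# Clean-up step the thread applies to each location.
NEXT_STEP = {
    "live_file": "remove in Safe Mode, where the file is not loaded",
    "restore_point": "purge old System Restore points once live files are gone",
    "temp_cache": "empty the Temp folders and the browser cache",
}


def classify(path):
    """Return the category for a Windows path, ignoring letter case."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "system volume information" in parts:
        return "restore_point"
    if "temp" in parts or "temporary internet files" in parts:
        return "temp_cache"
    return "live_file"


def triage(alert_lines):
    """Group alerts by category, merging repeats of the same file."""
    seen = {}
    for line in alert_lines:
        match = ALERT_RE.search(line)
        if not match:
            continue  # not an alert in the expected shape
        path = match.group("path").strip()
        entry = seen.setdefault(path.lower(), {
            "path": path,
            "threat": match.group("threat"),
            "category": classify(path),
            "hits": 0,
        })
        entry["hits"] += 1  # the same file alerting again and again
    groups = {name: [] for name in NEXT_STEP}
    for entry in seen.values():
        groups[entry["category"]].append(entry)
    return groups


if __name__ == "__main__":
    for category, entries in triage(SAMPLE_ALERTS).items():
        print(f"{category}: {NEXT_STEP[category]}")
        for e in entries:
            print(f"  {e['path']}  [{e['threat']}] x{e['hits']}")
```

A file that stays in the live-file group after a clean Safe Mode scan is still present on disk; an alert that only ever appears under `System Volume Information` is a restore-point copy.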

Can you SEE the HIDDEN files?
by Marianna Schmudlach / May 30, 2008 11:23 PM PDT
In reply to: Back to square one!

IF not:

1. Click "Start".
2. Click 'My Computer'
3. Select the 'Tools' menu
4. Click 'Folder Options'.
5. Select the 'View' tab.
6. Under the 'Hidden files and folders' heading, select 'Show hidden files and folders'.
7. Uncheck the 'Hide protected operating system files (recommended)' option.
8. Click 'Yes' to confirm.
9. Uncheck the 'Hide file extensions for known file types'.
10. Click 'OK'.

...

Do you have teatimer ENABLED in Ad-aware? DISABLE it, otherwise it WILL interfere with the fixes.

Do you have CCleaner? IF not,

Download CCleaner HERE and install it.

Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

Then open it and select the items you wish to clean up.

In the Windows Tab:

I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Then click the "Run Cleaner" button
.....

Now run AVG in SAFEMODE and also SuperAnti Spyware.

ONLY as a "guide" have a look here:

http://www.exterminate-it.com/malpedia/remove-cnnic-update

Just to be sure
by Guet Pooi / May 31, 2008 2:35 AM PDT

Hi Marianna, a few questions before I start. I don't want to mess up again.
1. My Ad-aware is 7.1.0.8. Its user interface does not seem to have any options, except for scanning. I can't find 'teatimer'. Seeing that Ad-aware does not seem to play a part in this cleaning process, do you want me to uninstall it first?

2. In CCleaner, under System, 2 entries - start menu shortcut and desktop shortcuts - are left unchecked. Do you want me to check that also?

3. Will Ccleaner also clean out the files in the temp folders that you wanted me to? I have unhidden the files, but still one temp folder refused to reveal its files either in 'browse' or 'search'.

4. Do you want me to run Ccleaner in normal or safe mode?

I had a look at the CNNIC site. It's frightening.

Thanks. Have a good weekend!

Re: Ad- aware
by Marianna Schmudlach / May 31, 2008 3:36 AM PDT
In reply to: Just to be sure

1. Is enough IF you disable it.

2. CCleaner under System...... I have ALSO checked start menu shortcut and desktop shortcuts in MY CCleaner ;)


3. Yes, CCleaner will also clean the temp.files. The one temp.folder > can you rightclick on it and look under properties? What is the name of that temp.folder?

4. Yes, you can run CCleaner in safemode.


Thanks - you have a great weekend too.... I will be in\out of the house over the weekend - only FYI - so you are NOT wondering where I am "hiding":)

Stay cool, calm and collected ;)

Done all
by Guet Pooi / May 31, 2008 11:49 PM PDT
In reply to: Re: Ad- aware

Hi Marianna,
This is what I have done in safe mode:

1. Run Ccleaner. It cleaned tons of files.

2. Run AVG. Found tons of cookies and one cdn.dll. It closed on its own. So I assumed it's ok.

3. Run SuperAntiSpyware. Found no threat.

4. Check on the temp folders, mostly empty, except one which I deleted. Check on Internet Explorer and Mozilla also.

5. Reboot. Create new restore point and purge the rest.

I hope this is all. I will run ad-aware tomorrow to see if it's ok. Right now I want to assume it's ok. But I have just connected my broadband connection to write this post, and already it has sent out over 200,000 bytes and received over 1.8 million bytes!

Will let you know tomorrow. I truly appreciate your patience and your encouragement.

"senior moment"......... or whatever you call it...
by Marianna Schmudlach / May 31, 2008 4:14 AM PDT
In reply to: Just to be sure

teatimer is for SpybotS&D and Ad-watch is for Ad-aware, but don't know IF the newest version of Ad-aware still has it.

a little mistake
by 4Denise / June 2, 2008 2:48 AM PDT

Teatimer is Spybot Search & Destroy, not AdAware.

Denise

Guess, you missed it.........
by Marianna Schmudlach / June 2, 2008 3:23 AM PDT
In reply to: a little mistake
Yes, I did
by 4Denise / June 2, 2008 3:40 AM PDT

I saw it right after I posted. Sorry.

Denise

What OS ? RAM Extremely Small 4 New LARGER...
by tobeach / May 27, 2008 4:16 PM PDT

modern programs like Adaware 2008 (20+ megs). 27 processes running while connected to net (here) is quite good so too many start-ups is, in general, not the problem.

If Marianna's suggestion doesn't get 'em, try removing in safe mode/or using "Move on Boot" program (Google it). If it's a plug-in it may be able to be manually un-installed by un-installing toolbar & plug-in. :)

More info please
by Guet Pooi / May 27, 2008 7:24 PM PDT

Thanks, Tobeach. I am not too computer savvy, so will appreciate more detailed instructions. How do I go about removing some unnecessary programs? I went to System Information last night and found that I only have 10.10 MB available physical memory. Is that significant? I also took a look at 'Tasks Running' and found a number of files with 'path' etc. not available. Is it normal?
Thanks.

Carol's Suggestion 4 KB...Is Excellent....
by tobeach / May 28, 2008 4:18 PM PDT
In reply to: More info please

Assuming you have XP. Which? Home? Pro? Sp1 or Sp2? Sp3? Total HD Size?

Have you or even CAN you do a defrag? If free space on HD is less than about 30% of total (depending on which OS) you may not be able to without creating some space by deleting excess programs not used or moving some storage files like WMV or Audio files onto a separate storage medium (DVD/CD/USB Flash drive).

Most programs are listed in your Control Panel>Add/Delete Programs Icon>List. See if "toolbar" mentioned is listed there. If so you may be able to un-install from there(if a legit one...If a Malware one maybe more difficult).

Some things resist removal if they're running (from boot-up). Often scanner "can't remove" means either 1) Item is an installed program and must be manually un-installed from Add/Delete Progs or 2) needs Safe Mode to stop running first. Often they can be removed/un-installed if running in Safe Mode since most items are not loaded/started in this mode. How to start in safe mode:
http://www.pchell.com/support/safemode.shtml
Do Not be dismayed by weird appearance of desktop in SF. You can use as if normal. It will return to normal when rebooted to normal mode.

Could NOT find specific info via Google for either of named problems. Perhaps mis-spelled ??
Freeware "Toolbar Cop" may help in removal of both Toolbar & BD browser search re-direct. Do Not Click on any "Sponsored Links". Author Ramesh.:
http://windowsxp.mvps.org/toolbarcop.htm

Path not available MAY mean someone has done an un-install already(perhaps not complete). Also may mean system files are damaged.
To correct damaged system files, try running System File Checker.
If XP, based on an on board back-up copy of XP (read only) used to correct files. If copy is corrupted, it may tell you to insert XP or SP2 (if patch applied) disk or to indicate location of SP2 info to get new, clean copy inserted. Good to have disk at hand. To Run SFC:

Left click on My Computer(open)
Right click on "C" or your OS drive if another letter.
Left click Properties and then click Tools Tab.
Left click on "Error Checking"> Check Now.
Left click to enter check mark in "Auto Fix System File Errors"
Left click on "Start".
Computer will have to reboot to begin repairs.
Just leave alone (you're locked out anyway) 'til process finished.

Hope of some help. :)

Got some removed
by Guet Pooi / May 29, 2008 2:26 AM PDT

Thanks, tobeach. I went to safe mode and got the suspected file CNNIC removed. Also removed a toolbar from Add/Remove program. But overall situation not much improved.
I have XP home edition and SP2. Harddisk is 40G with more than 70% free. I went to defrag and analyzer said no need to defrag.

Regarding the installation of KB931784
by Carol~ Forum moderator / May 28, 2008 8:27 AM PDT

Guet..

You never mentioned which operating system you're using. I'm presuming it's Windows XP. Many users had the same problem with KB931784 last year. Go to your Control Panel and see if Add/Remove indicates the update was installed. If so, delete the update. Empty your Temporary Internet Files and reboot. If you have Automatic Updates enabled, temporarily disable it until the below procedure is entirely completed.

After you restart the computer, try this suggestion for installing problematic updates, offered by Ottmar Freudenberger. (I would create a Restore Point first)

Create a folder directly off your C drive and call it "Downloads". (C:\Downloads) If it isn't "C", change it accordingly.

"Save" the update to your harddisk, where you created the C:\Downloads folder.

http://www.microsoft.com/downloads/details.aspx?FamilyID=eeaee4a7-4858-4b6b-9c6d-a9f1eae19b51

After manually downloading the update to your Downloads folder, go to Start>Run and type (or paste) the following in the appropriate space:

"C:\Downloads\WindowsXP-KB931784-x86-ENU.exe" /o

Keep the quotes and note there is a space between the last quotation mark and /o

Press OK then Enter. Reboot. Remember to re-enable Automatic Updates.

The update should install without creating any further problems. If you still have a problem, or receive any error messages, make sure to read "Known Issues" here and see if it applies to you. There are other things you can try, but the above seems to work in many cases.

Carol

Thanks
by Guet Pooi / May 29, 2008 2:29 AM PDT

Thanks, Carol. Will follow your instruction tomorrow. The update is still waiting, but I got to sleep now.

Re: Done all
by Marianna Schmudlach / June 1, 2008 1:07 AM PDT

Great Job !

Are you up-to-date with ALL Microsoft patches? To be sure - go to Windows Update and check.

Do you have the latest Sun Java installed?
Go here to check: http://www.java.com/en/download/installed.jsp

What you also could do is,

go here: http://secunia.com/software_inspector/

Feature Overview - The Secunia Online Software Inspector:
* Detects insecure versions of common/popular applications installed on your computer
* Verifies that all Microsoft patches are applied
* Assists you in updating your computer and problems
* Runs through your browser. No installation or download is required


....but first ENJOY your Sunday - tomorrow is another day ;)

You Are Very Welcome :)

Out of the woods at last?!
by Guet Pooi / June 2, 2008 1:50 AM PDT
In reply to: Re: Done all

Hi Marianna,

Trust you have had a good weekend.

Well, I scanned the computer in normal mode with
1. Ad-aware. Found a few cookies of TAI 3, which it removed.

2. SuperAntiSpyware. Found 1 Adware Tracking Cookies which it removed.

During these last two scans, AVG Resident Shield popped up with "Potentially Unwanted Programme c:\Windows\system32\cdn.dll".

3. AVG. Found the above spyware c:\windows\system32\cdn.dll and moved it to virus vault.

Do I need to purge restore point again? I did not do it this time. I can do it in the next scan, if necessary.

Does it mean that I am out of the woods at last?

Thank you for your additional advice. I did not know that I have to check at Windows Update, thinking that enabling Automatic Windows Update was enough. I went there and it asked me to install Service Pack 3, etc. which I did.

Will look at the other sites later on.

Thanks again, Marianna. You have been a really great help.

It sounds this way ;)
by Marianna Schmudlach / June 2, 2008 3:19 AM PDT

Thanks, yes I had a great weekend - is only a "pity" it flies by like nothing :(

You can DELETE everything you have in AVG's vault. Reboot

Yes, I would purge the restore points again like you did last time so you have a CLEAN computer.

I also would recommend installing:

SpywareBlaster:

SpywareBlaster 4.0

Prevent the installation of spyware and other potentially unwanted software!

Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today.
By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

More here: http://www.javacoolsoftware.com/spywareblaster.html

and

SpywareGuard 2.2

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.

SpywareGuard now also features Download Protection and Browser Hijacking Protection!

http://www.javacoolsoftware.com/spywareguard.html

You Are Very Welcome and Happy SAFE Computing :)

Thanks & More Questions
by Guet Pooi / June 3, 2008 11:38 PM PDT
In reply to: It sounds this way ;)

Hi Marianna, I scanned again with AVG, and this time it found absolutely NOTHING! Hallelujah, Praise God, and a big thank you to you.
I don't think anybody else would have been so patient to get me through this. It has been a very educational week for me. I have printed out all your posts, so I can refer to it in future.

Right now I have already installed in my computer
1. AVG 2008
2. Ad-aware 2008
3. SuperAntiSpyware

Questions:
1. If I also installed SpywareBlaster 4.0 and SpyGuard 2.2, will they conflict with each other?

2. My computer is an old horse with only 128 M Ram. And at the moment only 10 M is available. Will it be advisable to install them now, or wait until I am able to install more Ram?

3. Or shall I uninstall Ad-aware and install these last two instead?

Thank you again.

Yippee :)
by Marianna Schmudlach / June 4, 2008 12:36 AM PDT

Great to hear :)

1. As you already have AVG 8 on your computer, I would WAIT installing SpywareBlaster till AVG FIXED their "findings" about the ActiveX kill bits SpywareBlaster is setting. There should be a fix "soon". No problem installing SpywareGuard.

2. Yes, would be a GOOD idea to get MORE RAM ;)

3. Is up to you with Ad-Aware - but...... I would prefer to have SuperAntiSpyware and MalwareBytes Anti-Malware on MY computer ;)

You Are Very Welcome :)
