20 August 2007

A typical case of spyware removal

In this document I'll show how to clean a typical spyware infection with the help of FreeFixer. The spyware identified in this case was installed on my lab computer without my consent, just by visiting a web site. The spyware distributors are able to do this by exploiting security holes in the web browser. Another common distribution method is to bundle the spyware with another program, such as a file sharing program. If you are a first-time user of FreeFixer, this is recommended reading before you proceed to clean your own machine.

Identifying spyware components

Screenshot of SpyVampire, UltimateCleaner and the new icons

The first sign of infection was that the computer suddenly started running very slowly while I was browsing a web site. Later on, new icons and pop-up adverts appeared on the desktop, and two new programs - SpyVampire and UltimateCleaner 2007 - appeared on the computer. The Task Manager was also disabled, preventing me from shutting down the intruding processes.

The first step is to identify the various spyware components that are installed on the infected machine, so I download and install FreeFixer and scan the infected machine. The scan result:

FreeFixer v0.19 log
http://www.freefixer.com/
Operating system: Windows NT 5.1
Log dated 2007-08-17 13:42

System policies
HKCU\..\policies\system, DisableTaskMgr = 1

Browser Helper Objects
{98B822AD-6BE7-49BC-B773-97240B774080}, HttpGuard Class, C:\WINDOWS\system32\AClient.dll

Registry Startups
HKLM\..\Run, avp = C:\WINDOWS\avp.exe
HKLM\..\Run, System = C:\WINDOWS\System32\kernelwind32.exe
HKLM\..\Run, smgr = mgrs.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, SpyVampire = C:\Program\SpyVampire\SpyVampire.exe

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe 
C:\Program\FreeFixer\freefixer.exe 
C:\WINDOWS\avp.exe 
C:\WINDOWS\mgrs.exe 
C:\Program\ucleaner_setup.exe 

If you have plenty of experience removing spyware, you can probably identify the unwanted files and settings in the scan result immediately. However, as a first-time user it can be difficult, so I'll show some techniques that will help you along the way. Let's look at the first process entry in the scan result:

C:\Program\Messenger\msmsgs.exe

By clicking the more info link in FreeFixer's application scan result, you can get additional info about the msmsgs.exe file. The version information for msmsgs.exe indicates that it is part of Microsoft's Messenger. You can also see that most of the other users chose to keep this file. I'm running Messenger on this machine and other users have voted to keep this file, so it seems to be legitimate and I move on to the next file in the scan result:

C:\Program\FreeFixer\freefixer.exe

This is the FreeFixer program. Better keep this file.

C:\WINDOWS\avp.exe

The file above seems suspicious. The version information says that it's an Anti-Virus Project (AVP) spyware removal module by a company called MskSoftStudy Corp. I know for a fact that I've never installed any anti-virus program on this machine, and definitely not from a company called MskSoftStudy Corp. However, before removing this file I want to be 100% sure it's a spyware file, so I upload it to Jotti's malware scanner, and the results speak volumes:

File: avp.exe
Status: INFECTED/MALWARE
MD5: acbdefe4d65b897395a1d2388b246145
Packers detected: -
Bit9 reports:

Scanner results
Scan taken on 18 Aug 2007 07:31:51 (GMT)
A-Squared Found nothing
AntiVir Found TR/Dldr.Alphabet.LH1
ArcaVir Found nothing
Avast Found Win32:Alphabet-D
AVG Antivirus Found Downloader.Generic5.BNH
BitDefender Found Generic.Drop.Alpha.C153CCA5
ClamAV Found Trojan.Downloader-11633
CPsecure Found nothing
Dr.Web Found Trojan.DownLoader.25873
F-Prot Antivirus Found W32/Downldr2.AMHV
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Alphabet.k
Fortinet Found Nonaco!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Troj/Nonaco-Gen
VirusBuster Found Trojan.DL.Alphabet.BJ
VBA32 Found Trojan-Downloader.Win32.Alphabet.k

14 scanners report that this is a bad file, so I check the "Delete" checkbox in FreeFixer. To assist other users that find this file on their computers, I post a comment about my findings. The remaining two files,
C:\WINDOWS\mgrs.exe 
C:\Program\ucleaner_setup.exe 

seem suspicious too. Most legitimate files have proper version information clearly stating a product and company name; the files above have no version information whatsoever, and ucleaner_setup.exe seems to be part of the unwanted UltimateCleaner software. Both files are detected at Jotti's scanner, so I check these for removal as well.

By using the same procedure on the remaining files in the scan result, I check these for removal:

{98B822AD-6BE7-49BC-B773-97240B774080}, HttpGuard Class, C:\WINDOWS\system32\AClient.dll
HKLM\..\Run, avp = C:\WINDOWS\avp.exe
HKLM\..\Run, System = C:\WINDOWS\System32\kernelwind32.exe
HKLM\..\Run, smgr = mgrs.exe
HKCU\..\Run, SpyVampire = C:\Program\SpyVampire\SpyVampire.exe
The last entry that I check for removal is:
HKCU\..\policies\system, DisableTaskMgr = 1

since I want to remove the setting that prevents me from starting the Task Manager.

Removing the spyware

Now that I've identified the spyware and the unwanted settings and checked them for removal, I just press the "Fix" button and FreeFixer starts to delete the unwanted files and settings. In this case FreeFixer was able to immediately delete all files except AClient.dll:

The following file could not be removed at the moment. It will be deleted when you reboot your machine. Please reboot as soon as possible.

C:\WINDOWS\system32\AClient.dll

What happens now is that FreeFixer has registered this file for deletion, which will occur before the login prompt appears. The following screen will appear during the reboot:

FreeFixer's Native Deleter removing AClient.dll

To verify that all unwanted files were removed, I log in and scan the system again, and now a clean log appears:

FreeFixer v0.19 log
http://www.freefixer.com/
Operating system: Windows NT 5.1
Log dated 2007-08-17 14:01

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe 
C:\Program\FreeFixer\freefixer.exe 
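
The rescan-and-compare step above can also be done mechanically. The following Python script is an added example, not part of the original article or of FreeFixer: it parses the two logs shown on this page (abridged) and diffs them. The parsing rule, the KEEP list and the function names are assumptions made for this example.

```python
# Constructed input: the article's two scans, with header and blank lines dropped.
BEFORE = r"""System policies
HKCU\..\policies\system, DisableTaskMgr = 1
Browser Helper Objects
{98B822AD-6BE7-49BC-B773-97240B774080}, HttpGuard Class, C:\WINDOWS\system32\AClient.dll
Registry Startups
HKLM\..\Run, avp = C:\WINDOWS\avp.exe
HKLM\..\Run, System = C:\WINDOWS\System32\kernelwind32.exe
HKLM\..\Run, smgr = mgrs.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, SpyVampire = C:\Program\SpyVampire\SpyVampire.exe
Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program\ucleaner_setup.exe
"""
AFTER = r"""Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe
"""
# Assumption: entries the article chose to keep, matched by file name substring.
KEEP = ("msmsgs.exe", "freefixer.exe")

def parse_log(text):
    """Return {(section, entry)}; assumes entries contain a backslash, headers do not."""
    items, section = set(), ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if "\\" in line:
            items.add((section, line))
        else:
            section = line.split(" (")[0]  # drop "(15 whitelisted)"
    return items

def is_kept(entry):
    return any(name in entry[1].lower() for name in KEEP)

def verify_cleanup(before, after):
    """Diff two scans: what was removed, what survived, what was lost, what is new."""
    b, a = parse_log(before), parse_log(after)
    return {
        "removed": sorted(e for e in b - a if not is_kept(e)),
        "survivors": sorted(e for e in a & b if not is_kept(e)),  # flagged, still present
        "lost": sorted(e for e in b - a if is_kept(e)),           # wanted, but gone
        "new": sorted(a - b),                                     # appeared after the fix
    }
```

For the two scans in this article, `verify_cleanup(BEFORE, AFTER)` reports nine removed entries and empty `survivors`, `lost` and `new` lists; a non-empty `survivors` or `new` list after a reboot is the cue to scan again.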

Comments

spiney writes

5 thumbs

I am really impressed with your software & will recommend it forthwith

thanks

# 2 Oct 2009, 14:45

David writes

0 thumbs

Let's try it and see how it works

# 16 Jan 2010, 12:45

patrick cruz writes

1 thumb

really good thanx

# 21 Jan 2010, 22:11

Antivirus writes

1 thumb

Well, haven't heard about FreeFixer yet. Will try.

# 22 Sep 2010, 6:21

Dusty writes

1 thumb

Delta.toolbar was where BrowserDefender.exe was hidden on my computer.

# 12 Aug 2013, 15:50

Gerrit writes

2 thumbs

Able to remove "SimpleFilesUpdate". Uninstall did not work, freefixer did the job.

# 24 Nov 2014, 12:11

Lynn Hrnciar writes

0 thumbs

I downloaded freefixer and while I've been running the scan I have been reading through "A typical case of spyware removal" because I am basically in the dark about which files are safe to remove and which are not. I really appreciate how much time and detail you have provided in order to make sure people like me have the best chance of using your software without a problem. As I have been reading I recognize quite a few of the names of files I have been questioning and wondering what to do with! And some, of course, that I might have made a mistake by deleting had I not read your words or guidance and wisdom. I still don't know as much as I wish I could know about these things but this is the first time that I have attempted to take action that I have actually felt like I am on the right track and not just hoping I'm on the right track. I wish I could thank you for all of the time and effort you have invested by paying for the full software. Unfortunately I live on my SSI Disability ($733 per month) which doesn't even cover all of my monthly expenses but if I had it or if someday my financial circumstances change I will happily pay for the full program. I may not be able to buy it myself but I can recommend your software and you can share any part of this message you feel may help someone else gain confidence and to take action against malware. It is such a huge problem for all of us on the internet but especially for those like myself that don't have all of the expertise or answers and who are not able to afford the cost of repairs, full programs or new computers, not to mention the terrible cost of losing computer access or having personal information stolen and used for identity fraud, the worst crime of all in my opinion. But before I go off and start preaching about integrity and the lack of let me again just say thank-you for all the hard work you have done and your sincere desire to help others to not be so helpless!
Now I will bravely go forth and view my scan results and begin the process of removing the malware I am sure will be in my report. I have also opened 'jotti's malware' program in another window so it will be ready for me to access as I read what you have written and follow your advice to be as sure as possible about what the results are saying before deleting! I know my computer is in trouble, especially because of the 'update your video viewer' site that continuously keeps opening and is so hard to close! I had also been trying to identify files that I have been finding on my computer and actually have one of the details of one of those opened revealing its location. This will be confirmed by your freefixer I'm sure. Please send me anything you would like promoted to get the word out about your freefixer download. I want to share as much as I can with my friends on facebook. I have around 800 friends now...all people I have known or gotten to know playing fb games or as friends or family of friends! Recently I have added over 100 new friends just after my 40th class reunion! So maybe if I share the information in the best way I can I will be able to support you by sending you new people who can afford the very minimal cost for your full program that is still beyond my financial reach! Again, thanks for everything you are doing to help remedy the huge malware and virus problems we face on the internet all the time.
Your newest fan...Lynn Hrnciar

# 22 Dec 2014, 21:54

Roger Karlsson writes

0 thumbs

@Gerrit: Thank you for the feedback!

@Lynn: Happy to hear you like the FreeFixer program. Please let your friends know about my software, I'd really appreciate that. Hope you got that malware off your computer.

# 8 Jan 2015, 23:37

Cedric Small; writes

0 thumbs

I am still getting bothered by the clamscam.exe notwithstanding my purchase of the Freefixer software why is this???

# 6 Feb 2015, 19:35

Roger Karlsson writes

0 thumbs

@Cedric: I've responded to your email regarding clamscan.exe. Please check your inbox.

# 7 Feb 2015, 7:08

Chuck Winter writes

0 thumbs

I have problems with "bycontext.com" and "warmportrait.com" sites popping up, as well as with "efix.com" (Firefox 37.01). Are there "standard" items I should look for with FreeFixer? I'm a first-time user and rather a novice with PC maintenance...

# 6 Apr 2015, 4:30

Roger Karlsson writes

0 thumbs

@Chuck: Sorry for the delay. I've seen those pop-ups appear while trying some adwares on my lab machine. They hooked in as an add-on in the browser, so that's a good place to start checking out. In what browser do you see these pop-ups?

# 27 Jun 2015, 10:21

Daniel Schalk writes

0 thumbs

@ Chuck Winter
Hallo Chuck! I recently also have the problem with "warmportrait.com". Do you remember what was the problem and how you solved it?
Thanks in Advance

Daniel

# 27 Feb 2016, 5:33
