Jump to content


Photo

Remove Spyware Doctor and Traces of McAfee


This topic has been archived. This means that you cannot reply to this topic.
12 replies to this topic

#1 noknojon

noknojon

    Lunar Novice

  • Member
  • 45 posts

Posted 12 August 2009 - 06:25 PM

I have been trying to fully remove Spyware Doctor and some remaining traces of a McAfee program (most likely a free sample) for some time now -
These 2 programs show up in Hijack This scans (try each time I scan to remove but no result when I tick to remove them) and the Spyware Doctor will not remove from Windows Explorer -
None of these are paid d/loads so they can only be freeware samples or free d/loads from earlier times -
They are not listed in Add/Remove in control panel so I cannot remove there -

Is there a remover for McAfee like there is for Norton ??

I only use Avira as a daily scanner with MBAM and SUPERantispyware as the other main removers -

#2 James_A

James_A

    Lunar Regular

  • contributor Contributor
  • 604 posts

Posted 13 August 2009 - 01:27 AM

Is there a remover for McAfee like there is for Norton ??

Yes, there's a tool called MCPR.exe (MCPR=McAfee Consumer Products Removal)

Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, 2007, 2008, and 2009 versions of McAfee consumer products


Full details of what is removable and the download link for the tool are given on this page by McAfee support: http://service.mcafe...spx?id=TS100507
Scroll down to "Step 2 - Download and run MCPR.exe"

.

#3 noknojon

noknojon

    Lunar Novice

  • Member
  • 45 posts

Posted 13 August 2009 - 03:46 AM

Thank you James -
I just did another Hijack This scan after D/loading the MCPR tool and no McAfee on the screen at last - Good one -
I knew about Norton as I had a problem with that earlier, now I have this also -

Just need to get that Spyware Doctor off now and I an cleaned of these programs -
Regards John - :P

#4 greenknight

greenknight

    Lunar Executive

  • Global Moderator
  • 1,072 posts

Posted 13 August 2009 - 09:09 AM

Hijack This has a "Delete a file on reboot" function; maybe that would do it. Press Config > Misc tools to get to it.
Your proposition may be good
But let's have one thing understood --
Whatever it is, I'm against it!
And even when you've changed it or condensed it,
I'm against it.
- Sung by Groucho Marx in Horse Feathers (1932). Always a popular political philosophy.

#5 noknojon

noknojon

    Lunar Novice

  • Member
  • 45 posts

Posted 14 August 2009 - 03:29 AM

Thanks greenknight .. but
I tried that , and unless I got it totally wrong it was not successful -
It still exists in program files with 2 folders and no files - This may mean I have partially removed it but some still remains -
I just keep getting the message "cannot delete pctsAuxs.exe"

Will keep trying - Thanks for your help - Regards John -

#6 greenknight

greenknight

    Lunar Executive

  • Global Moderator
  • 1,072 posts

Posted 14 August 2009 - 06:48 AM

I suppose you tried to delete it in Safe Mode already, too.

If you have MBAM, it contains a tool called FileASSASSIN that might remove it - press the "other tools" button in MBAM to bring it up.

Then there's Unlocker, a very small utility for dealing with problems like this: http://ccollomb.free.fr/unlocker/

Good luck - I know how frustrating this kind of thing can be.
Your proposition may be good
But let's have one thing understood --
Whatever it is, I'm against it!
And even when you've changed it or condensed it,
I'm against it.
- Sung by Groucho Marx in Horse Feathers (1932). Always a popular political philosophy.

#7 James_A

James_A

    Lunar Regular

  • contributor Contributor
  • 604 posts

Posted 14 August 2009 - 07:58 AM

Is pctsAuxs listed in the 023 section of your HJT log (it might also be listed as sdAuxService) ?

If so, its running as a service and you won't be able to delete it, even as an Administrator.

First you have to stop the service, then change its start type to disabled (it's probably on automatic at present).

Could you post the HJT log? Or at least the relevant part?

If you need detailed instructions on stopping and disabling services, let us know and someone can talk you through it.

.

#8 noknojon

noknojon

    Lunar Novice

  • Member
  • 45 posts

Posted 14 August 2009 - 09:19 PM

Thank you greenknight I tried in safe mode, but I think James is onto it -
It is listed in 023 with 2 listings -
The first as you said is(sdAuxService) - The second is (sdCoreService)unknown owner ------>file missing - Each with basically the same wording -
None of these 2 items can be deleted as you said due to the fact that they are running or trying to run - I do not have it listed in Mike Lin startup panel - It only shows up in program files in Windows Explorer -
I only have Yahoo Messenger or email at my listed name - The other is just an email with my ISP -
Regards John

#9 noknojon

noknojon

    Lunar Novice

  • Member
  • 45 posts

Posted 14 August 2009 - 10:37 PM

Well..... I must have removed part of it - I used file Assassin from MBAM but I now get a similar readout with both entries -
They both say ------> "file missing" at the end of the lines in HJT -
Also HJT logs now come up with all 70 odd items ticked ?? - I unchecked all but the two I was chasing and still no further results -
The other unlocker (from greenknight) did not seem to access the files or folders like MBAM Assassin did -
It appears I now have two empty ?? folders that will not go away -
Regards John -

#10 James_A

James_A

    Lunar Regular

  • contributor Contributor
  • 604 posts

Posted 15 August 2009 - 01:58 AM

Your two answers have confirmed what I said. Both items are running as services and, even as Administrator, you cannot directly delete them. File deletion tools won't work, because you need to delete Registry entries, not files.

In fact, for the most part you cannot even see services. If you open the processes tab of Windows Task Manager, services are not directly listed. Instead you will see multiple instances of a program called "svchost.exe". Here's a screenshot (using a program called Process Explorer) of what just one instance of svchost.exe might be actually running:
Attached File  ProcExp Screenshot.png   31.34KB   6 downloads
In this screenshot, just one instance of svchost.exe is running 25 services. When third parties add services to Windows they might appear in Windows Task Manager, but you still can't kill them from there.

The two problem services you have are:
(1) the PC Tools Security Service: sdCoreService, provided by a file called: pctsSvc.exe
(2) the PC Tools Auxiliary Service: sdAuxService, provided by a file called: pctsAuxs.exe

To remove these, right-click My Computer, select Manage. This will open a window called Computer Management.

Warning: Clicking the wrong items in this program can cause severe problems, including Windows failing to boot, so do not click anything except as listed below.

In the left-hand window pane, click the [+] next to Services and Applications (to open up this part of the tree) and then click on Services which will appear as the next line. A list of 50 to 100 items will appear in the right-hand pane. You will probably need to make the window larger to be able to read anything

Scroll through the list looking for PC Tools Security Service/sdCoreService. When you find it, right-click on it and select Properties. In the new dialog box, first check that you have the right item, then look for the lines Startup Type and Service Status (in the middle). Click the Stop button to get Service Status: Stopped then open the list next to Startup Type and select Disabled. Click OK to close the dialog.

Do the same for PC Tools Auxiliary Service/sdAuxService.

Close the Computer Management window.

After a reboot, your HJT log should (I hope) be clean.

(Note to other experts: This has not actually deleted the entries in CurrentContolSet, but they are now benign.)

.

#11 noknojon

noknojon

    Lunar Novice

  • Member
  • 45 posts

Posted 15 August 2009 - 05:47 AM

Thank you all for your help with this - (James A and greenknight) -
After following your very effective (and brief - Ha Ha) instructions we finally appeared to have stopped the process -
As you mentioned they may not be fully deleted, but they no longer are operating in the system -
This leaves one feeling that we have been at least 99.9% successful with removal (as was the original idea) -
I usually remove these things with the tools supplied at D/load time - But these 2 items were 'rogues' without removal tools -
Again thank you for your time and advice - Regards John -

#12 James_A

James_A

    Lunar Regular

  • contributor Contributor
  • 604 posts

Posted 15 August 2009 - 11:37 AM

... we have been at least 99.9% successful with removal ...

;) ;)

#13 noknojon

noknojon

    Lunar Novice

  • Member
  • 45 posts

Posted 16 August 2009 - 05:09 PM

Well James .... You know what I mean -
As you said (not actually deleted ... but they are now benign) -
The process has been stopped and I hope nobody else plays with any settings to reactivate it - ;)
Thanks anyway mate - ;)