Reinstallers?


#1
Maineiac (New Member, 8 posts)
I've been going around and around with a computer that I brought home from my part-time employer's office. It got "early retirement" because it was so crapped up with barfware that it was unusable.
I've run Ad-Aware, Spybot S&D, Norton AV and HJT! on it several times now. It's showing some improvement, and I haven't seen M$ Internet Exploder randomly open up for a while, but I want to make sure. (IE doesn't ask ZoneAlarm if it can access the 'Net, it just spits out a couple of popups while I'm using Firefox. I installed Firefox on that machine to have something safe to get all the anti-crapware utilities and updates with.)

Now HJT! keeps finding 3 suspicious BHOs, and I can't seem to kill them off. I'm on my own (clean and much faster) computer, so I can't post the HJT! log from the other one, but the problems are {00000000-0000-0000-0000-000000000221}, {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}, (ClearSearch/SideSearch, etc.) and {0199DF25-9820-4bd5-9FEE-5A765AB4371E} AKA "IncrediFind."
I keep seeing a file called [AMCW4] AMCW4.EXE showing up in HKLM\..\Run. It's in the Windows Temp folder. Right-clicking for Properties=>Version shows no info, where most files list the company name, etc. I'm suspicious of it, but can't find any info via Google.
Another one that doesn't quite look right to me is called [qn5T36V] DSE_CI32.EXE, also in HKLM\..\Run. While the Windows "Find" will say that AMCW4 is in the Temp folder, it can't seem to locate DSE_CI32.
Also suspicious to me is [bCu3RWZnV] FINBLE3.EXE, another HJT! O4, and another HKLM\..\Run. Windows doesn't "Find" that one, either.
It makes me wonder if one or more of those might be reinstalling the barfware. Google doesn't return anything on any of those filenames, and there are only two hits on the {0199DF25-etc} number. I found some removal instructions by Googling on "IncrediFind," but none of the numbers match up. I've tried "IncFind" and "Incfin" as Windows files/folders, but no joy. I've trashed them several times with HJT! in Safe mode, but when I restart, they're baaaaaaack.
Any guidance would be appreciated.

--
Doug
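Post #1 does three checks by hand for each HKLM\..\Run entry: whether Windows can find the file, whether it carries any version/company information, and whether it runs from the Temp folder; it also lists BHO CLSIDs without knowing which DLL each one maps to. The script below is an added example, written for this page rather than taken from the thread or from any of the tools it mentions. It is a read-only PowerShell audit that walks the Run/RunOnce keys and the Browser Helper Objects key, resolves each CLSID to its InprocServer32 DLL, and flags the same three warning signs so they can be reviewed together before anything is removed. The column names and flag strings are my own; the registry paths are the standard ones.

```powershell
# Added example (not from the thread): read-only audit of autorun entries and
# Browser Helper Objects. It reports; it deletes nothing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata that Get-ItemProperty attaches to every key; not real values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a Run value such as
#   "C:\WINDOWS\Temp\AMCW4.EXE" /s     or     C:\Program Files\x\y.exe -q
function Get-ExePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|dll|com|scr))(\s|$)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

# One audit record per autorun value, with the warning signs from post #1.
function Test-AutorunEntry {
    param([string]$Name, [string]$Command, [string]$Source)
    $path    = [Environment]::ExpandEnvironmentVariables((Get-ExePath $Command))
    $exists  = Test-Path -LiteralPath $path -PathType Leaf
    $company = ''
    $flags   = @()
    if (-not $exists) {
        $flags += 'file-not-found'              # the DSE_CI32 / FINBLE3 symptom
    } else {
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        if ([string]::IsNullOrWhiteSpace($company)) { $flags += 'no-version-info' }
        if ($path -match '\\Temp\\') { $flags += 'runs-from-temp' }   # the AMCW4 symptom
    }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Path = $path
        Exists = $exists; Company = $company; Flags = ($flags -join ',')
    }
}

# --- autorun entries -------------------------------------------------------
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        Test-AutorunEntry -Name $p.Name -Command ([string]$p.Value) -Source $key
    }
}

# --- Browser Helper Objects -----------------------------------------------
# Each subkey name is a CLSID; the DLL lives under HKLM\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $srvKey = "$clsKey\InprocServer32"
        $name   = if (Test-Path $clsKey) { (Get-ItemProperty -Path $clsKey).'(default)' } else { '' }
        $dll    = ''
        if (Test-Path $srvKey) {
            $dll = [Environment]::ExpandEnvironmentVariables(
                       [string](Get-ItemProperty -Path $srvKey).'(default)')
        }
        [pscustomobject]@{
            CLSID  = $clsid
            Name   = $name
            DLL    = $dll
            Exists = ($dll -ne '' -and (Test-Path -LiteralPath $dll -PathType Leaf))
        }
    }
}

"=== Autorun entries (flagged first) ==="
$autoruns | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
"=== Browser Helper Objects ==="
$bhos | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected machine and save the output before cleaning; re-running it after a reboot shows directly whether a removed Run entry or BHO has been re-registered, which is the "reinstaller" question the thread is trying to answer. A BHO whose CLSID has no Name and no DLL on disk, or a Run entry whose file cannot be found, is worth the same scrutiny the poster gives AMCW4.EXE.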


#2
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Hi Maineiac: Welcome to Geeks to Go.

You also may try:

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Please delete your temporary files. Double-click My Computer (WinXP: Navigate to Start --->My Computer).
You will see an icon representing your hard drive (most likely C: Drive). Right-click on the hard drive icon and click Properties at the
bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin



Copy and paste your HJThis log into an e-mail and e-mail it to your clean computer or save it on a floppy and post it in the Hijack This forum so we can see what is going on with your machine.

Edited by coachwife6, 04 October 2004 - 04:21 AM.


#3
Maineiac (Topic Starter, New Member, 8 posts)

> Hi Maineiac: Welcome to Geeks to Go.

Thanks, and thanks for the reply.

> {snip}
> Please delete your temporary files.{snip}
> On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
> Make sure the following are checked:
> Downloaded Program Files
> Temporary Internet Files and
> Recycle Bin

"Been there, done that." <_<
I'm starting to suspect that the Temporary Internet Files\Content\IE folder doesn't get emptied during all that, because I can still see it's stuffed full after a Cleanup. I may have to weed that one out manually. (Some of those files are about as "temporary" as a burdock.)

> Copy and paste your HJThis log into an e-mail and e-mail it to your clean computer or save it on a floppy and post it in the Hijack This forum so we can see what is going on with your machine.

I'll try those links you suggested, then post a log. (My own computer has cable, I have to drag out an extension cord to a phone jack for the company's machine.)

Back to the battle!

#4
Maineiac (Topic Starter, New Member, 8 posts)
I was unable to get the download of MooSoft's "The Cleaner." The link on CNet doesn't seem to work. But on the GeeksToGo home page, the little blurb for "Get rid of IncrediFind" caught my eye. I'm running SpyBouncer on that machine now. Of 93,382 Registry items scanned, it says 145 are infected. It's also found 20 infected cookies, and is still working on the files. It said five of those are infected, last time I looked.

I'll see what SpyBouncer can exorcise, then reboot and run HJT! once more. The malware seemed to return after a startup, so if it doesn't show up this time, life will be good.

#5
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Try getting The Cleaner from www.majorgeeks.com

#6
Maineiac (Topic Starter, New Member, 8 posts)

> Try getting The Cleaner from www.majorgeeks.com

Thanks, I finally did get it from the SnapFiles mirror. Ran it (took a little over an hour) and found no trojans.

I think I'm going to have to look at the list that SpyBouncer came up with, go into each and every Registry entry and dump them, then uncheck the item so I can keep track of what's been done. SB found a total of 173 items that it says are infected, everything from 180Solutions to Xupiter, but won't clean them because it's an unregistered copy. Some of it is stuff that HJT! pointed out earlier, but some of it never reared its head before. I wouldn't be surprised if Alexa, Bonzi Buddy, and all the other garbage really is there.

When I return that machine to the office, I oughta bill them for this project, unless they might hire me for a new position that's supposed to be coming up. I guess it might create more job opportunities for me if they think I know how to fix this stuff. <_<

Thanks again for looking over my posts.

#7
Maineiac (Topic Starter, New Member, 8 posts)
Update: I just ran Ad-Aware again, and it identified AMCW4.EXE as "Statblaster" (CSI Match). I had it fix the one it found, and ran HJT! again. HJT! said there was one more, so I had it fix that one.

Now that I have a better idea that some of the stuff in that \Run folder is probably malware, I'll put a whuppin' on a few more objects. If I have to do regedit with a flamethrower, I will. <_<