
(deleted)


This topic is locked

#1 grendel99
New Member, 3 posts
Please disregard this request. As I said, it is for a machine that does not belong to me, and the owner of the machine wishes it returned since I've gotten rid of most of the issues with it - it seems they are desperate to back up some of the data on it that they feared was lost when the machine started acting up.

I know they still have some issues here, but as of this moment, it seems to be running pretty well. Perhaps she will want to have it cleaned completely after she's retrieved her documents. If so, I'll do new scans and start a new thread.

Keep up the good work GtGers...

-Bill

*****

OK, I'm trying to clean up a laptop for a friend (actually, the daughter of a friend, but no need to get all technical about that)...

It's a Dell Inspiron 1000 with XP Home installed, and it looks like SP2 has already been installed.

When I got the machine from her, it was clearly infected by MANY viruses and spyware issues. Her desktop kept refreshing and reporting problems with Active Desktop and it just wouldn't stop - AD error messages, icons flashing and refreshing nonstop, etc.

So I did the trendmicro online scan and found a bunch of issues, I installed Ad-Aware and deep-scanned with default settings and found a bunch more. In fact, I ran both of those scans several times and each time it found a few more, but I could also tell that things were improving significantly.

As of now, most of the issues seem to be gone. The system boots up fine (no flashing desktop). There are a few remaining issues - namely a yellow exclamation point (System Alert) that appears in the taskbar occasionally with a message - sometimes it's a general message about spyware, sometimes it's a message saying that spyware (or a specific strand of spyware like "the latest internet worm") has been detected... I've received Critical System Error popups that I think are related, too. Double clicking on the exclamation point pulls up an IE browser advertising for some spyware/virus "removal" program or other.

Obviously, I'd like to get rid of the last little bit of spyware before getting the laptop back to its owner, although I suspect that it won't take long for her to have issues with this machine again, given some of the software they have installed on this machine. Oh, well.

In searching for more info on the System Alert business, I came across this site. What luck! So I read through the things you were supposed to do before posting a HJT log, and here's what I did:

- Installed and ran CleanUp! and restarted windows as requested at the completion of the process.

- Configured Ad-Aware SE as specified in the GtG forum and scanned. There were 5 New Critical Objects and 32 Negligible Objects, I selected all for deletion and forgot to save the log first. So I rescanned, and this time 2 Negligible objects were found. I saved the log and then removed the negligible objects.

- Ran CWShredder. It found and removed CWS.SmartSearch.

- Installed Search & Destroy and updates. Did Check for Problems - 262 problems found. Fixed selected problems; it said some could not be removed and suggested I run it on reboot. I did, and it found another 45. Fixed selected problems, but again, not everything could be removed. What remains is 40 problems related to Smitfraud-C.

- Before all of the above, I'd done the trendmicro housecall thing a couple of times. The first couple of times, it found lots of things, the last couple, not much.

- Installed ewido demo, updated and scanned. Removed 15 infections.

This system has McAfee Security Center installed, so I am not installing any additional antivirus programs at this time, although I think her virus definitions are outdated and that she no longer has updates for McAfee. I told her about AVG (I use it myself), and she asked a computer repair guy about it (I'm only doing this as a friend and do not do computer repair for pay), and he said he didn't like AVG. His recommendation was for antivirus software from Panda, which he'd be more than happy to install on her system for $70 ($50 for the software and $20 for installation). I told her that I thought AVG was thought to be quality software as far as I knew and that while Panda may be very fine, I suspect that part of the motive behind his recommendation was tied to the $70, but I am a skeptic.

So, anyway, here are the ewido and HJT logs...

ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:27:51 PM, 9/4/2005
+ Report-Checksum: BCC6DD3C

+ Scan result:

HKU\S-1-5-21-1314181311-2351726761-851918075-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1314181311-2351726761-851918075-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C886256C-7A63-4213-AD2F-02AD3735DF06} -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Cookies\hope parsons@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Cookies\hope parsons@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Cookies\hope parsons@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Cookies\hope parsons@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Cookies\hope parsons@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Cookies\hope parsons@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Cookies\hope parsons@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Hope Parsons.HOPE\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000248.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000272.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\SYSTEM32\LogFiles\DA7021900.so -> TrojanDownloader.Small.baz : Cleaned with backup
C:\WINDOWS\SYSTEM32\msole32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\ole32vbs.exe -> Trojan.Favadd.aj : Cleaned with backup


::Report End

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:32 PM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\MP3Downloading\bindata.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\MP3Downloading\bindata.exe" -tray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
I would greatly appreciate any assistance!

Thanks!

-Bill

Edited by grendel99, 05 September 2005 - 02:43 PM.

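The two logs in the post above show the usual division of labour in a cleanup like this: ewido catches executables dropped into SYSTEM32 under names that imitate ole32.dll, while the HijackThis log lists the autoruns and services that a helper reads through by eye. As an added example (not part of Bill's post, and not a tool from HijackThis or ewido), here is a small Python triage script that parses HJT v1.99-style lines and applies a few of the checks a helper makes by hand: process and autorun names that imitate core system files, Run values that are bare file names resolved through the search path, blank IE start-page values, O16 ActiveX download entries, and O23 services HijackThis could not attribute to a publisher. The sample log is constructed from lines in the post, with the two SYSTEM32 executables from the ewido report added to the process list so the lookalike check has something to fire on; the heuristics, the list of imitated names and all function names are my own assumptions, not HJT rules.

```python
"""Triage a HijackThis (HJT) v1.99-style log: parse entries, apply review heuristics.

Added example for this thread, not code from the original post or from the
HijackThis project. Every check below is a heuristic of my own; a hit means
"look at this", not "this is malware".
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample: lines taken from the HJT log in the post, plus the two
# SYSTEM32 executables ewido reported, added to the process list by hand.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\msole32.exe
C:\WINDOWS\SYSTEM32\ole32vbs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass
class Finding:
    line: str    # the log line (or process path) that triggered the check
    reason: str  # what to verify


ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"Service: (?P<desc>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'"?(?P<exe>.*?\.exe)', re.IGNORECASE)

# Core Windows file names that droppers of this era liked to imitate (assumed
# list). An exact match is the genuine file; a name that merely contains the
# stem (msole32.exe, ole32vbs.exe) is worth a look.
GENUINE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
           "svchost.exe", "explorer.exe", "ole32.dll"}
STEMS = tuple(PureWindowsPath(n).stem for n in GENUINE)


def lookalike_stem(path: str) -> Optional[str]:
    """Return the system-file stem this file name imitates, or None."""
    name = PureWindowsPath(path).name.lower()
    if name in GENUINE:
        return None
    return next((s for s in STEMS if s in name), None)


def exe_from_command(cmd: str) -> str:
    """Pull the executable path out of a Run value such as '"c:\\x\\y.exe" /flag'."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            stem = lookalike_stem(line)
            if stem:
                findings.append(Finding(line, f"process name imitates {stem}; verify the file on disk"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append(Finding(line, "blank IE start/search value; set it explicitly after cleanup"))
        elif kind == "O4":
            run = RUN_RE.search(body)
            if not run:
                continue                  # Global Startup .lnk entries are skipped
            exe = exe_from_command(run.group("cmd"))
            if PureWindowsPath(exe).parent == PureWindowsPath("."):
                findings.append(Finding(line, f"bare file name {exe!r} is resolved via the search path; confirm which copy runs"))
            stem = lookalike_stem(exe)
            if stem:
                findings.append(Finding(line, f"autorun binary imitates {stem}"))
        elif kind == "O16":
            findings.append(Finding(line, "ActiveX download (DPF) entry; remove unless you recognise it"))
        elif kind == "O23":
            svc = SERVICE_RE.search(body)
            if svc and svc.group("owner").lower() == "unknown owner":
                findings.append(Finding(line, f"service {svc.group('short')} has no publisher info; check the file's signature/version"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it as a script to print the findings for the sample, or call triage() on the text of a saved log. The checks only prioritise entries for a human to review: a bare Run value such as AGRSMMSG.exe can be a perfectly legitimate vendor entry, which is exactly why the script asks which copy actually runs rather than calling it bad.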