
Difficulty Getting On Internet


#1 curlylox

curlylox

  • Members
  • 7 posts

Posted 04 November 2007 - 08:27 PM

I'm trying to fix my Grandson's computer. He is in college and does all those things one shouldn't do: instant messaging, chat rooms, downloading from questionable sources, so every once in a while.....
He has a Dell Dimension 2400, OS Windows XP SP2, about 3 years old. He has been having popups and slowdowns and is often unable to get on to the internet (sbcglobal DSL).
I ran AVG Free Antivirus, AVG Anti Rootkit, Spybot Search and Destroy, Ad-Aware, SuperAntiSpyware, then downloaded and installed SpywareBlaster and SpywareGuard. It still doesn't feel "right", though it seems to be virus free, and no rootkits turned up. Any suggestions? I would love to be a hero to my grandson.
Sincerely,

Curleylox


#2 oldf@rt

oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 04 November 2007 - 08:39 PM

Most of that series of Dell that I have seen, IMHO, do not have enough RAM! Let us know how much RAM it has; also, try another scan just to be sure, with Dr Web Cure It.

Edited by oldf@rt, 04 November 2007 - 08:40 PM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 curlylox

curlylox
  • Topic Starter

  • Members
  • 7 posts

Posted 05 November 2007 - 12:07 PM

Thank you, Old F@rt. I downloaded and ran Dr.Web Cure It. It did find some things that I "cured", but there were about 5 items at the end of the scan that were "C;//Windows/System32." Cure It didn't delete them and said something about Hacktools. Should I run it again and delete these?
Sincerely,

Curleylox

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,574 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 November 2007 - 12:57 PM

Can you describe what type of pop ups he is getting, what they say, where on the screen they show, etc.?

Also see Its not always malware: How to fix the top 10 Internet Explorer issues.

Could you post the DrWeb.csv report? You can use Notepad to open it. Without more information (specific name of the file, its location) it's difficult to tell what you're dealing with.

Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, and reboot.exe, may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", not-a-virus, or even "Spyware-Adware".

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. Potentially unwanted or "Hacking tool" does not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 curlylox

curlylox
  • Topic Starter

  • Members
  • 7 posts

Posted 05 November 2007 - 02:23 PM

Thank you, quietman7. I didn't see the pop-ups; when I started working on it, he couldn't get on the internet, so I just started the scans. When I finally got back on line, they were gone.
Here are the scan results from Dr Web Cure It; I can send the whole scan if you want it:

Objects scanned: 881
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 2741 Kb/s
Scan time: 00:01:27
-----------------------------------------------------------------------------

[Scan path] C:\
>C:\$VAULT$.AVG\45649688.FIL - decompression error
>C:\$VAULT$.AVG\59445140.FIL - decompression error
>C:\$VAULT$.AVG\59446031.FIL - decompression error
>>C:\$VAULT$.AVG\59446109.FIL is an adware program Adware.Duncan
>>C:\$VAULT$.AVG\59446187.FIL is an adware program Adware.Duncan
>>C:\$VAULT$.AVG\59446250.FIL is an adware program Adware.Duncan
C:\Program Files\AIM\Sysfiles\WxBug.EXE is an adware program Adware.Aws
C:\Program Files\Common Files\Motive\InstallHelper.exe probably infected with MULDROP.Trojan
C:\SDFix\apps\Process.exe is a hacktool program Tool.Prockill
>>C:\VundoFix Backups\ajrrfbws.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\bgmrfdxe.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\bqdahdht.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\Copy of ajrrfbws.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\csdbhqkp.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\fchyjucl.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\khfgdcc.dll.bad infected with Trojan.Virtumod - deleted
>>C:\VundoFix Backups\lwxbruge.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\prtojyof.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\pvhlucfj.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\qkqccfkl.dll.bad infected with BackDoor.Iterator - deleted
C:\VundoFix Backups\siafyehd.exe.bad is an adware program Adware.TopSearch
>>C:\VundoFix Backups\tidchang.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\vtjfmivl.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\vtkbndpv.dll.bad infected with BackDoor.Iterator - deleted
>>C:\VundoFix Backups\wxqamlso.dll.bad infected with BackDoor.Iterator - deleted
>C:\WINDOWS\cms32.exe infected with Win32.HLLW.MyBot.based - deleted
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx is an adware program Adware.Gdown
>C:\WINDOWS\SYSTEM32\mjinjgko.dll is an adware program Adware.Crew
>C:\WINDOWS\SYSTEM32\naljseob.dll is an adware program Adware.Crew
C:\WINDOWS\SYSTEM32\process.exe is a hacktool program Tool.Prockill
C:\WINDOWS\SYSTEM32\restart.exe is a hacktool program Tool.ShutDown.11

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 159658
Infected objects found: 16
Objects with modifications found: 0
Suspicious objects found: 1
Adware programs found: 8
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 3
Cured: 0
Deleted: 16
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 228 Kb/s
Scan time: 01:07:42
-----------------------------------------------------------------------------

=============================================================================
Total session statistics
=============================================================================
Objects scanned: 160539
Infected objects found: 16
Objects with modifications found: 0
Suspicious objects found: 1
Adware programs found: 8
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 3
Cured: 0
Deleted: 16
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 281 Kb/s
Scan time: 01:09:09
=============================================================================

I appreciate this, thank you,

curleylox

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,574 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 November 2007 - 02:44 PM

There was a decompression error with some items found in AVG's vault. Compressed files can cause problems when a scanner tries to unpack them. This is a common issue with these types of files. The other files in the vault were malware. When a program quarantines a file or moves it into a virus vault (chest), that file is safely held there (and no longer a threat) until you take action to delete it. One reason for doing this is to prevent deletion of an essential file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the file in the vault is known to be bad, you can delete it at any time so they will not be flagged again by another scanning tool.

Someone used SDFix, which is a legit specialized fix tool used against backdoor Trojans, and it was detected as a hacktool. Same goes for the embedded files, process.exe and restart.exe. The tool is frequently updated, so you can delete the entire folder. If it's needed again, it's best to download the most current version.

Someone also used VundoFix to remove vundo related malware files. They are placed in a backup folder and were detected by your scan. You can delete the entire folder so they will not be detected again.

Let's do a little more clean up. Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

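As an added illustration of the triage quietman7 lays out in posts #4 and #6 (this is example code written for this page, not code from the thread or from Dr.Web), the script below sorts Dr.Web CureIt log lines into detections already deleted, inert copies sitting in the AVG vault or the VundoFix backup folder, fix-tool helpers flagged as hacktools, and live items that still deserve attention. The folder and helper names it keys on are the ones named in the thread; the sample lines are constructed from the posted log.

```python
import re
from collections import Counter

# Constructed sample in the format of the Dr.Web CureIt log posted in the
# thread; the paths and verdicts are taken from that log.
SAMPLE_LOG = """\
>C:\\$VAULT$.AVG\\45649688.FIL - decompression error
>>C:\\$VAULT$.AVG\\59446109.FIL is an adware program Adware.Duncan
C:\\Program Files\\Common Files\\Motive\\InstallHelper.exe probably infected with MULDROP.Trojan
C:\\SDFix\\apps\\Process.exe is a hacktool program Tool.Prockill
>>C:\\VundoFix Backups\\Copy of ajrrfbws.dll.bad infected with BackDoor.Iterator - deleted
>C:\\WINDOWS\\cms32.exe infected with Win32.HLLW.MyBot.based - deleted
C:\\WINDOWS\\SYSTEM32\\GTDownDE_87.ocx is an adware program Adware.Gdown
C:\\WINDOWS\\SYSTEM32\\restart.exe is a hacktool program Tool.ShutDown.11
"""

# Folders that hold quarantined or backed-up copies rather than running code.
QUARANTINE_DIRS = {"$VAULT$.AVG", "VundoFix Backups"}
# Helpers embedded in fix tools that scanners label "hacktool" (see post #4).
FIXTOOL_HELPERS = {"process.exe", "restart.exe", "reboot.exe", "smiupdate.exe"}

LINE_RE = re.compile(
    r"^>*(?P<path>[A-Za-z]:\\.*?)"
    r"(?: - decompression error"
    r"| is an? (?P<kind>adware|hacktool) program (?P<name>\S+)"
    r"| (?:probably )?infected with (?P<name2>\S+))"
    r"(?P<deleted> - deleted)?$"
)

def classify(line):
    """Return (path, verdict, category) for one log line, or None if it is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    verdict = m.group("name") or m.group("name2") or "decompression error"
    parts = path.split("\\")
    if verdict == "decompression error":
        cat = "unreadable"      # packed item the scanner could not open; no verdict
    elif m.group("deleted"):
        cat = "removed"         # CureIt already deleted it
    elif QUARANTINE_DIRS & set(parts):
        cat = "quarantined"     # inert copy; delete the whole folder
    elif m.group("kind") == "hacktool" and (parts[-1].lower() in FIXTOOL_HELPERS or "SDFix" in parts):
        cat = "fixtool-helper"  # legitimate helper flagged by name, not malware
    else:
        cat = "live"            # still present on the running system: investigate
    return path, verdict, cat

def triage(log_text):
    """Classify every detection line; returns (rows, Counter of categories)."""
    rows = [r for r in map(classify, log_text.splitlines()) if r]
    return rows, Counter(cat for _, _, cat in rows)
```

Run `triage(SAMPLE_LOG)` and only the "live" rows (here GTDownDE_87.ocx and InstallHelper.exe) are the ones that still need a decision; everything else is either gone already or a copy that can be deleted with its folder.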

#7 curlylox

curlylox
  • Topic Starter

  • Members
  • 7 posts

Posted 05 November 2007 - 05:08 PM

Here is the log from SUPERAntiSpyware.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/05/2007 at 03:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3337
Trace Rules Database Version: 1338

Scan type : Complete Scan
Total Scan Time : 00:49:40

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 6347
Registry threats detected : 1
File items scanned : 37398
File threats detected : 1

Adware.WebNexus
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Win Server Updt [ C:\WINDOWS\wupdt.exe ]

Adware.UCMore
C:\WINDOWS\..\UCmore - The Search Accelerator

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,574 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 November 2007 - 07:27 PM

How is the computer running now?

#9 curlylox

curlylox
  • Topic Starter

  • Members
  • 7 posts

Posted 05 November 2007 - 07:40 PM

Seems good. It is staying on the internet with no freezes, and is nice and snappy.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,574 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 November 2007 - 08:09 PM

Good job.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#11 curlylox

curlylox
  • Topic Starter

  • Members
  • 7 posts

Posted 05 November 2007 - 08:43 PM

Thank you so much for all the help. Now if I can just talk Grandson into staying out of low places, with their viruses and trojans. I'm going to steer him toward all those great tutorials on this site.

curlylox

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,574 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 November 2007 - 09:27 PM

You're welcome.

To protect himself against malware and reduce the potential for re-infection, have your grandson read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".
