CLEAN UP



#1 senseless (Members, 56 posts)

Posted 28 September 2011 - 09:27 PM

I inherited an elderly Compaq laptop with huge software issues, trouble downloading anything, and trouble running anything.

I did the best I could to clean the machine.
Malwarebytes found multiple issues, and concluded successfully.
And then did Spybot, more stuff.

Then I tried running Combofix, but it will not run.
I know, I read the pinned stuff.

But maybe the laptop is still messed up with malware.

I used the DiXML program to copy the hard drive to an external before running Combofix.

The OS seems to be fine, despite my naive effort running Combofix without a professional advisor on board.

Any help will be appreciated.

Edited by hamluis, 30 September 2011 - 09:04 AM.
Moved from XP to Am I Infected.



#2 Eleet PCs (Members, 2 posts)

Posted 29 September 2011 - 02:04 AM

It ultimately comes down to how much processing power and RAM you have for your computer.

Some programs and tweaks I can suggest to try and speed things up a bit:

1) CCleaner - cleans out old/temp files. Overall clean up of your hard drive. Also checks your registry for any errors.

2) Remove any unnecessary items from your startup when Windows boots.

3) Windows defragmenter.

#3 noknojon (Banned, 10,871 posts)

Posted 29 September 2011 - 02:20 AM

http://www.google.com.au/url?sa=t&rct=j&q=tfc%20cleaner&source=web&cd=1&ved=0CBoQFjAA&url=http%3A%2F%2Fwww.geekstogo.com%2Fforum%2Ffiles%2Ffile%2F187-tfc-temp-file-cleaner-by-oldtimer%2F&ei=TRqETqj_IaOZiAf3tbCjDw&usg=AFQjCNHyCea0OOW-mMXJv5b5vk9V9zWJlA
A link to TFC Cleaner - Safer than CCleaner if you are not sure how to set it up correctly -

Open Defrag from Accessories > System tools , run Analyse to see how much free space you have (15% Minimum to defrag) -
If you can, then click Defrag -

Go to Start > Control Panel > Add/Remove and look for any unrequired programs and click to remove -

Post back after this and we will try to add more help.

Regards -

EDIT - "Overall clean up of your hard drive. Also checks your registry for any errors"
Any tool that claims to know your registry (Registry Cleaner) is generally garbage -

Edited by noknojon, 29 September 2011 - 02:24 AM.


#4 hamluis (Moderator, 56,299 posts)

Posted 29 September 2011 - 09:42 AM

I don't understand...you say that the O/S is fine...yet you assert the possibility of malware issues.

In any case...since it's a Compaq system, the best way of "cleaning it up" would probably be to employ the restore/recovery mechanism applicable to that particular system, IMO.

Louis

#5 Eyesee (BC Advisor, 3,545 posts)

Posted 29 September 2011 - 11:49 AM

That is exactly what I would do as well.
Since you inherited the system you have no idea what the previous owner did.

If the recovery partition is intact you can restore the system back to an "out of the box" state & then you know that it is clean. I believe it is F10 from the Compaq splash screen to start the recovery.

If this works, after the system is reinstalled, check to see if there is a way to make recovery DVDs in case you need them in the future.

In the beginning there was the command line.

#6 senseless (Topic Starter, 56 posts)

Posted 29 September 2011 - 02:10 PM

Thanks for the suggestions.

I "inherited" the machine from a friend who had a bad crash, and is in rehab for a while.
I thought I could do him a favor by cleaning up his woeful computer.
He got it from a friend years ago; it came from a work environment.

Compaq Evo 800c
Intel Pentium 4-M 2000.0 MHz
Windows XP Pro
512 MB RAM
40 GB hard drive

There was crap installed that prevented him from opening programs, downloading, etc.
Firewall and antivirus were defeated.
Malwarebytes got rid of 40+ infections, but would only open after I renamed the exe file.
Spybot found a bunch more, including something called TDSS.

It took 2 days to get windows updated.
Now running SP3.

I purged as much as I could, useless junk from Verizon, McAfee etc.
Worked through the startup list.
Ran CCleaner on the registry, etc, for what it's worth.
Ran the temp tool recommended by noknojon, thanks.
Defragged...took a while.
Pulled the keyboard and blew out the fan dust.

Scanned online with eset.
Installed Avast and Zonelabs firewall.
Bought 1g of RAM off eBay, should be here tomorrow.

I copied the Hard drive to an external using DriveImageXML.

Then I tried running Combofix to see whatever else it might find.
But the program hangs at the scanning stage, where it says "This typically doesn't take more than 10 minutes..."
I let it "run" for 12 hours, but finally had to abort.

I was just trying to make sure the machine is clean.
There was so much junk that I am still not sure.
Why does Combofix hang?

It seems to be working fine though.
RAM might improve speed a little.

I am not sure this machine has a recovery partition.
How do I figure that out?

F10 gets me into the setup menu.
ESC gets me the system boot options, including "Recovery console".
F8 gets me other boot options, like safe mode.

If I choose Recovery console, I am then asked which Windows installation I would like to log in to.
Only option is C:\WINDOWS.
What happens if I do that?

Thanks again, I am trying to learn all I can!

#7 Queen-Evie (Members, 16,485 posts)

Posted 29 September 2011 - 08:06 PM

It's easy to find out if there is a recovery partition.

Open up My Computer from the desktop or start menu.

It will be listed under Hard Disk Drives. It may be drive D (that is the drive letter on the Compaq I inherited from my mother).

Since the computer is an older model, it may not have the recovery partition. I did a quick search of the model number and found this:

"Each unit is shipped with a series of CDs in a kit for quick OS recovery (erases hard disk and restores manufacturer installed image) and software recovery (installs only selected standard software)"

http://h18000.www1.hp.com/products/quickspecs/11344_na/11344_na.html


Edited by Queen-Evie, 29 September 2011 - 08:09 PM.


#8 senseless (Topic Starter, 56 posts)

Posted 29 September 2011 - 10:38 PM

Thank you, Queen-Evie.
This machine has no recovery partition.
And I have no discs for it.
But I did clone the drive to an external, in case I screw it up.

I am not sure the system is free from malware in general, although it is functioning 110% better than it was when I got it.

I just ran Spybot and it found these reg entries:

Win32.TDSS.reg: [SBI $49F79F46] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uacd.sys\modules

Win32.TDSS.reg: [SBI $5B0C8C8E] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uacd.sys\imagepath

Win32.TDSS.reg: [SBI $884BEB98] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uacd.sys

Spybot (and malwarebytes) were already used to remove crap from this system.
Spybot already removed other TDSS entries, supposedly.

I will let Spybot remove these entries.

Where did this (new) crap come from?
Are these false positives?

Can you recommend another scan and log to post for further evaluation of this system?
I am trying to make it as healthy as possible, and without the option of a format/reinstall of the OS.
I know it's antiquated, but not everyone needs the latest hardware for email and such.

Thanks so much!

#9 Queen-Evie (Members, 16,485 posts)

Posted 29 September 2011 - 10:56 PM

SuperAntiSpyware is an excellent program. I suggest you install, update, and then scan with this program. Consider running it in safe mode.

Malware comes in so many forms that multiple tools are needed.

SAS may find something the others have missed.

#10 senseless (Topic Starter, 56 posts)

Posted 30 September 2011 - 08:36 AM

Queen-Evie,
I ran the SAS overnight, not in safe mode.
It finished the scan, but the computer crashed and rebooted.

Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/30/2011 at 01:35 AM

Application Version : 5.0.1128

Core Rules Database Version : 7740
Trace Rules Database Version: 5552

Scan type : Complete Scan
Total Scan Time : 01:11:13

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 477
Memory threats detected : 0
Registry items scanned : 36694
Registry threats detected : 46
File items scanned : 54072
File threats detected : 6

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACd
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACc
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacbbr
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACproc
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACsr
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uaclog
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacmask
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacurls
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacerrors
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacserf
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\Enum#1
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\Enum#INITSTARTFAILED
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#EPROCESS_LEOffset
HKLM\SOFTWARE\UAC#EPROCESS_NameOffset
HKLM\SOFTWARE\UAC#uncc
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\connections#915b3008
HKLM\SOFTWARE\UAC\connections#7d72e91c
HKLM\SOFTWARE\UAC\connections#20d04c0a
HKLM\SOFTWARE\UAC\connections#fe8cd514
HKLM\SOFTWARE\UAC\connections#f2065612

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\10OPLJP7.txt [ /2o7.net ]
C:\Documents and Settings\Administrator\Cookies\126Y4J32.txt [ /www.googleadservices.com ]

Adware.Vundo/Variant
HKU\S-1-5-21-3000887322-1850456698-4159782051-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKU\S-1-5-21-3000887322-1850456698-4159782051-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}

Rogue.Agent/Gen-Nullo[EXE]
C:\WINDOWS\GESOBOQY.EXE

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SYSTEM32\BERYTA.DLL
C:\WINDOWS\SYSTEM32\SALYJI.DLL

Rogue.Agent/Gen-Nullo[BIN]
C:\WINDOWS\SYSTEM32\VAFE.BIN
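The Spybot entries in post #8 and the SUPERAntiSpyware log above both point at the same thing: a service named uacd.sys registered under the Services tree of the SYSTEM hive, which SAS labels Rootkit.Agent/Gen. The Python script below is an added example, not part of this thread and not code from either scanner. It parses a log in this layout, groups detections by category, counts registry versus file items, and reports any service key whose name ends in .sys so that a reader can pick the item that matters out of a long list. The layout rules (a category is a dotted line such as Rootkit.Agent/Gen with no backslash; the non-blank lines under it are its items) are assumptions read off the posted log, and the two excerpts embedded in the script are constructed from lines posted in this thread.

```python
"""Summarise anti-malware scan output and flag driver service registrations.

Added example, not part of the BleepingComputer thread or of SUPERAntiSpyware
or Spybot. The log layout rules below are assumptions taken from the posted
log: a category line looks like "Rootkit.Agent/Gen" (no backslash), and the
non-blank lines that follow it are the items it covers.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the SUPERAntiSpyware log in post #10.
SAS_EXCERPT = """\
SUPERAntiSpyware Scan Log
Registry threats detected : 46
File threats detected : 6

Rootkit.Agent/Gen
HKLM\\SYSTEM\\CurrentControlSet\\Services\\uacd.sys
HKLM\\SYSTEM\\CurrentControlSet\\Services\\uacd.sys#imagepath
HKLM\\SYSTEM\\CurrentControlSet\\Services\\uacd.sys\\modules#UACd
HKLM\\SOFTWARE\\UAC#build

Adware.Tracking Cookie
C:\\Documents and Settings\\Administrator\\Cookies\\10OPLJP7.txt [ /2o7.net ]

Rogue.Agent/Gen-Nullo[EXE]
C:\\WINDOWS\\GESOBOQY.EXE
"""

# Constructed excerpt modelled on the Spybot entries in post #8.
SPYBOT_EXCERPT = """\
Win32.TDSS.reg: [SBI $49F79F46] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\Services\\uacd.sys\\modules

Win32.TDSS.reg: [SBI $884BEB98] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\Services\\uacd.sys
"""

# A category line: a dotted name such as Rootkit.Agent/Gen or Win32.TDSS.reg,
# never containing a backslash (registry keys and file paths always do).
CATEGORY_RE = re.compile(r"^[A-Z][A-Za-z0-9]*\.[^\\]*$")

# A service key under the live control set or a numbered one; group 1 is the
# service name.
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\#]+)",
    re.IGNORECASE,
)


def parse_scan_log(text):
    """Map each detection category to the list of items reported under it."""
    findings = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes the current category
            continue
        if CATEGORY_RE.match(line):
            current = line
            findings[current]       # register the category even if it stays empty
            continue
        if current is not None:     # header lines before any category are skipped
            findings[current].append(line)
    return dict(findings)


def normalise_key(item):
    """Drop the '#value' suffix and shorten the long hive name to HKLM."""
    key = item.split("#", 1)[0]
    return re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", key, flags=re.IGNORECASE)


def driver_services(findings):
    """Service names under the Services tree whose name ends in .sys.

    A service registered under its own driver file name is the pattern both
    scanners flagged in this thread (uacd.sys), so it is surfaced first.
    """
    names = set()
    for items in findings.values():
        for item in items:
            match = SERVICE_KEY_RE.match(normalise_key(item))
            if match and match.group(1).lower().endswith(".sys"):
                names.add(match.group(1).lower())
    return names


def summarise(findings):
    """Counts by kind plus the driver services, as a plain dict."""
    all_items = [item for items in findings.values() for item in items]
    registry = sum(1 for item in all_items if item.upper().startswith("HK"))
    return {
        "categories": len(findings),
        "registry_items": registry,
        "file_items": len(all_items) - registry,
        "driver_services": sorted(driver_services(findings)),
    }


if __name__ == "__main__":
    for name, text in (("SUPERAntiSpyware", SAS_EXCERPT), ("Spybot", SPYBOT_EXCERPT)):
        print(name, summarise(parse_scan_log(text)))
```

Run as-is it prints a summary for each constructed excerpt; to use it on the full log, read the saved log file into a string and pass it to parse_scan_log. The script only reads text, so it is safe to run on a clean machine against a log copied from the infected one; the .sys service check is deliberately narrow, and a hit means "look at this entry first", not that the machine is otherwise clean.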

#11 senseless (Topic Starter, 56 posts)

Posted 03 October 2011 - 10:26 PM

I think that I have done everything that I can for this machine, thanks for the suggestions.

It has not crashed in the last day or so.

After getting bad sector reports, I ran the IBM/HITACHI drive fitness test, which confirmed problem sectors.
I opted to erase/overwrite the drive.
Then restored from the XML image that I made earlier, using the UBCD4 disc, etc.
The fix seems to have worked, bad sectors probably due to faulty data writes.

I removed a few more useless programs.

I appreciate any other suggestions for scanning, etc, that are offered.
Like I said, the system was pretty full of bad stuff when I got it.
How do I know that it is finally clean?

Thanks again.



