Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Wootbot.co Worm


  • This topic is locked This topic is locked
10 replies to this topic

#1 C J.

C J.

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 10 May 2006 - 11:48 PM

After getting a neighbors harddrive cloned and swapped, I encountered 122 viri/trojan/infectors on her system. it was so bad, her CPU was cranked at 100%. I shut of her System restore, and scanned in safe mode. All 122 items were quarantined. The three files I'm listing above the hijack log here - I cant find entries for but they keep reinstalling on reboot. They are:

Powerscan.exe
Sres32.exe
istsvc.exe

Minus the above three files this is the last hijack log I did.

Logfile of HijackThis v1.99.1
Scan saved at 9:46:13 PM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\WebRebates4\webrebates.exe
C:\Program Files\WebRebates4\w11150.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Lupe\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clickhere4search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10244&ttid=104
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.clickhere4search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clickhere4search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.thegaslighter.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;;<local>
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [t1MXo] C:\WINDOWS\ialct.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [qtin] C:\WINDOWS\qtin.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [window2] wintime.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Windows Compliant] mrgpiz.exe
O4 - HKCU\..\Run: [*windows update] wuacrlt.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:05 AM

Posted 11 May 2006 - 07:22 AM

Hello,

It looks like you didn't scan with a decent antispyware scanner before, because it should get rid of most entries here without any problem.

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder.
So I strongly advise to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

Webrebates
Admilli Service
Istbar /istsvc
180search assistant
Topsearch
Viewpoint Manager
Viewpoint
Viewpoint Media Player
Spyware Cleaner
<== this is a so called spyware remover with a bad reputation.

Reboot afterwards!!! Important.

Install a decent antispywarescanner:

Download Ad-aware version SE Personal 1.06 from one of these locations:

http://www.download.com/3000-2144-10045910.html
http://www.majorgeeks.com/download506.html

Install by double-clicking on the downloaded file.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version. Be sure to uninstall the previous version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.
12. Reboot your computer and post a new hijackthislog
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 C J.

C J.
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 11 May 2006 - 01:21 PM

Hello,

It looks like you didn't scan with a decent antispyware scanner before, because it should get rid of most entries here without any problem.

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder.
So I strongly advise to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

Webrebates
Admilli Service
Istbar /istsvc
180search assistant
Topsearch
Viewpoint Manager
Viewpoint
Viewpoint Media Player
Spyware Cleaner
<== this is a so called spyware remover with a bad reputation.

Reboot afterwards!!! Important.

Install a decent antispywarescanner:

Download Ad-aware version SE Personal 1.06 from one of these locations:

http://www.download.com/3000-2144-10045910.html
http://www.majorgeeks.com/download506.html

Install by double-clicking on the downloaded file.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version. Be sure to uninstall the previous version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.
12. Reboot your computer and post a new hijackthislog


Thanks miekiemoes:

Will do. I plan to finish up this ladys computer tonight. I'll post a new log then. People should always have some kind of firewall enabled ( ICF or Zonealarm) and have a good antivirus with a current subscription. Theres no excuse for not having both and this lady didn't. I've been fixing other peoples malware nightmares for years and because this person didn't do enough at the outset to insure her chances of catching infectors would be reduced, is why I'm here posting now. I plan to add a couple of items to her PC as well once she's infection free.

AdawareSE ==> Definitely. I couldn't download this lastnight or install it from a CD because everyattempt resulted in a corrupt file message, until I'd scanned with her updated antivirus in safe mode and stopped several processes I could see. Spywareblaster and CCleaner will be going on tonight with SE ==> as afterthoughts.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:05 AM

Posted 11 May 2006 - 01:32 PM

Ok, I will read you later.

I also recommend you use this tool as well to get rid of the wootbot leftovers:
http://www.f-secure.com/v-descs/wootbot.shtml

Also read here concerning Wootbot and the damage it can cause:
http://www.trendmicro.com/vinfo/virusencyc...BOT%2EJ&VSect=T
So keep in mind, not all damage can be fixed. Also, it is really important here that all passwords should be changed.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 C J.

C J.
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 12 May 2006 - 12:39 AM

Ok, I will read you later.

I also recommend you use this tool as well to get rid of the wootbot leftovers:
http://www.f-secure.com/v-descs/wootbot.shtml

Also read here concerning Wootbot and the damage it can cause:
http://www.trendmicro.com/vinfo/virusencyc...BOT%2EJ&VSect=T
So keep in mind, not all damage can be fixed. Also, it is really important here that all passwords should be changed.


New Hijackthis Log


Logfile of HijackThis v1.99.1
Scan saved at 9:24:47 PM, on 5/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak
Software Updater.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Lupe\Desktop\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
=
http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.thegaslighter.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1;http://localhost;;<local>
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -
C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
- C:\Program Files\Yahoo!\common\YIeTagBm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655}
- c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [t1MXo] C:\WINDOWS\ialct.exe
O4 - HKLM\..\Run: [VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client
Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program
Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [qtin] C:\WINDOWS\qtin.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search
assistant\180sa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [window2] wintime.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Windows Compliant] mrgpiz.exe
O4 - HKCU\..\Run: [*windows update] wuacrlt.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell
Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink
TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program
Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program
Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program
Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC
Self Support Tool\bin\matcli.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Services -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class)
- C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating
System Class) -
http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman
Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc -
c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -
McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) -
McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program
Files\Spyware Cleaner\SCService.exe (file missing)

Supplemental info:
System tested clean except for items that will have to be removed from this log. However, Microsoft Update had a critical update patch for IE waiting to be installed. Info provided from Update said the patch would check the SP2 installation prior to updating IE. It returned an error saying her installation was too unstable to proceed, and to uninstall and re-install sp2 to correct the problem. Bleeping Dell PCs :thumbsup:

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:05 AM

Posted 12 May 2006 - 01:27 AM

Hello,

The current formatting of your log makes it difficult to read, so in notepad:
On top, click Format >uncheck Word Wrap

I can't see anything malicious running in the current processes, however, you can never be sure here with this infection..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\Run: [t1MXo] C:\WINDOWS\ialct.exe
O4 - HKLM\..\Run: [qtin] C:\WINDOWS\qtin.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKCU\..\Run: [window2] wintime.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Windows Compliant] mrgpiz.exe
O4 - HKCU\..\Run: [*windows update] wuacrlt.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)


Check next entry if you receive a message everytime after reboot to insert a cd, next entry is not required anyway:

O4 - Global Startup: VTAgentReboot.exe

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Go to start > run and copy and paste next command in the field:

sc delete SpywareCleanerService Click ok.

Then look if next files still exist and delete them:

C:\Windows\System32\wuacrlt.exe (watch the spelling! Don't delete wuauclt.exe!)
C:\Windows\System32\mrgpiz.exe
C:\Windows\System32\systemwin32s.exe
C:\Windows\System32\wintime.exe
C:\WINDOWS\ialct.exe
C:\WINDOWS\qtin.exe
c:\program files\180search assistant <== folder

I still want you to run some additional scans, to make sure everything is gone. A good online scanner is Kaspersky. It doens't delete files, but it gives a report of what was found. It could be possible some false positives are present as well, that's why I need the log.
But before using the scan, I want you to perform next first, otherwise the log will be huge..

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then use next online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with a new hijackthislog.

Extra addition... I also want an export of some registry keys, so perform next:

Open notepad and copy and paste next bold from the quotebox in it:

regedit /e peek1.txt "HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
regedit /e peek4.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
type peek4.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick look.bat and notepad will open.
Copy and paste the contents also in your next reply.

However, Microsoft Update had a critical update patch for IE waiting to be installed. Info provided from Update said the patch would check the SP2 installation prior to updating IE. It returned an error saying her installation was too unstable to proceed, and to uninstall and re-install sp2 to correct the problem. Bleeping Dell PCs


Yes, uninstalling and reinstalling SP2 should be better, because you installed SP2 while this system was infected... and this is the reason why it is unstable. This is what they also say at the Microsoft site concerning SP2, to not to install it when a system is infected. So let's deal with the rest here now and then reinstall SP2.

By the way, please enable system restore again - it's a bad idea to shut it off, because in case something goes wrong (also during the SP2 install), you have no restore points to go back to. So better an infected restore point than no restore point at all. When this system is clean again, we can delete all previous restore points and create a new, clean one. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 C J.

C J.
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 12 May 2006 - 11:27 AM

Hello,

The current formatting of your log makes it difficult to read, so in notepad:
On top, click Format >uncheck Word Wrap

I can't see anything malicious running in the current processes, however, you can never be sure here with this infection..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\Run: [t1MXo] C:\WINDOWS\ialct.exe
O4 - HKLM\..\Run: [qtin] C:\WINDOWS\qtin.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKCU\..\Run: [window2] wintime.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Windows Compliant] mrgpiz.exe
O4 - HKCU\..\Run: [*windows update] wuacrlt.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)


Check next entry if you receive a message everytime after reboot to insert a cd, next entry is not required anyway:

O4 - Global Startup: VTAgentReboot.exe

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Go to start > run and copy and paste next command in the field:

sc delete SpywareCleanerService Click ok.

Then look if next files still exist and delete them:

C:\Windows\System32\wuacrlt.exe (watch the spelling! Don't delete wuauclt.exe!)
C:\Windows\System32\mrgpiz.exe
C:\Windows\System32\systemwin32s.exe
C:\Windows\System32\wintime.exe
C:\WINDOWS\ialct.exe
C:\WINDOWS\qtin.exe
c:\program files\180search assistant <== folder

I still want you to run some additional scans, to make sure everything is gone. A good online scanner is Kaspersky. It doens't delete files, but it gives a report of what was found. It could be possible some false positives are present as well, that's why I need the log.
But before using the scan, I want you to perform next first, otherwise the log will be huge..

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then use next online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with a new hijackthislog.

Extra addition... I also want an export of some registry keys, so perform next:

Open notepad and copy and paste next bold from the quotebox in it:

regedit /e peek1.txt "HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
regedit /e peek4.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
type peek4.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick look.bat and notepad will open.
Copy and paste the contents also in your next reply.

However, Microsoft Update had a critical update patch for IE waiting to be installed. Info provided from Update said the patch would check the SP2 installation prior to updating IE. It returned an error saying her installation was too unstable to proceed, and to uninstall and re-install sp2 to correct the problem. Bleeping Dell PCs


Yes, uninstalling and reinstalling SP2 should be better, because you installed SP2 while this system was infected... and this is the reason why it is unstable. This is what they also say at the Microsoft site concerning SP2, to not to install it when a system is infected. So let's deal with the rest here now and then reinstall SP2.

By the way, please enable system restore again - it's a bad idea to shut it off, because in case something goes wrong (also during the SP2 install), you have no restore points to go back to. So better an infected restore point than no restore point at all. When this system is clean again, we can delete all previous restore points and create a new, clean one. :thumbsup:


Okay, miekie... I've just printed all of this information off. At this point, We've got two ways that I can go. Since SP2 has already been uninstalled, its left her system vulnerable to even more attacks if its connected to the internet (she has no firewall) I suppose I could download a temporary firewall such as Kerio, and disable her McAfee Antivirus, and then deal with the SP2 issue once its completely cleaned out... her SP1 installation isn't all too great either to be honest with you. I suspect Windows installer, and 1/2 of her drivers are missing... to include the intel chipset because SP2 was removed.

OR... I could start over from scratch.

I could wipe her new harddrive, and then reclone the old harddrive to the new one.

I'd Start in safe mode a few times, in fact, I ran her Mcafee from a bootable CD disk I have - only this time I could disable the Windows Update and the system restore services temporarilly, until I get it back to where we were going into the new instructions, less stuff to deal with until I get it cleaned out.

What do you think?

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:05 AM

Posted 12 May 2006 - 01:19 PM

Well, if I may be honest..

OR... I could start over from scratch.

I could wipe her new harddrive, and then reclone the old harddrive to the new one.


and

her SP1 installation isn't all too great either to be honest with you. I suspect Windows installer, and 1/2 of her drivers are missing... to include the intel chipset because SP2 was removed.


I guess that's indeed the best solution. As I already said, the malware present on this system damages A LOT! I gave you the link what it does - and it doesn't look good. And as I notice, damage is caused and there's no guarantee we can properly fix the damage this malware already caused. We can eliminate the malware, no problem, but then we have to restore everything again, and sometimes that's not always possible anymore.
Most people dealing with this worm in the past are still having problems with their system, just because they don't have their original XP cd to restore missing files, corrupted files etc..

Yes, start from scratch and immediately update to SP2 is the best. Make sure you install a desktop firewall first before making connection to the internet after reinstall, otherwise this system will get reinfected immediately again.
Once installed, immediately update to SP2.

We always try to clean up systems from malware as much as we can, but in some cases a format and reinstall is better - less time consuming and we can be sure here we start from clean again afterwards. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 C J.

C J.
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 12 May 2006 - 03:48 PM

Well, if I may be honest..

OR... I could start over from scratch.

I could wipe her new harddrive, and then reclone the old harddrive to the new one.


and

her SP1 installation isn't all too great either to be honest with you. I suspect Windows installer, and 1/2 of her drivers are missing... to include the intel chipset because SP2 was removed.


I guess that's indeed the best solution. As I already said, the malware present on this system damages A LOT! I gave you the link what it does - and it doesn't look good. And as I notice, damage is caused and there's no guarantee we can properly fix the damage this malware already caused. We can eliminate the malware, no problem, but then we have to restore everything again, and sometimes that's not always possible anymore.
Most people dealing with this worm in the past are still having problems with their system, just because they don't have their original XP cd to restore missing files, corrupted files etc..

Yes, start from scratch and immediately update to SP2 is the best. Make sure you install a desktop firewall first before making connection to the internet after reinstall, otherwise this system will get reinfected immediately again.
Once installed, immediately update to SP2.

We always try to clean up systems from malware as much as we can, but in some cases a format and reinstall is better - less time consuming and we can be sure here we start from clean again afterwards. :thumbsup:


I have an Even better Idea... If I have to, I'll do what I did on my own PC one time because I got tired of waiting for the SP2 Update CD to arrive. She still has her SP-1 Recovery CD... I could make her a bootable Slipstreamed SP2 recovery disk! I just have to find the procedures I used online to create mine.
At anyrate, Wiping and re-installing sounds like the best bet. I want to thank you for your help. I learned a hell of lot over the last couple of days.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:05 AM

Posted 12 May 2006 - 04:05 PM

Yes, a slipstreamed SP2 recovery disk is a great idea. :thumbsup:

You did all the work here, so now try to convince her of the danger of the internet, because we don't want her make the same mistake again. :flowers:
Look in my signature under prevention. There are some links there with videos you can show her. :huh:

And glad I could help. :huh:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:05 AM

Posted 13 May 2006 - 10:56 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users