
Multiple User Accounts And Computer Infection Question


9 replies to this topic

#1 he's dead jim

  • Members
  • 112 posts

Posted 18 March 2014 - 08:51 AM

Hello all. I just have a quick question, and this looked like the right place to post it.

I just finished disinfecting a computer running Windows Vista Home Premium.

Do I have to run the removal / cleanup programs on each individual account in Vista, or is running them from administrator good enough?

Thanks.





#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 18 March 2014 - 11:58 AM

Hi,

 

What programs are you running? Generally you want to run them in the infected accounts, but some programs can clean multiple accounts at once.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 he's dead jim

  • Topic Starter
  • Members
  • 112 posts

Posted 29 March 2014 - 10:54 AM

Sorry for taking so long to reply, but my internet provider was a bit screwy.

I ran RKill, TDSSKiller, Spybot, Malwarebytes, AdwCleaner, JRT and HijackThis.

HijackThis comes up with a bunch of services with missing files.

I would like to take care of those as well as give the system a final once-over before giving it back to my cousin.

There do not seem to be any signs of infection, but the system is still running pretty slow.

Thanks.



#4 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 29 March 2014 - 11:15 AM

Hi,

Those missing services in HijackThis are not actually missing. HijackThis cannot see those services on a 64-bit operating system, so it reports them as missing, but they are there.

If you have quite a bit of time, you could run the ESET online scanner:

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

Otherwise, see here for slowness.

 

xXToffeeXx~




#5 he's dead jim

  • Topic Starter
  • Members
  • 112 posts

Posted 03 April 2014 - 08:24 AM

C:\Windows.old\Documents and Settings\Anthony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\3bdabd6b-7064c7f2    Java/Exploit.CVE-2012-1723.KR trojan    
C:\Windows.old\Documents and Settings\Anthony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\1831d33c-27b2e645    multiple threats    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hk64tbSwe0.dll    Win64/Toolbar.Conduit.B potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hk64tbSwee.dll    Win64/Toolbar.Conduit.A potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hktbSwe0.dll    Win32/Toolbar.Conduit.X potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hktbSwee.dll    Win32/Toolbar.Conduit.W potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\ldrtbSwe0.dll    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\ldrtbSwee.dll    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\tbSwe0.dll    a variant of Win32/Toolbar.Conduit.X potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\tbSwe1.dll    a variant of Win32/Toolbar.Conduit.Y potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\tbSwee.dll    a variant of Win32/Toolbar.Conduit.X potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll    a variant of Win32/PriceGong.A potentially unwanted application    
C:\Windows.old\Documents and Settings\Mom\Downloads\ccsetup410.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Windows.old\Documents and Settings\Public\Downloads\JojosFashionShow-dm[1].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    
C:\Windows.old\Documents and Settings\Public\Downloads\MurderSheWrote-dm[1].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    
C:\Windows.old\Documents and Settings\Public\Downloads\MurderSheWrote-dm[2].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Anthony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\3bdabd6b-7064c7f2    Java/Exploit.CVE-2012-1723.KR trojan    
C:\Windows.old.000\Documents and Settings\Anthony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\1831d33c-27b2e645    multiple threats    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hk64tbSwe0.dll    Win64/Toolbar.Conduit.B potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hk64tbSwee.dll    Win64/Toolbar.Conduit.A potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hktbSwe0.dll    Win32/Toolbar.Conduit.X potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\hktbSwee.dll    Win32/Toolbar.Conduit.W potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\ldrtbSwe0.dll    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\ldrtbSwee.dll    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\tbSwe0.dll    a variant of Win32/Toolbar.Conduit.X potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\tbSwe1.dll    a variant of Win32/Toolbar.Conduit.Y potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\tbSwee.dll    a variant of Win32/Toolbar.Conduit.X potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\AppData\LocalLow\SweetTunes\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll    a variant of Win32/PriceGong.A potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Mom\Downloads\ccsetup410.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Windows.old.000\Documents and Settings\Public\Downloads\JojosFashionShow-dm[1].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Public\Downloads\MurderSheWrote-dm[1].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    
C:\Windows.old.000\Documents and Settings\Public\Downloads\MurderSheWrote-dm[2].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\blklojfklgnogjaijkibhfjepakiocng\10.19.2.5_0\plugins\TBVerifier.dll.vir    Win32/Toolbar.Conduit.AC potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe.vir    a variant of Win32/DealPly.O potentially unwanted application    deleted - quarantined
C:\Users\Anthony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\3bdabd6b-7064c7f2    Java/Exploit.CVE-2012-1723.KR trojan    cleaned by deleting - quarantined
C:\Users\Anthony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\1831d33c-27b2e645    multiple threats    cleaned by deleting - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\hk64tbSwe0.dll    Win64/Toolbar.Conduit.B potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\hk64tbSwee.dll    Win64/Toolbar.Conduit.A potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\hktbSwe0.dll    Win32/Toolbar.Conduit.X potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\hktbSwee.dll    Win32/Toolbar.Conduit.W potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\ldrtbSwe0.dll    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\ldrtbSwee.dll    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\tbSwe0.dll    a variant of Win32/Toolbar.Conduit.X potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\tbSwe1.dll    a variant of Win32/Toolbar.Conduit.Y potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\tbSwee.dll    a variant of Win32/Toolbar.Conduit.X potentially unwanted application    deleted - quarantined
C:\Users\Mom\AppData\LocalLow\SweetTunes\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll    a variant of Win32/PriceGong.A potentially unwanted application    deleted - quarantined
C:\Users\Mom\Downloads\ccsetup410.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\Public\Downloads\JojosFashionShow-dm[1].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    deleted - quarantined
C:\Users\Public\Downloads\MurderSheWrote-dm[1].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    deleted - quarantined
C:\Users\Public\Downloads\MurderSheWrote-dm[2].exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    deleted - quarantined
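As an added example, not part of this thread or of ESET's tooling: a short Python script that parses an ESET OnlineScan export like the one posted above (path, detection name, action) and groups the findings by user profile and by whether each file sits in a live profile, in a Windows.old leftover, or in another tool's quarantine, which answers the question from the first post about which accounts actually carried infected files. The sample lines are constructed from the export above, and the column-separator handling (tabs or runs of four or more spaces) is an assumption about how the export was rendered.

```python
import re
from collections import Counter

# Constructed sample modelled on the export above: path, detection name and
# action, tab-separated; the action column is blank for the Windows.old copies.
SAMPLE_EXPORT = "\n".join([
    "C:\\Windows.old\\Documents and Settings\\Anthony\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\43\\3bdabd6b-7064c7f2\tJava/Exploit.CVE-2012-1723.KR trojan\t",
    "C:\\Users\\Anthony\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\43\\3bdabd6b-7064c7f2\tJava/Exploit.CVE-2012-1723.KR trojan\tcleaned by deleting - quarantined",
    "C:\\Users\\Mom\\AppData\\LocalLow\\SweetTunes\\tbSwe0.dll\ta variant of Win32/Toolbar.Conduit.X potentially unwanted application\tdeleted - quarantined",
    "C:\\Users\\Public\\Downloads\\MurderSheWrote-dm[1].exe\ta variant of Win32/Adware.Trymedia.A potentially unwanted application\tdeleted - quarantined",
    "C:\\AdwCleaner\\Quarantine\\C\\Users\\Mom\\AppData\\Roaming\\UpdaterEX\\UpdateProc\\UpdateTask.exe.vir\ta variant of Win32/DealPly.O potentially unwanted application\tdeleted - quarantined",
])

# Profile name after \Users\ (Vista) or \Documents and Settings\ (Windows.old layout).
PROFILE_RE = re.compile(r"\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.I)
OLD_RE = re.compile(r"^[A-Z]:\\Windows\.old(?:\.\d+)?\\", re.I)


def classify_location(path):
    """Live profile, pre-reinstall leftover under Windows.old, or a tool's quarantine."""
    if OLD_RE.match(path):
        return "windows.old"
    if "\\quarantine\\" in path.lower():
        return "quarantine"
    return "live"


def parse_export(text):
    """Parse export lines; columns are tabs or runs of 4+ spaces (assumed separator)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = re.split(r"\t|\s{4,}", line)
        path = fields[0]
        detection = fields[1] if len(fields) > 1 else ""
        action = fields[2].strip() if len(fields) > 2 else ""
        match = PROFILE_RE.search(path)
        findings.append({"path": path, "detection": detection, "action": action,
                         "profile": match.group(1) if match else None,
                         "location": classify_location(path)})
    return findings


def summarize(findings):
    """Count findings per (profile, location): shows which accounts were really hit."""
    return Counter((f["profile"], f["location"]) for f in findings)


def unremediated(findings):
    """Paths the scanner listed without taking any action on them."""
    return [f["path"] for f in findings if not f["action"]]
```

Run against the full export, the summary shows the same Java exploit cache entry under Anthony's profile both live and in two Windows.old copies, and the toolbar leftovers only under Mom's profile, so both accounts needed cleaning, not just the administrator's.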
 



#6 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 03 April 2014 - 09:41 AM

Hi,

 

That's good; it cleaned up some leftover adware. How is the computer running?

 

xXToffeeXx~




#7 he's dead jim

  • Topic Starter
  • Members
  • 112 posts

Posted 03 April 2014 - 10:47 AM

It's running better, but still slow on browsers and the internet in general.

Also, the updates take forever, but that's always been a problem with Microsoft.

I'm gonna adjust the services and give it a good test, and post back tomorrow whether everything is OK or not.

Thanks for everything so far.



#8 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 04 April 2014 - 06:47 AM

Hi,

 

Sure, test it out and then tell me how it is. You're welcome.

 

xXToffeeXx~




#9 he's dead jim

  • Topic Starter
  • Members
  • 112 posts

Posted 04 April 2014 - 12:38 PM

So far so good. I turned off a bunch of unneeded services. Geez, so many services, way more than XP.

Browsing is still pretty slow, but it may be due to Firefox.

I have a few errors in the event log to work on, and I will probably log back in on Sunday with the results.

Thanks for your patience.



#10 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 04 April 2014 - 01:30 PM

Hi,

 

Make sure you have the latest version of Firefox if you do not. Disable plugins and extensions which you do not use, and make sure they are up to date as well.

Firefox's official page on slowness might be worth a read.

 

xXToffeeXx~






