TechSpot

Been cleaning aunt's puter for 3 days - need HJT help to finish, please!

By SkrtNHeels
Oct 9, 2005
  1. I'm visiting my aunt in NY and she asked me to fix her computer... said it was running very slowly. She was overrun with spyware, trojans, etc. Here's what I've done so far:
    Updated and ran McAfee AntiVirus, SpyHunter, SpywareDoctor, Adaware, Spybot S&D, IESpyads, SpywareBlaster, CWShredder and CCleaner.

    There are still some questionable items in the HJT log but it is beyond my experience. Please help. I have to leave tomorrow and would really like to finish this up and give her firm instructions so this doesn't happen again.

    Thank you in advance.
     
  2. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    So sorry... just read the correct way to handle HJT - will post new thread
     
  3. Spike

    Spike TS Evangelist Posts: 2,168

    no need - just edit your original post in this thread - thanks for noticing :)
     
  4. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    Sorry, Spike, didn't see your reply until too late... still need help... new log attached

    I've continued to work on this computer and now all reports come back clean but I am still skeptical about a couple of entries in the HJT log. I've read the guides to analyzing it myself but am still uncertain. Please could someone advise me??

    Thank you so much,
    - Skrt
     
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the Process (if there) and click End Process for:
    command.exe

    Next, click on Start/Run and type in (followed by press Enter):
    regsvr32 /u C:\WINDOWS\system32\nkbymca.dll
    regsvr32 /u C:\WINDOWS\system32\jscorsh.dll

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    command.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {650D76C8-E62A-B0DD-2D4A-9BEBA946D7CE} - C:\WINDOWS\system32\nkbymca.dll
    O2 - BHO: (no name) - {9B047A6B-E593-CA15-4391-51D8336426F4} - (no file)
    O2 - BHO: (no name) - {C0C78FCD-784D-CE4D-15A8-4A3EF7B1BE38} - (no file)
    O2 - BHO: (no name) - {F123483B-808D-8520-D744-FE1D86411093} - C:\WINDOWS\system32\jscorsh.dll
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    Fix ALL O16 - DPF: entries
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhlcmVzYSBDbGFya2UA\command.exe
    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.
     
  6. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    Thanks for the response, RBS - I have more information!

    I will do as you say but wanted you to know that I seem to have a bigger problem than I thought. I thought since all my scans were clear that I was well on my way to cleaning this computer, however, I just ran an online scan and it deleted three more trojans and said my computer was still infected.

    Shall I still proceed as you described?

    Thanks, again!!

    - Skrt
     
  7. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    RBS, here is updated HJT log

    this is after I ran the online virus scan and made the fixes you instructed. Please advise from here. By the way, I have to leave tomorrow so I'm wondering at what point it makes sense to give this up, reformat the drive and reload windows. I will await word from you.

    Thanks, again.

    - Skrt
     
  8. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    Significant Improvement - Just need one final review, I hope...

    I deleted the trojan files uncovered by the online virus scan and then ran that scan again and it came up clean. Attached is the current HJT log. Does it look ok to you? Or do I still need to "fix" all the O16 items?

    Thank you so much for all your help.

    - Skrt
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    That's the problem with timezones, I am on GMT (AND it's Sunday as well).

    Your last log looks fine, except for:

    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    Fix those O16 - DPF: entries!
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
     
  10. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    Heading to New Jersey...

    Dropping the computer off at my Aunt's house on the way. I will take care of those last HJT fixes when I set it up there. I will post the log when I get to a wireless access place later this evening. If there are any other fixes to be made then I will do it via remote access.

    Thanks again for all your help.

    - Skrt
     
  11. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    Set up the computer at my aunt's house this evening and have a couple of questions...

    RBS, I did everything you told me to. While running HJT, it encountered an error #52 at one of the O9 lines but then continued on without incident.

    Then I reviewed all your notes to make sure I had done everything. I once again checked the temp folders in each user logon and found files I hadn't deleted. I couldn't delete one of them because it was "being used" so I switched users and tried but could not access that folder. When I switched back to try again to delete the file, I found it had morphed into something else. It was Perflib_Perfdata_420.dat and then was Perflib_Perfdata_680.dat. I did some research and saw a reference to the habe email virus. Is that true? If so, what is the next step?

    Lastly, I was under my aunt's logon and ran HJT and realized it was different than my cousin's logon. Do I need to run HJT for each logon in order to ensure that all fixes are done?

    I've delayed my trip by 24 hours so can go back to my aunt's one more time in the morning if you say it's necessary, so... I would appreciate your advice one more time.

    I got bumped off last time I tried to attach the logs so I will attach on a separate reply.

    Thank you, again, RBS...

    - Skrt
     
  12. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    Here is one log...

    Thanks, again.
     
  13. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    And here is the second...

    Anxiously awaiting your reply.

    - Skrt
     
  14. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Re: hijackthisjames11pm.txt

    Clean up the other log, that will take care of this one's problems as well.
     
  15. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    hijackthis11pm1010.txt

    Advise only:
    UNinstall Spyware Doctor, it is mediocre at best and wastes resources.
    You should also try to get rid of AOL, it is a veritable pain in the proverbial!

    Get these:
    CWshredder from www.intermute.com/spysubtract/cwshredder_download.html.
    CoolWWWSearch.SmartKiller from www.bleepingcomputer.com/files/spyware/delcwssk.zip.
    -- Some CWS-versions prevent anti-spyware apps from opening. In that case run SmartKiller first.

    Boot in Safe Mode, see how here.
    XP/ME only: Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.


    Now run CWShredder. If needed, run SmartKiller first.

    Next, open Windows Task Manager by pressing Ctrl+Alt+Delete.
    Click the Processes tab, select the Process (if there) and click End Process for:
    WarnCreativeBook.exe <<== if you know it, leave it!
    SpywareCleaner.Exe
    eetu.exe

    Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
    C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
    C:\DOCUME~1\THERES~1\APPLIC~1\STYLEA~1\WarnCreativeBook.exe <<== if you know it, leave it!

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pdf
    O4 - HKCU\..\Run: [heart owns] C:\DOCUME~1\THERES~1\APPLIC~1\STYLEA~1\WarnCreativeBook.exe <<== if you know it, leave it!
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP/ME only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal.
    XP/ME only: When all OK, switch System Restore back on.

    Hope you'll be able to go back home now!
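    The HJT entries quoted in RealBlackStuff's two fix lists (posts 5 and 15) lend themselves to a small triage script. The Python below is an added example, not code from this thread or from HijackThis itself; it parses the R/O lines copied from those two posts plus one constructed benign O4 line, and applies the same sorting the replies do by hand: entries whose target is "(no file)" or "(file missing)" are orphans that are safe to fix, a browser start/search setting pointing at a URL is reported so the host can be verified, a directory whose name is a valid base64 string is flagged as unusual for legitimate software, and an unnamed BHO or button that is backed by a real file is flagged for closer inspection. The severity labels, the base64 heuristic and its 80% printable threshold are my own assumptions; anything the heuristics do not match (the about:blank line, the benign O4 line) is simply reported as nothing found, so the script narrows a log rather than clearing it.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Sample HijackThis log lines. All but the last are copied from the two
# replies in this thread; the last O4 line is a constructed benign entry
# included to show that ordinary startup items produce no finding.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {650D76C8-E62A-B0DD-2D4A-9BEBA946D7CE} - C:\WINDOWS\system32\nkbymca.dll
O2 - BHO: (no name) - {9B047A6B-E593-CA15-4391-51D8336426F4} - (no file)
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhlcmVzYSBDbGFya2UA\command.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example Vendor\tray.exe
"""

SEVERITIES = ("high", "medium", "low", "info")

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# A Windows path: drive letter, then backslash-separated components; the match
# stops at a quote or an opening parenthesis such as the "(file missing)" suffix.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\\r\n"(]*\\)*[^\\\r\n"(]*')
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
BROWSER_KEYS = ("Search Page", "SearchURL", "Start Page", "Default_Page_URL")


@dataclass
class Finding:
    code: str      # HJT section, e.g. "O23"
    severity: str  # one of SEVERITIES
    reason: str
    line: str


def looks_base64(component: str) -> bool:
    """Heuristic (assumption): a path component that is a valid base64 string
    decoding to mostly printable text. Legitimate Windows directory names
    rarely look like this, so such a name is worth a closer look."""
    if not B64_RE.match(component) or len(component) % 4:
        return False
    try:
        decoded = base64.b64decode(component, validate=True)
    except ValueError:
        return False
    printable = sum(32 <= b < 127 for b in decoded)
    return printable >= 0.8 * len(decoded)


def analyze_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    key, sep, value = body.partition(" =")
    value = value.strip()

    # 1. Orphans: the registry still points at something no longer on disk.
    if "(no file)" in body or "(file missing)" in body:
        return Finding(code, "low", "orphaned entry, target not on disk; safe to fix", line)
    # 2. Blank or unresolved values (empty IE setting, shortcut with unknown target).
    if sep and value in ("", "?"):
        return Finding(code, "info", "blank or unresolved value", line)
    # 3. Browser start/search setting overridden with a URL: verify the host.
    if (code in ("R0", "R1") and sep and value.startswith(("http://", "https://"))
            and any(k in key for k in BROWSER_KEYS)):
        host = urlparse(value).hostname
        return Finding(code, "medium", f"browser setting points at {host}; verify it is intended", line)
    # 4. Base64-looking directory name in any path the entry references.
    for path in PATH_RE.findall(body):
        for component in path.split("\\")[:-1]:
            if looks_base64(component):
                return Finding(code, "high", f"directory {component!r} is a valid base64 string", line)
    # 5. Unnamed browser extension or button that is backed by a real file.
    if code in ("O2", "O9") and "(no name)" in body:
        return Finding(code, "high", "unnamed browser component backed by a file on disk", line)
    return None


def analyze_log(text: str) -> List[Finding]:
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    return {s: sum(1 for f in findings if f.severity == s) for s in SEVERITIES}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in sorted(found, key=lambda f: SEVERITIES.index(f.severity)):
        print(f"[{f.severity:6}] {f.code:3} {f.reason}\n         {f.line.strip()}")
    print(summarize(found))
```

    Run it as a script to see the sample log sorted by severity: the two "high" hits are the unnamed BHO backed by nkbymca.dll and the cmdService entry living in a base64-named directory, which are exactly the two items the reply singles out for manual deletion after the HJT fix. Rule order matters: orphan and blank checks run first so that a "(no file)" button is not also reported as an unnamed component, and the base64 check runs on directory components only, never on the file name, to keep false positives from short all-alphanumeric names down.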
     
  16. SkrtNHeels

    SkrtNHeels TS Rookie Topic Starter

    Will this take care of that file that I couldn't delete from Win Temp?

    Unfortunately, not going home until Thursday. Have business in New Jersey for the next two days. I will head to my aunt's house in a couple of hours and post the HJT log later this evening when I get to a wireless connection.

    Thanks again for allllllllllllllll your help!

    - Skrt
     