Been cleaning aunt's puter for 3 days - need HJT help to finish, please!


SkrtNHeels
I'm visiting my aunt in NY and she asked me to fix her computer... said it was running very slowly. She was overrun with spyware, trojans, etc. Here's what I've done so far:
Updated and ran McAfee AntiVirus, SpyHunter, SpywareDoctor, Adaware, Spybot S&D, IESpyads, SpywareBlaster, CWShredder and CCleaner.

There are still some questionable items in the HJT log but it is beyond my experience. Please help. I have to leave tomorrow and would really like to finish this up and give her firm instructions so this doesn't happen again.

Thank you in advance.
 
So sorry... just read the correct way to handle HJT - will post new thread
 
Sorry, Spike, didn't see your reply until too late... still need help... new log attached

I've continued to work on this computer and now all reports come back clean, but I am still skeptical about a couple of entries in the HJT log. I've read the guides to analyzing it myself but am still uncertain. Please could someone advise me??

Thank you so much,
- Skrt
 
Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the Process (if there) and click End Process for:
command.exe

Next, click on Start/Run and type in (followed by press Enter):
regsvr32 /u C:\WINDOWS\system32\nkbymca.dll
regsvr32 /u C:\WINDOWS\system32\jscorsh.dll

Next, click Start/Run and type services.msc and click OK. Look for the service:
command.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {650D76C8-E62A-B0DD-2D4A-9BEBA946D7CE} - C:\WINDOWS\system32\nkbymca.dll
O2 - BHO: (no name) - {9B047A6B-E593-CA15-4391-51D8336426F4} - (no file)
O2 - BHO: (no name) - {C0C78FCD-784D-CE4D-15A8-4A3EF7B1BE38} - (no file)
O2 - BHO: (no name) - {F123483B-808D-8520-D744-FE1D86411093} - C:\WINDOWS\system32\jscorsh.dll
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Fix ALL O16 - DPF: entries
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhlcmVzYSBDbGFya2UA\command.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
 
Thanks for the response, RBS - I have more information!

I will do as you say but wanted you to know that I seem to have a bigger problem than I thought. I thought since all my scans were clear that I was well on my way to cleaning this computer, however, I just ran an online scan and it deleted three more trojans and said my computer was still infected.

Shall I still proceed as you described?

Thanks, again!!

- Skrt
 
RBS, here is updated HJT log

this is after I ran the online virus scan and made the fixes you instructed. Please advise from here. By the way, I have to leave tomorrow so I'm wondering at what point it makes sense to give this up, reformat the drive and reload windows. I will await word from you.

Thanks, again.

- Skrt
 
Significant Improvement - Just need one final review, I hope...

I deleted the trojan files uncovered by the online virus scan and then ran that scan again and it came up clean. Attached is the current HJT log. Does it look ok to you? Or do I still need to "fix" all the O16 items?

Thank you so much for all your help.

- Skrt
 
That's the problem with timezones, I am on GMT (AND it's Sunday as well).

Your last log looks fine, except for:

O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
Fix those O16 - DPF: entries!
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
 
Heading to New Jersey...

Dropping the computer off at my Aunt's house on the way. I will take care of those last HJT fixes when I set it up there. I will post the log when I get to a wireless access place later this evening. If there are any other fixes to be made then I will do it via remote access.

Thanks again for all your help.

- Skrt
 
Set up the computer at my aunt's house this evening and have a couple of questions...

RBS, I did everything you told me to. While running HJT, it encountered an error #52 at one of the O9 lines but then continued on without incident.

Then I reviewed all your notes to make sure I had done everything. I once again checked the temp folders in each user logon and found files I hadn't deleted. I couldn't delete one of them because it was "being used", so I switched users and tried but could not access that folder. When I switched back to try again to delete the file, I found it had morphed into something else. It was Perflib_Perfdata_420.dat and then was Perflib_Perfdata_680.dat. I did some research and saw a reference to the habe email virus. Is that true? If so, what is the next step?

Lastly, I was under my aunt's logon and ran HJT and realized it was different than my cousin's logon. Do I need to run HJT for each logon in order to ensure that all fixes are done?

I've delayed my trip by 24 hours so can go back to my aunt's one more time in the morning if you say it's necessary, so... I would appreciate your advice one more time.

I got bumped off last time I tried to attach the logs so I will attach on a separate reply.

Thank you, again, RBS...

- Skrt
 
hijackthis11pm1010.txt

Advice only:
UNinstall Spyware Doctor, it is mediocre at best and wastes resources.
You should also try to get rid of AOL, it is a veritable pain in the proverbial!

Get these:
CWshredder from www.intermute.com/spysubtract/cwshredder_download.html.
CoolWWWSearch.SmartKiller from www.bleepingcomputer.com/files/spyware/delcwssk.zip.
-- Some CWS-versions prevent anti-spyware apps from opening. In that case run SmartKiller first.

Boot in Safe Mode, see how here.
XP/ME only: Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Now run CWShredder. If needed, run SmartKiller first.

Next, open Windows Task Manager by pressing Ctrl+Alt+Delete.
Click the Processes tab, select the Process (if there) and click End Process for:
WarnCreativeBook.exe <<== if you know it, leave it!
SpywareCleaner.Exe
eetu.exe

Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
C:\DOCUME~1\THERES~1\APPLIC~1\STYLEA~1\WarnCreativeBook.exe <<== if you know it, leave it!

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pdf
O4 - HKCU\..\Run: [heart owns] C:\DOCUME~1\THERES~1\APPLIC~1\STYLEA~1\WarnCreativeBook.exe <<== if you know it, leave it!
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP/ME only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal.
XP/ME only: When all OK, switch System Restore back on.

Hope you'll be able to go back home now!
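Both of RBS's fix lists above boil down to the same triage of an HJT log: entries whose target file is gone, nameless BHOs, start/search pages pointing off to an unknown host, and a service running out of a folder with a base64-looking name (the cmdService line). The script below is an added example, not part of this thread or of HijackThis itself; it applies those checks to a constructed sample built from entries quoted in the thread, and the "trusted hosts" allowlist is an assumption you would tune for the machine in front of you.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample: one benign line plus the kinds of entry this thread says
# to fix (orphans, unnamed BHOs, hijacked search page, base64-named folder).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: (no name) - {9B047A6B-E593-CA15-4391-51D8336426F4} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhlcmVzYSBDbGFya2UA\command.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
TRUSTED_HOSTS = ("microsoft.com", "msn.com")  # assumed allowlist for R0/R1

def looks_base64(part):
    """Heuristic: a path component that is valid base64 and decodes to text."""
    if not B64_RE.match(part):
        return False
    try:
        raw = base64.b64decode(part, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    return all(b == 0 or 32 <= b < 127 for b in raw)

def audit_entry(line):
    """Return the reasons an HJT entry deserves a second look ([] = none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: target file is gone")
    if kind == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    for part in re.split(r"[\\/]", body):  # registry keys, paths and URLs
        if looks_base64(part):
            reasons.append("base64-like folder name in path: " + part)
    if kind in ("R0", "R1") and "=" in body:
        host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
        if host and not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            reasons.append("start/search page host outside trusted list: " + host)
    return reasons

def audit_log(text):
    """Map each flagged log line to its reasons; clean lines are dropped."""
    return {ln: why for ln in text.splitlines() if (why := audit_entry(ln))}
```

Running `audit_log(SAMPLE_LOG)` flags four of the five entries and leaves the Symantec line alone; the decoded base64 name is deliberately not printed, since on this machine it is a person's name.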
 
Will this take care of that file that I couldn't delete from Win Temp?

Unfortunately, not going home until Thursday. Have business in New Jersey for the next two days. I will head to my aunt's house in a couple of hours and post the HJT log later this evening when I get to a wireless connection.

Thanks again for allllllllllllllll your help!

- Skrt
 