Need help cleaning leftover remnants

Status
Not open for further replies.
I've completed the 8 steps. I'm not getting the option to attach files so I may need to log out and back in. If so, I'll attach the logs in the next post to this thread. Stay Tuned... In the meantime here is some background info and what I need help with.

Background
---------------
I'm helping to clean my sister's computer. Had lots of viruses and malware on it. Their son installed BitDefender on it but hadn't cleaned everything so it kept reporting problems and BitDefender was interfering with MS Office 2000 (Outlook specifically).

Current Status
------------------
PC is running well. The interference with Outlook 2000 disappeared after I deinstalled BitDefender.

ClamWin Antivirus reports clean
Malwarebytes reports 2 registry key remnants that can't be deleted (always get Access Denied)
SuperAntiSpyware reports clean
ComboFix and HijackThis report a BrowserHelperObject that can't be deleted either, but the errant file it points to has been removed

Issues/Problems still pending
------------------------------------
1. ComboFix log and Windows Security Center still report BitDefender as the Firewall and Antivirus "on record". I noticed the ComboFix log reports this file: c:\windows\SYSTEM32\DRIVERS\bdfndisf.sys (BitDefender Firewall NDIS filter).
BitDefender did not apparently deinstall completely. How do I restore these to Windows XP defaults (XP firewall, no antivirus detected)?

2. How do I get rid of these last remaining registry remnants that I can't seem to delete?

3. Do you see anything else in the logs that needs attention or further removal efforts?

Thanks in advance for your help!

See attached.

For some reason the button to "manage attachments" did not appear from the "infected computer" so I had to send the files to another computer and attach them from there.

That may be another remnant problem so if there are any ideas on what to do to fix that, that would be great!

Thanks again!
 
I'm not that happy with Clam Antivirus; the on-access real-time scanner leaves much to be desired. Unless it has changed significantly, you must force a manual scan to actually find and remove viruses.

Try a free antivirus like Avast or Avira instead (preference to Avira).

Well done with the logs though, very thorough :grinthumb

The following should be removed through running HJT scan (ticking and fixing the entries, whilst your Internet browser is closed)
O2 - BHO: (no name) - {E87CC7B2-A3CB-41FF-A52F-5C000694B634} - C:\WINDOWS\system32\GLMF3.dll (file missing)

The following shortcut startups are not required to start with Windows, and can be safely removed
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Restart, and post back with results :)
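
Added example, not part of the original thread or of HijackThis itself: a small Python parser for the O2 and O4 line formats quoted in the post above. It flags BHO entries marked (file missing) and derives the registry key where such a leftover registration lives, so its permissions can be inspected. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample: four entries copied from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {E87CC7B2-A3CB-41FF-A52F-5C000694B634} - C:\WINDOWS\system32\GLMF3.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
'''

# Where Internet Explorer registers BHOs; each CLSID is a subkey of this key.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                       r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.I)

def executable(cmd):
    """Return the program path from a startup command line, without arguments."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd

def parse_hjt(text):
    """Parse O2 (BHO) and O4 (startup) lines into dictionaries; other lines are skipped."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = O2_RE.match(line)
        if m:
            clsid = m["clsid"].upper()
            entries.append({"section": "O2", "clsid": clsid, "target": m["path"],
                            "file_missing": m["missing"] is not None,
                            "registry_key": BHO_KEY + "\\" + clsid})
            continue
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            d = m.groupdict()
            location = f'{d["hive"]} {d["key"]}' if "hive" in d else d["scope"]
            entries.append({"section": "O4", "location": location, "name": d["name"],
                            "executable": executable(d["cmd"])})
    return entries

def orphaned_bhos(entries):
    """BHO registrations whose DLL is gone: only the registry key is left to clean up."""
    return [e for e in entries if e["section"] == "O2" and e["file_missing"]]

if __name__ == "__main__":
    for entry in parse_hjt(SAMPLE_LOG):
        print(entry)
```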
 
New HijackThis log following Kimsland's instructions

Attempted removal of BHO - didn't work (yes, browser was closed - checked task manager too)

Removed other startups as recommended

Cleared & reset system restore cache

New HijackThis log attached. Not sure if you wanted other logs, too.

I'll check out Avast & Avira a bit later...thanks for the suggestions.
 
message to you

Please do this
(Some members say they have already tried this in a reply; but later I find it has not been done!)
The following not only resets all Internet Explorer's settings, but also removes all temp files, all extensions are disabled (toolbars, browser extensions, and Browser Helper Objects), and ActiveX controls are restored.

How to use Reset Internet Explorer Settings (RIES)

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Note: Users who cannot start Internet Explorer 7 for some reason can use RIES from Internet Options in Control Panel.

(Ideally an Avira install and scan would be good ;) )
 
HJT following RIES and Avira scan

Attached is the Avira scan log and HJT log following:

RIES per instructions

Avira Scan

HJT Scan w/ BHO tick & fix

Final HJT Scan - saved log
 
Looks good

Run HJT scan again, and remove this non-threatening issue:
O2 - BHO: (no name) - {E87CC7B2-A3CB-41FF-A52F-5C000694B634} - C:\WINDOWS\system32\GLMF3.dll (file missing)

How is it presently running?
 
BHO issue still not deleted

Ran HJT again - scan, tick & fix and BHO still not deleted.

Registry entry gives you an Access Denied if you try to delete it. It won't let you change permissions either.

Computer is running fine but the issues I was concerned about are still there.

Per my original POST Windows Security Center thinks BitDefender is in charge of the Firewall and Antivirus but BitDefender was deinstalled - I want to restore this to Windows defaults (Windows Firewall and no antivirus program detected).

BHO is still there.

MalwareBytes reported two problems in the registry, which, like the BHO issue, can't be deleted.

The rest of the system is pretty clean now and running well. Would just like to get rid of the few nagging issues.

Any other ideas we can try????
 
Not 100% fixed but good enough

After installing Avira, Windows Security Center detects Avira as the Antivirus program and Firewall has defaulted back to Windows Firewall.

The rest of the issues probably can't be eliminated without getting past the permissions issue. Since these are non-threatening at this time I guess I'll leave them alone.

With regard to the one issue about the Manage Attachments button not showing up... I am running Firefox 2.0 and did have JavaScript enabled so I'm not sure why the buttons aren't showing up. It works fine on my other computer running Firefox 2.0. I tried disabling JavaScript and the <NoScript> option showed up (i.e. links instead of buttons) so it appears JavaScript enable/disable is working.

I tried reinstalling Firefox and that didn't help either. I also tried IE7 and the button didn't show up using that browser either. So the issue doesn't appear to be the browser itself but somewhere else.

I went to other sites that use JavaScript and they work fine... I'm stumped but if nobody has any suggestions then let's close out this thread.

Thanks for your help!
 