The latest and greatest in Malware Removals



I have started referring to malware more and more lately because the term virus doesn't exactly describe the pests I see on people's machines, and the terms spyware or adware aren't doing justice to some of these pests either. (There are many pieces of what I would consider malware that do undesired things and protest vehemently, and technically correctly, that they are not spyware.) So, this last week I've had my hands full with a machine on the bench that had a bug in it like a multi-headed hydra. It's kind of like Night of the Living Dead or one of those Friday the 13th movies… every time you think you've got the baddies licked, they keep coming back. Hang on, this could be a long post….

To start with, this system was the motivation for two new pages here: the antivirus removal tools page (prompted by a crippled McAfee installation) and the Malware, Virus and Spyware removal toolkit. This is something I had wanted to compile in one page for some time, but this system required just about every tool in the arsenal to make sure it was clean.

At the end of the day, gool.exe was one of the bugs; it's an internet worm that goes back a few years. But there were also interesting screensavers, c:\windows\system32\blphccbpj0e95t.scr and c:\windows\system32\ebabdbfc.dll, all probably randomly generated filenames. There was also memsweep2, Virtumonde, xx.exe (which ran as a service called sysinternals), something called vnrblock, another called sakora.exe or sakora, and getpack21 or getpack. Some of these may have been legit programs, but these are the orphaned startup entries that were left pointing at missing files after all the cleanups.

So, let me start at the beginning. I had been given this machine to work on at one of the businesses I visit; it was a home machine. Unfortunately it didn't have the original Windows XP CD. It's a Dell (short on memory at around 256MB) with XP SP2 (now SP3). If it had come with the install CD it would certainly have saved time to WIPE EVERYTHING and start from scratch, because this system has sucked time like you wouldn't believe.

First off, I noticed that the web browser window closes when attempting to visit an antivirus site to download a scanner, a typical self-defence trick that keeps the victim from fetching removal tools. So I copied things over on a memory stick. The first virtual paratrooper installed was Malwarebytes' Anti-Malware, which began to work its magic, creating a virtual beachhead on the infested computer. What follows are its initial results (every line reads "No action taken", i.e. this is the detection pass before anything was removed):


Malwarebytes' Anti-Malware 1.28
Database version: 1234
Windows 5.1.2600 Service Pack 2

10/7/2008 12:30:58 AM
mbam_findings.txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 144494
Time elapsed: 2 hour(s), 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 8
Registry Keys Infected: 92
Registry Values Infected: 11
Registry Data Items Infected: 3
Folders Infected: 37
Files Infected: 190


C:Documents and SettingsUSER3Local SettingsTemp.tt39.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.tt80.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER2Local SettingsTemp.ttD.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER2Local SettingsTemp.ttE.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER2Local SettingsTemp.ttF.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.tt9.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.ttA.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.ttB.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.ttC.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.ttD.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.ttE.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:Documents and SettingsUSER3Local SettingsTemp.ttF.tmp.vbs (Trojan.FakeAlert) -> No action taken.

In spite of the “No action taken” report, I did have it clean out everything it found. Next up was Grisoft’s AVG version 8. Since this is a home system I installed the free edition and let it run a scan. At this point I was thinking that things were probably taking a turn for the better, but when I saw the system again it appeared to be in a reboot cycle. I assumed it must have finished the antivirus scan and perhaps needed to restart after an update. Then I saw a Windows blue screen and another reboot. ANOTHER Windows blue screen and reboot.
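To make a scan report in the format quoted above easier to triage, here is an added example (not code from the original post or from Malwarebytes) that parses lines of the form `path (Detection) -> result.`, groups them by detection family and by user profile, and pulls out the entries still marked “No action taken”. The sample log is constructed from paths in this post with their backslashes restored; the “Quarantined” line and the header line are made up for the example.

```python
import re
from collections import Counter

# Constructed sample in the "path (Detection) -> result." format of the Malwarebytes
# log quoted in this post. The paths come from that log with the backslashes the
# page lost restored; the "Quarantined" line and the header line are made up.
SAMPLE_LOG = r"""
Files Infected:
C:\WINDOWS\system32\phccbpj0e95t.bmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\b160.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\USER3\Desktop\Internet Security Suite.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\USER2\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\USER3\Local Settings\Temp\.tt15.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<result>.+?)\.?$")
PROFILE_RE = re.compile(r"^[a-z]:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)

def parse_log(text):
    """One dict per detection line; headers and other non-detection lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        prof = PROFILE_RE.match(path)
        entries.append({"path": path, "family": m.group("family"), "result": m.group("result"),
                        # which user profile the file sat in; machine-wide paths get "(system)"
                        "profile": prof.group(1) if prof else "(system)"})
    return entries

def summarize(entries):
    """Counts by family and profile, plus the items that still need follow-up."""
    return {
        "by_family": Counter(e["family"] for e in entries),
        "by_profile": Counter(e["profile"] for e in entries),
        # "No action taken" means a report-only scan: these files are still on disk
        "unresolved": [e["path"] for e in entries if e["result"].startswith("No action taken")],
        # a flagged kernel driver can hide other files, so re-scan after it is gone
        "kernel_drivers": [e["path"] for e in entries if e["path"].lower().endswith(".sys")],
    }

if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for family, n in report["by_family"].most_common():
        print(f"{n:3d}  {family}")
    print("still to clean:", len(report["unresolved"]), "| drivers:", report["kernel_drivers"])
```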

I started suspecting that the malware cleaners had crippled the Windows install. Here were some of the messages:

A problem has been detected and Windows has been shut down to prevent damage to your computer: IRQ_NOT_LESS_OR_EQUAL, pxhelp20.sys. Another referred to dlartl_n.sys.

Strangely, another message said the same, but in the faulting module area it said sysinternals_great_site, stop 0x00000100, tcpip.sys, restarting; then Bad_Pool_Header, stop 0x00000019, dag.sys, address bf0007bb; then Page_Fault_in_nonpaged_area, audstub.sys, where f9939t53e and f9939000 were the addresses. kbdclass.sys was mentioned in another with an address of f9c4e9f9, a base of f964e000 and a datestamp of 36b01bd3.

Another was imapi.sys with an address of f94c84d2, a base of f94c6000 and a datestamp of 36b035ds. Another claimed KMODE_Exception_not_handled and referred to kbdclass.sys with stop 0x000001e; another referred to rasl2tp.sys with stop 9x99999959; other stops were 0x00000000 and 0xf9517bb6, and yet another module mentioned was usbd.sys with Panic_Stack_Switch.

At this point I wasn’t sure what was going on, but thought I’d try to catch it and boot into safe mode. Only… when I touched a key we went to the welcome screen of XP. ALL of that above was a screensaver. Who knows how many randomized blue screens they’ve put into it, but it looked pretty authentic, mimicking the boot process and the auto-reboot on a Windows crash. Pretty devious. (The sysinternals_great_site gave a big hint that not all was as it seemed.)

So… at this point I haven’t yet seen the AVG results (it was still scanning), but from Malwarebytes Anti-Malware we’ve identified and cleaned out vundo.h, webtools bho, qdrdrive, qdrdrive20.dll, lavenh.dll, micore.dll, speedrunner, faceback.exe, myjavacore bho, mywebsearch, hotbar, cunta.dll, rogue malwarecrush.exe, zango, surfaccuracy, onlinegame, purityscan and evidence eliminator, and in spite of this we’re still seeing strange behavior.

The first AVG scan uncovered several Adware Generic3.JVP bugs, plus Adware Generic3.LPS, Adware Generic.RLK and Adware Generic3.LLF in a folder called bs; bs17.exe was one of the bugs, dl.exe and euladlg.dll were others.

The viruses found included Malwarecrush.exe (in 1838140.exe), a getfile.php, coec.exe, b116.exe, b157.exe, b103.exe, b116.exe and b104.exe. It identified what it found as follows: Trojan horse downloader.fraudload.n, trojan horse clicker.poc, js/downloader.agent, trojan horse agent.jkr, trojan horse downloader.generic3.szp, trojan horse downloader.agent.acrg, trojan horse generic6.qzr, trojan horse generic_c.iky, trojan horse agent.jkr, trojan horse generic_c.iky, trojan horse spysheriff.e and trojan horse sheur.arxw, and they were all removed. I also cleaned out the System Restore folder by disabling System Restore at this point. Now I went for Spybot Search & Destroy as (as I thought at the time) my final pass.

Spybot found (and cleaned out) the following (many of which were just cookies): adrevolver, bfast, bluestreak, burstmedia, casalemedia, directtrack, doubleclick, fastclick, goclick, hitbox, hitslink, ksl, linksynergy, matchcraft, mediaplex, microsoft.windows.activedesktop, myway.mywebsearch, right media, searchingbooth.com, statcounter, systemdoctor2006, tradedoubler, webbuyingassistant, webrends live, wildtangent, win32.agent.es, wintouch and zedo.

After this I ran another AVG scan which came up clean. I declared victory and shut it down. But the next morning I thought I better boot up and take another look JUST in case. I booted up and ran the web browser. On closing there was a small window that popped up and disappeared. I ran AVG again and it found traces of spysheriff again which it cleaned out.

So, I decided to start trying the online scanners. Trend Micro was the first. It found traces of memsweeper2, which it cleaned up. The second HouseCall scan came up clean. I ran another AVG scan and all seemed clean. I left it for the better part of a day. Malwarebytes came up clean, Spybot came up clean.

The next day when I updated and ran AVG there was a SLEW of new baddies…

Virus downloader.fraudload, rootkit-agent.af, backdoor.agent.ugj, downloader.agent.abwh (lots of .tmp files in c:\windows\system32 with this…). After this pass I returned to Trend Micro’s HouseCall and it once again found memsweeper2, AGAIN. It cleaned it and the second run didn’t turn up anything. Around this time I found a few suspicious startup items that I cleared out (including an xx.exe that was labelled sysinternals (???)).

One of the other online scans (F-Secure) turned up a file named gool.exe that was tagged as malware, which nothing else had apparently tagged. BTW, this was also running at startup.

After this, I visited the Kaspersky scanner and found several items that had been dumped in the HouseCall quarantine. So, still not convinced, I downloaded Autoruns from Sysinternals and SuperAntiSpyware free edition (which I hadn’t used before).

SuperAntiSpyware finally got things cleaned out. Here’s the list of things that IT found before I was convinced we had got everything:

It cleaned up a few stray registry entries from vundo, others from gool (it found yet another resurrection of gool in System Restore, which I flushed again), and there were several other traces of things in Temporary Internet Files.

At this point the last symptoms seemed to have gone away. There weren’t any other windows popping up for a split second with Internet Explorer, and no other suspicious processes cropping up in Task Manager. I could actually shut down without an error message and the system seems all clear. I’ve now checked the system a couple more times with the above tools and all seems clean. I went back one last time to audit things with Sysinternals Autoruns and used some of the missing items listed there to compile the list at the start of this article.

Along the way I installed UltraVNC on the system to assist in cleaning it up (which SuperAntiSpyware made note of and offered to remove; it tagged it as winVNC).

So there’s the story of the latest greatest infested system on the bench. This one has probably taken the longest to get back into working shape just because of its lack of memory. (Scans were taking several hours at a time.) As it is, it definitely would have been simpler to reinstall and update the system, but there wasn’t an install disk with the machine. I did update to Internet Explorer 7 and Windows XP SP3 along the way as well, to bring it up to current on the Windows Update front.
