Recommended for Virus and spyware removal?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by d3xt3r, Jul 11, 2004.

  1. d3xt3r

    d3xt3r Private E-2

    Hey all,

    My father-in-law was complaining that his 2.5g intel PC was running slow.
    I automatically thought it was spyware or a virus. He used to have McAfee but he didn't renew it after the 30 days.
    So I DL'd AVG, as soon as I DL'd it it detected Trojan horse and some backdoor virus?
    I ran it and it found several viruses and corrupted files. AVG fixed several corrupted files and viruses. It still has 16 corrupted files. I disabled the System Restore to see if it could fix the rest but it didn't. So I DL'd the McAfee Avert Stinger and another scanner/repair program. I also DL'd trusty AdAware, ran it and it found tons of spyware, including that tangent thing.
    Neither did any good. Can anyone recommend any better ones that are free?
    Are the ones that cost like $29/39 guaranteed?

    I remember the names of the ones that AVG detected and couldn't fix/remove were something like androa, bspy, and one other. Sorry I can't remember.

    Thanks for any help! :D
     
  2. Just Playin

    Just Playin MajorGeek

    Run it all again in safe boot mode. They may have been active at the time of the scan. I used to have AVG and had to remove some things manually.
     
  3. Astroman

    Astroman Private E-2

    AVG is great on account that it is free and is better than a lot of AV software that costs money. You should also download Spybot S&D, CWShredder, SpywareBlaster, and Spyware Guard, update them all, and download Spysweeper. A good online scanner is PestPatrol online scanner; however, it doesn't remove it but it does give the location of pest in a file or in the Registry. http://www.pestscan.com/Scan.asp
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have corrupted files, no scanner is going to fix them, unless it is something like a virus or trojan that is attached to a valid file. In those cases a virus scanner can sometimes repair the file but running in safe mode may be necessary. If it is not repairable in safe or normal mode, you probably have to reinstall the application or replace the file manually (also may need to be in safe mode).
     
  5. d3xt3r

    d3xt3r Private E-2

    OK, so when it boots up, what do I press to go into safe mode?
    I'll run all the programs again.
     
  6. d3xt3r

    d3xt3r Private E-2

    Yeah I figured I was going to have to DL all those programs, just didn't have the time to do it tonight. I think he already has Pest Patrol on there, but it never found anything.
    Well maybe it found them just didn't remove them.

    I know AVG found some and removed/fixed more than 70% of them.
    What does it do different when in safe mode?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. d3xt3r

    d3xt3r Private E-2

    XP, I'm sure it's pro and not home edition.
    Also, I made all the files show (disabled hidden files) and also disabled the system restore. I read that some files would be able to be fixed if they were hidden in the backup restore file system.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean "would NOT be able to be fixed". You cannot fix problem files in system restore. That's one reason why you need to disable it. It gets rid of the restore points which gets rid of the problem. In addition, if you did not delete those system restore points that have problems (virus, trojans, etc), you could some day get a problem back that you had fixed already since the system could be brought back to a restore point.
     
  10. d3xt3r

    d3xt3r Private E-2

    I had him run that Panda scanner and he said it found 16 and fixed 16.
    It seems too easy, but I had him run the AVG again to make sure it's fixed, since AVG is the one that caught/detected all of them. We'll see what happens.

    If not I'll do as you guys recommended and run all of the above in safe mode.
    I'll let you guys know what happens tomorrow.

    Thanks!! :D
     
  11. d3xt3r

    d3xt3r Private E-2

    edit: He ran AVG and it still found 14. We'll try the rest in safe mode tomorrow.

    Oh do any of those programs/viruses sound familiar to you guys?
     
  12. Just Playin

    Just Playin MajorGeek

    When Windows boots up in safe mode, it only runs the drivers and Windows OS programs absolutely necessary for you to use your computer. Third party software won't be run at start-up, including viruses, trojans, and spyware. You need to do this because Windows will not delete a program or file that is in use.
     
    Last edited: Jul 12, 2004
  13. d3xt3r

    d3xt3r Private E-2

    One more thing...
    Just looking to the future if all else fails.

    You all said the Pest Patrol will tell me where the corrupted files are?
    It should tell me the path and I should be able to recognize the program it's attached to, then remove the program and install a fresh one?
    If these files are a part of the OS, like in system32 folders or something, will it fix them in safe mode? If it doesn't how do you fix corrupted OS files and folders?

    Thanks,
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What programs/viruses? You did not name any.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Define corrupted! Do you mean the file has errors or do you mean some sort of malware/virus has infected the file? Some virus/trojan checkers can repair the latter (sometimes). Truly errored files will have to be replaced. You need to determine whose files they are. Not all files in the system32 folder are part of Windows.
     
  16. d3xt3r

    d3xt3r Private E-2

    First post... "I remember the names of the ones that AVG detected and couldn't fix/remove were something like androa, bspy, and one other. Sorry I can't remember."

    They're not full/exact names, I was just wondering if they sounded familiar.
     
  17. d3xt3r

    d3xt3r Private E-2

    Also, when I boot up in safe mode, are these tools/scanners going to be available?
    Or will I have to reinstall them in safe mode?

    What is the best way to determine which files are corrupted if I can't fix any with the scanners? The pest patrol or the HiJackThis log?

    Thanks,
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Never heard of androa (there is an Andromeda virus though).
    Nothing on just Bspy either but there is a keylogger called ABspy.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which scanners in particular are you referring to? Most (if not all) adware scanners and virus scanners work in safe mode. Online scanners will not.

    You are the one that keeps saying you have corrupted files. Why do you say this? Isn't it due to the fact that the scans are telling you that they have found a problem? I would assume they are not saying the file is corrupted but rather that there is a virus or a trojan or some other problem. Aren't they telling you the filename?

    Have you disabled system restore yet?
     
  20. d3xt3r

    d3xt3r Private E-2

    Ok, so all of the scanners will work in safe mode but the online ones I know.

    Well AVG says corrupted files found, but it didn't list the names of any. I'll check the options tab for a list of names. When I run McAfee Avert it doesn't find anything.
    Sorry if I keep saying "corrupted files" I'll clear that up tonight when I read exactly what it says. Sorry for the confusion.

    Yes I disabled the system restore when we ran the Panda online scanner, then the AVG right after it. I'll let you guys know how it goes after we try everything in safe mode.
    Will any of these scanners try to delete any critical folders/files needed for the OS?

    Thanks,
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If a critical system file is infected and the only way to repair it is to delete it, that could happen.
     
  22. d3xt3r

    d3xt3r Private E-2

    Would it affect the OS from working or even booting?
    It's a Dell PC and I don't know if he has support from them, but if I screw up his OS won't that void his warranty? lol
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could impact the ability to boot. Don't delete anything if you are not sure.

    Maybe your problem is with AVG being corrupted. Why don't you uninstall it and reinstall?
    Or perhaps before re-installing, try using Avast! instead. Get it here (also free): http://www.majorgeeks.com/download1968.html
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to record EXACT error messages and convey them back here. Don't use your own words. If a virus or any other problem is detected and cannot be repaired or deleted you need to tell us what virus name and in what file the problem occurred.
     
  25. d3xt3r

    d3xt3r Private E-2

    HijackThis results

    Logfile of HijackThis v1.98.0
    Scan saved at 8:39:36 PM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\EarthLink 5.0\updatemgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\AVGANT~1\avgcc32.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\PestPatrol\PestPatrol.exe
    C:\Program Files\Test Scanners\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Test Scanners\SpywareGuard\dlprotect.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F0 - (no file)
    O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - (no file)
    O2 - BHO: BRedObj Class - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - c:\Program Files\Xmod\xm320.dll
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tapaxwn] C:\WINDOWS\tapaxwn.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PeerGuardian] C:\Program Files\KMD Lite\peerguardian.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [Jreg] "c:\Program Files\Common Files\Java\Jreg2b.exe"
    O4 - HKLM\..\Run: [haf] C:\WINDOWS\haf.exe
    O4 - HKLM\..\Run: [Grokster] C:\PROGRA~1\Grokster\Grokster.exe /SYSTRAY
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\AVGANT~1\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\PestPatrol\ppclean.exe" clean ts:20040713201247359 suite 2 2
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\RunOnce: [t] "c:\Program Files\Common Files\Java\xclean.exe"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: install.lnk = ?
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.academy.com/iNotes.cab
    O16 - DPF: {8A8F3D75-6564-4599-A7DC-313B43A89E1D} (AdInstaller Control) - http://www.kazaa.net.cn/digital/AdInstaller.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
     
  26. d3xt3r

    d3xt3r Private E-2

    AVG results:

    Results of Complete Test, date and time 7/13/2004 20:42:51 :
    Testing C:\ serial 442C-929B
    C:\HIBERFIL.SYS Cannot open; not checked!
    C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\WOODY\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\WOODY\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\WOODY\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\WOODY\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\WINDOWS\system32\Gr02.dll Trojan horse Downloader.Bho.A
    C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\Program.Fil\rvp\bpc.exe Trojan horse Downloader.Rvp.D
    C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\WINDOWS\biprep.exe Trojan horse PSW.Bispy.B
    C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\WINDOWS\system32\ia.dll Trojan horse Downloader.Wintrim.AD
    C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\WINDOWS\system32\egdial.dll Trojan horse Dialer
    C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\WINDOWS\system32\netpal.dll Trojan horse Downloader.Bho.B
    C:\Program Files\PestPatrol\Quarantine\20040514202529218.zip:\Document.s\Woody\local.tti\temp\bi.dll Trojan horse PSW.Bispy.A
    C:\Program Files\PestPatrol\Quarantine\20040514202529218.zip:\WINDOWS\bi.dll Trojan horse PSW.Bispy.A
    C:\Program Files\PestPatrol\Quarantine\20040514202529218.zip:\WINDOWS\biprep.exe Trojan horse PSW.Bispy.B
    C:\Program Files\PestPatrol\Quarantine\20040517060447437.zip:\Document.s\Woody\local.tti\temp\bi.dll Trojan horse PSW.Bispy.A
    C:\Program Files\PestPatrol\Quarantine\20040517060447437.zip:\WINDOWS\bi.dll Trojan horse PSW.Bispy.A
    C:\Program Files\PestPatrol\Quarantine\20040517060447437.zip:\WINDOWS\biprep.exe Trojan horse PSW.Bispy.B
    C:\Program Files\PestPatrol\Quarantine\20040604165500671.zip:\WINDOWS\ARUpdate.exe Trojan horse Downloader.Adroar.A
    C:\Program Files\PestPatrol\Quarantine\20040610101934109.zip:\WINDOWS\ARUpdate.exe Trojan horse Downloader.Adroar.A
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!

    Test finished, duration 00:07:21.1 s
    20669 objects tested, 14 found infected
     
  27. d3xt3r

    d3xt3r Private E-2

    How do you remove stuff from start up?
    I did start>run>msconfig>startup tab and it showed a bunch of crap on the list.
    I tried to disable some and they just re-enabled themselves?
    Also I could run AVG in safe mode?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see any problems with your AVG scan (and note nothing said "corrupted"). If you are worried about the 14 files in the quarantine folder for PestPatrol, have PestPatrol remove the contents of its quarantine folder. Then rescan. So basically if this is your problem you don't have one.
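
The reading of the AVG report given in post 28, as an added example that is not part of the original thread: a small Python triage that separates hits inside a quarantine archive from hits on live files and from files AVG could not open. It assumes only the two line shapes visible in the posted report; the first sample lines are copied from that report and the last one is constructed for contrast.

```python
from collections import defaultdict

DETECTION_MARK = " Trojan horse "          # label used in the posted report
LOCKED_MARK = "Cannot open; not checked!"  # file was in use, so it was skipped
ARCHIVE_SEP = ".zip:\\"                    # "<archive>.zip:\<member path>"

# Lines copied from the AVG report posted in this thread.
THREAD_EXCERPT = r"""
C:\HIBERFIL.SYS Cannot open; not checked!
C:\Documents and Settings\WOODY\NTUSER.DAT Cannot open; not checked!
C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\WINDOWS\system32\Gr02.dll Trojan horse Downloader.Bho.A
C:\Program Files\PestPatrol\Quarantine\20040501093912880.zip:\WINDOWS\biprep.exe Trojan horse PSW.Bispy.B
C:\Program Files\PestPatrol\Quarantine\20040604165500671.zip:\WINDOWS\ARUpdate.exe Trojan horse Downloader.Adroar.A
"""

# Constructed line (not from the thread): a hit on a file outside any archive.
CONSTRUCTED_LIVE_HIT = r"C:\WINDOWS\example.exe Trojan horse Downloader.Example.A"


def split_archive(path):
    """Return (container, member); member is None when path is a plain file."""
    idx = path.lower().find(ARCHIVE_SEP)
    if idx == -1:
        return path, None
    # Keep ".zip" on the container, drop the ":" and keep the member's "\".
    return path[:idx + 4], path[idx + 5:]


def triage(report):
    """Sort report lines into live hits, quarantined hits and unscanned files."""
    live, unscanned = [], []
    quarantined = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        if line.endswith(LOCKED_MARK):
            unscanned.append(line[:-len(LOCKED_MARK)].rstrip())
        elif DETECTION_MARK in line:
            path, _, name = line.rpartition(DETECTION_MARK)
            container, member = split_archive(path)
            if member is not None and "\\quarantine\\" in container.lower():
                # Already isolated by another tool: inert copy inside an archive.
                quarantined[container].append((member, name))
            else:
                # Detection on a file that is still in place on disk.
                live.append((path, name))
    return {"live": live, "quarantined": dict(quarantined), "unscanned": unscanned}


def summary(result):
    hits = sum(len(v) for v in result["quarantined"].values())
    return (f"{len(result['live'])} live, {hits} quarantined in "
            f"{len(result['quarantined'])} archive(s), "
            f"{len(result['unscanned'])} unscanned")


if __name__ == "__main__":
    print(summary(triage(THREAD_EXCERPT)))
    print(summary(triage(THREAD_EXCERPT + CONSTRUCTED_LIVE_HIT)))
```

The unscanned list is worth keeping in view: those files were locked by the running system, which is the reason the thread recommends repeating the scan in safe mode.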
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly which items are you trying to stop from running at startup?
     
  30. d3xt3r

    d3xt3r Private E-2

    LOL, Well the funny thing is when I scanned last night, I finally found the AVG vault where it holds the results. I looked at the 14 it's been finding and noticed they were in Pest Patrol's Quarantine folder. So I said it's not that bad then.

    So If I go to Pest Patrol Quarantine folder and have it remove/delete the files in the Quarantine folder it won't affect the OS?
     
  31. d3xt3r

    d3xt3r Private E-2

    Well when the PC starts up he has like a million little icons on his task bar on the right end by the clock.
    I wanted to disable AIM, Real Player, Quicktime, and one or two more.
    Also what is Peer Guardian? I noticed he had a Wild Tangent folder?
    One more thing, he has earthlink and he installed some of their software including their tool bar on IE. Personally it looks like my RR w/Google toolbar blocks popups better than his earthlink. Any truth to that? I was going to uninstall the earthlink stuff and put Google, I just didn't know if it would affect his Outlook mailbox or his IE favorites.

    Thanks for everything, especially your time!!
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If they are already in the Quarantine folder and you have been booting and running okay, your OS does not miss whatever is there. There should be no problem having PestPatrol cleanup its quarantine.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before worrying about those items you should finish fixing the remaining items that fall into the adware/spyware realm. For example I see TVMedia and MyWebSearch. Try to locate MyWeb or MyWebSearch (or something similar) in Add/Remove Programs and uninstall. If you see something like FunWebProducts, uninstall it too. I personally always remove WildTangent but if you use those online game sites related to it, it will come back. If you don't use it, uninstall it too (AOL stuck it in there).

    Run HijackThis and fix (some for TVMedia, some just need fixing):
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e - (no file)
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Then reboot in safe mode and delete the directory:
    C:\Program Files\TV Media

    Check the Earthlink Toolbar for an uninstall program (possibly in Add/Remove Programs too).
     
  34. d3xt3r

    d3xt3r Private E-2

    Cool I'll try that.
    I already uninstalled TV Media, if he needs it I'll reinstall it. But I'll check again and delete the directory as requested.
    I remember seeing that My Websearch on his Earthlink Tool bar, is it a part of Earthlink?
    When I looked at the add and remove, I saw an earthlink software bundle, no toolbar.
    I'll look closer tonight. Oh and AOL, I know if I uninstall it, his kid will reinstall it. Is there a lite version? I saw one here on Major Geeks that removes the spywares and junk from AOL?

    Thanks,
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't believe MyWebSearch is related to Earthlink at all.
    I was not suggesting to uninstall AOL, especially if it is their ISP, I was only saying that AOL (and AIM) are places where WildTangent can come from.

    Never heard of an AOL lite type application. There is one that tries to block the popups in AIM.
     
