Possible remnant spyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by oquela, Feb 9, 2005.

  1. oquela

    oquela Private E-2

    Hello all,
    I'm new here & quite frankly I didn't know where this post should go because it fits everywhere/nowhere, so please forgive me if it's in the wrong spot.

    I volunteered to fix a friend's computer from what he called "viruses." I found, along with 7 viruses affecting numerous files, over 1200 spyware/adware processes, a trojan horse, a few hijacked browser processes, etc.

    After 2 weeks of work, I finally was able to update his XP Home to SP2 (I had it on disc from a previous install). That's where the problems start up again. I can't seem to get the additional Windows updates (there are about 18 of them) that come AFTER SP2. The first time, I almost did, but after I got the required files, I opted for 3 of the "optional" updates, and then it was over from that point (and nothing installed).
    I get different error messages, then the browser gives me the "cannot display" messages for EVERYTHING, until I reboot. I've also found an "avenue A .inc" cookie that Spybot S&D says is bad each time the browser stops.

    This has been the case whether I've been wireless, ethernet-connected, or dial-up! It can't be a proxy problem (whatever that is).
    I've gone through all the Microsoft fixes (which haven't done anything). I have a strange feeling that the real help to this problem will come with those updates.
    I've also run Adaware (with vx2 & without) Spybot, and Hijack this (although I still haven't quite got this prog. all down yet), and Norton AV
    Any suggestions would be extremely welcome.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Oquela,

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. oquela

    oquela Private E-2

    PhilliePhan,
    OK, I went through step by step the Spyware tutorial you pointed me to. After all that, I restarted and STILL had the original problem of the browser working only a couple of minutes.

    Attached is the HJT log file that was taken after the above. If you or anyone can help (I know you must be extremely busy) I'd sure appreciate it.

    thanks!
    oquela

    PS: Adaware found 3 dataminers (1 IE cache entry, and 2 "files")
    Stinger found a W32/sdbot.worm.gen.t virus
    trend micro online found 5 trojans
    symantec online found 11 things (mostly adaware)
    but the problem's still there. Thanks again!
     

    Attached Files: 10.txt (6.1 KB)
  4. oquela

    oquela Private E-2

    This post is also for anyone who can help. Sorry, but I can't find the "edit thread" button anywhere :rolleyes:
     
  5. TheOldThug

    TheOldThug First Sergeant

    Oquela

    I am going to suggest what to do.

    ****DO NOT DO THIS UNTIL PHILLIE APPROVES IT****

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running process, if found:

    winsql32.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = windowsupdate.microsoft.com;v4.windowsupdate.microsoft.com;download.windowsupdate.com
    O4 - HKLM\..\Run: [Windows Sql Service For Windows 32 Bit] winsql32.exe
    O4 - HKLM\..\RunServices: [Windows Sql Service For Windows 32 Bit] winsql32.exe
    O4 - HKLM\..\RunOnce: [Windows Sql Service For Windows 32 Bit] winsql32.exe
    O4 - HKCU\..\Run: [Windows Sql Service For Windows 32 Bit] winsql32.exe
    O4 - HKCU\..\RunOnce: [Windows Sql Service For Windows 32 Bit] winsql32.exe
    O15 - Trusted Zone: http://Download.Windowsupdate.com

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file if it should remain:

    C:\WINDOWS\system32\winsql32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
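The fix list in the post above names three kinds of HijackThis entries: an R1 ProxyOverride value listing Windows Update hosts, one bare filename (winsql32.exe) registered under five Run/RunServices/RunOnce keys across HKLM and HKCU, and an O15 Trusted Zone entry for download.windowsupdate.com. As an added example (editor's code, not part of the original thread and not HijackThis itself), here is a small Python script that reads HJT log lines and flags exactly those entry classes, returning the lines a user would tick before clicking Fix. The sample log is constructed from the entries quoted in the post plus a few benign lines; the threshold of three autostart locations and the "windowsupdate" host match are the script's own assumptions, not rules from the thread.

```python
"""Triage a HijackThis (HJT) log for the entry classes named in the post:
R1 ProxyOverride hosts, O4 autostart entries and O15 Trusted Zone hosts.
Added example; the sample log below is constructed, not a real user's log."""
import ntpath
import re
import sys
from collections import defaultdict

# Constructed sample HJT log: the seven entries quoted in the post above,
# plus benign lines (Norton ccApp, Messenger) the filter must leave alone.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = windowsupdate.microsoft.com;v4.windowsupdate.microsoft.com;download.windowsupdate.com",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [Windows Sql Service For Windows 32 Bit] winsql32.exe",
    r"O4 - HKLM\..\RunServices: [Windows Sql Service For Windows 32 Bit] winsql32.exe",
    r"O4 - HKLM\..\RunOnce: [Windows Sql Service For Windows 32 Bit] winsql32.exe",
    r"O4 - HKCU\..\Run: [Windows Sql Service For Windows 32 Bit] winsql32.exe",
    r"O4 - HKCU\..\RunOnce: [Windows Sql Service For Windows 32 Bit] winsql32.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O15 - Trusted Zone: http://Download.Windowsupdate.com",
]

# HJT line shapes: "O4 - HKLM\..\Run: [Name] command", "R1 - ...,ProxyOverride = a;b",
# "O15 - Trusted Zone: host"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R1_RE = re.compile(r"^R1 - .*,ProxyOverride = (?P<hosts>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")

UPDATE_HOST_MARK = "windowsupdate"  # assumption: substring that marks a Windows Update host
MIN_LOCATIONS = 3                   # assumption: same binary in >= 3 autostart keys is suspicious


def executable_name(cmd):
    """Return (lowercased basename, has_directory) for an O4 command string.
    A quoted path is taken up to the closing quote; otherwise the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split()[0]
    has_dir = "\\" in path or ":" in path
    return ntpath.basename(path).lower(), has_dir


def parse_hjt(lines):
    """Pull the three entry classes out of raw HJT log lines."""
    parsed = {"proxy_override": [], "autostarts": [], "trusted_zones": []}
    for line in lines:
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            exe, has_dir = executable_name(m["cmd"])
            parsed["autostarts"].append({"line": line, "hive": m["hive"], "key": m["key"],
                                         "name": m["name"], "exe": exe, "has_dir": has_dir})
        elif (m := R1_RE.match(line)):
            hosts = [h.strip() for h in m["hosts"].split(";") if h.strip()]
            parsed["proxy_override"].append((line, hosts))
        elif (m := O15_RE.match(line)):
            parsed["trusted_zones"].append((line, m["host"]))
    return parsed


def triage(lines):
    """Return (findings, lines_to_fix): human-readable reasons, and the exact
    log lines the user would tick in HijackThis."""
    parsed = parse_hjt(lines)
    findings, to_fix = [], []

    # R1: proxy bypass list that names Windows Update hosts
    for line, hosts in parsed["proxy_override"]:
        hit = [h for h in hosts if UPDATE_HOST_MARK in h.lower()]
        if hit:
            findings.append(f"R1: ProxyOverride names Windows Update hosts ({', '.join(hit)})")
            to_fix.append(line)

    # O4: one executable registered in many autostart locations
    by_exe = defaultdict(list)
    for entry in parsed["autostarts"]:
        by_exe[entry["exe"]].append(entry)
    for exe, entries in by_exe.items():
        locations = sorted({f'{e["hive"]}\\..\\{e["key"]}' for e in entries})
        if len(locations) >= MIN_LOCATIONS:
            bare = all(not e["has_dir"] for e in entries)
            detail = " as a bare filename with no directory" if bare else ""
            findings.append(f"O4: {exe} registered in {len(locations)} autostart locations{detail}: "
                            + "; ".join(locations))
            to_fix.extend(e["line"] for e in entries)

    # O15: Trusted Zone entry for a Windows Update host
    for line, host in parsed["trusted_zones"]:
        if UPDATE_HOST_MARK in host.lower():
            findings.append(f"O15: Trusted Zone entry for {host}")
            to_fix.append(line)
    return findings, to_fix


if __name__ == "__main__":
    # Pipe a saved HJT log on stdin, or run with no input to use the sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    found, fix = triage(source)
    for f in found:
        print(f)
    print("\nLines to check in HijackThis:")
    for l in fix:
        print("  " + l)
```

Run it as `python hjt_triage.py < 10.txt` against a saved log, or with no input to see it pick out the seven lines from the post while leaving the ccApp and Messenger entries alone. The O4 rule groups by executable name rather than by the display name in square brackets, because the bracketed name is whatever the installer chose to call itself.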
     
  6. oquela

    oquela Private E-2

    Thanks for the quick response, OldThug,
    I couldn't wait for Phillie so I went ahead with your rec's.

    I just rebooted in "normal" Windows mode after the fixes... do I jump on the internet to test it out to see if I can do Windows Update (I think I'm getting re-infected in the first minute or so), or just run a HijackThis before going on the net???

    I don't want to re-damage anything I've fixed. I don't mean to be paranoid, but I've put in about 25 hrs (honest) in trying to fix this damn thing.

    thanks again!
    oquela
     
  7. oquela

    oquela Private E-2

    OldThug,
    You're a genius! It worked. It allowed me to access the "Windows Update" (funny, it was only a .NET update of 10 MB, and didn't include the beta malware remover & other windoze stuff, but oh well).

    hasn't shut down the browser, and it's been a whole 10 min. :) (little things are BIG when you're desperately losing your mind)

    I'll give it a day and if it goes bad, I'll update w/ before and after HJT logs of the updates.

    thanks again and good night!
    oquela
     
  8. TheOldThug

    TheOldThug First Sergeant

    You're welcome.

    Glad you got it all fixed. You should check this out now:

    How to Protect yourself from malware!

    The PROs on here are recommending NOT using the Microsoft beta spyware tool just yet. It is causing some problems and has false positives.
     
  9. TheOldThug

    TheOldThug First Sergeant

    You should post a new HJT log so we can see it and make sure it looks clean.
     
