Followed all "Read first .." but scans apparently did not remove all problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nancyb, Apr 30, 2006.

  1. nancyb

    nancyb Private E-2

    Very slow computer (some of the required scans took between 3-10 hours to complete.): WinXP SP1, Pentium 4 2.66GHz, 1.50 GB RAM, 60 GB HD and 160 GB External Drive.

    Purchased SpySweeper 30 days ago but it didn't install properly and I cannot uninstall, reinstall or update definitions. No help/response so far from spysweeper support although request was just on 4/28/06.

    Have used MailWasher since 2003 but after last update to v5.2 system auto reboots when downloading email. Tried to uninstall v5.2 but receive following error:
    "The uninstall log file C:\Program Files\Mailwasher Pro\unins000.dat is in a format not recognized by this version of the uninstaller. Cannot uninstall."

    Installed MailWasher v5.0 over v5.2 and all seemed to work until a few days ago when auto rebooting started again when downloading email. Posted problem at castlecops and was directed to run various scans and to try hijackthis. (v5.2 was installed after SpySweeper install failure.) Re-installed v5.0 once again and mail is now downloading properly with no auto reboots.

    Ended up here. :) Excellent instructions, BTW!

    I've run all the scans in order from the "read me first sticky" and attached scan reports. One of the scans evidently did not remove all problems because the files were deleted, updated, updated and then not deleted again (not sure if I am understanding this correctly though).

    Thank you for help analyzing this and fixing problems!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to manually clean up any of the items in your Outlook Express folders that Bitdefender found but could not fix. Go through your email and delete the indicated messages.

    You need to allow CounterSpy to fix what it finds. Re-run it and this time fix the problems instead of selecting Ignore.

    You should then uninstall CounterSpy since you have MS Antispyware installed. Once you get SpySweeper working, you should then uninstall MS Antispyware too.

    You still seem to have some McAfee software installed but you are running AVG7. Go to Add/Remove Programs and uninstall McAfee. Let me know if you have problems doing this. It may be a failed uninstall. If so, we will have to remove it manually.

    Why do you have the below URLs in your Trusted Zone? Did you have problems accessing them unless they were put there? This should not be necessary.
    O15 - Trusted Zone: housecall.antivirus.com
    O15 - Trusted Zone: http://www.bernardine.com
    O15 - Trusted Zone: http://*.bernardine.com
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://www.symantec.com
    O15 - Trusted Zone: http://Download.Windowsupdate.com
    O15 - Trusted Zone: http://*.windowsupdate.com
     
    Last edited: May 1, 2006
  3. nancyb

    nancyb Private E-2

    Thank you, chaslang.

    The trusted zones were put there a very long time ago when I did have trouble accessing those sites. I haven't used IE, except for Windows updates, in several years and forgot they were still set. I've removed all those sites from the trusted zone.

    McAfee has been on this system since Dell installed it. I used Add/Remove as soon as the computer arrived, had some problems removing it and thought it was finally gone. Yes, please, if you can help me get it manually uninstalled I would be very grateful!

    I ran Counter spy again and allowed it to fix problems, then uninstalled.

    I have gotten rid of all the infected files in the C: OutlookExpress backup type folders and the G: external drive Outlook Express backup type folders and *thought* I had deleted the infected files in Outlook Express.

    I ran Bitdefender again to see if I had found all the infected files but went to bed when it said estimated time left was 23+ hours. After it actually ran for 8+ hours (default settings, in Safe Mode) either I was dumped from the net or the site timed out. It appeared that the scan was complete except for just a few files - out of around 185,600+ files. In the "More Details" window it said there were still 2 Identified viruses, 3 Infected files and 6 Suspect files. After 30+ minutes with no movement in number of files scanned, I clicked the "Stop Scanning" but the Save link was grayed out so I could not save the log.

    Tried scrolling down through the Detected Problems window but there were just too many. Next I tried selecting just the folders that BitDefender previously found infections in and ran them selectively. All the backup type folders on C: and G: were clean - no problems found.

    :confused:

    I can't figure out what to select in BitDefender to find this kind of infected file in C:\Documents and Settings\nancy\Application Data\Identities\{8F1A6740-540C-11D4-9A6C-8CD4A03E625B}\Microsoft\Outlook Express\Sent Items.dbx=>(message 51) and the other similar files that don't have a date or Subject.

    I hope that running the folders selectively was ok, at this point, and I won't need to run the 8 hour+ scan again until I've found and deleted all the Outlook Express files.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it just message number 51 in your Sent Items folder of Outlook Express?


    Do you have the below patch from Microsoft installed?
    http://www.microsoft.com/downloads/details.aspx?familyid=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en

    Make sure you do have it installed and then uninstall the wmfhotfix.dll patch you installed from Ilfak.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee SecurityCenter Update Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    mcupdmgr.exe

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.
    Now delete the C:\Program Files\McAfee.com folder if it exists.

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
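The two HJT passages above (the Trusted Zone question in post 2 and the fix list in post 4) apply a few repeatable rules to log lines: entries whose target file is gone, autostarts left behind by an uninstalled product, IE policy restrictions on a home PC, and sites placed in the Trusted Zone. The script below is an added example, not code from the thread or from HijackThis, that applies those rules to an HJT log as text. The sample log is constructed from the lines quoted in the thread plus one assumed benign AVG autostart line; the vendor list ("mcafee") and the fix/review classification are this example's own heuristics, not anything HJT itself does.

```python
"""Triage of HijackThis (HJT) log lines.

Added example, not code from the forum thread or from HijackThis. It encodes
the reasoning the helper used above: "(no file)" entries are orphans, leftover
McAfee autostarts go, IE policy restrictions and Trusted Zone sites get a
question to the user first. Rules and vendor list are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: the HJT lines quoted in the thread plus one assumed
# benign AVG autostart line, so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: housecall.antivirus.com
O15 - Trusted Zone: http://*.bernardine.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
"""

# HJT lines look like "O4 - <body>"; everything else in a log is header text.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str
    action: str  # "fix": safe to tick in HJT; "review": ask the user first


def parse_line(line):
    """Return (section, body) for an HJT entry, or None for non-entry text."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(log_text, removed_vendors=("mcafee",)):
    """Classify each HJT entry with the thread's rules (assumed heuristics)."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        line, lower = raw.strip(), body.lower()
        if "(no file)" in lower:
            findings.append(Finding(section, line,
                "registry entry points at a file that no longer exists", "fix"))
        elif section == "O4" and any(v in lower for v in removed_vendors):
            findings.append(Finding(section, line,
                "autostart left behind by software the user says was uninstalled", "fix"))
        elif section == "O6":
            findings.append(Finding(section, line,
                "IE policy restrictions present on a standalone PC", "review"))
        elif section == "O15":
            host = body.split(":", 1)[1].strip()      # text after "Trusted Zone:"
            scope = "whole domain via wildcard" if "*." in host else "single host"
            findings.append(Finding(section, line,
                f"site in IE Trusted Zone ({scope}); ask why it was needed", "review"))
        elif section == "R1" and "proxyoverride" in lower:
            findings.append(Finding(section, line,
                "proxy bypass list is set; check which program installed it", "review"))
    return findings


def hjt_fix_list(findings):
    """Lines that can be ticked in HJT and fixed without further questions."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section:<3} {f.reason}\n         {f.line}")
```

The split into "fix" and "review" mirrors what the helper did: orphaned BHO/toolbar entries and the McAfee autostart were put straight on the fix list, while the Trusted Zone sites got a question first, because a wildcard entry such as `http://*.bernardine.com` puts every host under that domain in a zone where IE runs with relaxed security settings.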
     
  5. nancyb

    nancyb Private E-2

    No, there were at least two other emails but I couldn't find them in the "Detected Problems" window since I couldn't save the log. One, or two, was infected with JS.Kak.Z1. I deleted the email by the number given in BitDefender, but it evidently attached itself to another email, in the same folder, when it "updated" during a BitDefender scan. I decided to backup OE again to a new folder and use BitDefender to just scan that folder. Finally ended up deleting the entire folder in OE (not really that important anyway) after three tries to delete the worm. OE now appears to be clean so I'll run another full system BD scan tonight and hope it makes it all the way through.

    MS patch was already installed, so I uninstalled wmfhotfix.dll.

    Ran HJT and "fixed" the entries. There wasn't a McAfee folder. Whee, McAfee is finally gone. Thank you! :)

    New HJT log attached.
     

    Attached Files:

  6. nancyb

    nancyb Private E-2

    Oops, forgot to answer about system performance.

    Seems much faster and CPU usage in Task Mgr is staying around 0-4% when nothing is being executed. Used to average around 10-50% before.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is Spy Sweeper working okay now? If so, it would speed things up even more if you uninstall Ewido. I assume it is a trial version anyway??? Ewido was not in your first log. When/why did you install it?


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  8. nancyb

    nancyb Private E-2

    Spy Sweeper working ok now. I installed Ewido after my first post when I was waiting for an answer. Found it when going through "How to Protect yourself from malware!" post. I've uninstalled Ewido.

    Ran BD again last night and it completed allowing me to save log. aaarrrgh! there are still some viruses. BD log attached.

    The first virus in the log JS.Kak.A is in what I think is an old unused identity in OE. There are 11 identities in C:\Documents and Settings\nancy\Application Data\Identities\. From OE Tools>Options>Maintenance, the Store Folder that shows in the box is NOT the one with a virus. I don't know what is in any of the other 10 but they must be very old since I have used only one identity in OE for several years.

    Searched around in MS Support for OE Identities and posted in an Outlook Express group asking if these can just be deleted without harm to OE or the default identity. Waiting for response.

    The other viruses in the log are in an old Mozilla (before FireFox) installation, which I uninstalled, and a very, very old Netscape (v4.79) that I also uninstalled. I think these have been on my system since 1999 or 2000 and transferred to the last two new computers - aaarrrgh.

    Most of the suggestions in the "How to Protect..." post I have done since around 2001 when I learned more than I knew in 1999 :eek:

    I haven't installed the Sun Java yet because my last two installs failed (MailWasher and first SpySweeper install). I will do that as soon as system is clean and new restore point set. And ... will also change to a better mail client than OE and upgrade to SP2.

    Thanks chaslang for your help and patience! I'll post back when all viruses and Exploit.Iframe.Vulnerability are gone.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you do need to cleanup (delete) any old email accounts yourself and then delete any other infected messages in valid accounts yourself.

    Until you have installed all of your Windows updates you will still be susceptible to many different problems. There have been many security holes patched. All of your software (including OE) needs to be updated.
     
