Disinfecting Friend's Laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by Miss M, Oct 23, 2009.

  1. Miss M

    Miss M Private E-2

    Hello! I'm a long-time lurker, but finally got around to registering, because I need to appeal to the Greater Geeks. I have a good friend who, I just found out, has been surfing on her laptop and desktop with almost no protection!

    I got her desktop booting again, did some cleaning, installed some security, and temporarily traded it for her laptop because she had clicked on a fake security popup and infected her computer with Cyber Security about a week and a half ago. She called me and said she got this pop up that said her computer was infected with 42 viruses, backdoors, trojans, and worms. "Don't click it!" I hollered. "Oh, I already did." *sigh* I removed that thanks to a detailed how-to on BleepingComputer (involved MalwareBytes).

    I uninstalled McAfee (Viruscan I think... not the full security program). I ran Ad-Aware and Spybot S&D, ran CCleaner, and then defragmented with Defraggler because the computer was still slow.

    I then worked through the whole Read & Run, including running things I had previously run. When I ran RootRepeal, it didn't appear to have done anything when I clicked "scan" (which made me think I had missed the button or that it hadn't engaged, since I am having some pointer problems on here), and so I confess I clicked "scan" again. It still didn't seem to do anything, but maybe that's the way it is?

    The computer is still pretty slow to boot. It takes over 6 minutes to fully boot. It gets to the black Windows screen quickly, and then spends about a minute on it. Then the screen goes blank for about 45 seconds, during which it appears to shut off for a few moments. From the time the blue Windows screen comes up until the desktop wallpaper shows and the welcome sound plays is about 70 seconds. It takes about 3 more minutes to load everything else.

    I want to be sure I have succeeded in cleaning this computer before I proceed with anything else, like working through the services list on Black Viper. That Cyber Security thing was no fun. I was about to pull out my hammer to get it off of here.

    Okay, I'm long-winded. I'm attaching my logs as requested, and thank you in advance for any direction y'all can give me. I really appreciate you all, and have learned a lot on here!:)

    By the way, MalwareBytes may show up as "kim". I had to rename it to remove Cyber Security, and I didn't name it back. Oh wait - I named it "mb" when I re-did the scan in the Read & Run.
     


  2. Miss M

    Miss M Private E-2

    And here's the MGtools log.

    Thank you again!

    Forgot to mention system info:
    Acer Aspire, 1.60 GHz, 1 GB RAM, running Windows XP Home 2002 SP3
     

  3. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    From the HJT log, this could be part of or all of your performance problems. You may consider uninstalling this if it isn't needed. I believe it is listed as 'Motorola USB Drivers' in Add/remove Programs.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines (if found) but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file)
    • O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
    • O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
    After clicking Fix checked, exit HijackThis.


    Do you know what this is?
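    The three O2 lines above are Browser Helper Object registrations whose CLSID no longer resolves to a DLL on disk, which is what HijackThis reports as "(no file)". The script below is an added example, not code from the thread, from HijackThis or from MGtools: it walks the same registry list HijackThis reads and flags every BHO whose InprocServer32 DLL is missing. It assumes the BHO list lives under the two keys named in the script (only the first exists on the 32-bit XP Home machine in this thread; the Wow6432Node key is a 64-bit Windows assumption) and that the DLL path in the registry is absolute, since a bare file name that Windows would resolve via the search path is reported here as missing.

```powershell
# Added example, not from the thread or from HijackThis/MGtools: list Browser Helper
# Objects the way the HijackThis "O2 - BHO" lines do and flag entries whose DLL is gone.
# "(no file)" entries are leftovers rather than running code, but they are worth clearing.
# Assumption: the BHO list lives under the two keys below (Wow6432Node exists only on
# 64-bit Windows; the XP Home laptop in the thread has just the first key).

$BhoListKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegistryDefaultValue {
    # Returns the (default) value of a registry key, or $null if the key or value is absent.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.'(default)'
}

function Get-BhoReport {
    foreach ($listKey in $BhoListKeys) {
        if (-not (Test-Path -Path $listKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $listKey) {
            $clsid    = $entry.PSChildName     # e.g. {377C180E-6F0E-4D4C-980F-F45BD3D40CF4}
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name     = Get-RegistryDefaultValue "$clsidKey"
            $dll      = Get-RegistryDefaultValue "$clsidKey\InprocServer32"

            # Expand %SystemRoot%-style paths and strip surrounding quotes before testing.
            # Assumption: the stored path is absolute; a bare DLL name shows up as missing.
            $dllPath = $null
            if ($dll) {
                $dllPath = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
            $fileExists = ($dllPath -ne $null) -and (Test-Path -LiteralPath $dllPath)

            if (-not $name) { $name = '(no name)' }
            $fileText = if ($fileExists) { $dllPath } else { '(no file)' }

            New-Object PSObject -Property @{
                CLSID  = $clsid
                Name   = $name
                File   = $fileText
                Orphan = (-not $fileExists)
            }
        }
    }
}

# Orphaned entries (Orphan = True) are the ones HijackThis would list with "(no file)".
Get-BhoReport | Sort-Object Orphan -Descending | Format-Table CLSID, Name, File, Orphan -AutoSize
```

    Run it from an elevated PowerShell prompt; it only reads the registry and never deletes anything, so it is safe to use before and after the HijackThis fix to confirm the three orphaned CLSIDs are gone.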

     
  4. Miss M

    Miss M Private E-2

    Hi! And thank you! :)

    I will uninstall the Alltel thing. She is actually changing ISPs right now, so it should be no problem. She has been connecting through Alltel with her Motorola cell phone, which she hooks up to the computer by USB. She shouldn't need that any more now, so I'll get rid of it.

    I will run the MGTools thing. Do you need any new logs?

    c:\Program Files\CS I am betting is the directory for that Cyber Security malware. I thought I had deleted that directory after wiping the rest of the program off, but maybe I didn't. Or maybe Cyber Security isn't dead yet. I will try deleting the folder (again?).

    I'll get back to you tomorrow (later today, haha) probably. Just let me know if you need logs. :)
     
  5. evilfantasy

    evilfantasy Malware Fighter

    You can open the CS folder and let me know what's in it, if anything. Just don't open anything that's inside of the folder.

    Once you get the Alltel software removed you should see an improvement in performance. Then let's run a full virus scan to be sure nothing was missed. Please follow the instructions for Using the BitDefender Online Scan and attach the log it creates.
     
  6. Miss M

    Miss M Private E-2

    Okay, I uninstalled ALLTEL Internet Accelerator (from All Programs>Alltel>Uninstall), Motorola USB Drivers (from Add/Remove), and Quicklink Mobile (Alltel Axcess). Then I rebooted.

    I then deleted the Program Files>Alltel folder, and noticed there was still a McAfee folder with some stuff in it, and deleted that too. Then I saw a Limewire folder. It appears it isn't installed, it's just there. I'll talk to her to see if I can remove that. She has Limewire on her desktop, and I suspect that is the source of a lot of the infection she had on that computer. I'm leaning on her to get rid of it.

    I accidentally ran MGTools, instead of opening the folder. I hope this didn't do anything it shouldn't have! I'm sorry! I was afraid to stop it, so I waited for it to finish. Then I ran C:\MGtools\analyse.exe. All three items were found, so I checked them and clicked "Fix checked".

    The CS folder is empty. Shall I delete?

    Bitdefender failed in its attempt to update the virus definitions before scanning. I'm going to reboot and try again. Meanwhile, I need to change desktops, so I'll post this message and post the Bitdefender log separately.
     
  7. Miss M

    Miss M Private E-2

    BitDefender was a challenge. I clicked for it to start, and it came up to update the program and virus definitions. It only got 44% through the definitions, and then failed. It gave me the option of scanning anyway without complete defs, but I thought it would be better to try again.

    I rebooted for a clean slate, and tried again. I went to the BitDefender forums for help. I'm not the only one having this problem, and it goes back a while too. I deleted "bdscanonline control" in C:\windows\downloaded program files, to make it download a fresh copy. No good. Then I tried another suggestion, which was to download the definitions manually, and extract them to c:\windows\bdoscan8\plugins folder.

    When I tried again, it updated the program, then stayed at 0% on the definitions. I thought it was going to fail again, and, after about 5 minutes of it doing nothing, I clicked "cancel". Surprisingly, it immediately began scanning. Hopefully it worked like it was supposed to.

    I wasn't able to save it as .txt, only as .html, so I saved it like that, viewed source, and saved that as .txt. I'll attach both. Actually, I'll attach just the .txt, because it didn't let me upload the .html.

    Whew! Weird, but I got it done! :)
     


  8. evilfantasy

    evilfantasy Malware Fighter

    The scan is clean.

    Yes. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. Miss M

    Miss M Private E-2

    Sorry... splitting headache today, will try tomorrow and post back. :)
     
  10. Miss M

    Miss M Private E-2

    Got it all done! I kept SAS and MBAM as suggested, and am going through the Protect Yourself from Malware link. Most of it's covered already, though I need to enable SDhelper and such.

    I saw she already had XP SP3 on the laptop, and that it was set for automatic updates, so I thought it should be pretty up-to-date, and maybe just need a couple of security updates. Boy, was I wrong!! It needed no less than 71 High Priority updates! I think the most I've ever seen before is 14! I set it to check for updates at 1:00pm, instead of 8:00pm, figuring that was probably the problem - the computer simply wasn't on at 8.

    About the disabling autoruns thing - didn't they come back and say nevermind, it isn't the problem we thought it was? Or were they just trying to keep everybody from panicking?

    That article under #11 was just the thing I needed to get her off of Limewire! ;)

    UPDATE: I'm almost done with the Protect Yourself link. I went through the Services with help from BlackViper, and it still made no difference at all in startup! Still taking 6 minutes to boot! I've never had a computer do this to me. Normally, I clean the thing up, I improve the security, if necessary I go through the services, and it's back to running great!

    In desperation, I googled "acer aspire slow", and found people talking about the hard drive being stuck in PIO mode. I looked, and, sure enough, it was. Suggestion 1 was to actually select PIO mode, reboot, then select DMA, and reboot. It didn't work, so I tried suggestion 2, which did. This involved uninstalling the Primary IDE Channel, which I didn't like doing, but the other alternative was editing the registry. A couple of reboots, and the hard drive is now running in UDMA Mode 5!

    It booted in a minute and a half! YES!!!

    I have to put it through some sleep/wake cycles to make sure it doesn't step back down to PIO.

    evilfantasy, I can't thank you enough for helping me clean this computer up! I was really concerned that there could be things hiding on it that I didn't know how to find. I also didn't know which BHOs were okay and which weren't. My friend is getting a crash course in security, and sounds like she's going to be a lot more careful now.
     
  11. evilfantasy

    evilfantasy Malware Fighter

    Microsoft usually releases updates on "Patch Tuesday" but they do sometimes release critical out-of-band updates.

    http://en.wikipedia.org/wiki/Patch_Tuesday
    "Patch Tuesday is the second Tuesday of each month, the day on which Microsoft [...] Starting with Windows 98, Microsoft included a "Windows Update" system, that would check for patches to Windows and its components which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, including Office, Visual Studio, SQL Server, and others."
    Autoruns should have been taken care of in a recent Windows Update but it never hurts to use other precautions like the Panda USB and AutoRun Vaccine on your flash drives.

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Download Panda USB and AutoRun Vaccine and save it to your desktop.

    * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
    * Open that folder and double-click on USBVaccine.exe to start the program.
    * Click Run
    * Click the button to Vaccinate computer.
    * Insert your USB flash drive.
    * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
    * Exit Panda USB and AutoRun Vaccine when done.

    Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

    When it comes to computers, free doesn't always mean good! ;)

    Sounds good. I would also recommend that you defrag the computer. There may be a lot of fragmented sections on the drive after all of the cleaning.

    You can use the built in Windows defrag by clicking Start > Run and then type in dfrg.msc then click OK. Or use a faster FREE program. Defraggler is very effective and easy to use.

    Note: Be sure to clean out temp files and restart the computer just before beginning a defrag.

    You're welcome and I'm glad it all worked out.

    Let us know if anything else comes up.

    Safe surfing....
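    The vaccine step above works because Windows autorun reads an autorun.inf at the root of the drive and follows its open= / shellexecute= lines. The script below is an added example, not code from the thread or from Panda's USB Vaccine: it lists every removable drive, reports whether an autorun.inf is present, and prints the launch directives a readable one contains, so a flash drive can be checked before and after vaccination. It assumes a vaccinated drive presents an autorun.inf that is present but cannot be opened as a normal file (the thread says only that the vaccine makes the file unreadable), and it assumes DriveType 2 in Win32_LogicalDisk is the right filter for flash drives.

```powershell
# Added example, not from the thread or from Panda's USB Vaccine: report what the
# autorun.inf on each removable drive would launch. Read-only; it changes nothing.
# Assumption: after vaccination the autorun.inf is present but cannot be read as a file.

function Get-AutorunDirectives {
    # Keeps only the launch-related lines of autorun.inf text: open=, shellexecute=
    # and shell\<verb>\command= are the directives that point at an executable.
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
        ForEach-Object { $_.Trim() }
}

function Get-RemovableAutorunReport {
    # DriveType 2 is "removable disk" in Win32_LogicalDisk (flash drives, not CD-ROMs).
    $drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $drives) {
        $infPath    = "$($drive.DeviceID)\autorun.inf"
        $status     = 'no autorun.inf'
        $directives = @()

        if (Test-Path -LiteralPath $infPath) {
            $item = Get-Item -LiteralPath $infPath -Force -ErrorAction SilentlyContinue
            if ($item -and $item.PSIsContainer) {
                $status = 'autorun.inf is a folder (Windows autorun cannot use it)'
            } else {
                try {
                    $lines      = @(Get-Content -LiteralPath $infPath -Force -ErrorAction Stop)
                    $directives = @(Get-AutorunDirectives -Lines $lines)
                    if ($directives.Count -gt 0) {
                        $status = 'autorun.inf would launch something - inspect before trusting'
                    } else {
                        $status = 'autorun.inf present, no launch directives'
                    }
                } catch {
                    $status = 'autorun.inf present but unreadable (vaccinated or damaged)'
                }
            }
        }

        New-Object PSObject -Property @{
            Drive      = $drive.DeviceID
            Status     = $status
            Directives = ($directives -join '; ')
        }
    }
}

Get-RemovableAutorunReport | Format-Table Drive, Status, Directives -AutoSize
```

    Insert the flash drive with Shift held down, as the post describes, before running this so that nothing on it executes while you look at it; a drive that reports "would launch something" deserves a scan before it is used on another machine.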
     
