Help Please! Stubborn Scumware won't die!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dazed&confused, Sep 11, 2004.

  1. dazed&confused

    dazed&confused Private E-2

    Hello,

    I am fairly new at this and posting for the first time, so please be gentle. (lol :) )

I am trying to clean a friend's computer that was loaded with scumware. I am trying to follow the recommendations in the article about basic spyware and virus removal. Here are the vital stats:

    Windows XP Home
    Intel P4 2.4 GHz
    512 Meg Ram
    System updated except for SP2
    Norton Internet Security 2004 with Antivirus 2004 = updated
    SpySweeper = updated
    Ad-Aware Personal SE = Updated
    SpyBot Search and Destroy = Updated
    System Restore = off
    Hidden/System files, known extensions are shown
    Network Security & Workstation Netlogon Services = Not found

    I have scanned numerous times with the programs listed above, and with several of the online scanners that I have seen mentioned on this site (Trend Micro House Call, RAV, Bit Defender, WindowsSecurity.com Trojan Scanner). These scans seem to have gotten rid of most of the parasites, but there are a few stubborn ones that I can't seem to get rid of. The problems I can't seem to get rid of are as follows:

    Mediaticketsinstaller.ocx identified as Adware.cdt by Norton and as Adware.Mediatick.A by BitDefender

    WinadX.dll=>(Upx) infected: Trojan.Downloader.Winupdt.A identified by BitDefender

    TFTP204, TFTP3044, TFTP3352, TFTP3884 - All identified as Backdoor:IRC/Sdbot.dam#2 by RAV

    SpyBot identified DSO Exploit, but, after researching this site, I understand that, as long as Windows is up to date, this is not a big deal.

    There are also a couple of questionable files on the startup tab of msconfig that were not identified by the scans, but I think they are suspect. Hopefully you can tell me what these are and how to get rid of them if they are bad. They are:

    fukerz.exe
    wuammgr32.exe

    I am prepared to run HijackThis if/when necessary, but I will await your request to do so, and will post the log at the appropriate time.

    Sorry for the long post, but I wanted to provide as much information as possible. Thanks in advance for your assistance. You guys are great!

    --dazed&confused--
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Boccemon

    Boccemon First Sergeant

What a wonderfully perfect post!!! Thank you. It was a pleasure to read this.:)
     
  4. dazed&confused

    dazed&confused Private E-2

    Thanks for the speedy response! Again, I say you guys are great. :)

    Thank you for the information about wuammgr32. I read the recovery method on the Sophos website, but I will wait to try it until you guys have a chance to review my HJT log and provide feedback/guidance. I am a little nervous about messing with the registry by hand (at least without the guidance of a seasoned pro).

    Has anyone heard of the other file I mentioned (fukerz.exe)? I think it probably needs to go too, but I am not sure what it is, or how to get rid of it.

    I also noticed in the HJT logfile that McAfee still seemed to have something loaded. It shouldn't because it has been uninstalled. Norton Internet Security replaced it.

    Anyway, here is my HJT logfile. Take a look at it and see what you think. Thanks again for your help.

    --dazed&confused--
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First make sure of the following:
1) You have disabled system restore (but do not reboot when asked to, we will reboot later): http://forums.majorgeeks.com/showthread.php?t=31668

2) Make sure you have enabled viewing of hidden files: http://forums.majorgeeks.com/showthread.php?t=37650

    Let's begin by running HijackThis and putting check marks on the following lines BUT DO NOT CLICK FIX UNTIL you terminate all browser sessions including the one you are reading right now. Then after clicking fix, immediately reboot into safe mode:
    O2 - BHO: (no name) - {39DD3B2B-EA48-2CE6-D705-63550FD9704B} - C:\WINDOWS\System32\quoknbmp.dll (file missing)
    O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
    O4 - HKLM\..\Run: [fukerservice] fukerz.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
    O4 - HKLM\..\RunServices: [fukerservice] fukerz.exe

    Now reboot in safe mode and delete the following:
    c:\windows\system32\fukerz.exe
    c:\windows\system32\wuammgr32.exe
    c:\windows\system32\mssecure.exe

    If you do not find those files there, also look in:
    c:\windows
    c:\windows\system
c:\documents and settings\username\Local Settings\Temp (where username is your user name)

    If still not found use advanced search options as follows:

    How to use windows XP search mechanism to look for hidden files:
    If you use Search, you need to do the following:
Click Search and then Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button.
    If found, right click on the file and then select Delete.

After deleting all those files, empty your recycle bin and also go to c:\windows\Prefetch and look for lines with any of those bad filenames in them and delete them too.

    Then reboot in normal mode.

    Let me know how this goes. Post a new HJT log attachment. If everything is resolved we will re-enable system restore.
     
    Last edited: Sep 11, 2004
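The reply above hands the reader a set of HijackThis O2/O4 lines and a list of folders to search for the files they load. The following Python script is an added example (not part of the thread, and not HijackThis code) that parses exactly those line formats into the registry location, value name and file name, derives the search paths chaslang lists, and picks out the autostart values worth hunting. It assumes that an O4 value which references a bare filename with no directory is the suspicious pattern to flag, and that Prefetch entries follow the NAME.EXE-xxxxxxxx.pf naming; the username is a placeholder.

```python
import re

# HijackThis lines copied from chaslang's reply above (constructed sample for this example).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {39DD3B2B-EA48-2CE6-D705-63550FD9704B} - C:\WINDOWS\System32\quoknbmp.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [fukerservice] fukerz.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [fukerservice] fukerz.exe
""".strip().splitlines()

# HJT writes "HKLM\..\Run" as shorthand for the full autostart key path.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

def parse_hjt(lines):
    """Turn O2/O4 log lines into dicts: where the entry lives and which file it loads."""
    entries = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].strip('"')
            entries.append({"kind": "O4", "value_name": m["name"],
                            "location": m["hive"] + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" + m["key"],
                            "file": cmd.replace("/", "\\").split("\\")[-1].split(" ")[0],
                            "has_dir": "\\" in cmd or "/" in cmd})
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "value_name": m["name"],
                            "location": "CLSID {" + m["clsid"] + "}",
                            "file": m["path"].split("\\")[-1],
                            "file_missing": m["missing"] is not None})
    return entries

def candidate_paths(filename, username):
    """The places chaslang says to look, in the order given in the reply."""
    return [r"c:\windows\system32\%s" % filename, r"c:\windows\%s" % filename,
            r"c:\windows\system\%s" % filename,
            r"c:\documents and settings\%s\Local Settings\Temp\%s" % (username, filename)]

def files_to_hunt(entries):
    """O4 targets given as a bare filename (assumed heuristic: legitimate Run values usually
    carry a full path), mapped to the Prefetch pattern to look for (assumed NAME.EXE-xxxx.pf)."""
    bare = sorted({e["file"] for e in entries if e["kind"] == "O4" and not e["has_dir"]})
    return {f: f.upper() + "-*.pf" for f in bare}
```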
  6. dazed&confused

    dazed&confused Private E-2

    Thanks chaslang. I followed your directions and HJT seems to have taken care of the three issues you noted. You are great! I have attached my current HJT log below for your verification.

    I also ran all of the same antivirus/spyware detection programs again after following your directions, and they still noted a few issues. I thought I would get your opinion on them. The details of my scans are posted in the second attachment. I ran a search for the questionable files on the Registry and found four Keys that mentioned them, but I can't find the actual files anywhere on the system. I have listed the keys at the bottom of my scanner log file. Let me know what you think I should do with them (if anything).

    Thanks again for your assistance. I don't know what I would have done without your help. :)

    --dazed&confused--
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Did you make sure you had enabled viewing of hidden files? http://forums.majorgeeks.com/showthread.php?t=37650

    How did you look for the files:
    1) did you use Advanced Search settings I gave
    2) or did you use Windows Explorer to navigate to the files

    I would recommend booting in safe mode and doing the following:

    Delete these two files:
    C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
    C:\WINDOWS\Downloaded Program Files\WinadX.dll

    In the registry go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage:
and delete the below two entries from the right pane:
    C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
    C:/WINDOWS/Downloaded Program Files/WinadX.dll

If those entries are also listed in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
    delete them from there too. For both the ModuleUsage and SharedDLLs registry keys make sure that you only delete the two entries for MediaTicketsInstaller.ocx and WinadX.dll and nothing else.

Are the below files the ones you could not find? Did you look in safe mode with hidden files, folders and system files viewable?
    C:\WINDOWS\SYSTEM32\TFTP204
    C:\WINDOWS\SYSTEM32\TFTP3044
    C:\WINDOWS\SYSTEM32\TFTP3352
    C:\WINDOWS\SYSTEM32\TFTP3884

    Try running McAfee Avert Stinger: http://www.majorgeeks.com/download4063.html
    You should be able to run this in normal boot as well as safe mode if necessary.

    Then rescan with RAV & BitDefender again. Let me know the results.
     
  8. dazed&confused

    dazed&confused Private E-2

    Thanks again, chaslang. You have been a great help! :)

    I searched in safe mode and double-checked my selection for "show Hidden/System files" and made sure to choose to show all extensions prior to search, but I still could not find the files. I tried searching both ways, with Advanced Search settings, and manually with Windows Explorer. Those files are nowhere to be found.

    I can't figure out what is going on with this system. Even though I couldn't find them with a Search, Norton and BitDefender both still found MediaTicketsInstaller.ocx, and BitDefender still found WinadX.dll as well.

I deleted the Registry keys that contained those two files while I was in safe mode, and restarted a couple of times, then went back into Regedit to make sure they stayed deleted. I think the Keys are gone for good. I haven't seen them come back. Does that mean that it is safe to assume that they are not running anymore?

Stinger did not find anything but RAV still found the four other files I mentioned earlier. Here is the summary:

    Scan started at 9/13/2004 10:27:26 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\SYSTEM32\TFTP204 - Backdoor:IRC/SdBot.dam#2 -> Infected
    C:\WINDOWS\SYSTEM32\TFTP3044 - Backdoor:IRC/SdBot.dam#2 -> Infected
    C:\WINDOWS\SYSTEM32\TFTP3352 - Backdoor:IRC/SdBot.dam#2 -> Infected
    C:\WINDOWS\SYSTEM32\TFTP3884 - Backdoor:IRC/SdBot.dam#2 -> Infected

    Scanned
    ============================
    Objects: 34014
    Directories: 2435
    Archives: 2810
    Size(Kb): 1454754
    Infected files: 4

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 63

    I figured it would still find them, because I haven't deleted them yet. I found them with my search, but I was hesitant to delete them because they are in the System32 folder with several other files similar to them and an .exe file that was described as "Trivial File Transfer Protocol App" by Microsoft. I wasn't sure what this program did, and I was afraid deleting the four files would render the program inoperative (not to mention causing errors with the system). Do you think it is safe to delete them?

    As always, thank you very much for your help. I am open to any suggestions at this point. I am starting to think a format/re-load may be the only option for a clean computer at this point. Whatever these things are, they sure are stubborn.

    Thanks again,

    --dazed&confused--
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After deleting the registry keys are Norton & BitDefender still finding MediaTicketsInstaller.ocx and BitDefender still found WinadX.dll?

    If yes, that is because Microsoft (in their somewhat typical stupidity) does not show files in the Downloaded Program Files folder. Please download and install ExplorerXP: http://www.majorgeeks.com/download4201.html

    And use it to look in that folder for those files. If found, delete them.

    Delete the below 4 files, they are not part of tftp.exe (which is a valid program).
    C:\WINDOWS\SYSTEM32\TFTP204 - Backdoor:IRC/SdBot.dam#2 -> Infected
    C:\WINDOWS\SYSTEM32\TFTP3044 - Backdoor:IRC/SdBot.dam#2 -> Infected
    C:\WINDOWS\SYSTEM32\TFTP3352 - Backdoor:IRC/SdBot.dam#2 -> Infected
    C:\WINDOWS\SYSTEM32\TFTP3884 - Backdoor:IRC/SdBot.dam#2 -> Infected
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, I just determined that ExplorerXP has a bug. It shows the files in that directory but if you try to delete the file the program has an error and aborts.

    Let's just use the command prompt to do this. Do the following:
    Click Start, Run, and in the open box enter "cmd" without the quotes then click OK
    In the command prompt window that comes up enter the following sequence of commands:
    cd "c:\windows\Downloaded Program Files" <--- you need the quotes here
    del MediaTicketsInstaller.ocx
    del WinadX.dll

    If you get an error trying to delete those files, do this and then repeat the above two del commands:
    attrib -s -h -r MediaTicketsInstaller.ocx
    attrib -s -h -r WinadX.dll

    Let me know how this works out.
     
  11. dazed&confused

    dazed&confused Private E-2

    chaslang,

Thank you! Thank you! Thank you! :) :) :) You are the greatest! You have helped me straighten this mess out. I am forever grateful.

    I think all the scumware has finally been removed. The command line removal of those files worked great. I have run all the scans, and they came up clean. Hopefully this computer is done now (for a while anyway). I just hope my friend doesn't let it get like this again.

    Thanks again for all the help.

    --dazed&confused--
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You're welcome! And here is a canned speech some of which you may already have:

    Make sure you get your system protected from reoccurrence of issues like this. Here are some simple steps you can take to reduce the chance of infection in the future. I strongly encourage you to do them all.

    1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Do this at least once a month.
    b. Never add any site to your Trusted Sites Zone.

    2) Anti Virus: make sure you have one and keep it updated. Here are some good free ones:
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
    The top two hands down. Better than Norton or McAfee!
    Only run ONE AV!

    3) Firewall: if you don't have one get one of these below. The last two are free versions:
Don't care if you're on dial up or High Speed....you must have a firewall
    http://majorgeeks.com/download738.html Kerio Personal Firewall
    http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
    http://www.majorgeeks.com/download388.html ZoneAlarmFree

    4) Get a Temp File/Cookies/index.dat cleaner
    http://majorgeeks.com/download4191.html CCleaner (Crap Cleaner)

    5) SpyWare Prevention (These prevent, they are not scanners. Scanners are listed later.)
    http://majorgeeks.com/download2859.html SpyWare Blaster
    http://majorgeeks.com/download3045.html SpyWare Guard

    6) SpyWare Scanners/Removers
    http://majorgeeks.com/download2471.html SpyBot (Use the Immunize feature. I don't activate the TeaTimer)
    http://majorgeeks.com/download506.html Ad-aware SE
    http://www.majorgeeks.com/download4283.html VX2 Cleaner Plug-In for Ad-Aware
     
  13. dazed&confused

    dazed&confused Private E-2

    Yes. I have already given them "The Speech" about safe surfing, keeping programs updated, and scanning on a regular basis. :) I also printed out your previous reply and gave it to them so they would have your suggestions. Hopefully they will take your advice. If not, I may have to call on your expert advice again.

    You have been a great help. Thanks again for all your help. I couldn't have done it without you.

    --dazed&confused--
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're most welcome!
     
