Logs from XP Home

Discussion in 'Malware Help (A Specialist Will Reply)' started by chookers, Jan 5, 2009.

  1. chookers

    chookers Staff Sergeant

    Friends' computer:
    AMD 2.0 Ghz
    1gb RAM
    XP Home SP3
    Norton SystemWorks 2006
    Firefox 1.5.0.12
    IE 7
    Normally on dial up - currently at my home borrowing our broadband.

    This may not be all the notes - I was saving them but had an oops! so this is what I can remember.

    All scans run in the same Admin account in Normal mode unless otherwise noted or instructed.

    Sometime during the guide, Windows updated via the broadband.

    Uninstalled via Add/Remove:
    My Web Search
    Shopper Reports

    Updated Java from 5. something (10 I think)

    I had a bit of trouble with msconfig - it didn't always seem to stick as whatever it had been set to. (On one boot when I was preparing, msconfig restarted with items being controlled from starting and I had to set it back to Normal Startup.) Also, the Aim entries in Startup seem to have gone and I don't think I removed them. The startup on this computer in this admin account was frighteningly slow - 10-15 minutes. Before starting on the Read Me, I disabled a few but comments on any others that can be removed are welcome.

    Norton Quarantine was easily emptied but the protected recycle bin caused me a bit of trouble. I had to restart in safe mode and use the command prompt. The folder nprotect wouldn't delete. I looked for hidden files, found a lot and deleted them. I then searched for system files, found a lot of those and deleted them. There were no files left after that and I was able to delete the nprotect folder. I then rebooted back into normal mode.

    Ccleaner was run in all accounts, including the hidden administrator accessible via safe mode.

    SAS gave no trouble.

    Spybot - version 1.4 was installed. I installed 1.6 into the same program folder, disabling the TeaTimer during install. After a restart further down the guide, the TeaTimer had re-enabled - this was not my doing. Otherwise, no problems.

    I tried twice to run Malwarebytes in normal mode. Both times it found 11 items and crashed while trying to remove them. I booted into safe mode, approx. 130 items were found and successfully removed and a log created. I then rebooted to normal mode.

    ComboFix - I installed the Windows Recovery Console as per instructions for Home SP2 with no CD. When ComboFix started scanning, it asked whether I wanted to install the console, so I agreed and it concluded that it already had been.

    MG Tools ran fine.

    Prior to me running through the guide with this, Outlook Express wasn't sending - there are 3 entries for the same mail account in the same identity. I won't be checking if that is fixed for a few days. At this stage I have no reason to believe it's related to the malware issues.

    As a protection while the computer logs are checked, I am putting WOT on FF and would like to update to version 3 and add NoScript as soon as you give the word.

    When you try to run something as an administrator from a user account, two choices are given, one called 'user' and one of the administrator accounts, not this one. This is supposed to be the main administrator account but is not accepted for Run as... if you type in the details.

    Apart from Ccleaner, everything was run in this administrator account - does it matter if a user account is used? Does it matter to run the programs in each user account or just one?
     

    Attached Files:

  2. chookers

    chookers Staff Sergeant

    MGTools zip added.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground, and it can also cause performance degradation especially when you start saving large files here like you are doing.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O24 - Desktop Component 0: (no name) - file:///C:/Documents and Settings/User/Desktop/PB300240.JPG

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
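    As an added example (not part of this thread, and not code from HijackThis or MajorGeeks), the following Python script parses the five HijackThis line types quoted in this post and flags the conditions that typically make a helper select an entry for Fix: a BHO whose registered DLL is missing or has no file, an Internet Explorer policy key under HKCU, a context-menu item whose target is neither a URL nor a local path, and an Active Desktop component. The sample lines are constructed from the entries above (plus the WMPNSCFG O4 line quoted later in the thread as a benign contrast); the regular expressions, the HjtEntry class and the flag wording are my own assumptions about the log format, not a HijackThis API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the five lines the helper asked to fix in this
# post, plus the WMPNSCFG O4 entry quoted later in the thread as a benign
# contrast. Not a real log from the poster's machine.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJfox000
O24 - Desktop Component 0: (no name) - file:///C:/Documents and Settings/User/Desktop/PB300240.JPG
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
"""


@dataclass
class HjtEntry:
    kind: str                 # O2, O4, O6, O8, O24, ...
    raw: str                  # the original log line
    name: str = ""            # BHO name, Run value name, menu caption, ...
    clsid: str = ""           # only for O2 (BHO) entries
    target: str = ""          # file path, registry key, URL or query string
    flags: List[str] = field(default_factory=list)


# Assumed line shapes, derived from the entries quoted in the thread.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(HK\w+\\.*?\\Run\w*): \[(.*?)\] (.*)$")
MENU_RE = re.compile(r"^Extra context menu item: (.*?) - (.*)$")
DESKTOP_RE = re.compile(r"^Desktop Component \d+: \((.*?)\) - (.*)$")


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line into an HjtEntry, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    e = HjtEntry(kind=kind, raw=line.strip())

    if kind == "O2" and (b := BHO_RE.match(body)):
        e.name, e.clsid, e.target = b.groups()
    elif kind == "O4" and (r := RUN_RE.match(body)):
        _key, e.name, e.target = r.groups()
    elif kind == "O8" and (mm := MENU_RE.match(body)):
        e.name, e.target = mm.groups()
    elif kind == "O24" and (d := DESKTOP_RE.match(body)):
        e.name, e.target = d.groups()
    elif kind == "O6":
        # "<policy key> present": keep just the key as the target
        e.target = body[:-len(" present")] if body.endswith(" present") else body

    # Heuristics a helper applies when deciding what to select for Fix.
    low = e.target.lower()
    if low.endswith("(file missing)") or low.endswith("(no file)"):
        e.flags.append("orphaned: registered component has no backing file")
    if kind == "O6":
        e.flags.append("IE policy restriction set under HKCU")
    if kind == "O8" and not re.match(r"^(https?://|[a-z]:\\)", low):
        e.flags.append("context-menu target is neither a URL nor a local path")
    if kind == "O24":
        e.flags.append("Active Desktop component present")
    return e


def parse_log(text: str) -> List[HjtEntry]:
    """Parse every recognisable line of a HijackThis log."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text: str) -> List[HjtEntry]:
    """Return only the entries that tripped at least one heuristic."""
    return [e for e in parse_log(text) if e.flags]


def report(text: str) -> List[str]:
    """One human-readable line per flagged entry."""
    return [f"{e.kind:<4} {e.name or e.target}: {'; '.join(e.flags)}" for e in flagged(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_HJT):
        print(line)
```

    Run as a script it prints one line per flagged entry; the benign O4 entry (a Run value pointing at an existing Windows Media Player executable) is parsed but not flagged, which is the distinction a helper makes when reading these logs by hand.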
     
  4. chookers

    chookers Staff Sergeant

    Thanks, Chaslang. I'm not sure how soon you close threads for lack of response, so I thought I'd leave a message to say I haven't had chance to get back to this and am about to go away so may not get back to it until 2-3 weeks from now.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We don't close threads unless requested by the user. I would recommend running the previous step by chaslang as soon as possible because the longer the infection remains the more it could spread causing a more time consuming fix.
     
  6. chookers

    chookers Staff Sergeant

    First, some general comments that may be relevant (a few with questions) and then responses to the instructions:

    Well, it took a lot longer than expected to get back to this, due to the family who own the computer hitting a rough couple of months with illness. Meantime, they have tried to avoid using the computer much and keep it off the internet, although it hasn't been completely possible. They've relied on Norton and a bit of online scanning (such as Housecall) to try to keep things from getting any worse. At one point, Norton reported it had found a trojan but I'm guessing it was referring to ComboFix, which I found in quarantine. Norton has also quarantined an MP3 file, saying that it was infected with a Trojan and has replaced the original with a cleaned version - don't know if that was necessary since that file has been on the computer for over a year. One of the scans also found a file in Temp that it advised was a virus and which was manually deleted by the family. It was in Temp\V14KFHa05720.

    The account being used to clean up and the one which is used to go on the internet was an Administrator account which has been demoted to a user account. Sometimes though, in going through these instructions, I had to promote it back to admin to do the job. Run as... didn't always work. A new administrator account has been created to cover administrative tasks and that account won't go on the internet. The new account is BossUser.

    Although I know that the request is to not install new software during this time, I did update Firefox from a version 1 to version 3.0.7 (the latest version when installed) and added NoScript and AdBlock Plus, updated WOT (all these in Firefox) and installed Sandboxie. This was because I didn't anticipate having the time and opportunity to continue cleaning and reporting back, (which I did end up able to do on the following day) and was trying to help keep the computer protected - they are on dialup so they don't have the advantage of the hardware firewall of a broadband user. I'm hoping that by letting you know exactly what was done, it will make it easier for you.

    I found and removed three .part files; one was in a .limewire folder, which I also deleted. Limewire was being used a long time ago, when the user didn't realise that what was being downloaded wasn't free (too young and the parents didn't know of/about Limewire) and that Limewire users often "catch" viruses. I imagine the folder was left over from then.

    Windows Desktop Search was running on this computer and after reading that it can slow down your computer, we removed it. The slowness of this computer was unbelievable!! I think the computer is running faster now.

    The dialup box keeps popping up, at times even when we have the computer connected via our broadband modem. I don't know what is causing this. LiveUpdate is set to check every 4 hours and seems to cope quite well with the idea of using whatever connection is available. I think Firefox and Internet Explorer are also coping with either connection.

    Comments with questions:

    This computer was taking a ridiculously long time to load up (at least 10 minutes although the first time I tried to run the Read Me was more like 20 minutes and I couldn't do anything during that time AT ALL!) so at some point (just a few days ago) I disabled some startup items with Ccleaner (I think it was just before installing the Firefox/Sandboxie things) intending to re-enable them before following the instructions but I'm afraid I forgot to re-enable them. I'm confident none are spyware, just programs that REALLY don't need to load at startup, such as some printer and photo software. However, all except for:
    were re-enabled somewhere along the line during the fixes but not by me. I assume you'd like that one re-enabled, too? (At some point I'm going to get rid of everything from Startup that isn't necessary - bootup takes forever!)

    I tried to use msconfig to force access to Safe Mode a few days ago (can't remember why I wanted Safe Mode) but found all the boot options are unavailable (greyed out), even when the account is an administrator account. (It's the same for all the administrator accounts on the computer.) Not being sure what Timeout was for, and thinking maybe it was how long the computer paused before loading Windows, I tried changing that. After using Safe Mode, I told the computer to use Normal boot options again (at least, I think I did although I'm now wondering if I made the mistake of just changing the Timeout value back) and on one restart, got a message that Selective Startup was being used. I offer this information in case it's relevant to what is going on - I may have made a mistake about setting it back to Normal Startup. Surely the Boot Options shouldn't be unavailable and especially to the administrators?!

    There is an icon in the System Tray that claims that their version of Office 2007 isn't genuine. Since I helped them with buying it over the internet, I know for sure it's genuine and if you try to use the Activate button, it says it’s activated. I was wondering if a registry entry may have gone astray that caused this or a virus issue. Would a reinstall solve that problem?

    Windows Media Player Network Sharing Service regularly causes a prompt in Zone Alarm - I am assuming it's turned on somewhere but can't figure out how to turn it off. I assume it isn't masquerading virus activity? (Update - I think I found that - time will tell.)

    The owners think they may have had a flash drive become infected from the computer. Can you advise on the likelihood, based on the logs so far, and whether it may be possible to deal with the flash drive by using Mac OS 9 or X and scanning the drive at somewhere like Trend? We have access to both OS's and I'm assuming the Mac won't be compromised?

    Now to the instructions and results:

    -- Desktop cleaned up. This was done after running Ccleaner and before running GetLogs.bat. I would have preferred (and doubtlessly you would too) for it to be done before running anything but it was just how things worked out. So apologies if that has made it harder.

    -- Because ComboFix had 'disappeared' from the desktop and it hadn't occurred to me at that stage that Norton was the culprit, I had to use another version for the fixes you gave because I didn't have a copy of the one I had used and wasn't even sure how to tell which it was. I hope this isn't a problem. Needless to say, I have told Norton to ignore the new ComboFix and the original version is available to us if I remove it from quarantine.

    -- The performance of the computer has been sluggish, although I think it's a bit better.

    -- Windows Messenger successfully removed.

    -- Thanks - I missed that one among a pile of programs new to me. Gone.

    -- These entries were already gone:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O24 - Desktop Component 0: (no name) - file:///C:/Documents and Settings/User/Desktop/PB300240.JPG


    -- This was successful.


    -- Done.

    How it's running.

    The hard drive seems to be constantly busy and the dial up connection box pops up frequently. I found and stopped a couple of scheduled tasks that they don't need which possibly triggered some, but I can't pin down why it happens so frequently. It occurs at least half hourly, seems to want to dial up if you switch to a web page previously loaded (after you have logged off the internet) and until I get all web pages closed down, I won't be sure if the behaviour stops. (Update - when the computer is connected via our broadband, we don't get many dialup-connection-box pop-ups. If the computer is disconnected, the hard drive seems to be busier than when connected and the box pops up reasonably often if you have a web browser open, even when it was only Firefox showing a page I coded up myself with nothing but some links for them. I'm still not sure what the hard drive keeps getting busy over - Norton? Windows indexing?)


    Attached are the requested logs. Thanks for all the help. :)


    To make it a little easier, here's a summary of the questions asked:

    • Re-enable Epson via Ccleaner?
    • msconfig - boot options greyed out.
    • Office isn't marked as genuine.
    • Windows Media Player Sharing - not a virus?
    • Flash drive
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sandboxie and Symantec are not helping in the performance area. Note all of the below processes running from them:
    Not a malware problem. It is how you have the browser connections configured. You can post about this in the Software Forum if you really need to fix this but it should not matter when you give the PC back since that is how they need it to work.
    As stated above, the primary problems are Symantec and Sandboxie. ZoneAlarm also will contribute to slow startup since it takes a while to load up.

    As stated in step 1 of the READ & RUN ME, neither MSconfig nor CCleaner should be used to control startups. We gave you a link explaining how to deal with startups.

    Do you mean only on the boot.ini tab? Or are other options also greyed out on other tabs?

    Yes, it just has to do with a pause to allow a user to choose between different boot options. Changing this is not going to improve your boot time since your problems are with the software that is loading with Windows.

    Don't know. Please post questions like this in the Software Forum.
    Also a question for the Software Forum but it was the below startup:
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

    I cannot answer questions about a Mac, but do not make the mistake of assuming Macs do not get infected. The likelihood of a Windows based infection running in a Mac environment is very low.

    In the future, please complete all instructions in the order they are written.

    Not true according to the MGlogs.zip file you just attached.

    These are not malware problems as stated above.


    Your logs are clean but you should consider doing the below with updated programs since it took so long to complete the last instructions.

    Update your version of SUPERAntiSpyware.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.
     
