Malware Help Please

Discussion in 'Malware Help (A Specialist Will Reply)' started by lostriver, Aug 4, 2006.

  1. lostriver

    lostriver Private E-2

    HISTORY: I volunteered to help a friend with a PC from her business that was taken over by malware (pop-ups, trojans etc.). SurfSideKick, Mirar, CWSHidden.dll, PurityAd and several trojans were among the things that were found in scans using Ad-aware, CW Shredder, Spybot S&D, Windows Defender, Ewido, Trend Housecall online scan, and Panda Scan. I was able to get rid of many things by myself prior to coming across this forum, but I have a suspicion (which I believe has been confirmed) that something is still lingering. They used the computer all week and didn't notice any problems, but to make sure I have taken it home for the weekend to double check my efforts.

    I have started the cleaning process over by following your "READ & RUN ME FIRST" instructions. Results follow:

    1. Nothing malicious seen in add/remove programs

    2. Nothing found in BitDefender quarantine

    3. GetRunKey run (log attached)

    4. ShowNew run (log attached)

    5. Ccleaner run w/default settings

    6. MS Malicious Software Remove Tool -- nothing found

    7. Spybot S&D -- nothing found

    8. Windows Defender -- nothing found

    9. Bitdefender online scan -- nothing found (log attached)

    10. Panda Activescan -- only cookies found (log attached)

    11. HijackThis run per instructions (log attached)

    NOTES:
    1. While BitDefender online scan was running, the BitDefender AV window popped up and stated it had blocked the trojan "Adware.PurityScan.D" in Receptionist\Application Data\?pppatc~1\jvaw~1.exe.

    2. While Panda was scanning I happened to notice several files named SurfSideKick##.zip (the "##" were different #'s from ~1-20). This was located in a C:\Program Files\Spybot - Search & Destroy\Recovery. The files will show up in a search, but if you navigate to the Spybot S&D directory the folder "Recovery" can not be seen. I don't have this on my PC, so I assume this is not a normal part of Spybot S&D.

    3. In the folder \Receptionist\Application Data there is a folder named AppPatch and a second folder named Microsoft which sort down to the bottom of the list alphabetically. These seem suspicious.


    Thanks in advance for any help you may be able to provide.
     


  2. lostriver

    lostriver Private E-2

    Additional attachments
     


  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    << The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 5.0 Update 7 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh logs from GetRunKeys and ShowNew.
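    The steps above rely on GetRunKey and ShowNew to show what autostarts and what files appeared recently. The following read-only PowerShell triage script is an added example, not a tool from this thread or from MajorGeeks; it collects the same two kinds of evidence (autostart Run/RunOnce entries and recently created or hidden items under a profile folder) so they can be reviewed before anything is deleted. It assumes PowerShell 2.0 or later; the 7-day window and the profile root are assumptions and can be changed with the parameters.

```powershell
# Added example (not from this thread): read-only triage that mirrors what
# GetRunKey and ShowNew report. Assumes PowerShell 2.0+; nothing is modified.
param(
    [int]$Days = 7,                           # assumption: "new" = created in the last 7 days
    [string]$ProfileRoot = $env:USERPROFILE   # assumption: the profile folder to inspect
)

# Well-known autostart locations (real keys; the list is deliberately not exhaustive).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
            if ($p.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

function Get-RecentFiles {
    param([string]$Root, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    # -Force includes hidden and system files, which is what we care about here.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $cutoff } |
        Select-Object FullName, CreationTime, Length,
            @{ Name = 'Hidden'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } }
}

function Get-HiddenDirectories {
    param([string]$Root)
    # Listed separately: the thread's "Recovery" folder showed up in a search but
    # not when browsing, which is how a hidden directory behaves in Explorer.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
        Select-Object FullName
}

"=== Autostart entries ==="
Get-AutostartEntries | Format-Table Key, Name, Command -AutoSize

"=== Files created in the last $Days days under $ProfileRoot ==="
Get-RecentFiles -Root $ProfileRoot -Days $Days |
    Sort-Object CreationTime -Descending | Format-Table -AutoSize

"=== Hidden directories under $ProfileRoot ==="
Get-HiddenDirectories -Root $ProfileRoot | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt as the affected user (or point `-ProfileRoot` at that user's profile); the output is only a listing, so the decision about what to remove still goes through the helper reviewing the logs.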
     
  4. lostriver

    lostriver Private E-2

    Shadow,
    Thanks for the help. I carried out your instructions, except I am unable to uninstall the current version of Java. It appears that there is something on a network drive "F" which is needed to perform the uninstall. Because of this I did not install the updated version. I hope this is something that can wait until I take the computer back and reconnect it to the network.
    Everything else seemed to go without a hitch -- the new RunKeys and ShowNew logs are attached. Thanks again.
     


  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Everything looks fine in the logs.

    Yes, the Java update can wait until the computer is reconnected to the network. Don't forget to do the update and uninstall all old versions. Otherwise, the system will be vulnerable to infection.

    Flush all your restore points and create a new clean one for your system.

    Disable And Enable System Restore
    How to Protect yourself from malware!

    Safe surfing.
     
  6. lostriver

    lostriver Private E-2

    Thanks for all your help S_P_D. One last minor question: Can the suspicious folders mentioned in #3 at the bottom of my original post be deleted? They are empty, but seem strange. Thanks.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's probably safe to delete those, since they are empty.
     
