Please Help Finish Malware Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by ezbzblue, Jan 28, 2006.

  1. ezbzblue

    ezbzblue Private E-2

    Hi,
    I've been trying to remove malware on a friends 3 yr old Dell running XP Pro.

I did the "READ & RUN ME FIRST...." thing (actually twice, except the HJT fixes). The 1st time CCleaner cleaned up a ton of stuff & the other programs cleaned up about 60 items. The 2nd time the other programs cleaned up 5 items... except for the Panda ActiveScan & the HJT.

When I went to the folders listed in the Panda scan results I only found the switchagreement.txt file. What's the deal?

From reading some of the posts, I see some things in the HJT log that should be fixed but I think I need some expert advice here (not sure I would get them all).

Also, I've been running the programs only from the Administrator account. Do they need to be run from the Limited User account as well?

Your help would be greatly appreciated... Thanks.
     

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please see the below threads on how to install and run Spy Sweeper and Ewido Anti-Malware. After you ran both programs, attach the logs to your next post along with a fresh HJT log from normal mode.
     
  3. ezbzblue

    ezbzblue Private E-2

OK... well, after a couple of botched tries (you'll see in the Spy Sweeper log) & a little sleep I finally did exactly as you instructed.

I had a little trouble working with Spy Sweeper... it finally worked fine after I shut down IE. As you see it did pick up a few more things.

I had run Ewido prior to opening this thread but wasn't sure I had set it up as you required, so I removed it & re-installed it per your instructions. I've attached the prior log & the current one. As you can see this last scan came up clean.

HJT looks cleaner but you tell me... is it OK or do we have more work to do?

    Thanks again
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    c:\eied_s7.cab

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
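The three items named in the fix above (the O6 policy key, the O16 Downloaded Program File entry and the cab it points to) can be re-checked with a read-only PowerShell audit. This is an added example, not from the thread or the MajorGeeks tutorials; the registry paths are the locations Windows uses for IE policies and for Downloaded Program Files, with the CLSID and file name taken from the HJT lines above.

```powershell
# Read-only audit of the items named in the fix above: it reports, never deletes.
# Run it before and after the HijackThis fix to confirm all three are gone.

# O6: a policy key under HKCU that locks the IE Control Panel so the user
# cannot undo a hijacked home page or search page.
$o6Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# O16: the Downloaded Program File (DPF) entry. Windows registers these under
# the Code Store Database keyed by CLSID; the CLSID is the one in the HJT line.
$clsid  = '{64311111-1111-1121-1111-111191113457}'
$o16Key = "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$clsid"

# The cab the DPF entry points to. It may carry hidden/system attributes,
# which is why the post asks for hidden files to be shown before searching.
$cabPath = 'C:\eied_s7.cab'

$stillPresent = @()

if (Test-Path -LiteralPath $o6Key) {
    Write-Host "PRESENT  O6 policy key: $o6Key"
    # Show the restriction values so you can see what the policy enforced.
    Get-ItemProperty -LiteralPath $o6Key | Format-List * | Out-Host
    $stillPresent += 'O6'
} else { Write-Host "absent   O6 policy key: $o6Key" }

if (Test-Path -LiteralPath $o16Key) {
    Write-Host "PRESENT  O16 DPF entry: $o16Key"
    Get-ItemProperty -LiteralPath $o16Key | Format-List * | Out-Host
    $stillPresent += 'O16'
} else { Write-Host "absent   O16 DPF entry: $o16Key" }

# -Force lets Get-Item return hidden and system files as well.
$cab = Get-Item -LiteralPath $cabPath -Force -ErrorAction SilentlyContinue
if ($cab) {
    Write-Host ("PRESENT  cab file: {0} ({1} bytes, {2})" -f $cab.FullName, $cab.Length, $cab.Attributes)
    $stillPresent += 'cab'
} else { Write-Host "absent   cab file: $cabPath" }

if ($stillPresent.Count -eq 0) {
    Write-Host 'All three items are gone.'
} else {
    Write-Host ("Still present: " + ($stillPresent -join ', '))
}
```

Because the script only reads, it is safe to run from both the Administrator and the Limited User account; the O6 key lives in HKCU, so it must be checked under each user that was affected.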
     
  5. ezbzblue

    ezbzblue Private E-2

:) I'm back... did everything you asked.

    Couldn't find c:\eied_s7.cab. Made sure Viewing of Hidden Files & Folders was checked & searched the entire c: drive. Didn't find it.

    When I ran Ad-Aware it only came back with 2 negligible items (see log). I did mark them to be fixed anyway.

    Spybot S&D came back with "No immediate threats found".

All the rest went smoothly & the system seems to be running stable & snappy so far. I'll have a better feeling after I let my friend run it from her dial-up for awhile (I have a router/firewall over here, she only has the software protection I loaded after reading your other threads like "Understanding, Cleaning And Preventing Spyware").

Does the HJT log look good to you? Should I run it again & remove all the entries that refer to programs that have been removed or were run online like Symantec & Housecall etc.?

Should I run CCleaner from the Limited Account now & what's your feeling about running CCleaner's "Scan for Issues", or are there other better or safer programs for cleaning the Registry?

    Thanks Again
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, your HJT log is clean. It's not necessary but if you like you can. It's only ActiveX controls so it's nothing major.

No, I don't recommend anything but the cleaner. The "scan for issues" has been known to cause various problems so I would skip it altogether.

If you want to run a registry cleaner, use something like Reg Supreme Pro or Registry Mechanic.


    Are you having any further problems?
     