Recovering from Huge Infestation

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Bitty_Byte, Dec 27, 2004.

  1. Bitty_Byte

    Bitty_Byte Private E-2

    Hello there,

    I've followed your lead post step by step till... Very nice guide. Thank you.

    I'm on the trailing edge of cleaning up a neighbor's system - I never knew how much crud someone could get installed on their computers :rolleyes: I knew I was in for it when Adaware started out finding almost 1500 items...

    Worms, Trojans, Virii, Spyware, you name it... VX2 was my favorite to get rid of.

    Anyway, I think it is all mostly clean, but I have a couple of nagging questions and doubts before I can be sure I'm done.

    ZoneAlarm keeps seeing Process 1888 (application: l?ass.exe) trying to access the Internet - I keep denying till I know what it is...so far doesn't seem to hamper anything. Is this a valid program or malware remnants?

    ZA also sees wtta.exe trying to reach out - I keep denying - and again, life is normal without it.

    I managed to manually update to SP2 (XP Home) because I cannot get Windows Update to run - the page loads and hangs at "Checking for the latest version of the Windows Update software..." I've hunted for solutions, but nothing has worked yet. I regained the Recycle Bin functionality after VX2 - is this the same kind of induced problem? Any suggestions? I'd like them to get updates automatically since they seem to need all the help they can get. No...automatic updates are set, but not functioning either.

    Lastly, I finally got rid of the last clinging virii (Downloader.Qoologic.J and .K) on an online scan from safe mode, but now http doesn't seem to function anymore though I can do a manual ping with both IP and plain name addresses (so rules out DNS settings). I retried the LSPfix I found which regained my ethernet port (which started this whole thing) but no luck on that.

    I can use any help I can get after my five day long crash course on this project. I'm afraid of being burnt out and missing something. I can provide a HijackThis log if you wish.

    Thanks for your consideration.
     
  2. 2freaky4church

    2freaky4church Private E-2

    Yes, I hear you about AdAware. I had a complete browser hijack and crazy shit on the comp that would not let it do anything. I ran the thing in safe mode just once, and AdAware really calmed everything down. It is easily the best ad software you can have.

    Best to run it every day before surfing. Make sure to have that vx tool in there too. I'm sure there is still spyware on the comp, but at least it helps get rid of a lot of bugs and spyware.

    Internet Explorer seems to get infected easily. I did notice that Yahoo Launch really downloaded lots of crap. I'd advise people to avoid using that thing. If you want to look at video, just rely on RealPlayer or Windows Media only.
     
  3. Bitty_Byte

    Bitty_Byte Private E-2

    I added all the good stuff and will be telling them to run the apps regularly - the worst I get on my own computer are some tracking cookies now and then. Education is everything. I replaced their Real and Quicktime apps with the "Alternative" versions, which are just the codecs with media player shells.

    I just want to make sure I've got things in order so I can turn on system restore again and have a good restore point in case their son puts Kazaa and blubster back on after he is done being grounded from the computer ;)
     
  4. Bitty_Byte

    Bitty_Byte Private E-2

    Sorry - not a bump, but an update.

    The Trojan Downloader.Qoologic.J (Windows\System32\hmplhl.exe) and Downloader.Qoologic.K (Windows\System32\czglcl.dll) are back somehow?!? :eek:

    But due to this, I have http again in safe mode, so am rerunning virus scans now. I'm glad I didn't give their computer back like this, but I am genuinely stumped...on top of the problems from my first post in this thread...
    The Trend Micro scan found the czglcl.dll file and called it Narrator something, but couldn't clean...I'd have the full name, but the browser crashed and I now have no http in safe mode again :confused:

    Anyone willing to take this one on, please?

    Thanks,

    Bitty_Byte
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have followed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem, follow the guidelines below for posting a HijackThis log attachment.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  6. Bitty_Byte

    Bitty_Byte Private E-2

    Thanks - here it goes
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    wtta.exe
    l?ass.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKCU\..\Run: [eB0qRha6i] jvi_os.exe
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
    O4 - HKCU\..\Run: [Qgprp] C:\WINDOWS\System32\l?ass.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 209.8.20.130
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Owner\Application Data\wtta.exe
    C:\Windows\System32\jvi_os.exe


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
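The fix list above is the kind of triage a helper does by eye over a HijackThis log: orphaned entries that point at files that are gone, Run keys launching from odd places or with undisplayable characters in the name, Trusted Zone additions, and local-file ActiveX downloads. The script below is an added example of that triage written down as rules; it is my code, not part of the thread and not HijackThis's own logic. The sample lines are constructed to mirror the entries quoted above (the AVG7 line is invented as a benign control), and the rules are heuristics that say "look closer", not verdicts.

```python
import re

# Constructed sample in HijackThis log format. The suspicious lines mirror the
# entries quoted in the thread; the AVG7 line is made up as a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [eB0qRha6i] jvi_os.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Qgprp] C:\WINDOWS\System32\l?ass.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 209.8.20.130
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
""".strip().splitlines()

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<path>.*?\.exe)", re.IGNORECASE)
# Folders a legitimate autostart almost never launches from on XP.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def triage_run_entry(cmd):
    """Heuristics for one Run-key command line; returns a list of reasons."""
    m = EXE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip()
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in path:
        # No directory: Windows resolves it via the search path at logon.
        reasons.append("bare file name, resolved via the search path at logon")
    if any(d in path.lower() for d in PROFILE_DIRS):
        reasons.append("executable lives in a user profile data folder")
    if any(ch == "?" or not (32 <= ord(ch) <= 126) for ch in base):
        # HijackThis prints '?' for characters it cannot display (assumption).
        reasons.append("undisplayable character in file name (possible system-name lookalike)")
    return reasons


def triage_line(line):
    """Reasons a single HJT line deserves a closer look (empty list = nothing found)."""
    reasons = []
    tag = line.split(" - ", 1)[0]
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphan: registry points at a file that is gone")
    if tag == "O4":
        m = RUN_RE.match(line)
        if m:
            reasons += triage_run_entry(m.group("cmd"))
    elif tag == "O15":
        reasons.append("Trusted Zone/IP entry: site gets relaxed IE security settings")
    elif tag == "O16" and "file://" in line.lower():
        reasons.append("ActiveX download from a local file:// path")
    elif tag == "O23" and " - Unknown - " in line:
        reasons.append("service with unknown publisher")
    return reasons


def triage_log(lines):
    """Return [(line, reasons)] for every line that tripped at least one rule."""
    out = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

The benign AVG7 line passes every rule; the other eight are flagged, and the O23 line trips two rules (missing file and unknown publisher), which matches why an orphaned service entry is safe to fix.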
     
  8. Bitty_Byte

    Bitty_Byte Private E-2

    In services I only see two lsass.exe images:

    One belongs to SYSTEM using 1300K of memory
    The other belongs to Owner using 6880k of memory

    Should I delete one, both, or neither of these?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Neither! The process that HijackThis indicated was l?ass.exe not lsass.exe. They are not the same. lsass.exe is a valid required Windows process. You could use HJT's Misc Tools and look at its Process List and see if you find l?ass.exe
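The point in the reply above, that l?ass.exe and lsass.exe are different processes even though they look alike, generalises to a check a helper can run over a process listing: a name one character away from a core system process, a core name running from the wrong directory, or a core name owned by the wrong account. The snippet below is an added example of that check (my code, not chaslang's and not a HijackThis feature). The process snapshot is constructed; the lookalike entry uses a Cyrillic letter in place of the "s", and PID 1888 is reused from the ZoneAlarm alert in the first post, but what character the log actually rendered as "?" is an assumption, not something the thread states. The expected paths and owners are for Windows XP with %SystemRoot% at C:\WINDOWS.

```python
SYSTEMROOT = r"C:\WINDOWS"

# Where the core XP processes are expected to live (subdirectory of %SystemRoot%)
# and which accounts may own them; None = any interactive user, as for the shell.
CRITICAL = {
    "lsass.exe":    ("system32", {"SYSTEM"}),
    "csrss.exe":    ("system32", {"SYSTEM"}),
    "winlogon.exe": ("system32", {"SYSTEM"}),
    "services.exe": ("system32", {"SYSTEM"}),
    "svchost.exe":  ("system32", {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}),
    "explorer.exe": ("", None),
}
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed snapshot: (pid, image name, owner, image path). The Cyrillic letter in
# the PID 1888 entry stands in for whatever character HijackThis printed as '?'
# (an assumption); the svchost.exe in the Windows root is an invented wrong-path case.
SAMPLE_PROCESSES = [
    (4,    "System",         "SYSTEM", ""),
    (612,  "lsass.exe",      "SYSTEM", r"C:\WINDOWS\system32\lsass.exe"),
    (1888, "l\u0455ass.exe", "Owner",  "C:\\WINDOWS\\System32\\l\u0455ass.exe"),
    (1500, "wtta.exe",       "Owner",  r"C:\Documents and Settings\Owner\Application Data\wtta.exe"),
    (1024, "explorer.exe",   "Owner",  r"C:\WINDOWS\explorer.exe"),
    (1700, "svchost.exe",    "SYSTEM", r"C:\WINDOWS\svchost.exe"),
]


def one_char_off(a, b):
    """Same length and exactly one differing position (lsass.exe vs l?ass.exe)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def lookalike_of(name):
    """Critical process name this one imitates, or None if it is exact or unrelated."""
    n = name.lower()
    if n in CRITICAL:
        return None
    # Fold anything outside printable ASCII to '?' so a substituted non-ASCII
    # letter counts as one differing character, just like a plain typo-squat
    # (svch0st.exe). Insertions/deletions are out of scope for this check.
    folded = "".join(c if 32 <= ord(c) <= 126 else "?" for c in n)
    for crit in CRITICAL:
        if one_char_off(folded, crit):
            return crit
    return None


def check_process(pid, name, user, path):
    """Reasons one process deserves manual verification (empty list = nothing found)."""
    reasons = []
    n, p = name.lower(), path.lower()
    crit = lookalike_of(name)
    if crit:
        reasons.append(f"name is one character away from {crit}")
    if n in CRITICAL:
        subdir, owners = CRITICAL[n]
        expected = (SYSTEMROOT + "\\" + subdir + "\\" if subdir else SYSTEMROOT + "\\").lower() + n
        if p != expected:
            reasons.append(f"runs from {path or '(no path)'}, expected {expected}")
        if owners and user.upper() not in owners:
            reasons.append(f"runs as {user}, expected one of {sorted(owners)}")
    if any(d in p for d in PROFILE_DIRS):
        reasons.append("image lives in a user profile data folder")
    return reasons


def suspicious_processes(procs):
    """Map pid -> reasons for every process that tripped at least one rule."""
    result = {}
    for pid, name, user, path in procs:
        reasons = check_process(pid, name, user, path)
        if reasons:
            result[pid] = reasons
    return result


if __name__ == "__main__":
    for pid, reasons in suspicious_processes(SAMPLE_PROCESSES).items():
        print(pid, reasons)
```

Note what is not flagged: the real lsass.exe (SYSTEM, System32) and explorer.exe (the user's own shell in the Windows root) pass cleanly, so the check separates "looks like a system process" from "is the system process" the same way the reply does.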
     
  10. Bitty_Byte

    Bitty_Byte Private E-2

    Thanks for the advice. :D

    l?ass.exe did not show up in the Windows task manager, but was in the Hijack This process manager...go figure. Both suggested processes were deleted and all suggested HT entries deleted.

    After rebooting into safe mode, I could not find the wtta.exe or jvi_os.exe files to delete - neither in the listed directories nor in a computer wide search, including hidden folders...

    I rebooted and test drove the system after taking the new HT snapshot:

    -The processes were gone and nothing is coming up pestering ZoneAlarm to get out.

    -I virus scanned the drive and AVG noted the czglcl.dll file is now gone as well

    -Windows Update is still hosed and does not get past "Checking for the latest version of the Windows Update software..." I also cannot access the automatic updates applet in the control panel - nothing happens if I click on it. Any ideas on these? Is there some fix like with the VX2 recycle bin thing or should I take it to another forum?

    -Everything else seems to be great now.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. Bitty_Byte

    Bitty_Byte Private E-2

    That entry disappeared since I manually deleted that file trying out a suggestion from the software forum history before your reply.

    I got the Windows Update problem fixed. I finally googled this up and it worked - http://reviews.cnet.com/5208-6142-0.html?forumID=5&threadID=51555&messageID=616145

    I also removed the Odysseus Marketing actsetup.cab setting

    I think all is good now. Thanks for the excellent advice and services. I'm glad I found your forums - definitely bookmarked for the future.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

