-
December 8th, 2004, 05:48 PM
#1
Running out of options
Hey guys,
I'm trying to clean a customer's computer, but I'm running out of options and it still isn't clean...
I've found (for now):
cws.msconfig
cws.svchost
eXact.ISENEng
SearchMiracle with related kalv*.exe files
A hijacked HOSTS file
QDownl Trojan
Dialer-Q
Trojano-620
Trojano-369 (aka Virtumondo... I think)
- The box is XP Pro with SP2, all updates/patches installed.
- It's a programmer's computer, and she's got MySQL server and IIS running on it... I don't have it connected to a network, so the new infections can't come from there...
- I turned off System Restore, and cleaned all TEMP files.
- Did all the regular stuff: CWShredder (found the cws.msconfig and cws.svchost, and cleaned them... they keep coming back, though), AdAware, Spybot, HiJackThis (all in Safe Mode or from BartPE),...
- I cleaned the HOSTS file, made it read-only and removed (un)appropriate permissions. It was hijacked by SearchMiracle...
- Turned on SpyBot's TeaTimer, installed Google Toolbar
- Scanned with BartPE loaded with Avast, and another one with Stinger. Avast found and removed the Trojanos, but they seem to keep coming back...
- ProcessExplorer and TCPView don't show anything abnormal
I'm running Avast from BartPE again (takes around 2 hours... *sigh*) right now...
The problem is that when I do all those things (CWShredder, AdAware, Spybot, HiJackThis, Avast, Tauscan, Stinger,....) it seems to be clean. Reboot the box, though, scan again, and there's a bunch of crap again...
I think that those CWS's are causing all of it, and CA's help page isn't exactly helping... the processes I'm supposed to see aren't running, the files I'm supposed to see aren't there,...
Anything else I can try? Anyone found an application that actually CLEANS a computer instead of just reporting that it cleaned it? I'm on a deadline
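The HOSTS hijack mentioned above is one of the few symptoms in this thread that can be checked mechanically. The following is an added example, not code from any poster or from any of the tools named in the thread: it parses HOSTS-file text and flags entries that override search-engine or AV/update vendor domains (whether redirected to a rogue address or silently blocked via loopback) and any other name that is mapped to a real address. The watched-domain list and the sample HOSTS content are constructed for illustration.

```python
import ipaddress

# Domains that HOSTS hijackers typically override (assumed, illustrative list,
# not taken from the thread): search engines and AV/update vendors.
WATCHED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com",
                    "symantec.com", "mcafee.com", "avast.com")

# Constructed sample HOSTS content, not a real capture from the machine discussed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net          # ad-block style entry, harmless
203.0.113.7     www.google.com              # search engine redirected to a rogue host
203.0.113.7     windowsupdate.microsoft.com # update server redirected
127.0.0.1       liveupdate.symantec.com     # AV update server blocked via loopback
192.168.0.10    devbox.local                # developer's own LAN mapping, worth a look
"""


def parse_hosts(text):
    """Yield (line_number, ip, [names]) for each active (non-comment) HOSTS entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        parts = line.split()
        if len(parts) >= 2:
            yield lineno, parts[0], parts[1:]


def is_watched(name):
    """True if the host name is one of the watched domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return a list of (line, ip, name, verdict) tuples for entries worth acting on."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, " ".join(names), "hijack: unparseable address"))
            continue
        local = addr.is_loopback or addr.is_unspecified   # 127.x / ::1 / 0.0.0.0
        for name in names:
            if is_watched(name):
                # A loopback mapping matters here too: it silently blocks AV and OS updates.
                findings.append((lineno, ip, name, "hijack: watched domain overridden"))
            elif not local:
                findings.append((lineno, ip, name, "review: name mapped to a real address"))
    return findings


if __name__ == "__main__":
    # On a live XP box you would read %SystemRoot%\System32\drivers\etc\hosts instead.
    for lineno, ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip:<15} {name:<30} {verdict}")
```

Running it on the constructed sample reports the three overridden vendor/search domains as hijacks and the LAN mapping as something to review; a stock HOSTS file containing only `127.0.0.1 localhost` produces no findings. Making the file read-only, as the original post did, only helps if the cleaner that rewrites it on each reboot has also been removed.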
-
December 8th, 2004, 05:55 PM
#2
are you running these tools in safe mode?
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
December 8th, 2004, 05:56 PM
#3
Have you run the virus scanner, spyware checkers, and the like all in 'safe mode' so you can make sure the viruses aren't latching onto other programs during the checks?
Try this:
1. Boot into safemode
2. Run the virus scanner, clean anything it finds.
3. Run the virus scanner again, clean anything it finds (just in case the viruses try an "escape the Titanic" move)
4. Run the spyware cleaners.
5. Run them again, for the same reason as #3.
6. ???
7. See if that solved your problem!
-
December 8th, 2004, 05:58 PM
#4
Good god! I thought a computer programmer would be 'smart' enough to protect oneself!?! Oh well.. May I ask, is reinstalling an option?
-
December 8th, 2004, 06:00 PM
#5
I didn't run the AV's in Safe Mode... I ran them from BartPE-disks, though... would running them from Safe Mode make a difference as opposed to running them from BartPE?
The spyware cleaners I did run in Safe Mode (and from BartPE, just to make sure)...
And no, reinstalling is absolutely not an option (she doesn't have her original Windows disks anymore, and she's got JBuilder and stuff on there...no original disks anymore, either)
-
December 8th, 2004, 06:10 PM
#6
Hey Neg,
One of the best combo's in addition to the AV and Malware cleaners you have already used is:
Xen by Paul Brown and Clean Disk Security. They get into everything, swap file, index.dat, etc. Be careful to read the menu items and options provided in the clean up process, especially with XEN. It will even delete fonts, screen savers etc.
Other than some registry work, that should finish the job.
cheers
Connection refused, try again later.
-
December 8th, 2004, 06:25 PM
#7
Thanks Relyt!
I just installed those two and I'm about to check...
-
December 8th, 2004, 06:26 PM
#8
Neg: a (dumb) question: you still have System Restore disabled, right?
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
December 8th, 2004, 06:27 PM
#9
Yups... haven't turned it back on yet.
-
December 8th, 2004, 06:32 PM
#10
Re: Running out of options
Originally posted here by Negative
-- Turned on SpyBot's TeaTimer,
The problem is that when I do all those things (CWShredder, AdAware, Spybot, HiJackThis, Avast, Tauscan, Stinger,....) it seems to be clean. Reboot the box, though, scan again, and there's a bunch of crap again...
Remove the TeaTimer - I bet that's your problem. It's restoring the infected settings as the system reboots. For the future: never install it on an infected machine - it keeps the infected settings!
HTH