
Thread: Running out of options

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Running out of options

    Hey guys,

    I'm trying to clean a customer's computer, but I'm running out of options and it still isn't clean...

    I've found (for now):

    cws.msconfig
    cws.svchost
    eXact.ISENEng
    SearchMiracle with related kalv*.exe files
    A hijacked HOSTS file
    QDownl Trojan
    Dialer-Q
    Trojano-620
    Trojano-369 (aka Virtumondo... I think)

    - The box is XP Pro with SP2, all updates/patches installed.
    - It's a programmer's computer, and she's got MySQL server and IIS running on it... I don't have it connected to a network, so the new infections can't come from there...

    - I turned off System Restore, and cleaned all TEMP files.
    - Did all the regular stuff: CWShredder (found the cws.msconfig and cws.svchost, and cleaned them... they keep coming back, though), AdAware, Spybot, HiJackThis (all in Safe Mode or from BartPE),...
    - I cleaned the HOSTS file, made it read-only and removed (in)appropriate permissions. It was hijacked by SearchMiracle...
    - Turned on SpyBot's TeaTimer, installed Google Toolbar
    - Scanned with BartPE loaded with Avast, and another one with Stinger. Avast found and removed the Trojanos, but they seem to keep coming back...
    - ProcessExplorer and TCPView don't show anything abnormal

    I'm running Avast from BartPE again (takes around 2 hours... *sigh*) right now...

    The problem is that when I do all those things (CWShredder, AdAware, Spybot, HiJackThis, Avast, Tauscan, Stinger,....) it seems to be clean. Reboot the box, though, scan again, and there's a bunch of crap again...

    I think that those CWS's are causing all of it, and CA's help page isn't exactly helping... the processes I'm supposed to see aren't running, the files I'm supposed to see aren't there,...

    Anything else I can try? Anyone found an application that actually CLEANS a computer instead of just reporting that it cleaned it? I'm on a deadline

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    are you running these tools in safe mode?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Have you run the virus scanner, spyware checkers, and the like all in 'safe mode' so you can make sure the viruses aren't latching onto other programs during the checks?

    Try this:

    1. Boot into safemode
    2. Run the virus scanner, clean anything it finds.
    3. Run the virus scanner again, clean anything it finds (just in case the viruses try an "escape the Titanic" move)
    4. Run the spyware cleaners.
    5. Run them again, for the same reason as #3.
    6. ???
    7. See if that solved your problem!

  4. #4
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    Good god! I thought a computer programmer would be 'smart' enough to protect oneself!?! Oh well.. May I ask, is reinstalling an option?

  5. #5
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I didn't run the AV's in Safe Mode... I ran them from BartPE-disks, though... would running them from Safe Mode make a difference as opposed to running them from BartPE?

    The spyware cleaners I did run in Safe Mode (and from BartPE, just to make sure)...

    And no, reinstalling is absolutely not an option (she doesn't have her original Windows disks anymore, and she's got JBuilder and stuff on there...no original disks anymore, either)

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Hey Neg,

    One of the best combos in addition to the AV and Malware cleaners you have already used is:

    Xen by Paul Brown and Clean Disk Security. They get into everything, swap file, index.dat, etc. Be careful to read the menu items and options provided in the clean up process, especially with XEN. It will even delete fonts, screen savers etc.

    Other than some registry work, that should finish the job.

    cheers
    Connection refused, try again later.

  7. #7
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Thanks Relyt!

    I just installed those two and I'm about to check...

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Neg: a (dumb) question: are you still with system restore disabled, right?
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  9. #9
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Yups... haven't turned it back on yet.

  10. #10
    Senior Member
    Join Date
    Feb 2004
    Posts
    201

    Re: Running out of options

    Originally posted here by Negative


    -- Turned on SpyBot's TeaTimer,

    The problem is that when I do all those things (CWShredder, AdAware, Spybot, HiJackThis, Avast, Tauscan, Stinger,....) it seems to be clean. Reboot the box, though, scan again, and there's a bunch of crap again...

    Remove the TeaTimer - I bet that's your problem. It's restoring the infected settings as the system reboots. For the future - never install on an infected machine - it keeps the infected settings!

    HTH

