Help with a friend's PC

Discussion in 'adware, spyware & hijack cleaning' started by DavidH, Nov 25, 2003.

Thread Status:
Not open for further replies.
  1. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    40
    Location:
    Fort Worth, TX USA
    Hello,

    A friend of mine from work was recently referred to me because of some problems that he was having with his PC. And, he does have some problems. He initially had two complaints:

    1. Recent e-mails led him to believe he was infected with Klez.

    2. He complained of constant and persistent popups, some of them pornographic in nature. We all know what that means.

    As a result, we tried the following initial steps by telephone to get rid of the virus portion of his problem:

    1. Downloaded and installed a Klez Cleaner from Symantec.

    2. He bought Norton Internet Security PRO 2004 and installed it. I am not sure if he operated it properly. He said that even after using the remover, the AV still found the Klez virus, produced a message, and rebooted.

    He was still experiencing problems even after trying this. In fact, now he cannot even access the internet with IE. So this evening I had an opportunity to visit his house and take a look at his PC. Here is what I did:

    1. I managed to get his AV to update which surprised me as I was not able to get an internet page with IE. I ran a full scan which found dozens of viruses, trojans, and a LOT of spyware. I removed as much as I could. But, some executables I could not even remove in Safe Mode. So, I removed them manually from a DOS prompt. Those executables were related to spyware/adware.

    2. I manually went through the entire registry and removed everything that I could find from HKCU and HKLM that I thought was related to spyware or viruses based on the results of the Norton scan. I also checked all of the registry Run, RunServices, etc. entries.

    3. After shutting down and removing as much as I could find, I retried the browser and it was a no-go. I could not even get the homepage to stay constant between reboots, which confused me as I thought that I had removed all malware. I again searched the registry and reset suspicious IE entries based on a comparison with a good Win98 laptop that I have. By the way, his PC is also Win98 with IE5.5 and very few security updates. I still could not get IE to access the internet and the home page was still changing after I did this. I can ping sites. I can run auto-update on some of his applications, but I just cannot get IE to operate correctly and, unfortunately, he does not have another browser. For reference, the URL that the home page changes to starts with http://www.gohip.com with a bunch of garbage written after it.

    Currently the status remains the same. For his own safety, I disabled NetBIOS on his system and checked netstat to see if he had any odd listening ports. This is important as I cannot even access the Options of Norton FW. It says that I do not have sufficient privileges, which seems strange because I was logged in under his account. That was the same account used to install these components. So, I left for the night (after 6 hours) and have downloaded and burned a series of applications to my home PC that I hope can help tomorrow. Here is what I have:

    1. TDS, PE, WG

    2. AdAware, Spybot

    3. Firebird, Mozilla, Netscape to provide a secondary browser and to see if this only affects IE.

    4. NOD32 DOS Version to do a quick DOS scan tomorrow.

    5. Outpost PRO and FREE, just in case.

    6. LSP Fix and a couple of other Winsock fix applications from CEXX.

    7. JavaCool Spyware Guard, Spyware Blaster, and MRU Blaster, for future use and protection.

    8. HijackThis

    I hope to give these applications a try tomorrow with the goal of ensuring the system is virus, trojan, worm, spyware, and adware free and also restoring his ability to use IE to access the internet. I am writing this message to ask the following of the members of this forum:

    1. Does anyone have any specific information about what might be causing the problems that I have noted?

    2. Am I headed in the right direction with the software that I have chosen to download and burn to CD this evening?

    Sorry as this message probably seems to lack some coherence. I can barely see straight after staring at his monitor for six hours and it is pretty late here. I also posted over DiamondCS, but decided to post here in order to maximize my feedback.

    Thanks for your time. :)
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi David,

    If it's possible can you get a HijackThis log from your friend's PC and post it here?

    That way we can have a look too and assist you in pinpointing out some possible malware.

    Make sure you have the latest version :

    HijackThis

    I would suggest you extract HijackThis.zip onto a floppy, so you'll have the .exe file on that floppy. Then take that floppy to your friend, save a HijackThis log on it, and copy-paste the complete contents here.

    Just to help you (if you already know how to use HijackThis skip this part)

    When you arrive at your friend's, start hijackthis.exe from the floppy -> Scan -> Save log as a:\david.txt (or any name you want to give it), and when you're home again copy-paste the complete contents of david.txt here please.

    Thanks!

    Good luck ;)

    Keep us posted,

    Cheers,
     
  3. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    40
    Location:
    Fort Worth, TX USA
    Hi Unzy,

    Thanks very much for the response. I have downloaded the latest copy of HijackThis and will follow your instructions later today as I am home at the moment. I will post the results. I have also found a GoHip removal tool and will be giving that a try. But, I will create the HijackThis logs before doing anything else.

    I feel sort of silly. After all that searching of the registry and the Program Files directory, I totally neglected to check the Startup area of the Windows Start menu or the Hosts file.

    Anyway, I will post the logs as soon as possible. I just hope we can get his IE to load a web page. It is so strange that the anti-virus can update and I can ping sites, but I just cannot get IE to load anything. This fellow was in real bad shape when I initially talked to him. No AV, AT, or firewall and he had a broadband connection. I hope that we can get things to work as I dread the alternative, formatting and re-installing.

    Thanks again for the feedback. I will be posting again as soon as I get the logs. :)
     
  4. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    40
    Location:
    Fort Worth, TX USA
    Hello,

    I want to start off by apologizing to the members of the TDS and Wilders forums for my untimely response on this matter. I feel somewhat negligent as people in each forum gave me almost instant and worthwhile advice on this matter. I have been occupied at my work lately and was also, as far as I can see, compelled to pursue a more extreme course of action in this case rather than try to attack the specific infections on this user's computer. My actions regarding this user's PC are as follows:

    I had originally and fully intended to reply to the TDS and the Wilders forums with the HijackThis log as specified in the Wilders forum. However, the copy that I had downloaded using the link given was in ZIP format and I did not have the foresight to include an UNZIP utility in the library of software that I burned to disk and took with me to the user's residence. Additionally, given the number of viruses, worms, spyware and dialers detected on this user's system, I determined that it would be in the best interest of the user if I formatted his hard drive, reinstalled the software that he used, and also installed the appropriate security software to ensure that such a situation would not arise in the future.

    After formatting, recovering the Operating System, and installing his required applications, here are the actions that I took:

    1. Installed Spyware Blaster and Spyware Guard to help mitigate future spyware risks.

    2. Installed Norton Internet Security, including the AV and Firewall, to help mitigate future virus and hacking issues. This included a full configuration of Norton to ensure that updates were automatically installed. I also configured the Norton firewall for every application that I had installed and gave him some basic instructions on how to deal with firewall messages. There may be better options than Norton, but he bought it before I had a chance to offer input.

    3. Installed AdAware and Spybot S&D to also help mitigate future spyware risks.

    4. Configured the user's mail client, Outlook, to categorize ANY e-mail as being in the Restricted Zone. Also counseled the user on the proper ways to deal with internet mail.

    5. Configured his browser with Default settings for all Zones. All browser configurations were modified to ensure the maximum amount of security. He uses IE as his default browser.

    6. Installed Netscape as secondary browser. This user would probably not recognize the other browsers like Mozilla, Opera, or Firebird, and I thought that Netscape, configured by myself, would be reasonably safe.

    7. Installed the latest Microsoft updates for his PC and also set his system to Automatically do Critical Updates.

    8. Configured ALL media applications for greatest security given their current configurable options and set the firewall up accordingly.

    9. Agreed with the user that I would check back quarterly to ensure that all security applications were updated and that his system was clean.

    10. Installed and properly configured a router for the user.

    I am hoping that the actions that I have listed above will help eliminate problems for that user. As I have said, I regret not replying before now as I have had many fine suggestions from the Wilders and the TDS forums. I just wanted to wrap up this issue and express my appreciation for everyone who offered advice.

    Thanks very much for your support. I certainly appreciate it. :)
     