[pchelpers] System cleanup notes

Hi folks,

Recently I cleaned up a moderately-infected system.  I had trouble
getting the original computer to work, so moved the hard drive to
another similar computer, then cleaned it up and gave it back.  It was
returned to me because it was rebooting by itself; I put a different
drive into another computer, and updated all of the software and moved
the data over.  The notes below describe what I did to the second
computer.

I have a number of log and undo files also, if anyone is interested.


--Scott.

********************************

Had trouble getting original computer to work. Got another computer of
similar model, 566MHz instead of 466MHz, and 256MB memory instead of
192MB memory; moved hard drive over. Tried to upgrade memory, but had
similar problems to first computer. Finally got working again, but
unable to get any 256MB sticks to work; either bad or incompatible.
So, only 256MB, but still better than the original. Dog slow to start up.

C: drive compressed (probably partly responsible for slowness), only
13GB drive and less than a gig free; tight for XP. Not enough free
space for swap file, defragmenting, and System Restore to operate
properly.

Adjusted mouse pointer to flash when Ctrl key tapped.

Turned on System Restore?

Removed "OuterInfo"/"Yazzle" adware (browser popups).

Attempted to remove "VSAdd-in for Internet Explorer"; failed.

Uninstalled Java 1.5.0.3 (old).

Uninstalled "DeluxeCommunications" adware.

Attempted to update Adobe Flash; failed.

Installed KB925902 security update.

Uninstalled IpWins (don't think it was present before).

Attempted to remove "VSAdd-in for Internet Explorer" (again); failed
(again).

Set small icons on start menu, so that all will be visible.

Ran HiJackThis 1.99.1.
   Removed all File Missing/No File items
   Removed suspicious items:
      C:\WINDOWS\system32\cbxuvvu.dll
      C:\Program Files\ComPlus Applications\hokel.dll
      C:\WINDOWS\system32\gcemxqqr.dll
      C:\WINDOWS\system32\wxogsjdl.dll
      C:\WINDOWS\system32\ssqpn.dll
      C:\Documents and Settings\Xxxxxx\Local Settings\Temporary
         Internet Files\Content.IE5\CWWA19GY\
         NewSoftware2007Install[1].exe
      "C:\Program Files\Common Files\WinAntiSpyware 2007
         Free\uwasdc.exe"
      "C:\Program Files\Common Files\WinAntiSpyware 2007
         Free\uwasers.exe"
      "C:\Program Files\Common Files\WinAntiVirus Pro
         2007\mav_startupmon.exe"
      rundll32.exe "C:\WINDOWS\system32\dhxupdqj.dll",setvm
      "C:\Program Files\SysProtect Free\usypcw.exe" -c
      winlog.exe
      C:\Program Files\SysProtect Free\USYP.exe /scan
      "C:\Program Files\SysProtect Free\USYP.exe" /min
      C:\WINDOWS\system32\WPDShServiceObj.dll
      C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
      C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
   Removed Groove stuff
   Removed International options group
Restarted.

Symantec is version 10.1.5.5000, definitions dated Sep 8 2006, rev 41

Ran HiJackThis again.
   Removed (again), with help from KillBox:
      C:\WINDOWS\system32\cbxuvvu.dll
      C:\WINDOWS\system32\vebgmjjg.dll
      C:\WINDOWS\system32\ssqpn.dll
      C:\Documents and Settings\Xxxxxx\Local Settings\Temporary
         Internet Files\Content.IE5\CWWA19GY\
         NewSoftware2007Install[1].exe /p
      rundll32.exe "C:\WINDOWS\system32\kabixayb.dll",setvm
      C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

Restarted.

Pop-ups still occurring.

Looked in Services list; "Client IP-IPX" still listed but is disabled;
need to delete. Disabled Machine Debug Monitor (not needed). Disabled
Remote Registry (not needed). Disabled Wireless Zero Configuration
(not needed).

Removed Ink correction.

Turned off Advanced Text Services.

Used WinSockFix to reset TCP/IP chain.

Symantec quarantined/deleted:
   C:\Windows\109uninst.exe
   C:\Windows\uni_eh10.exe
   c:\Windows\NDNuninstall7_48.exe
   C:\Windows\system32\install.exe
   C:\Documents and Settings\Xxxxxx\Application
      Data\Winantispyware2007freeinstall[1].exe
   Trojan.Vundo: C:\Windows\System32\cbxuvvu.dll
   WinFixer: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\InstallProvider\setup.exe
   Adware.SurfSideKick: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\i5a.tmp
   Adware.TargetSaver: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\GLF67GLF67.exe
   Trackware.Webhancer: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\b129.exe
   Adware.Maxsearch: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\b122.exe
   Spyware.ISearch: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\b104.exe
   Infostealer: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\rvwvngqp.dll
   Trojan.Adclicker: C:\Program Files\Common
      Files\{C079711B-0234-1033-0917-010323200001}\update.exe
   Trojan Horse: C:\Documents and Settings\Xxxxxx\Local
      Settings\Temp\rxcvlueh.dll


Moved following items from C:\Windows\System32 to C:\!Killbox\system32:
   brenlvjm.dll
   dhxupdqj.dll
   gcemxqqr.dll
   gppvjqxp.dll
   jkhhtayv.dll
   mmmajtuf.dll
   nnlif.dll
   okxxrjal.dll
   pbrkayqr.dll
   taliyajv.dll
   vinvljxa.dll
   winlog.exe
   wqqrmypk.dll
   wxogsjdl.dll
   yayay.exe
   yqkrnrpv.dll
   yqohuxmh.dll
Failed to move:
   cbxuvvu.dll
   ssqpn.dll

Installed Symantec 2007 April 8th definitions, rev 19.

Ran unbrand.vbs.

Rebooted.

Installed and ran CCleaner 1.36.430.

Ran EasyCleaner 2.0.

Deleted IE7 temp folder in C:\
Deleted C:\Windows\$NtUninstallWudf01000$
Deleted C:\Windows\$NtUninstallWMFDist11$
Deleted C:\Windows\$NtUninstallwmp11$
Deleted C:\Windows\$NtUninstallMSCompPackV1$
Deleted C:\Windows\$NtServicePackUninstallNLSDownlevelMapping$
Deleted C:\Windows\$NtServicePackUninstallIDNMitigationAPIs$
Deleted C:\WINDOWS\$hf_mig$ (used for version control; should not be
   needed if updates installed via MicrosoftUpdate).
Deleted C:\Windows\IE7Updates
Deleted C:\WINDOWS\system32\ZoneLabs (no longer installed)
Deleted contents of c:\System Volume Information (System Restore
   files)

Compressed c:\System Volume Information.

Ran RootKitRevealer 1.7, no significant discrepancies.

Added devmgr_show_nonpresent_devices and devmgr_show_details system
variables.

Deleted non-present devices.

Consolidated software installers into Software\Xxxxxxh's folder on
desktop.

Renamed account to correct spelling.

Installed SpywareBlaster 3.5.1.

Updated Flash to 9.0.28.0.

Installed root certificates for some mil web sites.

Updated Java to 1.5.0.11.

Updated DirectX to April 2007 release.

Installed TweakUI.

Installed Windows Defender.

Deleted references to "Client IP-IPX" in registry.

Deleted references to "VSAdd-in for Internet Explorer" from registry.

Ran Autoruns, deleted some file-not-found items.

-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.
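Two of the files in the notes above (cbxuvvu.dll and ssqpn.dll) could not be moved, and cbxuvvu.dll had to be removed twice; that is the behaviour of a DLL that some autostart mechanism keeps loaded in a running process, and the notes do not say which location loaded them. As an added example, not part of Scott's post or of any tool he names, here is a small Python script that reads a .reg export of common autostart locations and reports which mechanism references a stubborn file, resolving Browser Helper Object CLSIDs to their InprocServer32 DLL the way a HijackThis-style listing does. The registry key paths are real Windows locations; the export text, its values, the file placements and the all-zero CLSID are constructed placeholders, and the assumption that these two DLLs were loaded from one of these keys is mine, not the author's.

```python
"""Cross-reference files that resisted removal against a .reg export of
common autostart locations.

Added example, not the author's tooling. The export below is CONSTRUCTED:
the key paths are real autostart locations, but the values, the file
placements and the all-zero CLSID are made up for illustration.
"""
import re
from collections import defaultdict

# Files the cleanup notes say could not be moved.
STUBBORN = {"cbxuvvu.dll", "ssqpn.dll"}

# Real autostart locations that HijackThis/Autoruns-style tools enumerate.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export (placeholder CLSID, made-up values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxuvvu]
"DllName"="C:\\WINDOWS\\system32\\cbxuvvu.dll"
"Startup"="WinlogonStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\ssqpn.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"""

KEY_RE = re.compile(r"^\[(.+)\]$", re.MULTILINE)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
FILE_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe)\b', re.IGNORECASE)


def _unescape(data):
    """Strip the outer quotes of a REG_SZ literal and undo .reg escaping."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            yield key, name, _unescape(m.group("data"))


def _under(key, parent):
    return key.lower().startswith(parent.lower() + "\\")


def _subkey(key, parent):
    """First path component below `parent`, lower-cased (e.g. a CLSID)."""
    return key[len(parent) + 1:].split("\\", 1)[0].lower()


def classify(key, bho_clsids):
    """Describe which autostart mechanism a registry key represents."""
    if _under(key, NOTIFY_KEY):
        return "Winlogon Notify package (loaded into winlogon.exe at logon)"
    if _under(key, CLSID_KEY):
        if _subkey(key, CLSID_KEY) in bho_clsids:
            return "Browser Helper Object (loaded into iexplore.exe)"
        return "COM in-process server"
    if key.lower() == RUN_KEY.lower():
        return "Run key (started at logon)"
    return "other"


def autostart_inventory(text):
    """List (mechanism, filename) for every DLL/EXE referenced from a known key."""
    # CLSIDs registered as BHOs are collected from key names, so a BHO key
    # with no values still counts.
    bho_clsids = {_subkey(k, BHO_KEY) for k in KEY_RE.findall(text) if _under(k, BHO_KEY)}
    inventory = []
    for key, _, data in parse_reg(text):
        for path in FILE_RE.findall(data):
            name = path.rsplit("\\", 1)[-1].lower()
            inventory.append((classify(key, bho_clsids), name))
    return inventory


def find_loaders(text, stubborn):
    """Map each stubborn filename to the autostart mechanisms referencing it."""
    hits = defaultdict(list)
    for mechanism, name in autostart_inventory(text):
        if name in stubborn:
            hits[name].append(mechanism)
    return dict(hits)


if __name__ == "__main__":
    for name, mechanisms in sorted(find_loaders(SAMPLE_REG, STUBBORN).items()):
        print(f"{name}: {', '.join(mechanisms)}")
    for mechanism, name in autostart_inventory(SAMPLE_REG):
        print(f"  [{mechanism}] {name}")
```

On a live system the input would be a `reg export` of those keys. The practical point for a file that cannot be moved is the order of operations: remove or disable the autostart entry that loads it (as the notes do later with Autoruns and registry edits), reboot so the process no longer holds the DLL, and only then delete the file and verify the entry has not been recreated.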