posted by [personal profile] oldbloke at 04:29pm on 12/10/2006
Computer virus check report

Date: 2006-10-11. Analyst: Dave Budd. MC Reference: 061003.
Compaq Presario 2800, Pentium 4 Mobile 1.7GHz, 256MB
Windows XP Home (no service packs)

Initial check
Boots OK. User passwords not set on Alastair, Andrew, Jane, Matthew.
Logs off as soon as login requested!
Try Safe Mode. No password on Administrator. Same logout problem.
Try boot from UBCD
Use Registry Restore tool to take registry from last restore point
Now logs in OK from standard boot.
Norton Internet Security installed, no antivirus component.
Spyware Doctor installed and running.
XP firewall is enabled on only some connections: set on all.
Windows Update on
Remote Assistance Requests on: disabled.
System Restore is enabled.
Does not recognise USB stick.
Went online long enough to download vs8pkg version of VirusScan8 and latest SDAT
Installed VirusScan: found Generic.StartPage.c; StartPage-DU!htm; StartPage-AP; Generic.f; QLowZones-2.gen; Exploit-MhtRedir.gen; Generic.Adclicker.b; Downloader-ME; Proxy-Hino.dldr; Downloader-JH; Downloader-ADG; Downloader-DA.dll; Downloader-AFH; StartPage-AX; Qhosts-18!hosts; Downloader-OV; Downloader-PZ; Downloader-DS; Downloader-JH; Downloader-EX; StartPage-EH; StartPage-DU.dll; MultiDropper-JK; StartPage-DH.er; QLowZones-4; QFav-1.

Safe Mode scans
Booted to Safe Mode. Logged in as Administrator
Set passwords:
• Administrator:
• Alastaire:
• Andrew:
• Jane:
• Matthew:
VirusScan: More of same viruses removed from restore area. Still some not deletable in system area.
Removed registry entries for sys.reg hijacker and gwiz/ntsystem malware.
Re-boot (to Safe Mode): USB stick now recognised.
Copied installers for SAV32CLI, AdAware, SpyBotS&D, HijackThis!, ProcessExplorer.
Installed AdAware, SpyBotS&D.
AdAware (2 years old): 123 objects found (alexa, CoolWebsearch, GmsoftDialer, istbar, moneytree, browser hijack, sidefind, TIB browser, other, tracking cookies). Removed.
HijackThis!: Removed some stuff that sends IE to hijack sites, etc. Spotted markers of zlob, used Regedit to remove key.
Base Scan
Booted to Safe Mode with Command Prompt, logged in as Administrator
SAV32CLI C:\*.* -F -ALL -REMOVE -DI -DN -REC -NC
Found: Troj/PurScan-M ; Troj/Xoad-A; Dial/Tibsys-A; Troj/StartPA-FP (removal failed); Dial/Dialer-U; Troj/PurScan-R.
Removed some registry entries relating to StartPA-FP and renamed the dll. Rewritten instantly. Not sure how to remove it; vendors' site info not useful.
Booted back to Safe Mode With Networking, updated SpyBotS&D and AdAware
AdAware found a few items, removed.
SpyBotS&D: All-in-One Telcom; CoolWWWSearch (various subtypes); IsearchTech.PowerScan; SmitFraud.C. Error during check. Removed stuff found so far.
Re-booted to finish fixes and re-scan: Alexa; Zlob.BigDown. Fixed.
VirusScan: A few items from restore folder. Still can’t shift StartPage.
AdAware still picking up various items.
Deleted all references to pnpsvc in registry, still can’t delete aqhsalci.dll (StartPage), entries rewritten.
Booted from UBCD. Deleted AQHSALCI.DLL, pnpsvc.inf. Can’t find associated qcache.exe (probably cleaned by earlier scans). Removed all known registry entries for StartPage.EF. Created dummy dll file to try to prevent it being rewritten. Re-ran SAV32CLI.
Booted to Safe Mode. Re-checked registry: OK. Re-ran VirusScan: OK.
Cleaned bad sites out of ZoneMap registry entries.
Booted to Normal mode: SpyBotS&D autoran and found 26 items. All fixed.
Registry entries for StartPage haven’t come back.
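The QLowZones detections and the ZoneMap clean-up step above concern Internet Explorer's per-site zone assignments, which this kind of malware edits so that its own sites get the relaxed settings of the Trusted or Local intranet zone. The Python script below is an added example, not part of the original report: it parses a .reg export of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (the sample export and its domain names are constructed) and lists every host placed in a zone less restrictive than the default Internet zone, so the entries can be reviewed and removed.

```python
import re

# Internet Explorer zone numbers stored in ZoneMap values:
# 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# Zones 0-2 have fewer restrictions than the default Internet zone.
ELEVATED_ZONES = {0, 1, 2}

# Constructed .reg export; the domain names are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.corp.example]
"http"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\search-hijack.example]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adclick.example\www]
"http"=dword:00000002
"https"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"*"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
DOMAINS_MARKER = "\\ZoneMap\\Domains\\"

def parse_zonemap(reg_text):
    """Yield (host, protocol, zone) for every value under ZoneMap\\Domains."""
    host = None  # host of the key being read, None if it is not a Domains key
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group("path")
            host = None
            if DOMAINS_MARKER in path:
                parts = path.split(DOMAINS_MARKER, 1)[1].split("\\")
                host = ".".join(reversed(parts))  # Domains\example.com\www -> www.example.com
            continue
        value = VALUE_RE.match(line)
        if value and host:
            yield host, value.group("name"), int(value.group("val"), 16)

def audit_zonemap(reg_text, allowlist=()):
    """Return entries that put a host into an elevated zone and are not allowlisted."""
    return [(h, p, z) for h, p, z in parse_zonemap(reg_text)
            if z in ELEVATED_ZONES and h not in allowlist]

if __name__ == "__main__":
    for host, proto, zone in audit_zonemap(SAMPLE_REG, allowlist={"intranet.corp.example"}):
        print(f"{host} ({proto}) mapped to zone {zone}")
```

On a real machine, export the Domains key with regedit (File, Export) and pass the file contents to audit_zonemap; anything legitimately trusted (such as a company intranet host) goes in the allowlist.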

Normal mode scans
Logged in as Alastair, went online.
Updated VirusScan, re-scan with all 3 scanners: AdAware still finding stuff.
Nothing too worrying. Downloaded CWShredder, ran it: nothing found. AdAware was just reporting some leftover reg entries, which it dealt with. Re-scan in Safe Mode just to be sure: OK.
Uninstalled Spyware Doctor; Updated Windows Update. 21 updates waiting: installed.
Service Pack 2 downloaded and installed.


Final status
Believed clean.
Basic machine security OK.
Antivirus and antispyware scanners configured OK.

Passwords are:
• Administrator:
• Alastaire:
• Andrew:
• Jane:
• Matthew:

Notes
VirusScan is set to do a full scan at 12:33, or when you boot up if later. This slows the machine down a lot. You can kill the scan by right-clicking on the Vshield icon, selecting VirusScan Console, then right-clicking the “Scan All Fixed Disks” task and selecting Stop.
Remember to run SpyBot and/or AdAware about once a week.
Let Windows Update install patches!
There are 2 comments on this entry.
 
posted by [identity profile] new-brunette.livejournal.com at 03:39pm on 12/10/2006
Oh my god. How long did that lot take you?
 
posted by [identity profile] oldbloke.livejournal.com at 09:22pm on 12/10/2006
About 12 hrs elapsed, only about 3 actual contact
