
Thread: My Computer Needs Help; trojan and worm found

  1. #11
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45
    Quote Originally Posted by jholland1964 View Post
    Hey, let the Eset scanner run and remove the baddies. Once that is done then try removing that folder in normal mode. You want to get all remainders of the former user off that you can...sounds like he had not paid careful attention to anything. Also be sure to get those old anti-virus programs off of there too.
    hi! :-)
    i will rescan with eset and check-mark 'remove found threats' right now, then i will attempt to remove the 'complete' folder in normal mode. yes, the former user/seller sold my friend an infected pc it seems. this is my friend's very first pc and she did not know to get the o.s./office products cd's etc.

    regarding the previous anti-virus programs; i removed, first, 'viewpoint media player' and 'viewpoint toolbar' - and as soon as i did that, the others automatically disappeared from the add/remove programs list (those being; 'radialpoint security services', 'authentium antivirus sdk-2', and 'ppsdkredistributables')

    thanks! melissay

  2. #12
    Join Date
    May 2008
    Location
    network467.co.uk
    Age
    32
    Posts
    4
    .. or google trend micro housecall and run it, if the system boots. It usually gets rid of everything.

    -Z

  3. #13
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Mustangzach, we are following the prescribed steps found here, as we do in all cases of an infected computer.

  4. #14
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45


    Quote Originally Posted by jholland1964 View Post
    Hey, let the Eset scanner run and remove the baddies. Once that is done then try removing that folder in normal mode. You want to get all remainders of the former user off that you can...sounds like he had not paid careful attention to anything. Also be sure to get those old anti-virus programs off of there too.
    jholland, good morning/afternoon to you. i'm very appreciative of your help and had to prematurely stop yesterday afternoon. i'm back and have the latest details to note. these steps were completed yesterday afternoon:

    1. re-ran the eset scanner and check-marked 'remove found threats'
    2. removed the 'complete' folder in normal mode start-up
    3. previous anti-virus programs were already removed
    4. new anti-virus program (avira) installed and scanned with report to follow
    5. new firewall program (zone alarm) installed and engaged

    these steps will be completed this morning:
    1. re-run eset scanner again; please advise what i need to check-mark, 'remove found threats' or 'scan unwanted applications' with report to follow.

    2. re-run new anti-virus program with report to follow.

    3. re-run hijackthis scan again with report to follow

    happy monday.
    melissay

  5. #15
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi Melissa, in Eset do the full system scan with remove found threats checked.
    I will be waiting for the logs.
    Judy

  6. #16
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45

    new logs

    Quote Originally Posted by jholland1964 View Post
    Hi Melissa, in Eset do the full system scan with remove found threats checked.
    I will be waiting for the logs.
    Judy
    hi judy,
    i ran the eset full scan and checked 'remove found threats'
    the status of threats found=0
    the logs are attached for your review.
    again, thank you and i'll be looking for your reply at your convenience.
    kindest regards melissay

    ps. let me know if you need any other logs. :-)

  7. #17
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi Melissa,
    These entries need to be uninstalled;
    Authentium AntiVirus SDK - 2
    PPSDKRedistributables
    Radialpoint Security Services
    If you need to, try it in safe mode if it cannot be done in normal mode. If they "say" they cannot be installed or are not present, do a file search for each to be certain and delete if found.

    Now before I add more to the uninstall list, since this is a "used" computer and we know the stuff removed already came with the computer, I need to know exactly what programs were installed by the present user or if they are used by the present user. Anything installed by the previous owner that is not used by this user may as well be removed, but I need to know "whose is whose".

    You seem to know your way around a computer pretty well so these are the items I wonder about. If they are not used by the current owner then I would go ahead and remove them. Just let me know what you have taken off. I am not implying these are bad programs, I am just leery as to what the previous owner put on there since we know for certain the folder containing all those viruses came from the previous owner. We may as well get this thing as clean as possible without "mucking up the works".

    All the Verizon stuff...if this is the ISP of the new user it all can stay.
    How about the Yahoo stuff, toolbar, Yahoo messenger?
    All the items related to a scanner
    The Walgreens Photo stuff
    AOL Spyprotection
    My Space IM
    Netzero

    Uninstall everything you know isn't needed by the present owner and then give me the list along with a NEW HJT scan. Then I can better tell you what you can fix using HJT.
    Judy

  8. #18
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45


    Quote Originally Posted by jholland1964 View Post
    Hi Melissa,
    These entries need to be uninstalled;
    Authentium AntiVirus SDK - 2
    PPSDKRedistributables
    Radialpoint Security Services
    If you need to, try it in safe mode if it cannot be done in normal mode. If they "say" they cannot be installed or are not present, do a file search for each to be certain and delete if found.

    when i went into safe mode i selected 'administrator' and was unable to delete the 'complete' folder. i did not attempt to go into safe mode and select 'my computer' - should i be deleting in safe mode and if so, which selection 'administrator or my computer'? also, at this point am i deleting via windows explorer or the hjt program? thanks for the clarification.

    Now before I add more to the uninstall list, since this is a "used" computer and we know the stuff removed already came with the computer, I need to know exactly what programs were installed by the present user or if they are used by the present user. Anything installed by the previous owner that is not used by this user may as well be removed, but I need to know "whose is whose".

    the only program installed by my friend was 'sweetim' - i was only expecting to help her remove that one, but upon implementing the scans from ianag, that's when the worm/trojan was found. we were not expecting that. :-s

    You seem to know your way around a computer pretty well so these are the items I wonder about. If they are not used by the current owner then I would go ahead and remove them. Just let me know what you have taken off. I am not implying these are bad programs, I am just leery as to what the previous owner put on there since we know for certain the folder containing all those viruses came from the previous owner. We may as well get this thing as clean as possible without "mucking up the works".

    i can navigate my way around the pc and i know my limits. the only thing i've removed is 'sweetim' (which it reinstalled itself), and anything related to 'mywebsearch' 'funwebproducts' 'smileycentral' - which i believe backdoored via 'sweetim'

    All the Verizon stuff...if this is the ISP of the new user it all can stay.
    How about the Yahoo stuff, toolbar, Yahoo messenger?
    All the items related to a scanner
    The Walgreens Photo stuff
    AOL Spyprotection
    My Space IM
    Netzero

    new user
    verizon is their isp
    motive is their router/modem
    google is their default search engine
    yahoo is their choice of email and im
    brother mfc is their new printer
    myspace im is theirs
    new user only installed 'sweetim' not knowing it was spy/adware. my friend is a very basic user at an intermediate level.

    previous owner
    walgreens
    limewire
    board games
    aol spyprotection
    aim
    epson printer
    netzero for riverdeep
    nextpimp
    motorola ringtones crud
    ipod
    learn2
    iden
    previous owner installed limewire, ringtones, tons of board games, etc.


    Uninstall everything you know isn't needed by the present owner and then give me the list along with a NEW HJT scan. Then I can better tell you what you can fix using HJT.

    should i uninstall via safe mode or normal mode? via 'add remove programs' or 'windows explorer' or 'hijack this'?

    i want to be very careful with what is removed since my friend has not secured the operating system or microsoft windows office disks. i've explained to my friend that when this guy sold her the pc; he should have wiped the drive and reinstalled the operating system, etc. and the pc should have been 'clean' - he should not have left her at 54% free space left on her 1.something GB hard drive, and all of his junk. i also explained that the operating system disks are her 'pink slip' to her system via microsoft and being able to run windows updates. i told her to get the original disks and ask the guy if he has installed it on any other pc's. if he has, i told her to tell him to uninstall it and give her the disks. she invested $500 on a used and infected system that has almost half the memory gone, she should not have to buy an entire new operating system and microsoft office software. i told her she could have spent the same amount of money via dell and not have to go through this, etc.


    Judy
    hi judy :-)
    my reply is noted above. this is going well so far. i'm on the west coast, so. calif., after i get my kids to school, i'm going to my friend's house to implement the latest procedures you've noted. thank you for everything thus far.

  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi Melissa,
    One thing I forgot to tell you to do was to Enable Viewing of Hidden Files and Folders. You will find instructions for that in the READ ME Before Posting A Request For Assistance! link. So be sure to enable that before you begin removals.

    For uninstalls try it first via Add/Remove. If the uninstall says that you have to reboot to complete then do it then and then go back to Add/Remove and continue.
    If it seems to you that you will have to go into Safe Mode try going in under My Computer since the Administrator didn't work for you. But try all first from normal mode.
    only thing i've removed is 'sweetim' (which it reinstalled itself), and anything related to 'mywebsearch' 'funwebproducts' 'smileycentral' - which i believe backdoored via 'sweetim'
    You are definitely correct on the above. That funwebproducts stuff just gets in there and doesn't want out.
    Use the Add/Remove to get rid of all the previous owner's things;
    walgreens
    limewire
    board games
    aol spyprotection (this one may be difficult because AOL can be as bad as spyware to remove and we might have to do part of this manually but try first via add/remove)
    aim-also AOL
    epson printer(this one might be difficult as it may ask for the disk. We will be able to get it off manually I imagine even if it asks for a disk)
    netzero for riverdeep
    nextpimp
    motorola ringtones crud
    ipod
    learn2
    iden
    previous owner installed limewire, ringtones, tons of board games, etc.
    should i uninstall via safe mode or normal mode? via 'add remove programs' or 'windows explorer' or 'hijack this'?
    Do the normal mode Add/Remove uninstall route first. Make note of anything that won't uninstall or leaves files. When you do the uninstall if you get a message like "some files are only used by this program do you want to leave or uninstall" or something like that, can't remember the exact wording, tell it to take them all away.
    She invested $500 on a used and infected system that has almost half the memory gone, she should not have to buy an entire new operating system and microsoft office software. i told her she could have spent the same amount of money via dell and not have to go through this, etc
    You are absolutely right! Hopefully she should regain some drive space by uninstalling all of this junk. You might also do a search for music, maybe in My Music folder and see if previous owner has anything there, also maybe My Pictures too. Anything like that can just be deleted.


    i want to be very careful with what is removed since my friend has not secured the operating system or microsoft windows office disks.
    The key ones to try to protect are the operating system files. If there is a problem with Microsoft Office there is a very good FREE Office program called Open Office which has pretty much what Microsoft Office has AND allows you to open and also create items which can be used with Microsoft Office.
    As far as being able to get updates, as long as this was not a pirated disk to begin with she should be able to get updates without the disk. Usually that isn't needed BUT of course when you do updates the MS site does check to be sure the os is a legal one.

    Do all of this and then run a new HJT scan and post back with that and anything you were not able to remove and we will go from there.
    Judy

  10. #20
    Join Date
    Aug 2006
    Location
    Planet Earth
    Posts
    45


    Quote Originally Posted by jholland1964 View Post
    Hi Melissa,
    One thing I forgot to tell you to do was to Enable Viewing of Hidden Files and Folders. You will find instructions for that in the READ ME Before Posting A Request For Assistance! link. So be sure to enable that before you begin removals.

    i've already enabled viewing hidden files and folders as per the posted instructions. thank you.

    For uninstalls try it first via Add/Remove. If the uninstall says that you have to reboot to complete then do it then and then go back to Add/Remove and continue.

    i was able to remove everything thru normal mode>add remove programs except for this program: iden gps upgrade utility. the error message i receive is "the log file crogram files motorola iden gps upgrade utility uninst.isu is not valid or data is corrupt. uninstall will not continue"

    If it seems to you that you will have to go into Safe Mode try going in under My Computer since the Administrator didn't work for you. But try all first from normal mode.

    You are definitely correct on the above. That funwebproducts stuff just gets in there and doesn't want out.

    Use the Add/Remove to get rid of all the previous owner's things;
    Do the normal mode Add/Remove uninstall route first. Make note of anything that won't uninstall or leaves files. When you do the uninstall if you get a message like "some files are only used by this program do you want to leave or uninstall" or something like that, can't remember the exact wording, tell it to take them all away.

    You are absolutely right! Hopefully she should regain some drive space by uninstalling all of this junk. You might also do a search for music, maybe in My Music folder and see if previous owner has anything there, also maybe My Pictures too. Anything like that can just be deleted.

    i perused the system via 'windows explorer>search>my computer' in order to remove some of the things i recognize as the previous owner's. 'ppsdkdistributable' was not found during the search. i can't uninstall or delete these files/folders: 'authentium antivirus sdk2' and 'radialpoint security services' - i receive the same error message for both; 'another installation is in progress.' - i'm instructed to finish the installation and retry.


    The key ones to try to protect are the operating system files. If there is a problem with Microsoft Office there is a very good FREE Office program called Open Office which has pretty much what Microsoft Office has AND allows you to open and also create items which can be used with Microsoft Office.

    As far as being able to get updates, as long as this was not a pirated disk to begin with she should be able to get updates without the disk. Usually that isn't needed BUT of course when you do updates the MS site does check to be sure the os is a legal one.

    thanks for the info. but if the previous owner does not give my friend all of the necessary disks that belong to her pc, i'm bustin some knee caps.

    Do all of this and then run a new HJT scan and post back with that and anything you were not able to remove and we will go from there.
    Judy

    i would like to remove these programs (safely and completely);
    aim
    aol
    authentium antivirus sdk2
    avast
    bearware
    board games
    bonjour
    epson
    funwebproducts
    icq
    ipod
    itunes
    learn2
    limewire
    m5shell is related to wurld media
    macrogaming
    morpheus
    motorola
    myjal (motorola ringtones)
    mywebsearch
    netzero
    nextpimpmedia
    nokia
    popswatter
    pure networks
    radialpoint security services
    smileycentral
    sweetim
    viewpoint

    c windows prefetch file - i want to ensure nothing can load from there

    registry - i want to ensure no hidden spyware has re-registered and can tap into the pc

    the access pc from a remote location also had a bunch of options selected. i don't know the default selections, or what's OK to change to ensure no one can access her pc remotely but that she still has her internet connection, etc.

    there is an error message upon pc startup that i want to remove;
    'entry point not found: smartbridge alerts 'motivesb.exe' the procedure entry point 'getprocessingimage filenamew' could not be located in the dynamic link library PSAPI.dll'

    attached are the latest hijackthis logs for your review. these logs were generated after i uninstalled via either add remove programs or windows explorer (delete manually).

    my mind is semi-fried. but it's looking good and the pc is not freezing and crashing as it was previously.

    take care judy.
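
Added example, not part of the thread or of any poster's message: a small Python check that reads a HijackThis-style log and reports which entries still name products from the removal lists above, noting the ones the scanner marks "(file missing)" (a registry entry left behind after the file is gone). The sample log is constructed; its paths, the placeholder CLSID and the chosen subset of names are assumptions.

```python
import re

# Product names from the removal lists in the thread, lowercased with spaces dropped.
REMOVAL_NAMES = ("sweetim", "mywebsearch", "funwebproducts", "smileycentral",
                 "viewpoint", "radialpoint", "authentium", "limewire")

# Constructed sample in HijackThis log layout; paths and CLSID are made up.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/
O2 - BHO: MyWebSearch Search Assistant BHO - {00000000-0000-0000-0000-000000000001} - C:\Program Files\MyWebSearch\bar\1.bin\EXAMPLE.DLL
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir\avgnt.exe" /min
O23 - Service: Radialpoint Security Services - Unknown owner - C:\Program Files\Radialpoint\Example\svc.exe (file missing)
"""

# Sectioned entries start with a code such as R1, O2, O4 or O23, then " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Yield (code, body) for sectioned entries; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def leftovers(log_text, names=REMOVAL_NAMES):
    """Map each removed product still referenced to its (code, body, file_missing) entries."""
    found = {}
    for code, body in parse_entries(log_text):
        # Compare on letters and digits only so "My Web Search" and "MyWebSearch" both match.
        squashed = re.sub(r"[^a-z0-9]", "", body.lower())
        missing = body.rstrip().endswith("(file missing)")
        for name in names:
            if name in squashed:
                found.setdefault(name, []).append((code, body, missing))
    return found

if __name__ == "__main__":
    for name, entries in sorted(leftovers(SAMPLE_LOG).items()):
        for code, body, missing in entries:
            note = "registry entry only, file gone" if missing else "file found by scanner"
            print(f"{name}: {code} ({note}) {body}")
```

Run against a fresh log after each round of uninstalls, an empty result means none of the listed names appear in the sectioned entries; it does not cover files on disk that no startup or browser entry points to.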
