NEW WIN XP BUILD, HOW TO GET RID OF PERSISTENT SPYWARE?

I'M WORKING UP A FULL NEW GAMING BUILD WITH ALL NEW PARTS. SEVERAL PROBLEMS AND SYMPTOMS ARE UNRESOLVED. YOUR HELP IS APPRECIATED.
I've installed a full new copy of Win XP Pro w/SP1, PC-cillin 2005, and updated Spybot and SpywareBlaster programs. The problems are:

1. AFTER AN INITIAL LOGON FOR NET UPDATES WITH TRIAL NORTON AV, AS USUAL I THREW IT IN THE TRASH AND INSTALLED THE BEST PC-CILLIN. ALTHOUGH I GOT NO VIRUSES OR TROJANS, PC-CILLIN AS WELL AS SPYBOT FOUND A TON OF TRASHWARE THAT NORTON LET BY. I GOT RID OF MOST OF IT BUT THESE BUGGERS....
.....THERE IS A FULL 30 SECOND BLACKOUT ON BOOT BEFORE WINDOWS STARTS LOADING THAT WASN'T THERE INITIALLY AND I'VE NOT SEEN IN OTHER XPs. SEARCHING EVENT VIEWER I FOUND A NOTE THAT A DELAY OF 30000 MILLISECONDS OCCURRED LOOKING FOR A THING CALLED 'ZESOFT' SERVICE..A NOT FOUND ERROR. I'VE SEARCHED FOR THIS BUGGER AND NONE OF THE SPYWARE TOOLS OR MY AV FINDS IT. IS THIS WHAT MY 30 SECOND BOOT BLACKOUT IS FROM, AND HOW DO I RID MYSELF OF 'ZESOFT'?

2. WHEN I SCAN FOR SPYWARE WITH PC-CILLIN 2005 IT FINDS 5 PIECES REPEATEDLY FOR MANY MINUTES, PERHAPS A THOUSAND INSTANCES, THEN REPORTS AN INTERNAL ERROR AND THAT THE SCAN COULD NOT BE COMPLETED. IF I TRY TO DELETE WHAT WAS FOUND, THE PROGRAM WILL FREEZE WITHOUT ANY DELETES. SPYBOT S&D DOES NOT FIND THESE 5 PIECES OF SPYWARE....BARBUDDY.A, SAHAGENT, HUNTBAR.A, WEBSEARCH.A, AND BHO_HUNTBAR.F
I also can't fully expel the mcafee32 worm.

3. ALTHOUGH THE MODEM IN USE IS A 56K V90 AND HAS BEEN USED WITHOUT ISSUE FOR DOWNLOADING WITH OTHER BUILDS OVER MY DIALOUT, PAGE ACCESS AND DOWNLOADING WITH THIS NEW XP MACHINE IS VERY SLOW. ALSO I'VE NOTICED THE REMOVAL OF SOME OF THE AUTODIALING WARE THAT NORTON LET IN IMPROVED USABILITY AT THE DESKTOP. BUT, LIKE RIGHT NOW, I'M ALSO DOING A DOWNLOAD AND SOME OF THE WINDOWS APPS I TRY TO OPEN ARE SLOW, AND IT'S EVEN MORE NOTICEABLE IF I OPEN ANOTHER BROWSER AND TRY TO SURF... IT IS ETERNALLY SLOW. IS THIS BECAUSE OF THE SPYWARE DOING ITS TRASH AT THE SAME TIME I'M TRYING TO WORK ON THE NET?

Thanks for any and ALL help! Dan
Asked by: pazsint
1 Solution
 
CodedK commented:
Hi.

Do you have a USB device like a hard disk connected?
When Windows starts there is a delay if you have such a device connected.

About Spyware problem :

-----------------------------------------------------------------------------------------------------
Online check (Big Database):
http://housecall.trendmicro.com
-----------------------------------------------------------------------------------------------------
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper ==> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
-----------------------------------------------------------------------------------------------------
Also have a look at Microsoft's anti-spyware tool:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.microsoft.com/security/malwareremove/default.mspx
and click on "Check My PC for infection"
-----------------------------------------------------------------------------------------------------
For infection removal go to
http://www.sarc.com/avcenter/tools.list.html
-----------------------------------------------------------------------------------------------------
HijackThis ==> http://www.merijn.org/files/hijackthis.zip
analysis ==> http://www.hijackthis.de
-----------------------------------------------------------------------------------------------------
Application (Management)

Download Codestuff Starter...
http://members.lycos.co.uk/codestuff/
 
For applications/malware that run on startup... because they don't always hide under
currentversion\run where the average user will search...
Search on Google for each exe running to identify whether they are legitimate.
-----------------------------------------------------------------------------------------------------
Hard-disk and registry cleaners:
CCleaner :   http://www.ccleaner.com
BeClean   :  http://boozet.xepher.net/beclean/download.htm
and Dustbuster  http://www.pcworld.com/downloads/file_description/0,fid,22384,00.asp
-----------------------------------------------------------------------------------------------------
A firewall like Zonealarm....
-----------------------------------------------------------------------------------------------------
It's good to be prepared but don't overdo it... :/
Installing many of the apps mentioned will slow down your computer...
So choose the ones that fit your needs and install them :)

Hope this helps.. :)
 
CodedK commented:
USING HIJACK THIS:

Download HijackThis from:
http://www.gatesofdelirium.com/ee/tools/

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here...

Please, do not post your log file here!!!

Here's the Experts-Exchange guidelines on posting HijackThis logs:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

Good luck!
 
pazsint (Author) commented:
CodedK...
Thanks for all the info...as you say, I don't like to overrun software either. I use HijackThis, Spybot and SpywareBlaster, as well as PC-cillin AV. Anyway, I used the HijackThis analysis, and only found one bad line that won't stay deleted...
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedza32.exe

I've gone to SP2 for XP now and cleaned everything up, registry and unnecessary and temp files...still have these issues:

1...PC-cillin still finds those 5 trashwares repeatedly...I'm going to call them for tech help on this one.

2...that 30 second blackout is still there...no, I don't keep any USB items plugged in during start up. I did find that ZESoft listed as running in the services. Although I stop it, it reappears on next boot with the same blackout period.

3...Also, now I find these XP apps don't work...Notepad, Help, and Sys Info.....why?
 
rossfingal commented:
Hi!

Do as advised above -
Run HijackThis - run your log through the Analysis site -
Post a LINK to your log back here.
We'll take a look at it.

RF
 
Rich Rumble (Security Samurai) commented:
TURN OFF SYSTEM RESTORE ;) Then run tools such as ad-aware or hijackthis only after system restore is off:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
-rich
 
pazsint (Author) commented:
Ross and Rich...Thanks
Yes, I have System Restore off in XP when using desktop cleaners. HijackThis and the analysis found only one bad line and removing it didn't take it all out. Here is what I have learned, done, and removed in the meantime...
X-Clean found 10 more items including 8 lines of WebSearch in the registry.
Then X-Soft found 21 more entries after that...a total of 38 offending lines, pieces, files, etc. were removed after all the known best suggested trashware removers had their shot at it...what an eye opener...guys, those 2 progs are all I'll use now!
One catch is that X-Soft, which appears to be the best, is pay-to-remove software, but it may well be worth it. I was able with their list to take out a few more lines manually, and may yet get rid of the last 3 bugs in here, especially that 'ZeSoft' which only X-Soft out of the ten progs I tried found.
The X-Soft link....
http://www.spywareguide.com/txt_onlinescan.html

By the way I haven't yet been able to get the XP progs working.... surely you guys would know what that is, please?
 
rossfingal commented:
I would still advise you to run HijackThis and post a LINK to your log.

RF
 
CodedK commented:
:)

To tell you the truth, I don't believe in spyware so much... :/
I don't believe that a person who knows his system well would have serious spyware issues.. I think you know
your system... :)
So maybe it's a hardware issue.

About those 5 files ... they may be in use.
Try to clean them in safe mode. Disable all services...

Try this and tell me

Good luck :)
 
pazsint (Author) commented:
ROSS...OK, here is my HJT analysis link...
http://www.hijackthis.de/logfiles/1abfa0fd19dd0f6d6d9fcadd32fb02b4.html
The 2 WNC's are my AT&T dialout, the NV Tray is the nVidia VGA program, but the two Tcpip's at the end of the list I'm not sure of...what do you think?
Thanks!

TO CodedK: I have managed to get all but two items off...and those are found by PC-cillin's spyware scan only...Huntbar.A and Websearch.A. I called PC-cillin and they suggested using X-Cleaner's micro prog and it did help. I know of some hardware issues but have been working them out on the side...the only thing possibly related in that vein is I still have this full 30 second delay after BIOS POST while the system blacks out and nothing happens before Windows XP starts to load. Then again, I really think something put a line in on me to have the bug start up before Windows does, and I killed it but haven't found the annoying delay code..see?
Thanks too.
 
CodedK commented:
I read on a forum that some drivers can generate such problems.
Try the following:

Update Windows.... Search for hardware updates also.
Download Driver Genius
www.driver-soft.com

Do you have Nvidia?
 
CodedK commented:
More:
Update your Bios.
Defrag your harddrives.
:)
 
pazsint (Author) commented:
Thanks to all who tried on this one, I have found the solution to all my bugs.

 Here is how I did it...
There indeed were several variants of spyware on the machine, and although most of the bad code was removed by the programs mentioned above, not all the changes were found. For example, on the 30 second blackout delay on boot, even though I killed 'ZESOFT' something left a change to my boot.ini code, and once I repaired it..voilà, no more blackout boots...the bad code was causing a full 30 second delay while Windows looked for it before booting to the default drive...here is the proper basic boot.ini code for Win2000/XP machines (1 DRIVE AND 1 BOOT PARTITION):

[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

The rest of my symptoms, the malfunctioning of PC-cillin and its inability to remove the spyware it found, and the pieces of mal-code left behind, were caused by my use of the registry cleaner EASY CLEAN by Toni Arts. I've used this one on Win2000 for years, and it is a good program, but if you use it on WinXP it removes certain lines of code from your registry, which also causes the Windows apps Help & Support and System Information to not work!

This script repairs Windows® XP Help and Support after running Easy Cleaner or similar registry cleaners.

Note: If you have used Easy Cleaner, there is a workaround that prevents Help and Support from becoming corrupt: In the options, add Help to the Skip List.
http://personal.inet.fi/business/toniarts

Now...the non-working Notepad prog on my machine was solved by examining the WINDOWS file....it worked there...the trouble was the start menu icon and the shortcut under accessories were pointing to... \system32\activemovies.exe
...which I have no idea where it came from except some malware that got in here while using Norton AV.

And finally, the PC-cillin spyware malfunctions were apparently also caused by the registry program Easy Cleaner. Once I repaired the registry, the PC-cillin spyware scan only found the final line of
spyware code and was able to take it out...so all things are now normal.

So there folks... persistence pays off! Good luck and thanks!

The question is now closed..moderator please return my points.
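As an added example (not from the thread or any of its posters), here is a small Python checker for a Windows 2000/XP boot.ini that verifies the layout described in the fix above: the default entry must resolve to a listed operating system, every entry must be an ARC path, and a stray extra entry is reported because NTLDR then waits out the timeout at the boot menu. The boot.ini samples inside it are constructed.

```python
"""Check a Windows 2000/XP boot.ini for malformed or stray entries.
Added example, not from the thread. The boot.ini samples are constructed."""
import configparser
import re

# ARC path as NTLDR expects it, e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
ARC_RE = re.compile(
    r"^(multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$", re.I)

# Constructed sample: the expected single-entry layout (1 drive, 1 boot partition)
CLEAN = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Constructed sample with a stray second entry; with two entries NTLDR shows
# the boot menu and waits for the timeout before starting the default one.
STRAY = CLEAN + r"""multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Unknown entry" /fastdetect
"""

def parse_boot_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep ARC paths exactly as written (no lowercasing)
    cp.read_string(text)
    return cp

def check_boot_ini(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    cp = parse_boot_ini(text)
    if not (cp.has_section("boot loader") and cp.has_section("operating systems")):
        return ["missing [boot loader] or [operating systems] section"]
    findings = []
    entries = dict(cp.items("operating systems"))  # ARC path -> "label" /switches
    default = cp.get("boot loader", "default", fallback=None)
    if default is None:
        findings.append("no default= line in [boot loader]")
    elif default not in entries:
        findings.append(f"default {default} has no matching [operating systems] entry")
    for path in entries:
        if not ARC_RE.match(path):
            findings.append(f"entry {path} is not a valid ARC path")
    timeout = cp.get("boot loader", "timeout", fallback="30")  # NTLDR default is 30
    if len(entries) > 1 and timeout != "0":
        findings.append(f"{len(entries)} entries with timeout={timeout}: "
                        f"NTLDR waits {timeout} s at the boot menu")
    return findings
```

Run `check_boot_ini()` over the contents of the real C:\boot.ini (hidden, system, read-only by default) and compare the findings against the single-entry layout above.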