Computer Repair

I have a machine to add memory to, de-virus and otherwise cleanup.

1. First problem, I can’t get a signal to the monitor. Did the video card die? Ah! Monitor cable wasn’t plugged in all the way.
2. Installed memory is a 128MB DIMM. Must check with Gateway TS to see what memory is allowed. Wow! Have to hand it to gateway. Surfing their support site for documentation is a breeze.
3. 256 MB of memory installed. The memory doesn’t have to be identically paired but I believe it best to put the larger DIMM in slot 1 so the 128MB DIMM was moved to slot 2.
4. Checking Add/Remove programs
5. Removed ViewPoint and ViewPoint Manager
6. Removed Diet Kaza
7. Removed KaZaA Lite–nix–uninstall file unavailable
8. Uninstalled MediaLoads
9. Uninstalled Morpheus–nix–uninstall file unavailable
10. Running Spybot and Adaware
11. Received new definitions.
12. Running Norton Antivirus Liveupdate – Subscription expires on the 27th, must advise.
13. Last full system scan was 1/11/2005. Scanning now.
14. Spybot issues:
    • Avenue A, Inc.
    • Advertising.com
    • Callinghome.biz
    • FastClick
    • HitBox
    • MoeMonkey
    • SurfSideKick

    Repairing…

15. Spybot S&D fixed all but Callinghome.biz and will attempt that on reboot. Time to start researching a manual removal.
16. Adaware found 215 problems. I won’t list all those but it does show that sixty pop six (\\windows\sixtypopsix.exe) is by a company called MediaMotor aka Roings LTD “a leader in targeted marketing” (their AIM is roingsmaster)
    

    Operates in stealth. Downloads additional trojan downloaders and malware.

    Some of the names include:

    • exdgen
    • Mediamotor
    • e2give
    • Ebates MoneyMaker (see also and manual removal instructions)
    • ImIServer IEPlugin
    • Roings aka MediaMotor
    • popuppers.com aka MediaMotor
    • Prutect
    • IBIS Toolbar
    • 180 Solutions
    • Clear Search
    • EzuLa
    • MemoryMeter

    You can right-click in adaware to select all. Also be sure to look under the "negligible objects" tab. Cleaning all issues.

17. Done. Waiting for virus scan to complete.
18. Virus scan complete. Symantec reports no viruses. Rebooting.
19. Of 9.7 gb only 421 mb of harddrive remain. Must fix that.
20. Spybot runs on boot. Results:
    • Callinghome.biz
    • AbetterInternet

    Fixed!

21. unplugged Internet connection to prevent new trojans
22. Used Partition Magic to remove the unused 3GB partition and combine it with the 9.7gb partition
23. Partition Magic failed. Trying again with one step at a time. Deleting Logical partition within Extended partition. Success.
24. Deleting Extended partition. Success.
25. Resizing primary partition for the full 13gb. Boom.
26. Restarting computer.
27. Partition Magic blew up again. Let’s try in safe mode.
28. Giving up on Partition Magic.
29. Re-created 3gb extended partition.
30. Deleting temporary files and Windows uninstall information for antique updates
31. Rechecking with Spybot SND. Reports clean.
32. Rechecking with Adaware. Reports 10 objects.
    • 2 tracking cookies (http://landing.domainsponsor.com/ and http://domainsponsor.com – considering no browser has been opened since the cache was dumped this is interesting)
    • A0079949.exe related to Win32.TrojanDownloader.Agent.Ay
    • MediaMotor
    • Prutect
    • ClearSearch
33. Installing VX2 cleaner plugin for Adaware
34. Checking for VX2 issues. Reports clean.
35. Checking CWShredder. Reports clean.
36. Reboot.
37. Running Spybot SND. Reports clean.
38. Running Adaware. Reports clean.
39. HijackThis found:
    • wsxsvc
    • Ebates_MoeMoneyMaker under program files
    • some other questionables
40. reboot
41. Removing Morpheus Gone.
42. Manually checking registry. Mainly looking under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ (Run, Run-, RunOnce, RunOnceEx) and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ (Run Run- RunOnce) Found newdotnet parasite
43. Removed references to morpheus and kazaa within registry and program files.
44. reboot.
45. Reconnecting Internet connection.
46. Checking HijackThis
47. Task Manager won’t come up via cmtl-alt-del or right clicking the taskbar. Troublesome. Ah! A registry hack to enable/disable the Task Manager.
48. HijackThis reports clean.
49. Final virus scan with TrendMicro’s HousecallFound:
    • TROJ_UR.A – \\windows\system32\sysdrc.dll
    • TROJ_SMALL.AJM – \\windows\memmupdaterV2.exe
    • TROJ_SMALL.ABT – \\windows\pi1_25.exe
    • WORM_KLEZ.H – \Program Files\EarthLink 5.0\emailaddr@mindspring.com\mailbox\003.msf “OffersData(7).pif”
    • TROJ_UR.A – \\Documents and Settings\User C\Local Settings\TEMP\ICD8.tmp\sysdrc.dll
    • TROJ_DROP.A – \\Documents and Settings\User C\Local Settings\TEMP\iF5.tmp
    • TROJ_SMALL.ABT – \\Documents and Settings\User C\Local Settings\Temporary Internet Files\Content.IE5\7PBF500\pi1_25(1).exe
    • EXPL_IFRAMEBO.A – \\Documents and Settings\User C\Local Settings\Temporary Internet Files\Content.IE5\7PBF500\counter(1).js
    • EXPL_IFRAMEBO.A – \\Documents and Settings\User C\Local Settings\Temporary Internet Files\Content.IE5\1RXAFK7L\counter(1).js
    • TROJ_SMALL.UX – \\Documents and Settings\mb user\My Documents\backit\gmz\Tiberium Sun\TiberiumSunRAR.zip *Layer2 cctibsun\RAZOR.EXE*
50. One final Spybot S&D. Clean with the exception of 3 tracking cookies (no big deal).
51. One final Adaware. Clean with the exception of 4 tracking cookies (no big deal).
52. Norton Antivirus caught:
    • W32.Klez.H@mm

I did a preliminary cleaning that lasted 3 hours earlier in the week. Today’s cleaning started at 7am and ended at 7pm.