Virus or something... help
mesa101
Member
9. March 2006 @ 15:31
I'm trying to help a friend fix his PC. He has an older eMachines PC, about a 2003 model, running XP. When I first got it, it was very slow and the screen would jitter when you tried to open a program, and a pop-up at the bottom right tray says: "Dangerous infection was detected on your PC. The system will now download and install most efficient antimalware program to prevent data loss and information theft." I ran Ewido and Spyware Doctor and they found nothing. I installed Panda Platinum and it found several malware things, but the pop-up is still there. I ran HJT but there was a very short list and everything looked legit. One thing I noticed about his version of XP was that there was no system recovery program anywhere, just System Restore. I was going to just reformat the thing, but it's not there. Maybe this older version requires the discs?

spertti
Senior Member
9. March 2006 @ 15:34

mesa101
Member
10. March 2006 @ 11:25
Logfile of HijackThis v1.99.1
Scan saved at 4:06:30 PM, on 3/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\New Folder\HijackThis.exe
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

-kemisti-
AfterDawn Addict
11. March 2006 @ 02:53
Download smitRem -> http://noahdfear.geekstogo.com/click%20counter/click.php?id=1 Save it on the desktop and double-click it; it will then create a smitRem folder on the desktop.
Fix with HjT (do a system scan only, checkmark these and press "Fix checked"):
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Boot in safe mode (tap F8 while booting).
Delete, if found:
C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe
C:\WINDOWS\web\related.htm
Open the smitRem folder and double-click RunThis.bat. Follow the instructions.
Reboot, then send a fresh HjT log and the contents of c:\smitfiles.txt.
And get antivirus, firewall and Windows updates!
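As an added illustration (not a tool from this thread, from HijackThis or from smitRem), here is a small Python check over the O2/O4 lines of the two HijackThis logs posted in this thread: it flags the trait the two obvious entries above share, an autostart or BHO loaded from a Temp directory or from a .tmp file, and reports nothing on the cleaned log posted later. The log text is copied from the posts; the pattern list is my own assumption, not a HijackThis rule.

```python
import re

# Constructed sample (copied from the thread's posts, not a tool's own data):
# the O2/O4 section of the first, infected log, then of the post-cleanup log.
INFECTED_LOG = r"""
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
CLEANED_LOG = r"""
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# First Windows path in the entry that ends in a loadable/runnable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|tmp|com|bat|scr))\b', re.I)
NAME_RE = re.compile(r'^O2 - BHO: (.*?) - \{|^O4 - .*?: \[(.*?)\]')
TEMP_DIR_RE = re.compile(r'\\(Temp|LOCALS~1)\\', re.I)  # assumed heuristic

def parse_entries(log):
    """Yield (section, name, path) for every O2 (BHO) and O4 (Run key) line."""
    for line in log.splitlines():
        if not line.startswith(("O2 - BHO:", "O4 - ")):
            continue
        name_m, path_m = NAME_RE.match(line), PATH_RE.search(line)
        if not (name_m and path_m):
            continue
        name = name_m.group(1) or name_m.group(2)
        yield line[:2], name, path_m.group(1)

def suspicious_entries(log):
    """Flag autostart/BHO entries with the two traits seen in the infected log."""
    findings = []
    for section, name, path in parse_entries(log):
        reasons = []
        if TEMP_DIR_RE.search(path):
            reasons.append("loads from a temporary directory")
        if path.lower().endswith(".tmp"):
            reasons.append("code loaded from a .tmp file")
        if reasons:
            findings.append((section, name, path, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(INFECTED_LOG):
        print(finding)
```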

mesa101
Member
11. March 2006 @ 03:05
Thanks. I will do as you said and report back. Thank you.

mesa101
Member
12. March 2006 @ 06:08
Thanks spertti, and special thanks to kemisti. The directions you gave me worked like a charm. The PC is running smooth. I'm very grateful; thanks for taking time to post and helping me out.

lauriantu
Suspended permanently
12. March 2006 @ 08:01
BUT FOR PRECAUTION download ZONE ALARM (the best firewall in all the world)

mesa101
Member
12. March 2006 @ 08:15
Advice taken, thanks.

-kemisti-
AfterDawn Addict
12. March 2006 @ 08:16
@mesa101: I still need a fresh HjT log and the contents of c:\smitfiles.txt in order to realize that same thing by myself :)

mesa101
Member
12. March 2006 @ 11:07
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:02:07 PM, on 3/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijack this\HijackThis.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

mesa101
Member
12. March 2006 @ 11:08
Here is the smitRem log:
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 03/11/2006
The current time is: 8:57:06.23
Running from
C:\Documents and Settings\JULIA\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
@="C:\WINDOWS\System32\replmap.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
replmap.dll
1024 dir
ld****.tmp
ncompat.tlb
hp***.tmp
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1504 'explorer.exe'
Killing PID 1504 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)

mesa101
Member
12. March 2006 @ 11:10
Sorry it takes so long, but I just have my friend's tower, so I have to disconnect all my stuff to make his work, then burn information to discs to get it to my PC. Pain in the buttocks.

-kemisti-
AfterDawn Addict
12. March 2006 @ 20:35
OK, logs are clean :) Next one is to get an antivirus and firewall!

mesa101
Member
13. March 2006 @ 11:07
I use ZoneAlarm Security Suite on mine. What do you use, kemisti? I used Panda before Zone and had a lot of trouble with freezing and long starts and shutdowns. I will probably use Zone or McAfee on my friend's system. I suggested he get more RAM first; he only has 128 on his (the system you debugged).

-kemisti-
AfterDawn Addict
13. March 2006 @ 21:13
I use NOD32 and Outpost. Those are good and very lightweight.

mesa101
Member
14. March 2006 @ 07:32
Both of those look tempting. I may have to check them out. Thanks.