Please tell me if I am infected.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

1002richards

Retired Trusted Advisor
Joined
Jan 29, 2006
Messages
5,333
Hi ClickCardo,
From what you say I think you need to post a HijackThis log and then wait for someone qualified (gold shield next to their name) to take you through what needs to be done. Please go no further than the steps below and posting your results for now. You may want to print off this guide just in case.

Using Hijackthis with the self-installer that puts it into Program Files for you:

Go to: Click here to download HJTsetup.exe


  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Once you've done this, wait for advice.

Richard.
 

ClickCardo

Thread Starter
Joined
Dec 24, 2005
Messages
62
Rich

Thanks for the HiJack advice, but like my thread/text-file said I cannot even boot. I've clean installed XP Pro a second time only to get to the same point again. The problem came up without much warning so I'm not sure when I would run HiJack. Can you read the details in the text file completely and help give me a process for doing HiJack if you then still think it is the best way to go?

Thanks
CC
 

bearone2

Banned
Joined
Jun 4, 2004
Messages
5,809
ZA and SpySweeper are not AV programs.

A clean install should include removing, then creating, partition(s) and formatting prior to the install.

If you just overlaid XP on XP, you didn't necessarily fix the problem or eliminate any virus problems.
 

ClickCardo

Thread Starter
Joined
Dec 24, 2005
Messages
62
I have ZA Security Suite, so yes, it does have a virus checker. I know SpySweeper is a spy checker, a la its name; I was checking for spyware naturally too. No, I do not think I overlaid XP on XP, since I formatted the C partition then reinstalled.
 

ClickCardo

Thread Starter
Joined
Dec 24, 2005
Messages
62
1002richards said:
Hi ClickCardo,
From what you say I think you need to post a HijackThis log and then wait for someone qualified (gold shield next to their name) to take you through what needs to be done. Please go no further than the steps below and posting your results for now. You may want to print off this guide just in case.

Using Hijackthis with the self-installer that puts it into Program Files for you:

Go to: Click here to download HJTsetup.exe


  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Once you've done this, wait for advice.

Richard.
Richard

So sorry it took me so long to get back to you, but I wanted to try and be somewhat sure my problems were not hardware related. In the meantime I took out my main data drive, disconnected the boot drive and put in a new spare drive to be the boot. I then booted from the Windows XP Pro install disk, deleted the partition, then re-created the partition and formatted it before a clean install of XP. Next I added the chipset drivers and then I installed my Zone Alarm Security Suite, all without being hooked up to the web. After turning that on I went to Windows Update and installed every critical update necessary as well as some optional software/hardware ones including IE7. I installed Speedfan, Nero and a shredder and then the trial version of True Image 10.0. I then made a complete disk image backup of the boot drive and placed it on my second data drive which I had left in the pc. I also successfully burned some CDs. Finally, I was able to boot the trial True Image boot CD and was able to get right up to the last step before doing a restore. Finally I had ZA virus/spy scan my drives with none found.

I surfed a few well known safe websites with IE7 and burned some CDs to communicate with the pc I'm writing this on. Everything very swell. I then reconnected the original boot drive and made sure it was now just another data drive. I could not access its primary partition, but was able to get some data files off its extended partition. I next tried to boot off a hard drive diagnostic CD and True Image boot CDs to no avail. I then was able to boot into regular Windows fine. I deleted all the partitions off the original boot drive. I was then able to boot the hard drive diagnostic CD and zeroed the original boot drive. Rebooting into Windows went fine and I created a primary and extended partition on the original boot drive which I formatted. I was able to copy a file to the original drive.

I tried to boot off the True Image boot CD's to no avail again. This is when I followed your HiJack This procedure exactly and have pasted in the results below. Can you tell from it if I am infected with malware? Maybe the True Image trial boot CD has a time limit?

More help will be much appreciated.

Rich

Logfile of HijackThis v1.99.1
Scan saved at 5:42:59 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
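Reading a log like the one above by hand comes down to checking a handful of entry types one at a time. The Python script below is an added example, not part of this thread and not code from HijackThis itself: it parses R0/R1, O4 and O23 lines in the v1.99.1 format shown above and reports the things a reviewer looks at first (entries whose target file is missing, autostart executables that are unqualified or sit outside the usual system folders, IE pages pointing at a non-Microsoft host). The example.net start page and the EXAMPLE_Updater service in the sample are constructed so every check fires once; the trusted-root folder list is an assumption about a stock XP install.

```python
import re
from urllib.parse import urlsplit
# Constructed sample (added here, not from the thread): lines copied from the HijackThis v1.99.1
# log above, plus two made-up lines (example.net start page, EXAMPLE_Updater service) so each check fires.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.net/?hp=1
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: EXAMPLE_Updater (exupd) - Unknown owner - C:\Documents and Settings\User\exupd.exe
"""
# One regex per HijackThis section handled here: Rn (IE pages), O4 (Run keys), O23 (services).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
IE_RE = re.compile(r"^HK\w+\\Software\\Microsoft\\Internet Explorer\\Main,(?P<value>[^=]+?) = (?P<url>\S+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*) \((?P<short>[^()]*)\) - (?P<vendor>.*?) - (?P<path>.*)$")
# Assumption: on a stock XP box autostarts and services live under these two roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

def executable(cmd):
    """First token of a Run-key command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def check_path(sec, label, path):
    """Flag executables that are unqualified or live outside the usual system roots."""
    low = path.lower()
    if ":\\" not in low[:3]:  # no drive letter: resolved through the search path at logon
        return f"{sec} [{label}] unqualified executable name '{path}' (resolved via PATH)"
    if not low.startswith(TRUSTED_ROOTS):
        return f"{sec} [{label}] executable outside Windows/Program Files: {path}"
    return None

def review_entry(sec, body):
    """Review note for one log entry, or None if nothing stood out."""
    if body.endswith("(file missing)"):
        return f"{sec} dangling entry (target missing): {body}"
    if sec in ("R0", "R1") and (ie := IE_RE.match(body)):
        host = urlsplit(ie.group("url")).hostname or ""
        if host != "microsoft.com" and not host.endswith(".microsoft.com"):
            return f"{sec} IE {ie.group('value')} points at non-Microsoft host {host}"
    elif sec == "O4" and (run := RUN_RE.match(body)):
        return check_path(sec, run.group("name"), executable(run.group("cmd")))
    elif sec == "O23" and (svc := SVC_RE.match(body)):
        return check_path(sec, svc.group("short"), svc.group("path"))
    return None

def review_log(text):
    """Review notes for a whole HijackThis log; an empty list means nothing stood out."""
    notes = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())  # header and process-list lines do not match
        if m and (note := review_entry(m.group("sec"), m.group("body"))):
            notes.append(note)
    return notes
```

Run against the actual log in the post (with the two constructed lines removed), only the two "(file missing)" O9 entries and the bare nwiz.exe / RUNDLL32.EXE names come out, which matches Richard's point that most of what HijackThis lists is harmless.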
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.




Download and install AVG Anti-Spyware 7.5. AVG ANTI-SPYWARE IS ONLY FOR SYSTEMS RUNNING WIN 2K and XP.
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with AVG Anti-Spyware as follows:
1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done, reboot normally and submit the AVG Anti-Spyware report in your next reply and a new Hijackthis log.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
 

ClickCardo

Thread Starter
Joined
Dec 24, 2005
Messages
62
Cybertech

Thank you so much for following up on this. I just got your post now (9:30pm) on my other computer (which I might want to do this on also). In the meantime I was working with my pc builder's tech support thinking maybe it's a hardware problem. We made some BIOS changes and even updated the BIOS to the latest version. It turns out that the True Image boot CD would boot when the old Raptor boot drive, which was now a data drive, was not connected. It would NOT boot the True Image CD when it was connected. This was repeatable. The tech turned me over to the RMA people.

They still did not believe there was a problem since I had added the new XP boot drive and still had the old data drives as well as the Raptor connected. They said when they got it they would just connect only the original Raptor and install XP from its CD. If that worked they told me it would not be their problem since it could boot from a CD and the system would be as delivered.

I told them I'd save them time and try that exact procedure myself. I disconnected the extra old data drive. I then booted the Windows install CD where I then deleted all the partitions on the Raptor and new boot drive. I then disconnected the new boot drive. I then booted again from the Windows install CD and created one big partition on the problem Raptor and full formatted it. Windows installed perfectly and I can now boot from the True Image boot CD ok. That's where I stand. I have heard about MBR viruses, but know nothing else about them. Could I have had a MBR virus? Would it be gone now? Would the other drives have MBR's and viruses too?

Please let me know what you think I should do next. Should I do your procedure on my brand new XP installed, never internet connected, pc? Should I connect the other two drives and then do it? Just let me know. Could this pc I'm posting on have a MBR virus? It has shown some slightly different peculiarities too, but seems to generally be working ok. Should I run your procedure on it also before hooking the two together?

I just am desperate to start setting my old pc back up and not infect it again. Just let me know what you think given the new info.

Thanks
Rich
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
The hardware you are describing is not something I have any experience with.
 

ClickCardo

Thread Starter
Joined
Dec 24, 2005
Messages
62
Cybertech

Thanks for the fast response.

Are you sure you're not familiar with computer hard drives and cd drives and cd's and computer's BIOS? That is the only hardware I am speaking of. Maybe you are not familiar with MBR's on hard drives and that they may contain viruses since I am not. Is that the case?

True Image is hard disk imaging backup software. It takes a byte for byte backup copy of a hard drive. It has a CD you can boot from just like the Windows XP install CD can. You boot from the True Image (TI) boot CD because the boot hard drive with XP on it might have gone bad and been replaced with a new hard drive. By booting from the TI CD you can use it to restore your backup of the XP hard drive you made earlier to the new hard drive. Is this what you meant when you said you are not familiar with my hardware?

Any further explanation of what you meant by being not familiar with my hardware would be most appreciated.

Also let me know if I can do anything else to better explain my hardware or situation.

Thanks
Rich
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
I know about computer hard drives and cd drives and cd's and computer's BIOS etc, but I've never used True Image. Now, with your explanation, I understand what it does.

I'm not sure about MBR viruses; I've never encountered one.
 
Joined
Feb 18, 2005
Messages
284
ClickCardo

As I read along and have reviewed what's posted, at this point after you've done all the formats and installs are you still having a problem? If yes what is it?
 