
Please tell me if I am infected.

Discussion in 'Windows XP' started by ClickCardo, Feb 8, 2007.

  1. ClickCardo

    ClickCardo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    62
    Nothing shows on ZoneAlarm or SpySweeper.

    See all my gory details in attached text file.

    Thanks
    CC
     

    Attached Files:

  2. 1002richards

    1002richards Retired Trusted Advisor

    Joined:
    Jan 29, 2006
    Messages:
    5,333
    Hi ClickCardo,
    From what you say I think you need to post a HijackThis log and then wait for someone qualified (gold shield next to their name) to take you through what needs to be done. Please go no further than the steps below and posting your results for now. You may want to print off this guide just in case.

    Using Hijackthis with the self-installer that puts it into Program Files for you:

    Go to: Click here to download HJTsetup.exe


    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    Once you've done this, wait for advice.

    Richard.
     
  3. ClickCardo

    ClickCardo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    62
    Rich

    Thanks for the HiJack advice, but like my thread/text-file said I cannot even boot. I've clean installed XP Pro a second time only to get to the same point again. The problem came up without much warning so I'm not sure when I would run HiJack. Can you read the details in the text file completely and help give me a process for doing HiJack if you then still think it is the best way to go?

    Thanks
    CC
     
  4. bearone2

    bearone2 Banned

    Joined:
    Jun 4, 2004
    Messages:
    5,809
    ZA and SpySweeper are not AV programs.

    A clean install should include removing, then creating partition(s) and formatting prior to the install.

    If you just overlaid XP on XP, you didn't necessarily fix the problem or eliminate any virus problems.
     
  5. ClickCardo

    ClickCardo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    62
    I have ZA Security Suite, so yes, it does have a virus checker. I know SpySweeper is a spy checker, à la its name; I was checking for spyware naturally too. No, I do not think I overlaid XP on XP, since I formatted the C partition and then reinstalled.
     
  6. ClickCardo

    ClickCardo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    62
    Richard

    So sorry it took me so long to get back to you, but I wanted to try and be somewhat sure my problems were not hardware related. In the meantime I took out my main data drive, disconnected the boot drive and put in a new spare drive to be the boot drive. I then booted from the Windows XP Pro install disk, deleted the partition, then re-created the partition and formatted it before a clean install of XP. Next I added the chipset drivers and then I installed my Zone Alarm Security Suite, all without being hooked up to the web. After turning that on I went to Windows Update and installed every critical update necessary as well as some optional software/hardware ones, including IE7. I installed Speedfan, Nero and a shredder and then the trial version of True Image 10.0. I then made a complete disk image backup of the boot drive and placed it on my second data drive, which I had left in the PC. I also successfully burned some CDs. Finally, I was able to boot the trial True Image boot CD and was able to get right up to the last step before doing a restore. Finally I had ZA virus/spy scan my drives, with none found.

    I surfed a few well known safe websites with IE7 and burned some CDs to communicate with the PC I'm writing this on. Everything very swell. I then reconnected the original boot drive and made sure it was now just another data drive. I could not access its primary partition, but was able to get some data files off its extended partition. I next tried to boot off a hard drive diagnostic CD and the True Image boot CDs, to no avail. I then was able to boot into regular Windows fine. I deleted all the partitions off the original boot drive. I was then able to boot the hard drive diagnostic CD and zeroed the original boot drive. Rebooting into Windows went fine and I created a primary and extended partition on the original boot drive, which I formatted. I was able to copy a file to the original drive.

    I tried to boot off the True Image boot CDs, to no avail again. This is when I followed your HijackThis procedure exactly and have pasted in the results below. Can you tell from it if I am infected with malware? Maybe the True Image trial boot CD has a time limit?

    More help will be much appreciated.

    Rich

    Logfile of HijackThis v1.99.1
    Scan saved at 5:42:59 PM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SpeedFan\speedfan.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
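    The log above is what the helpers on this thread read by eye. As an added example (not code from any poster, and not a HijackThis feature), the Python below does the first-pass triage a helper would do: it walks the R0/R1, O4, O9 and O23 lines and pulls out the ones worth asking about: entries marked "(file missing)", autorun or service binaries that live outside Windows/Program Files or in a Temp folder, services with no publisher, and browser start/search pages pointing at a non-Microsoft host. The sample input copies five lines from the log above and adds two constructed placeholder lines (not real malware names) so that the flagging logic has something to show; the "trusted" directory list and the allowed host suffixes are assumptions chosen for an XP-era machine, not a rule HijackThis itself applies.

```python
import re

# Constructed sample: the first five lines are copied from the HijackThis log
# posted in this thread; the last two are CONSTRUCTED placeholders that show
# what an entry worth questioning looks like (they are not real malware names).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKCU\..\Run: [example_autorun] C:\Documents and Settings\user\Local Settings\Temp\example_unknown.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\Temp\example_svc.exe
"""

WINDIR = r"c:\windows"
# Assumption: directories an XP-era startup entry is normally expected to run from.
TRUSTED_DIRS = (WINDIR, r"c:\program files", r"c:\progra~1")
# A drive-letter path (or %windir%-relative path) up to the next quote or comma.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*|%windir%\\[^",]*', re.IGNORECASE)
# O4 lines: "O4 - HKLM\..\Run: [entry name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumption: hosts a default XP/IE7 start or search page may legitimately point at.
SAFE_HOST_SUFFIXES = ("microsoft.com", "msn.com", "live.com")


def _normalize(path):
    """Lower-case the path and expand %windir% so prefix checks are uniform."""
    p = path.strip().lower()
    if p.startswith("%windir%"):
        p = WINDIR + p[len("%windir%"):]
    return p


def _check_paths(text):
    """Return review reasons for every path mentioned in a command or binary field."""
    reasons = []
    for raw in PATH_RE.findall(text):
        p = _normalize(raw)
        if not p.startswith(TRUSTED_DIRS):
            reasons.append("runs from outside Windows/Program Files: " + p)
        if "\\temp\\" in p:
            reasons.append("runs from a Temp folder: " + p)
    return reasons


def triage(log_text):
    """Walk a HijackThis log and collect the entries a helper would ask about first.

    Returns a list of {"line": ..., "reasons": [...]} in log order. Lines that
    raise no question are omitted; in a clean log that is nearly all of them.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        if "(file missing)" in line:
            reasons.append("points at a file that is no longer on disk (stale entry)")
        m = O4_RE.match(line)
        if m:
            reasons += _check_paths(m.group("cmd"))
        elif line.startswith("O23 - Service: "):
            # "display name (short name) - publisher - binary path"; split from the right
            # because the display name itself may contain " - ".
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                _name, company, binary = parts
                if company.strip().lower() == "unknown owner":
                    reasons.append("service binary carries no publisher ('Unknown owner')")
                reasons += _check_paths(binary)
        elif line.startswith(("R0 - ", "R1 - ")):
            url = line.split(" = ", 1)[-1].strip()
            if url.lower().startswith("http"):
                host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
                if not host.endswith(SAFE_HOST_SUFFIXES):
                    reasons.append("browser start/search page points at " + host)
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def main():
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    -> " + reason)


if __name__ == "__main__":
    main()
```

    Run against the sample it reports three lines: the stale xpnetdiag button and the two constructed placeholders. A "(file missing)" entry is the lowest-priority class, since nothing can run from a path that is not there; an unsigned service or an autorun in a Temp folder is what a helper would look up before anything else. A flag is a question to ask, not a verdict: a real log is read alongside what the machine owner installed, which is why the helpers here ask for the log rather than having the tool "fix" entries.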
     
  7. 1002richards

    1002richards Retired Trusted Advisor

    Joined:
    Jan 29, 2006
    Messages:
    5,333
    Hi,
    Can someone help ClickCardo with this please?
    Thanks.

    Richard.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Doesn't look like malware to me.
     
  9. ClickCardo

    ClickCardo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    62
    could it be a MBR virus? something is still off.
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Download and install AVG Anti-Spyware 7.5 AVG ANTI-SPYWARE IS ONLY FOR SYSTEMS RUNNING WIN 2K and XP
    (This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
    1. After download, double click on the file to launch the install process.
    2. Choose a language, click "OK" and then click "Next".
    3. Read the "License Agreement" and click "I Agree".
    4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
    5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
    6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
    7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
    8. Go to Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
    • When you find the guard service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Manual".
    • Now click "Apply", then "OK" and close the Services window.
    9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with AVG Anti-Spyware as follows:
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
    2. Click the "Scan" tab to return to scanning options.
    3. Click "Complete System Scan" to start.
    4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. Exit AVG Anti-Spyware when done, reboot normally and submit the AVG Anti-Spyware report in your next reply and a new Hijackthis log.

    Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
    1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

    2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
     
  11. ClickCardo

    ClickCardo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    62
    Cybertech

    Thank you so much for following up on this. I just got your post now (9:30pm) on my other computer (which I might want to do this on also). In the meantime I was working with my PC builder's tech support, thinking maybe it's a hardware problem. We made some BIOS changes and even updated the BIOS to the latest version. It turns out that the True Image boot CD would boot when the old Raptor boot drive, which was now a data drive, was not connected. It would NOT boot the True Image CD when it was connected. This was repeatable. The tech turned me over to the RMA people.

    They still did not believe there was a problem, since I had added the new XP boot drive and still had the old data drives as well as the Raptor connected. They said when they got it they would just connect only the original Raptor and install XP from its CD. If that worked, they told me it would not be their problem, since it could boot from a CD and the system would be as delivered.

    I told them I'd save them time and try that exact procedure myself. I disconnected the extra old data drive. I then booted the Windows install CD where I then deleted all the partitions on the Raptor and new boot drive. I then disconnected the new boot drive. I then booted again from the Windows install CD and created one big partition on the problem Raptor and full formatted it. Windows installed perfectly and I can now boot from the True Image boot CD ok. That's where I stand. I have heard about MBR viruses, but know nothing else about them. Could I have had a MBR virus? Would it be gone now? Would the other drives have MBR's and viruses too?

    Please let me know what you think I should do next? Should I do your procedure on my brand new XP installed, never internet connected, pc? Should I connect the other two drives and then do it? Just let me know. Could this pc I'm posting on have a MBR virus? It has showed some different slight peculiarities too, but seems to generally be working ok. Should I run your procedure on it also before hooking the two together?

    I just am desperate to start setting my old pc back up and not infect it again. Just let me know what you think given the new info.

    Thanks
    Rich
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The hardware you are describing is not something I have any experience with.
     
  13. ClickCardo

    ClickCardo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    62
    Cybertech

    Thanks for the fast response.

    Are you sure you're not familiar with computer hard drives and cd drives and cd's and computer's BIOS? That is the only hardware I am speaking of. Maybe you are not familiar with MBR's on hard drives and that they may contain viruses since I am not. Is that the case?

    True Image is hard disk imaging backup software. It takes a byte for byte backup copy of a hard drive. It has a CD you can boot from just like the Windows XP install CD can. You boot from the True Image (TI) boot CD because the boot hard drive with XP on it might have gone bad and been replaced with a new hard drive. By booting from the TI CD you can use it to restore your backup of the XP hard drive you made earlier to the new hard drive. Is this what you meant when you said you are not familiar with my hardware?

    Any further explanation of what you meant by being not familiar with my hardware would be most appreciated.

    Also let me know if I can do anything else to better explain my hardware or situation.

    Thanks
    Rich
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I know about computer hard drives and CD drives and CDs and computers' BIOS etc., but I've never used True Image; now, with your explanation, I understand what it does.

    I'm not sure about MBR virus, never encountered one.
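    Nobody in the thread answers what an MBR actually is, and the HijackThis log posted earlier cannot answer it either: HijackThis reads registry run keys, browser settings and service entries, not the first sector of a disk. As an added example (not from any poster here), the Python below shows what that sector holds and how a defender can keep a baseline of it. It builds a constructed 512-byte MBR with a bootable NTFS primary and an extended partition (mirroring the layout ClickCardo describes), parses the four partition-table entries, checks the 0x55AA boot signature, and hashes the 446-byte boot-code area so that a later read of the same sector can be compared against a known-good hash. The partition sizes and the NOP filler in the code area are constructed values; on a live Windows machine the sector would be read from the raw device as Administrator, which the example deliberately does not do.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code the BIOS jumps into
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"      # bytes 510..511 must hold this or the BIOS will not boot it
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes


def make_sample_mbr():
    """CONSTRUCTED example sector: bootable NTFS primary (type 0x07) plus an extended
    partition (type 0x0F). The boot-code area is NOP filler, not a real loader; the
    start offsets and sizes are made-up values that merely fit in 32 bits."""
    code = b"\x90" * BOOT_CODE_LEN
    entries = [
        struct.pack(ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 63, 20_000_000),
        struct.pack(ENTRY_FMT, 0x00, b"\x00" * 3, 0x0F, b"\x00" * 3, 20_000_063, 10_000_000),
        bytes(ENTRY_SIZE),   # unused slot
        bytes(ENTRY_SIZE),   # unused slot
    ]
    return code + b"".join(entries) + SIGNATURE


def parse_mbr(sector):
    """Split a 512-byte sector into a boot-code hash, the used partition entries and
    a signature check. Raises on anything that is not exactly one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:            # type 0 marks an empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "code_hash": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(sector, baseline_hash):
    """True when the bootstrap code differs from the hash recorded on a known-good day.
    The partition table is excluded on purpose: repartitioning legitimately changes it,
    while the code area should only change when an OS installer rewrites it."""
    return parse_mbr(sector)["code_hash"] != baseline_hash


def main():
    # On a live Windows machine, run as Administrator, the sector would come from
    #     open(r"\\.\PhysicalDrive0", "rb").read(512)
    # instead of the constructed sample used here.
    mbr = make_sample_mbr()
    info = parse_mbr(mbr)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print("slot %d  type 0x%02x  bootable=%s  start=%d  sectors=%d"
              % (p["index"], p["type"], p["bootable"], p["lba_start"], p["sectors"]))
    baseline = info["code_hash"]           # store this somewhere off the machine
    tampered = bytearray(mbr)
    tampered[0] ^= 0xFF                    # one byte of boot code altered
    print("unchanged sector flagged:", boot_code_changed(mbr, baseline))
    print("modified sector flagged:", boot_code_changed(bytes(tampered), baseline))


if __name__ == "__main__":
    main()
```

    Two points follow from the layout, and both bear on the steps taken in this thread. Formatting a partition rewrites that partition's own boot sector, not sector 0 of the disk, so a format alone says nothing about the MBR; the full zero-fill ClickCardo did with the diagnostic CD does overwrite sector 0, boot code included. And every disk has its own sector 0, which is why the question about "the other drives" is a separate question per drive.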
     
  15. buddythedog

    buddythedog

    Joined:
    Feb 18, 2005
    Messages:
    284
    ClickCardo

    As I read along and have reviewed what's posted: at this point, after you've done all the formats and installs, are you still having a problem? If yes, what is it?
     
Short URL to this thread: https://techguy.org/542281
