Alexjc01
asked on
Confused! Is my PC infected or not
I recently ran an a2HijackFree and was astonished at the number of "bads" displayed.
Some I understood, researched and removed until only a few were left. But these few I can't find and don't seem to suffer from the symptoms. I ran a HijackThis and saved the log file. It reads as follows. I'm getting a bit out of my depth here so wondered if somebody can advise if I should be doing something more or not.
Logfile of HijackThis v1.99.1
Scan saved at 20:33:00, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Lotus\ntmulti.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\ALEXCA~1.R52\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} (NTR ActiveX 1.1.6) - http://www.inquiero.com/inquiero/mod/setup/ntractivex116_14.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
SOLUTION
ASKER
I think I have all those. I'll run them again but last run found nothing more than a few cookies
Also do the following...
Turn Off System restore
>> Right click, My Computer,
>> Properties
>> Click on the System Restore Tab,
>> Put a checkmark in the box reboot computer into safemode (Press F8 before windows logo)
>> Run the above programs in safemode.
When finished, turn on system restore again.
ASKER
I did the hijackthis analysis and am virus checking where recommended. Seems to be clean
http://www.hijackthis.de/logfiles/f2619ab6e5d82542c8dbe6a30ec1b977.html
this link is to the results
ASKER
I don't have a checkbox for 'reboot computer into safemode (Press F8 before windows logo)'
Only turn system restore off!
No, when you turn off system restore reboot the computer and when it starts to load the POST before the windows logo press F8. It will then take you into the Advanced boot menu. From there select Safemode.
ASKER
Done. I now have these issues from a2Hijackfree
$statusbad$ 1047 TCP GateCrasher.b, GateCrasher.c
$statusbad$ 1050 TCP MiniCommand
$statusbad$ csrss.exe %winpath%\ This worm is transmitted via e-mail and attempts to install itself on your computer.
$statusbad$ csrss.exe %winpath%\winsecurity\ Email-Worm.Win32.Sober.z
Any ideas?
Can you please post the bad entries that you removed? all those entries point to something. You can look at the backup that hijackthis kept for all the fixed entries.
We could only diagnose/fix malware if I see those bad entries.
What you really did by fixing them is disabling them from running at startup.
You're running in diagnostic startup mode which means you've disabled startup entries while running hijackthis and those entries didn't show in the log.
If you can't find the hijackthis backup, you could just run a Hijackthis startup list.
In Hijackthis "Misc Tools", click on "Generate Startup list log"
checkmark "list also minor sections (full)"
checkmark "list empty sections (complete)"
and upload the log at http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.
OR: just paste the log to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.
ASKER
http://www.rafb.net/paste/results/2zWFGC51.html
rpggamergirl - followed the second set of instructions and this is the link
Sorry the startup list didn't help maybe because some startup are disabled.
What startup entries did you uncheck in msconfig?
A2HijackFree is claiming you have that Email-Worm.Win32.Sober.z
If so, just go and look for their files in your system.
You might have to show hidden files and folders first.
Look for these files:
C:\WINDOWS\csrss.exe
C:\WINDOWS\winsecurity\csrss.exe
Also look for:
C:\Windows\WinSecurity\services.exe
ASKER
I unchecked msmsgs and ctfmon recently. msmsgs seems to re-check itself every time I boot
I find csrss in C:\WINDOWS\system32. I thought that one was OK
I also find services.exe in system32.
those csrss.exe and services.exe in system32 folder are okay.
Are you showing hidden files and folders while looking for these files:?
C:\WINDOWS\csrss.exe
C:\WINDOWS\winsecurity\csrss.exe
C:\Windows\WinSecurity\services.exe
Don't use Search, because if you do, then you need to reconfigure it to search for hidden files and folders because by default it will NOT even if explorer is already showing hidden files.
Does that make sense? :)
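The whole thread comes down to reading a HijackThis log by eye and applying a few rules: a csrss.exe or services.exe is only legitimate in system32 (the a2HijackFree hits pointed at %windir% and %windir%\winsecurity instead), an O23 service whose file is "(file missing)" is an orphaned entry, and AppInit_DLLs and bare-name Run entries deserve a second look. The following Python script is an added example, not code from the thread or from HijackThis: it parses the v1.99.1 log format and applies exactly those checks. The sample lines are taken from the log posted at the top of this question plus two constructed process lines (a system32 csrss.exe, which HijackThis did not list, and a copy under winsecurity) so the core-binary check has something to catch; the CORE_BINARIES table and the severity labels are assumptions of this example.

```python
"""Triage a HijackThis v1.99.1 log: parse its sections and flag the entries a
responder checks first. Added example, not part of the thread or of HijackThis."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows XP binaries and the single directory each legitimately runs from
# (compared case-insensitively). A csrss.exe or services.exe anywhere else, such
# as %windir% or %windir%\winsecurity as a2HijackFree reported, is suspect.
# This table is an assumption of the example, not something HijackThis supplies.
SYSTEM32 = r"C:\WINDOWS\system32"
CORE_BINARIES = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "explorer.exe": r"C:\WINDOWS",
}

SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # "O23 - Service: ..." and friends
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(.*?)\] (.*)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")              # the command names an absolute path


@dataclass
class Finding:
    severity: str   # "high", "medium" or "review"
    section: str    # "process" or the HijackThis section id
    reason: str
    line: str


def check_process(path: str) -> Optional[Finding]:
    """Flag a running core binary that is not in its expected directory."""
    name = ntpath.basename(path).lower()
    expected = CORE_BINARIES.get(name)
    if expected is None:
        return None
    actual = ntpath.normpath(ntpath.dirname(path))
    if actual.lower() != expected.lower():
        return Finding("high", "process",
                       f"{name} running from {actual}, expected {expected}", path)
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = SECTION_RE.match(line)
        if m is None:
            # Inside "Running processes:" every line is the full path of an image.
            if in_processes:
                hit = check_process(line)
                if hit:
                    findings.append(hit)
            continue
        in_processes = False
        section, body = m.groups()
        if section == "O4":
            rm = RUN_RE.match(body)
            if rm and not DRIVE_RE.search(rm.group(2)):
                findings.append(Finding("review", section,
                    f"Run entry [{rm.group(1)}] gives no absolute path; "
                    "confirm which directory the image is loaded from", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding("review", section,
                "AppInit_DLLs is loaded into every user32-linked process; "
                "verify the DLL's publisher and location", line))
        elif section == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, image = parts
            if image.endswith("(file missing)"):
                findings.append(Finding("medium", section,
                    f"service {name} points at a missing file (orphaned entry)", line))
            elif owner == "Unknown owner":
                findings.append(Finding("review", section,
                    f"service {name} has no recorded publisher", line))
    return findings


# Sample input: lines from the log posted in this thread, plus two constructed
# process lines (system32 csrss.exe and a copy under winsecurity).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\winsecurity\csrss.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the script reports one high finding (the winsecurity csrss.exe), one medium (PsaSrv, file missing) and three review items (TpShocks with no path, AppInit_DLLs, the IBMPMSVC service with no publisher), and stays silent on the system32 csrss.exe, which is the same verdict given in the thread. Because it reads the log text rather than the file system, it is unaffected by the hidden-files problem mentioned above; it tells you where to look, not whether the file is there.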
ASKER
I don't even have a C:\Windows\winsecurity folder and no C:\WINDOWS\csrss.exe either
>>I don't even have a C:\Windows\winsecurity folder and no C:\WINDOWS\csrss.exe either<<
Well, then A2Hijackfree was giving a false positive report, that's all I can think of.
ASKER
OK so this being the case, I guess I can assume it's pretty clean? I thought running a Hijackthis would be the proof. If the same issues were listed, they must be real. You haven't seen anything else in my Hijack this log tho right? So probably I should close this issue?
ASKER CERTIFIED SOLUTION
All you have to do is copy/paste the log that you have above into the textbox and press analyze.