Computer Hope
Software => Computer viruses and spyware => Topic started by: Ivy on September 24, 2008, 06:29:51 AM
-
Hi ,
I read that thread , before posting for help, It says we need to download AVG 8.0 but my download stop hlaf way, I don't have any antivirus right now and I wanna get my system checked.
thanks!
-
Hey Evil,
Heres' what happened, I downloaded avast finally and it asks me to delete a few things and I did and my comp wasn't working anymore, I had to go back to a restore point to get this working, everything is infected!! What to do now!!
-
Post a HijackThis log please.
I wish you would have posted the logs the first time, then things may not have gotten this bad....
-
This is not the same system!
I ruined all the systems at my place!!
I tried downloading hjt, it doesn't work!!
-
What error do you get (if any)
-
It completes downloading and saves some kind of icons on my desktop and when I click on them they disappear.
-
Try this.
Download random's system information tool (RSIT) (http://images.malwareremoval.com/random/RSIT.exe) by random/random from and save it to your Desktop.
- Double click on RSIT.exe to run.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open.
- log.txt <will be maximized and info.txt <will be minimized
- Please post the contents of both logs in the next reply.
-
Okay just now it did save a icon on my desktop but it won't open it is ''HJTInstall.exe.part''
Btw you might know that my windows is not orignal.
-
I tried downloading that, download completed but then this came
[Saving space - attachment deleted by admin]
-
Btw you might know that my windows is not orignal.
I had figured that out long ago....
I won't help with making it work illegally, but if there is malware issues I will help clean it up and then advise you do make it legal so these problems won't happen any longer. An improperly patched (updated) computer is very unreliable as you can see and putting a legal copy of Windows on an infected computer is very bad.
Try running this. Be sure to rename it.
Download Deckard's Association File Tool (DAFT) (http://www.techsupportforum.com/sectools/Deckard/daft.exe) and save it to your desktop.
- Rename daft.exe to daft.com and double click on it to run.
- Read the disclaimer and click OK.
- Click on the Scan button.
- If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
- Click the Fix button.
-
Btw you might know that my windows is not orignal.
I had figured that out long ago....
I won't help with making it work illegally, but if there is malware issues I will help clean it up and then advise you do make it legal so these problems won't happen any longer. An improperly patched (updated) computer is very unreliable as you can see and putting a legal copy of Windows on an infected computer is very bad.
Try running this. Be sure to rename it.
It wasn't my fault you know!! I was young and dumber when that guy fooled me and I told my pa that I needed a comp of my own choice so he got this guy and he got me this pc and years later I realized how he had cheated !!
-
Here, my God!!
[Saving space - attachment deleted by admin]
-
I didn't ask why or accuse you of anything, just stated where I stand on the issue. But to be honest, you now know it's not legit so the naive excuse no longer applies.
Can you do a system restore and try to get some functions back?
-
Also try restarting the computer then install HJT.
-
This is a restore point I'm working in right now, Actually earlier I had downloaded Avast and HJT etc but then Avast scanned the comp and asked me to chose what to do to the infected files I choose delete but then my comp stopped working, so I took it back to this restore point I created today itself, earlier I had no restore points.
Shall I restart the comp and see if download works?
-
You might try restoring the files that Avast removed and then restart.
There is a possibility, depending on how this copy of Windows was installed that Avast is removing files needed to run Windows properly. Many antivirus are starting to detect illegal code and remove it as if it were a virus.
-
Oh !! How do I restore those files?
-
Start Avast and go into the quarantine then choose the files and restore them. You will probably need to restart for it to take effect.
-
But I don't have Avast in this restore point!!!!!
-
Ohhh....
I need to do some looking around on this.
-
I'm so sorry, hope its not too much trouble!!
I restarted and windows gives this message on every restart.
[Saving space - attachment deleted by admin]
-
See if you can do this and then restart and try again.
Clearing Temp Folder
- Click on Start and then Run.
- In the text box in the Run window, type %Temp% and click OK. A folder full of files and other folders will appear.
- Remove everything inside the Temp folder, choose Edit and then Select All from the menu.
- Note: If you're prompted that there are hidden files in this folder, just click on OK to bypass the message.
- Now that all of the files and folders are selected, hit your Delete key or choose File and then Delete from the menu.
- Confirm that you want to delete the files by clicking Yes on the Confirm Multiple File Delete window that opens.
- After all of the files have been deleted close the window and empty your Recycle Bin.
-
Also try going into the control panel and create a new account. See if the new account will work for downloading the tools we need.
-
Ok, I deleted the temp files and Still that error came on restart.
I'm creating a new account now.
-
If the new account will not work right do this. Actually it won't hurt to do it anyway to make sure these files are gone.
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Go to Start > Run and type notepad.exe then click OK
Copy the text in the Code box below and paste it into Notepad.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe C:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe C:\Documents and Settings\Administrator\Local Settings\Temp\services.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe C:\Documents and Settings\Administrator\Local Settings\Temp\smss.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe]
In Notepad go to File > Save as...
Next to File name: type fixme.reg Use the dropdown box next to Save as type: and select All files. Save it to the Desktop.
There should now be a file on the Desktop that looks like this (http://i154.photobucket.com/albums/s258/evilfantasy69/reg.jpg)
Double-click fixme.reg it and allow it to merge with the Registry.
You may not see anything happen but give it a few seconds or so to finish.
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it did not work.
Now delete the fixme.reg file from the Desktop.
-
It says it has successfully merged with the registry or somethin like that!!
-
Do I delete it now?
-
Yes delete it now and try to install something again.
-
Its not working!!
What am I gonna do?!!
-
Okay, I created a new account, and on this new account I have almost no icons on the desktop, its like a new computer, But even on this account the download did not work!!
-
Go to C:\Program Files and look for the Avast folder. See if the quarantine folder is there and right click the files to see if there is a restore option.
-
There's just a temp folder of avast which is empty.
-
Its very very late at night now, I have to go to college tomorrow, actually practically its already tomorrow right now!!
Hey Evil, thankyou so much for helping!!!
I was wrong about you in many aspects, sorry!!
I'll come tomorrow now.
Hopefully we'll figure this out!!
Thanks again!
-
See if you can borrow an XP CD that matches your system Xp Home or XP Pro to do a repair install.
-
I dont know whom to take a cd from!!
is that the only way out?
-
I'm running out of ideas.
Create A Bootable/Slipstreamed Windows XP Installation CD http://www.theeldergeek.com/slipstream_01.htm
-
Okay, I got a windows xp 2 CD now :)
-
Download this guide.
Repair Install XP.pdf (http://www.fileupyours.com/files/208646/Repair%20Install%20XP.pdf)
-
Thanks Evil, I reformatted my computer yesterday!
Now I can download etc, I'll still download HJT etc and post a log here so you can take a look.
thanks :) :)
-
New HJT :)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:19 AM, on 9/29/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B49B764-A2EE-4C58-ACFC-6B323C5575DA}: NameServer = 202.144.13.50,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B49B764-A2EE-4C58-ACFC-6B323C5575DA}: NameServer = 202.144.13.50,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B49B764-A2EE-4C58-ACFC-6B323C5575DA}: NameServer = 202.144.13.50,202.144.66.6
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
--
End of file - 2864 bytes
-
Everything looks fine now.
-
Yes Currently it si, before that it was in west asia, in 48 days it will probably be in russia, I travel with my Group and stay in different places for 3 to 6 months, anyway I'd like you to edit your last post or just remove the place, that would be very nice you know! :)
-
Don't be over paranoid. Lots of people know where you are and it is a large country. We wouldn't allow information that could be harmful in any way to anybody to remain in the forums ;)
-
Read my profile :)
thankyou for helping again :)
-
Caught it and already was fixing. Sorry.
-
Its alright!!
Thankyou :)