Computer Hope
Software => Computer viruses and spyware => Topic started by: Jade on July 27, 2007, 02:59:49 AM
-
Maybe not, hopefully, someone's expertise can get me out of this.
To begin, my computer, given to me by my grandparents is no prize machine. It's an emachines computer with a 17" CRT monitor.. but I guess that's irrelevant. :)
I have 256MB of RAM, on about a 40GB hard drive. I'm running Windows XP Professional with Service Pack 2.
I tried, over and over again, using these anti-spyware/malware/viruses:
AVG Anti-Spyware
ashampoo Anti-Spyware 2
Ad-Aware 2007
a-squared free
CounterSpy
SUPERAntiSpyware Professional
ATF-Cleaner
HiJackThis
HouseCall
Spybot S&D
Advanced WindowsCare V2 Personal
avast! Antivirus
Now, my problem: I have no explorer.exe
I have no start bar, no icons, and the only way I can use my computer is through the "CTRL-ALT-DEL" function, and opening a program from there. My desktop background, however, does load fine. I'd consider myself somewhat knowledgeable in the way of computers, though I am no pro. :)
To be totally honest, I think this resulted from a keygen I downloaded online. I have the Sims 2, I lost my booklet, I found and downloaded the keygen, and it gave me a code that worked, and I used it; I then deleted the keygen.
Seriously, any help would be appreciated. Thanks. :)
EDIT: BTW, I have tried restarting explorer.exe manually. My start bar will work for about a half of a second, then will close, along with explorer.exe
-
try running the programs one at a time in safe mode (http://www.saviour-pc.com/forums/view.php?pg=safemode) with networking so you can update them
-
try running the programs one at a time in safe mode (http://www.saviour-pc.com/forums/view.php?pg=safemode) with networking so you can update them
I run them all often, and I update them before using them.
-
ok then follow my link and try in safe mode
-
ok then follow my link and try in safe mode
Alrighty. I'll do that right now.
-
ok then follow my link and try in safe mode
Alrighty. I'll do that right now.
I'm in safe mode now, and I'm running a scan with SUPERAntispyware, at the moment. Just out of total n00bishness, what's the difference between running a scan in safe mode opposed to running a scan when Windows is booted normally?
-
safe mode only lets key files run that are required for the OS (operating system) to work, which excludes your infection.
-
safe mode only lets key files run that are required for the OS (operating system) to work, which excludes your infection.
My infection is still active, I think. I am experiencing the same problems as when Windows was booted normally, i.e. the lack of the explorer.exe process and icons and start bar. [what's it really called? I call it the start bar.. hehe]
-
close enough... but you can still scan and do other things, correct? then the infection isn't completely active or you have more than one infection on your hands
-
close enough... but you can still scan and do other things, correct? then the infection isn't completely active or you have more than one infection on your hands
I can do just about anything that I could with a start bar, icons, and all that, but it's becoming more and more irritating to have to go to the task manager, and having everything all unorganized. I can scan, yes, and SUPERAntispyware came back clean. I don't know what to do now....
-
try your av?
-
try your av?
Okey-doke.
A quick scan, normal scan, or deep scan?
-
deep did you do a deep with super??
-
deep did you do a deep with super??
I don't think there's an option in SUPERAntispyware.. I'll re-look.
-
yep there is called complete scan
-
yep there is called complete scan
I already started avast!, so it'll be awhile. I'll watch TV for a bit and come back. :D
-
ok. i should be on I'm doing some testing for other sites right now too
-
Uh.. avast! scans the dumbest things. It took a whole 2 minutes to go through ALL my chat logs from MSN Messenger... I'm sure that's where the viruses are... :P
-
lol. did it find anything in them??
-
It's possible that your problem isn't actually caused by an infection. How long has this been happening? What were you doing when it first happened? Have you tried System Restore? Last known good configuration? I would suggest opening up the Run/New Task command and trying chkdsk /f (note the space). If you have an official Windows CD, also give sfc /scannow (again, note the space) a try.
Continue with unlovedwarrior's suggestion of scanning in Safe Mode and let us know how it goes. Once you're done, restart back into Normal Mode and post a HijackThis log. If you have an infection, we'll do our best to find it and remove it. If you don't have an infection, then at least ruling it out can lead us into an appropriate direction.
safe mode only lets key files run that are required for the OS (operating system) to work, which excludes your infection.
My infection is still active, I think. I am experiencing the same problems as when Windows was booted normally, i.e. the lack of the explorer.exe process and icons and start bar. [what's it really called? I call it the start bar.. hehe]
It's called the Taskbar.
-
lol. did it find anything in them??
I just came to check avast! here, and it found something. A worm/trojan.
-
Did the "scannow" thing, command prompt opened up and asked me if I'd fancy its services upon system restarts. I said, "yeah, that'd be sweet."
:P
lol...
avast! is still doing its thing.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:45 AM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\MaryP_2\Desktop\HiJackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AntiSpyWare2Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: WindowZones Service (WZSvc) - ByteCrusher - C:\Program Files\WindowZones\WindowZones.sys
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 3817 bytes
-
Jade, could you possibly perform the HijackThis scan in Normal Mode? When run in Safe Mode, a lot of things tend to not show up.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:23 AM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\MaryP_2\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AntiSpyWare2Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: WindowZones Service (WZSvc) - ByteCrusher - C:\Program Files\WindowZones\WindowZones.sys
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 4241 bytes
-
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: WindowZones Service (WZSvc) - ByteCrusher - C:\Program Files\WindowZones\WindowZones.sys
i dunno about those two things but other than that it looks ok but let's see what CBMatt has to say when he gets back online
do you recognize these programs?
plz don't remove anything until told... thank you
-
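The two checks done by hand in the posts above (comparing the Safe Mode log with the Normal Mode log, and picking out odd-looking entries) can be scripted. This is an added example, not part of the thread or of HijackThis: the function names and the three review rules are assumptions chosen for illustration, and the sample text is a shortened excerpt of the two logs posted above.

```python
import re

# Shortened excerpts of the two HijackThis logs posted in this thread.
SAFE_LOG = r"""Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\taskmgr.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
"""
NORMAL_LOG = r"""Boot mode: Normal
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\taskmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: WindowZones Service (WZSvc) - ByteCrusher - C:\Program Files\WindowZones\WindowZones.sys
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."

# Assumed review rules for this example; a hit means "look at it", not "malicious".
RULES = [
    (lambda c, d: d.endswith("(no file)"), "entry has no file behind it"),
    (lambda c, d: c == "O10" and d.startswith("Unknown file"), "LSP file not recognised"),
    (lambda c, d: c == "O23" and " - Unknown owner - " in d, "service with no company name"),
]

def parse_hjt(text):
    """Split a HijackThis log into boot mode, process list and coded entries."""
    log = {"boot_mode": None, "processes": [], "entries": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if line.startswith("Boot mode:"):
            log["boot_mode"] = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif m:                      # first coded entry ends the process list
            in_procs = False
            log["entries"].append((m.group(1), m.group(2)))
        elif in_procs and line:
            log["processes"].append(line)
    return log

def only_in_normal(safe, normal):
    """Processes that Safe Mode suppressed; Windows paths compare case-insensitively."""
    seen = {p.lower() for p in safe["processes"]}
    return sorted({p for p in normal["processes"] if p.lower() not in seen}, key=str.lower)

def review_candidates(log):
    """Return (code, reason, detail) for each entry matching a review rule."""
    hits = []
    for code, detail in log["entries"]:
        reason = next((why for test, why in RULES if test(code, detail)), None)
        if reason:
            hits.append((code, reason, detail))
    return hits

if __name__ == "__main__":
    safe, normal = parse_hjt(SAFE_LOG), parse_hjt(NORMAL_LOG)
    print(*only_in_normal(safe, normal), *review_candidates(normal), sep="\n")
```
-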
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: WindowZones Service (WZSvc) - ByteCrusher - C:\Program Files\WindowZones\WindowZones.sys
i dunno about those two things but other than that it looks ok but let's see what CBMatt has to say when he gets back online
do you recognize these programs?
The first, I don't. The second I recognize, it's a program called "WindowZones," and it's normal. :)
-
ok. you have two anti-viruses? they both aren't active at the same time are they??
-
ok. you have two anti-viruses? they both aren't active at the same time are they??
I haven't used WindowZones in awhile, so I think not.
-
i would recommend removing the one you don't use and just keeping avast anti-virus and i also recommend removing the yahoo one too
-
WindowZones is not an AV software. It's a sand boxing utility that supposedly runs programs in a safe zone that denies them access to the rest of the system.
-
oh lol.. like buffer zone
-
So... any ideas?
-
It's possible that your problem isn't actually caused by an infection. How long has this been happening? What were you doing when it first happened? Have you tried System Restore? Last known good configuration? I would suggest opening up the Run/New Task command and trying chkdsk /f (note the space). If you have an official Windows CD, also give sfc /scannow (again, note the space) a try.
Continue with unlovedwarrior's suggestion of scanning in Safe Mode and let us know how it goes. Once you're done, restart back into Normal Mode and post a HijackThis log. If you have an infection, we'll do our best to find it and remove it. If you don't have an infection, then at least ruling it out can lead us into an appropriate direction.
safe mode only lets key files run that are required for the OS (operating system) to work, which excludes your infection.
My infection is still active, I think. I am experiencing the same problems as when Windows was booted normally, i.e. the lack of the explorer.exe process and icons and start bar. [what's it really called? I call it the start bar.. hehe]
It's called the Taskbar.
did you try those?
-
It's possible that your problem isn't actually caused by an infection. How long has this been happening? What were you doing when it first happened? Have you tried System Restore? Last known good configuration? I would suggest opening up the Run/New Task command and trying chkdsk /f (note the space). If you have an official Windows CD, also give sfc /scannow (again, note the space) a try.
Continue with unlovedwarrior's suggestion of scanning in Safe Mode and let us know how it goes. Once you're done, restart back into Normal Mode and post a HijackThis log. If you have an infection, we'll do our best to find it and remove it. If you don't have an infection, then at least ruling it out can lead us into an appropriate direction.
safe mode only lets key files run that are required for the OS (operating system) to work, which excludes your infection.
My infection is still active, I think. I am experiencing the same problems as when Windows was booted normally, i.e. the lack of the explorer.exe process and icons and start bar. [what's it really called? I call it the start bar.. hehe]
It's called the Taskbar.
did you try those?
Yeah, it checked the disk, fixed something or other, booted, then nothing new.
-
My step-mom's IT specialist put XP Pro on it for me.. so yeah, I don't have disks or anything. :)
-
then try just chkdsk /f (note the space) no cd required
-
look here (http://www.computerhope.com/forum/index.php/topic,16027.0.html) also
-
It's possible that your problem isn't actually caused by an infection. How long has this been happening? What were you doing when it first happened? Have you tried System Restore? Last known good configuration?
-
It's possible that your problem isn't actually caused by an infection. How long has this been happening? What were you doing when it first happened? Have you tried System Restore? Last known good configuration?
It first happened after I restarted it, shortly after I installed the Sims 2, along with a keygen. I remember doing a scan, and finding a trojan, with "Sims 2 keygen" in its name somewhere...
EVERY TIME I do AVG Anti-Spyware scans, I find "hijacker.small". I put it in quarantine, I try deleting it, but it just regenerates... I don't know if that could cause my problem, maybe..
I tried "Last Known Good Configuration" and System Restore was turned off.
-
I wouldn't be opposed to the idea of totally re-installing Windows, but we don't have any backup disks, and I don't know how.. hehe. I'm on my computer downstairs right now.
-
I would backup what you need from there, do a complete format and a clean install....
Then i would add at least another 256M of RAM...
Finally i would steer clear of any keygens and warez, Period.
-
I would backup what you need from there, do a complete format and a clean install....
Then i would add at least another 256M of RAM...
Finally i would steer clear of any keygens and warez, Period.
I don't know how to do any of that...
I can stay away from that stuff. :)
-
Keygen, eh? So, am I to assume that's an illegal download of The Sims? I don't think it's any coincidence that this happened. Downloaded games and keygens are full of trouble. It may be possible to fix this, but I think it would be simpler and more effective to reformat. That computer didn't come with any CD's?
-
Keygen, eh? So, am I to assume that's an illegal download of The Sims? I don't think it's any coincidence that this happened. Downloaded games and keygens are full of trouble. It may be possible to fix this, but I think it would be simpler and more effective to reformat. That computer didn't come with any CD's?
It wasn't an illegal download of The Sims 2, thanks, and I'd be happy to prove it. What I lost was the manual, which had the Serial # printed on it.
We don't have any CD's, for the OS, no.
-
I didn't mean to make it sound like I was accusing. There's no need to provide proof; I'll take your word for it. Keygens are still trouble, though. Next time, you should give the company a call. Usually, if you can prove that you own a legal copy (they'll tell you how), they will provide you with a new key. It's much safer this way.
Anyway...you say AVG AS keeps picking up a hijacker... Where is the infected file located? Have you tried deleting it manually? Perhaps you could post an AVG log?
-
I just did a full AVG Antispyware scan and it came out totally clean.. that's a plus, I guess.
I've been doing scans all day, and I've been using the downstairs computer. Right now, Spybot S&D is scanning... so we'll see.
First, I did an a-squared scan, and it took several hours. It came back with a few pieces of adware and tracking cookies, but other than that, clean.
I then did AVG Antispyware and it came back totally clean.. hmm.
Now, I'm doing a Spybot scan, and after it's finished, I'll do another deep scan with avast! antivirus.
For the record, I tried calling EA Games, and they told me I need to send them a request for a new serial# along with my disk, and $10, I think. I just thought a keygen would be easier... I won't do that anymore.. :)
-
I can't find the infection for the life of me.
Is there any way just to clear EVERYTHING besides the OS itself?
/me is hopeful. :)
Thanks for all the help so far, by the way.
-
what kind of computer is it and how old?
-
what kind of computer is it and how old?
It's an emachines that my grandparents purchased me at Wal-Mart, I believe. It's about 4 years old, give or take a year.
-
ummm... you might be able to contact them and order the cds for a reasonable price if you continue to have problems later on.
-
ummm... you might be able to contact them and order the cds for a reasonable price if you continue to have problems later on.
Yeah, I hate to say it, but this might be your best bet as of right now. Just give eMachines/Gateway a call and there's a good chance they'll help you out. Keep us updated.
-
ummm... you might be able to contact them and order the cds for a reasonable price if you continue to have problems later on.
Yeah, I hate to say it, but this might be your best bet as of right now. Just give eMachines/Gateway a call and there's a good chance they'll help you out. Keep us updated.
Alrighty then. There's no way I can, like, wipe everything and just re-install XP? I can save the Windows file to disk or anything?
-
Sorry you can't reinstall Windows without a Windows XP install disc.
-
Sorry you can't reinstall Windows without a Windows XP install disc.
Is there a way to delete EVERYTHING besides the OS?
-
Yes.
But how do you plan to re-install ? ?
-
I don't think wiping anything but the OS will do any good since it sounds like it's your OS that's messed up.
-
Any idea how much they'd charge me for back-up disks?
-
I've never had to order any, so I don't know how much they charge, but I wouldn't expect it to be too much. Check here for contact info...
http://www.emachines.com/support/upgrades.html
If you don't want to call, you can chat with a tech.