HELP - Massive System Problem
Ok where to start.
I was using my PC this morning running XP SP3 when my desktop background suddenly changed to a screen advertising something like XP adware remover or something similar. I've no idea how it got there! :confused: Next thing I know a program called 'a' is trying to access the net, so I immediately do a full system clean up, Ccleaner and Adaware. Next thing I notice is all my URLs are being redirected to odd sites and the system locks up. Upon rebooting I get as far as the 'Welcome' page and no further. I've tried re-booting in safe mode to no avail... I really am stuck! Any ideas??
Re: HELP - Massive System Problem
Run msconfig to see if there's anything there that could be causing it?
Have you tried Spybot as well? I have it as well as Adaware but that often misses things that Spybot catches.
Re: HELP - Massive System Problem
Sounds like you've somehow got yourself a pretty nasty malware infection there. If you can't boot into safe mode then there's not a lot else that you can really try.
You could try putting the drive into another working machine with up to date AV and Spyware scanners and see if you can clean it that way [Warning: You could end up infecting the other machine this way]. You could try booting the machine with a live CD of some sort (either Windows based, or Linux) and see if you can scan for/clean the infections that way. Failing that your best bet would be to completely rebuild the system, to be honest that's what I'd normally recommend in situations like this anyway. Here's my post from another thread (which was similar to this one) which explains why: Quote:
Re: HELP - Massive System Problem
Problem is Windows WON'T load in any way. Not even in Safe mode. Is there anything I can try before Windows boots?
Re: HELP - Massive System Problem
Sounds like a format is your only option :(
Re: HELP - Massive System Problem
Ok update, I've managed to get XP to reboot in one of the many options of safe mode, I've unplugged my wireless dongle just to be sure, and I've just updated my internet banking details via my laptop.
I'm running an adaware scan at the moment, is there anything else I can try whilst I've got the bloody thing at least running in some form? BTW if anyone wants to be uber helpful, my msn chat address is chrisjones 88@msn.com, I'm online now if you want to message me.... please lol admin edit (Russ): I've added a gap to stop the spambots going mental with your email address...
Re: HELP - Massive System Problem
Get a copy of HijackThis (http://www.trendsecure.com/portal/en...kthis/download) and post the output here. Someone should be able to point you at the nasty entries.
Seriously though, you might be better rebuilding - I'd never trust a machine again that has been infected at the level yours seems to have been unless I had.
Re: HELP - Massive System Problem
I know what you're saying, but for my own sanity I need to try, even if it's just to back up game files or GFX settings before re-build.
Re: HELP - Massive System Problem
Google for 'xp antivirus 2008'
It sounds to me like you've picked up one of the many variations of this particularly nasty parasite.
Re: HELP - Massive System Problem
Yeah I looked at 'windows warning message' too, problem is, I've no idea how I picked the bugger up!
I've still got Windows running in safe mode, adaware has picked up one or two nasties so I might have caught it soon enough. Any other ideas for programs I could try? I've also got spybot sat ready to run. I've downloaded HijackThis to a memory stick, will try that shortly.
Re: HELP - Massive System Problem
Quote:
Once you've used the removal tool, give it a full system scan with an anti-virus (I used Avira). Also gave it the once over with some anti adware software and all seems fine now. Good luck :)
Re: HELP - Massive System Problem
Could you direct me to the removal tool by chance? That would be great.
Re: HELP - Massive System Problem
http://fix-computer-problem.com/rogu...antivirus.html
That's if it is xp antivirus 2008. Also some manual instructions here :) http://www.windowsvistaplace.com/xp-...pyware-removal
Re: HELP - Massive System Problem
Whilst I'm at the half way point (Windows is busying itself) I would like to take the time to thank everyone - The community spirit you have all shown has been fantastic. Really thankful to you all.......... especially if I don't lose my Rfactor, Live4Speed and GTR2 sim settings haha.
Re: HELP - Massive System Problem
:LOL:
Well, if we can save your gaming settings it will all have been worth it :D
Re: HELP - Massive System Problem
Quote:
Re: HELP - Massive System Problem
Did you get HijackThis to work?
Re: HELP - Massive System Problem
Will get onto that next, I just wanted to rid my system of as many 'nasties' as quickly as possible. Just watching the Grand Prix at the moment as my system seems a LOT more stable. I've left it ticking over with Spybot, still offline so there's no threat of it uploading any data.
Will be back onto it around 3pm :-)
Re: HELP - Massive System Problem
If you have a second PC available it may be worth pulling the hard disk and slaving it to the second machine.
In that situation the infected copy of XP is not 'live', which means that any malware will not be active and able to cloak or replicate itself. I've found that scanning the hard disk in that inactive mode can be more successful with some persistent beggars. It also provides a safe way for you to browse to game folders and rescue your saved scores/settings etc.
Re: HELP - Massive System Problem
I ran a thorough check with several spyware progs in safe mode, then did the same in standard boot. Things do 'seem' better so far, so fingers crossed I got the swine before things got too bad.
I'll be back onto it in an hour or so, needed a break as I have been looking at the monitor all morning. That will teach me not to have such a big drive full of 'stuff' haha.
---------- Post added at 13:56 ---------- Previous post was at 13:53 ----------
Ok - the one time I don't mind ITV having long-ass ad breaks haha
Sink your teeth into this lot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:42, on 07/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Sitecom Wireless Utility.lnk = C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

-- End of file - 7824 bytes

---------- Post added at 14:46 ---------- Previous post was at 13:56 ----------
Does all that help? See above
Re: HELP - Massive System Problem
Ok, initial thoughts:
1. Can't see an AV running. What one are you using?
2. Can't see a firewall running. What one are you using?
3. This entry appears to be redundant, and can probably be 'fixed':
Code:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Code:
O4 - Startup: PowerReg Scheduler.exe
Other than that there doesn't seem to be much there to worry about (a couple of minor niggles over the Wanadoo branding and search setups). It's possible that you've got some sort of rootkit which has hidden itself from HijackThis, but there's no real way to diagnose that without some more intensive checking. You could try rootkit revealer (info and download here: http://technet.microsoft.com/en-gb/s.../bb897445.aspx) and see if that throws anything up.
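The review above is done by eye: no AV or firewall visible in the process list, a BHO pointing at a file that no longer exists, and a startup item with no path. The same checks can be automated, which is useful when a log runs to a couple of hundred lines. The script below is an added example written for this thread, not part of HijackThis or any post here; the heuristics it applies (orphaned O2/O3 entries, O4 items given as a bare file name, O23 services with an unknown owner, and a short list of AV/firewall process names to look for) are assumptions chosen to reproduce the points made above, and the process-name list is deliberately not a catalogue. The sample input is a subset of the log posted in this thread.

```python
"""Triage a HijackThis-style log and flag the entries worth a second look.

Added example for this thread (not HijackThis code). The rules are
assumptions that mirror the hand review above:
  - O2/O3 entries whose target is '(no file)' are orphaned and can be fixed
  - O4 startup items given without a full path need identifying first
  - O23 services with 'Unknown owner' have no publisher recorded
  - no known AV / firewall image in 'Running processes' is worth a question
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
-- End of file - 7824 bytes
"""

# Assumed image names for a few resident AV engines and third-party firewalls.
# Ad-Aware / MBAM are anti-spyware, not AV, so they deliberately do not count.
AV_PROCESS_NAMES = {"avguard.exe", "mcshield.exe", "ccapp.exe", "ekrn.exe"}
FIREWALL_PROCESS_NAMES = {"zlclient.exe", "outpost.exe"}

# HijackThis entries look like "O4 - <body>", "R1 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    line: str    # the log line (or a placeholder for section-level findings)
    reason: str  # why a human should look at it


def parse_entries(text):
    """Split a log into (running process paths, [(kind, body, raw line)])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # first numbered entry ends the process list
            entries.append((m.group("kind"), m.group("body"), line))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return the list of Findings for one log, in log order."""
    processes, entries = parse_entries(text)
    findings = []
    names = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    if not names & AV_PROCESS_NAMES:
        findings.append(Finding("<running processes>",
                                "no recognised antivirus process is running"))
    if not names & FIREWALL_PROCESS_NAMES:
        # XP's own firewall runs inside svchost.exe, so its absence from this
        # list proves nothing; it is a question to ask, not a verdict.
        findings.append(Finding("<running processes>",
                                "no recognised third-party firewall process is running"))
    for kind, body, line in entries:
        if kind in ("O2", "O3") and "(no file)" in body:
            findings.append(Finding(line, "browser add-on points at a missing file (orphaned entry)"))
        elif kind == "O4":
            # "[name] target" for Run keys, "Startup: target" for startup folders
            target = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[-1]
            if "\\" not in target:
                findings.append(Finding(line, "startup item has no full path; identify the binary first"))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(line, "service binary has no publisher recorded; verify it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it raises the same two entries the reviewer singled out (the `(no file)` BHO and `PowerReg Scheduler.exe`), plus the bare `RTHDCPL.EXE` Run entry and the `ATI Smart` service, and asks the AV and firewall questions. Everything it prints is a prompt to look, not a verdict; the reviewer's caveat about rootkits hiding from HijackThis applies just as much to a script reading the same log.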
Re: HELP - Massive System Problem
I'm currently running a scan with avira - It's found a few more 'baddies', apparently this has a built in rootkit app.
Re: HELP - Massive System Problem
Quote:
Quote:
Oh, BTW Chris - you can safely turn off the QuickTime qttask & NeroCheck entries via the startup tab in msconfig, they're safe but not needed.
Re: HELP - Massive System Problem
Well I left my system ticking away over night, no lock-ups or 'oddness' to report. I've started removing some of the spyware/malware apps (I thought a combination of around 6 apps was a tad overkill) and I've dropped the anti-virus settings back to 'normal'.
I think, with all your help, I caught this virus before it managed to do too much damage. Regarding turning off entries via msconfig, what's the best method?
Re: HELP - Massive System Problem
Quote:
Enter 'msconfig' (without quotes) in the command window. Under the 'Startup' tab, check the list of entries. Google if necessary for anything that you are uncertain about and simply untick anything that you don't want running. Reboot and tick the nag box that shows at startup and job's done.
Re: HELP - Massive System Problem
ChrisJones -
Download SuperAntiSpyware and Trojan Remover. Those are the only two you need - should sort you out in about 40 mins. Forget anything else like HijackThis - you don't need it!
All Posts and Content are © Cable Forum