help!!!!!!!!!!!!!!!!!!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by CallOfOrion, Dec 9, 2006.

  1. CallOfOrion

    CallOfOrion Private E-2

    There is something seriously wrong with my computer. I don't have problems with internet pop-ups or pop-up bubbles from the system tray, but my computer is seriously slow, and whenever I try to install Ewido or any other anti-malware software, the program shuts down in the middle of installation. There are a few files on my hard drive that I don't recognize and are definitely not necessary windows files, but I can't delete them, I always get a 'read only' message even though the files are not read-only.

    I downloaded and installed Brute Force Uninstaller, but I don't understand how to use it.

    Also, I can't download updates from Microsoft.com. They always fail. I also often get a message about Windows Service Pack setup having an unknown error and needing to close.

    So please help me, I am clueless as to how to fix this, and my computer is dying.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome

    To work out what all of the issues your PC currently has come down to, it's best to run through the guide below; this will tell us if it's malware that's the cause of your problem. If not, then that's one thing ruled out and we can move on to another area it may be.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. CallOfOrion

    CallOfOrion Private E-2

    OK. I can't even download AVG, McAfee, Ewido, HijackThis, or any of that stuff. Whatever's on here keeps stopping it. It gets as far as asking me what file to download it to, and then it shuts down. I revealed hidden files and there was a bunch of crap on my desktop and in my C drive. The files I keep getting the 'read-only' message from are very strange. I uncheck the 'read-only' box and click Apply. Then I right-click and choose Properties again, and they are read-only again. If there's anything you can do to help, please tell me.

    Also, when I try to boot up in safe mode, the window closes before I can change anything.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have access to another PC where you can download HijackThis, GetRunKey and ShowNew to? Also extract them from the ZIP files as requested on the other PC. Then copy them to a CD, a USB flash drive, a floppy disk or whatever you have available to take to the infected PC and run them to get the logs that we need from them. None of these 3 programs need an installation! So they may be able to run.

    What antivirus application do you already have installed? Does it run?
    What antispyware applications do you already have installed? Do they run?

    If you cannot run anything that can help us to see what is really going on, there is not much we can do to help you. We need information! How about Task Manager.....does it run? Can you type us up a list of processes you see running?

    Give us more explicit information. Statements like
    don't tell us anything too useful. What are the file names that you are referring to? When you right-click on them and select Properties, what info can you see?
     
  5. CallOfOrion

    CallOfOrion Private E-2

    I managed to get safe mode running, and ran Ewido, and it got rid of like 72 instances of something that I believe was spyware, and something else that I don't remember the name of that had a high risk factor. After I did that, I managed to run HijackThis, and it didn't have anything weird, though I guess I'll attach the log anyway. I don't currently have an antivirus program, unless Ewido counts for that.

    After I exited safe mode and got on my normal user name, I found that my desktop had been changed, and so had my theme. I went to Control Panel, and it was stuck in Category view; I couldn't change it to Classic. I also can't change my desktop or theme. My AIM account had been erased from the memory. On top of all that, I still can't get some programs to run right.

    What kind of things might be odd in Task Manager? I have processes running under the user names of: Jarrod (that's mine), Network Service, System, and Local Service.

    There are a few processes I recognize, like aim.exe and iexplore.exe.

    Here are some I don't recognize:
    wdfmgr.exe
    svchost.exe (there are 7 instances of this running)
    nvsvc32.exe
    spoolsv.exe
    ctfmon.exe
    lsass.exe
    services.exe
    winlogon.exe
    csrss.exe
    smss.exe
    wscntfy.exe
    system
    system idle process
    guard.exe
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not install and rename HijackThis as requested. This is very important. Also can't you run the other tools now? At least GetRunKey and ShowNew at a minimum.

    After installing and renaming HijackThis as requested in step 7 of the READ ME, do the below!

    Do you have a UC-Logic Pen/Graphics Tablet ? If not, the WService.exe in your HJT log may be a trojan. I'm going to assume that this is a trojan and leave it in my fix. If you know it is not a trojan then skip it.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
    O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
    O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\MMediaCodec <--- the whole folder
    C:\WINDOWS\system32\wservice.exe
    C:\WINDOWS\system32\nordsys.exe

    Now run Ccleaner.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
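As an added example (not part of the thread or of HijackThis itself), a small Python triage script that applies the same kinds of checks chaslang made above to HijackThis log lines: registrations marked '(file missing)', O4 Run-key entries launching unrecognised binaries from system32, a missing default URLSearchHook, and O15 protocol mappings whose zone differs from the expected one. The sample log is built from lines quoted in the post plus one constructed benign O4 entry (NvCplDaemon), and the short system32 allowlist is illustrative, not authoritative.

```python
import re

# Constructed sample: HJT lines quoted in the post above, plus one constructed benign O4 entry (NvCplDaemon).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
"""

# Illustrative, deliberately short allowlist of binaries that legitimately autostart from system32.
KNOWN_SYSTEM32_AUTORUNS = {"rundll32.exe", "ctfmon.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - ProtocolDefaults: '(?P<proto>\w+)' protocol is in "
                    r"(?P<actual>.+?) Zone, should be (?P<expected>.+?) Zone$")

def first_binary(cmd):
    """Return the lowercase basename of the executable in a Run-key command line."""
    token = cmd.strip('"').split('"')[0] if cmd.startswith('"') else cmd.split()[0]
    return token.rsplit("\\", 1)[-1].lower()

def triage_line(line):
    """Return a reason string if the HJT entry deserves attention, else None."""
    if "(file missing)" in line:
        return "orphaned registration: the referenced file is missing"
    m = O4_RE.match(line)
    if m:
        binary = first_binary(m.group("cmd"))
        if "\\system32\\" in m.group("cmd").lower() and binary not in KNOWN_SYSTEM32_AUTORUNS:
            return f"autorun [{m.group('name')}] starts unrecognised {binary} from system32"
        return None
    m = O15_RE.match(line)
    if m and m.group("actual") != m.group("expected"):
        return f"{m.group('proto')} mapped to {m.group('actual')} Zone instead of {m.group('expected')} Zone"
    if line.startswith("R3 - ") and "is missing" in line:
        return "default URLSearchHook missing (commonly a side effect of a hijacker)"
    return None

def triage(log):
    """Return [(line, reason)] for every flagged entry in a HijackThis log."""
    flagged = [(l.strip(), triage_line(l.strip())) for l in log.splitlines() if l.strip()]
    return [(l, r) for l, r in flagged if r]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {reason}")
```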
