Laptop infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by kindredsgirl, Mar 14, 2008.

  1. kindredsgirl

    kindredsgirl Private E-2

    Hello helpful geeky type individuals!

    My name's Laura, and I have gotten my laptop (Sony Vaio PCG-F630, running Windows XP Professional, Service Pack 2) infected with something nasty, about a week ago or so (around March 5th, I think). I followed the process outlined in your malware removal forum (ran CCleaner, superantispyware, spybot S&D, combofix and just now MGtools).

    The superantispyware took 4 hours to run on the laptop last night and found NOTHING. I suspect that the virus (or whatever) was removing the info as the superantispyware program found it. . .Even on my basically clean PC, the SAspyware program found 16 things to clean up. GRRRRR

    I had noticed winlogon.exe running several times in Task Manager, and read in this forum that the only version(s) that should be running would be running from the System32 folder. So, yesterday, I deleted three other versions which I found in the Windows/Software Distribution folder and I think the ServicePackFiles folder.

    I've tried deleting suspicious and unwanted folders and files but they keep being recreated.

    I was alerted to this infection, when, as I ran spybot yesterday, I noticed my processor was running at 100% capacity even though I had no other applications running. Clearly, SOMETHING is using my computer. GRRRRRRRR (again)

    So, here are the logs I got from the clean up services I've run. Thank you all so so so so much for your help in fixing this nasty problem.

    Laura

    P.S. I confess that I hadn't installed any antivirus software on my (newish to me) laptop, so this is all MY OWN FAULT. *sigh* Thanks again for your help.
     

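Added example, not part of the original thread: a PowerShell check for the point raised in the first post, that winlogon.exe should be running only from the System32 folder. The function name, the extra process names beyond winlogon.exe, and the sample records are assumptions constructed for illustration.

```powershell
# Core Windows processes whose image should load only from %SystemRoot%\System32.
# winlogon.exe is the one named in the thread; the others are added here.
$SystemNames = 'winlogon.exe', 'csrss.exe', 'lsass.exe', 'services.exe', 'smss.exe'

# Hypothetical helper: classifies process records that carry Name, ProcessId, ExecutablePath.
# Only running processes are examined; copies of a file that sit on disk without
# running never appear in a process list.
function Test-SystemProcessPath {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Process,
        [string] $SystemRoot = $env:SystemRoot
    )
    $expectedDir = [System.IO.Path]::Combine($SystemRoot, 'System32')
    foreach ($p in $Process) {
        if ($SystemNames -notcontains $p.Name) { continue }   # comparison is case-insensitive
        $verdict = 'Unknown'   # no path returned, e.g. the query ran without admin rights
        if ($p.ExecutablePath) {
            # Some tools report the path with an NT-style \??\ prefix; strip it first.
            $path = $p.ExecutablePath -replace '^\\\?\?\\', ''
            $dir  = [System.IO.Path]::GetDirectoryName($path)
            $verdict = if ($dir -ieq $expectedDir) { 'Expected' } else { 'Suspicious' }
        }
        New-Object PSObject -Property @{
            Name = $p.Name; ProcessId = $p.ProcessId
            Path = $p.ExecutablePath; Verdict = $verdict
        }
    }
}

# Constructed sample records (not taken from the logs attached to this thread).
$sample = @(
    New-Object PSObject -Property @{ Name = 'winlogon.exe'; ProcessId = 612
        ExecutablePath = '\??\C:\WINDOWS\system32\winlogon.exe' }
    New-Object PSObject -Property @{ Name = 'WINLOGON.EXE'; ProcessId = 1944
        ExecutablePath = 'C:\WINDOWS\Temp\winlogon.exe' }
    New-Object PSObject -Property @{ Name = 'lsass.exe'; ProcessId = 680
        ExecutablePath = $null }
    New-Object PSObject -Property @{ Name = 'notepad.exe'; ProcessId = 2210
        ExecutablePath = 'C:\WINDOWS\system32\notepad.exe' }
)

Test-SystemProcessPath -Process $sample -SystemRoot 'C:\WINDOWS' |
    Format-Table Name, ProcessId, Verdict, Path -AutoSize

# Live use on the machine being checked (Windows PowerShell):
#   Test-SystemProcessPath -Process (Get-WmiObject Win32_Process)
```

A 'Suspicious' verdict is a lead to investigate, not proof of infection, and 'Unknown' means the path could not be read, so rerun the query from an administrator session before drawing conclusions.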

  2. abri

    abri MajorGeek

    Hi kindredsgirl,
    Welcome to Major Geeks!


    I'm tending towards the thought that this is a software problem not hardware. Have you tried setting the computer back to a restore point from before the 5th of March? On the 5th, you put in a new Adobe Reader. Did you open a pdf file that day? If your computer is better after trying an earlier restore point, please report this back to me.

    What is in this folder? (Do not open any files)

    C:\WINDOWS\system32\LogFiles

    And now, please do the following:


    1) Please disable your guest account if this has not already been done.

    2) And now, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    After you click fix, just close hijackthis.


    Let me know how things are going after this.
    abri
     
  3. kindredsgirl

    kindredsgirl Private E-2

    Thanks! I'll work on this after I get my kitchen cleaned up! I really appreciate your help.

    (and. .I hadn't set any restore points)

    One of my thoughts was just to take my documents off the machine and reformat the hard drive and start over from scratch. . .*with* a firewall and antivirus software.

    *chagrin*

    L
     
  4. abri

    abri MajorGeek

    By default they are turned on and one is set automatically periodically. If you did not turn this off, then they will be there.
    abri
     
