Seriously messed up computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by mdowns, May 6, 2005.

  1. mdowns

    mdowns Private First Class

    Hey Geeks! :) This is a repost from a thread in the software forum. This is probably a more appropriate forum for this problem.

    I have been commissioned by a friend to fix his computer. The problem is...well, I'm a wannabe geek, not certified.

    Here's the deal. The computer is a Toshiba Satellite 5200: Pentium 4 2 GHz, 512 MB RAM, 60 GB HD, GeForce 460 Go. It has a DVD drive that does not work (thus rendering moot the reinstallation option...sigh).

    From my limited experience, these are the things I have seen: random pop-ups from IE, CPU usage at 100 percent, when opening the Ctrl-Alt-Del panel I can only see the running processes tab, internet usage is crazy (after 30 seconds or so all internet traffic is halted...web pages won't load...and even internet traffic on other computers hooked up to the router is halted).

    Since the internet is messed up, I can't do an online virus scan or download useful utilities from here. Since the DVD drive does not work, I can not transfer useful utilities from my computer to his. The only thing we can do is use the USB drive and flash memory cards to transfer programs (that will probably do for now).

    I have run McAfee Stinger on the computer, and it found some viruses and trojans and removed them. I have also followed along with MA's suggested adware and virus removal tricks and tips from the above sticky.

    However, I am still having problems with the computer. I have attached the HijackThis file. I see some suspicious files on the log, but I'd like a second opinion from the geeks! :)

    Thanks for your help.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future please do not post HijackThis logs unless they are requested. This is clearly stated in the Announcement and the sticky threads. Also you must install HijackThis properly.

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    You are running it directly from the ZIP file and you will not get any backups.

    The OS and IE versions on this PC are seriously out of date and present a major security risk. After fixing your current problems you must get updated or your problems will continue.

    Is this http://proxy:8080 a required setting?

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\msnmgr16.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
    O4 - HKLM\..\Run: [Microsoft Java Virtual Machine] winscr32.exe
    O4 - HKLM\..\Run: [LSASS Daemon] LSASSd.exe
    O4 - HKLM\..\Run: [MSN service] msnmgr16.exe
    O4 - HKLM\..\Run: [Dgbeavl] C:\Program Files\Hamb\Ywqz.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedbt32.exe
    O4 - HKLM\..\RunServices: [Bar Ding lolt] analiz.exe
    O4 - HKLM\..\RunServices: [Microsoft Java Virtual Machine] winscr32.exe
    O4 - HKLM\..\RunServices: [LSASS Daemon] LSASSd.exe
    O4 - HKLM\..\RunServices: [MSN service] msnmgr16.exe
    O4 - HKCU\..\Run: [Microsoft Java Virtual Machine] winscr32.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Hamb\Ywqz.exe
    C:\WINDOWS\System32\analiz.exe
    C:\WINDOWS\System32\LSASSd.exe
    C:\WINDOWS\System32\msnmgr16.exe
    C:\WINDOWS\System32\winscr32.exe
    C:\windows\system32\elitedbt32.exe <-- also delete all other filenames that begin with elite and end with exe. There could be as many as 10 of these.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
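The fix list above is easier to follow once you can see why each line was picked. The script below is an added example, not part of chaslang's reply or of HijackThis itself: it reads HijackThis-style lines and applies the same triage a human reviewer does when reading such a log. The sample input is the set of lines quoted in the reply, plus one hypothetical benign entry (ExampleUpdater) so the negative case is visible; the TRUSTED_HOSTS allowlist and the MASQ_TOKENS list are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample input: the HijackThis lines quoted in the reply above, plus
# one hypothetical benign autorun entry (ExampleUpdater) that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
O4 - HKLM\..\Run: [Microsoft Java Virtual Machine] winscr32.exe
O4 - HKLM\..\Run: [LSASS Daemon] LSASSd.exe
O4 - HKLM\..\Run: [MSN service] msnmgr16.exe
O4 - HKLM\..\Run: [Dgbeavl] C:\Program Files\Hamb\Ywqz.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedbt32.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Assumed allowlist: home/search hosts the owner actually chose (the reply suggests majorgeeks.com).
TRUSTED_HOSTS = {"www.majorgeeks.com", "majorgeeks.com"}
# Assumed list of words that autorun entries borrow to look like a Windows/Microsoft component.
MASQ_TOKENS = ("microsoft", "windows", "lsass", "msn", "java", "system")

R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<setting>[^=]+?)\s*=\s*(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)$")
NOFILE_RE = re.compile(r"^O[29] - .*\(no file\)$")
ELITE_RE = re.compile(r"\belite\w*\.exe$", re.I)  # the elite*.exe family named in the reply
SEV_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    severity: str
    line: str
    reasons: list = field(default_factory=list)


def classify(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    reasons, sev = [], "low"

    def note(level, why):
        nonlocal sev
        reasons.append(why)
        if SEV_RANK[level] > SEV_RANK[sev]:
            sev = level

    m = R_RE.match(line)
    if m:
        setting, value = m["setting"].strip(), m["value"].strip()
        host = urlparse(value).hostname or ""
        if setting in ("Start Page", "Search Bar", "SearchAssistant"):
            # Search settings pinned to about:blank are a classic hijack signature.
            if value.lower() == "about:blank" and setting != "Start Page":
                note("medium", f"{setting} forced to about:blank")
            elif value.lower().startswith("http") and host not in TRUSTED_HOSTS:
                note("medium", f"{setting} points at untrusted host {host}")
        elif setting in ("AutoConfigURL", "ProxyServer") and value:
            note("medium", f"{setting}={value}: proxy setting, confirm it is required")
    elif NOFILE_RE.match(line):
        note("low", "registered component whose file is missing (orphan entry)")
    else:
        m = O4_RE.match(line)
        if m:
            where, name, cmd = m["where"], m["name"] or "", m["cmd"].strip()
            found = re.search(r"([^\\/]+\.exe)", cmd, re.I)
            exe = found.group(1) if found else cmd
            if where.endswith("Startup"):
                note("low", "startup-folder item: verify the shortcut target")
            elif "\\" not in cmd:
                # No path at all: the binary is resolved from System32 / the search path.
                note("high", f"autorun by bare filename '{exe}'")
            if ELITE_RE.search(exe):
                note("high", f"'{exe}' matches the elite*.exe naming pattern")
            if any(t in name.lower() for t in MASQ_TOKENS):
                note("medium", f"display name '{name}' imitates a Windows/Microsoft component")
    return Finding(sev, line, reasons) if reasons else None


def triage(text):
    """Classify every line of a log; only lines with at least one reason are returned."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in sorted(findings, key=lambda f: -SEV_RANK[f.severity]):
        print(f"[{f.severity:6}] {f.line}")
        for r in f.reasons:
            print(f"         - {r}")
    print(summarize(findings))
```

Run as-is it flags the five bare or elite*.exe autoruns as high, the three browser-setting lines and the proxy line as medium, and the two "(no file)" orphans plus the startup-folder item as low. Note what it does not catch: the Dgbeavl entry under C:\Program Files\Hamb, which the reply also removes, has a full path and a name that imitates nothing, so a random-looking vendor folder still needs a human (or a file hash lookup) to judge.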
     
  3. mdowns

    mdowns Private First Class

    Hey chaslang. I'm sorry about not following the rules on posting...it was a bit late when I posted that...was a bit tired. Won't happen again. ;)

    So, I've reattached the new hijackthis log. Also, you'll notice that Norton's has been removed and Avast installed. I did that after posting last night and before I gave up and went to bed.

    Anyway, it seems like things are working pretty smoothly now. I'll get to updating the OS. I'm a little worried about the SP2 install (as per program conflicts and such), but I'll work on it.

    Let me know what you think of the new log.

    Thanks again.
     

    Attached Files:

  4. mdowns

    mdowns Private First Class

    Also, I forgot to mention in the previous post...

    I don't know what the proxy8080 setting is. Am I right to assume it's OK to delete?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have HJT installed improperly:

    C:\Documents and Settings\zifire\My Documents\hijackthis\HijackThis.exe

    Please read my directions again; however, your log is not really showing any real major problems. All I see are some minor items you can fix. Like:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

    But I do not see any reasons for popups or system slow downs. At least not from what a HijackThis log could find. So let's try a few other things just to hunt around for other possibilities.

    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now please download: Generic Detection Tool - NT/2000/XP

    Extract all the files from the Generic Detection Tool into its own folder.

    Then run find.bat. Post the log it creates back here as an attachment. Make sure you wait long enough for it to complete. A Notepad window will pop up with a log file in it when done.
     
