TechSpot

I can't follow the 8 step guide

By Arsenalman
Nov 22, 2008
  1. Hi,

    my parents pc seems to be infected with something.
    Spec.: pendium 4,
    1gig ram I think
    Running windows XP pro service pk 2


    When I start it up and log into a profile it only gets as far as loading the background. no icons or the start menu appear.

    the mouse is there and I can get to the control panel through ctrl-alt-del

    I tried booting in safe mode using F8 but it wouldn't work.

    I found I can run programs from the control panel and used msconfig to boot into safe mode that way but I have the same problem as before no icons and no start bar at the bottom of the screen.

    Does anyone have any suggestions of how I could proceed?

    Thanks for your help
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    should show:

    Shell REG_SZ explorer.exe

    Or download this tool: http://www.dougknox.com/xp/utils/XP_FixLogon.zip
    This utility checks for the correct GINA value in the Registry and will allow you to restore it, if its incorrect.


    Also as there is no such thing as a "pendium 4"
    You are highly advised to do the following:
    Please put your System Specs information in your Profile

    If you have a brand name computer (like Dell; HP; or other) please place the Computer name & Model number in your Mobo field of your Profile
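An added example, not from this thread or its posters, of checking the Winlogon values kimsland describes, in PowerShell. The expected Userinit value, the per-user Shell override check and the GinaDLL check are assumptions based on a stock Windows XP install; adjust them for your own system.

```powershell
# Added example: audit the Winlogon registry values a shell hijack commonly touches.
# Expected values below are assumptions for a stock Windows XP install.
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userKey    = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal
}

$machine = Get-ItemProperty -Path $machineKey

foreach ($name in $expected.Keys) {
    $actual = $machine.$name
    if ($null -eq $actual) {
        Write-Output "$name : MISSING (expected '$($expected[$name])')"
    } elseif ($actual.Trim() -ieq $expected[$name]) {
        Write-Output "$name : OK ('$actual')"
    } else {
        # Anything extra here (a second exe after explorer.exe, an odd path) is worth a look.
        Write-Output "$name : UNEXPECTED ('$actual'; expected '$($expected[$name])')"
    }
}

# A Shell value under HKCU overrides the machine value for that one profile,
# so a per-user hijack will not show up in HKLM at all.
if (Test-Path $userKey) {
    $userShell = (Get-ItemProperty -Path $userKey).Shell
    if ($null -ne $userShell) {
        Write-Output "Per-user Shell override present under HKCU: '$userShell'"
    } else {
        Write-Output 'No per-user Shell override under HKCU: OK'
    }
}

# GinaDLL: absent means the default (msgina.dll) is in use, which is what the
# Fix Win XP Logon tool in this thread reports as "standard".
$gina = $machine.GinaDLL
if ($null -eq $gina -or $gina -ieq 'msgina.dll') {
    Write-Output 'GinaDLL: default (msgina.dll) in use: OK'
} else {
    Write-Output "GinaDLL: non-default value '$gina'"
}
```

Run it from an elevated PowerShell prompt; on XP this needs PowerShell installed separately, since it is not part of the base OS.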
     
  3. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    I didn't put the specs in my profile because it is not my PC.
    I built the computer a few years ago (2004).

    CPU: the processor is an Intel Pentium IV

    Motherboard: the motherboard is from AS Rock but I don't know the model number. I do know that it has integrated graphics.

    Memory: I think it has 1 gig

    Video card: N/A (integrated)

    Cooling: Fans

    the hard drive I think is 100 or 120 gig

    It is running windows XP

    I used the second method you suggested (Fix Win XP Logon)
    It says "Default Gina in use. DLL in use: MSGINA.DLL (standard)"
    So I guess that was ok

    I was just thinking would it be possible to run the 8 step guide programs from the USB stick as I just did with Fix Win XP Logon.

    I will give it a go.

    I found that I can access AVG through the control panel and there seem to be quite a few viruses in the vault from previous recent scans. Would it be worth posting any of that information here?

    In any case I will attempt the 8 step guide again and let you know how I get on. I believe the first step is an antivirus program.

    I will keep you posted.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Start with uninstalling AVG (trust me ;) ) No not disable!; uninstall :)
    Then install Avira, as per the guide (and continue)
     
  5. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    I had a slight problem with uninstalling AVG but I managed to find its setup exe and uninstalled it.

    I installed Avira and waiting for restart.

    By the way has AVG now been surpassed? Would you recommend uninstalling it from my other pcs and installing Avira?
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes, sorry I have been caught up on other threads
    Avira for all :)
     
  7. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    OK, I'm at step five but I can't install SuperAntiSpyware; I get the following message:

    "the system administrator has set policies to prevent this installation"

    does this have anything to do with the fact that I am in safe mode?

    also after step 4 I can now see desktop Icons and the start bar.

    should I just skip step 5?
    do you want to see my logs so far?

    I skipped step 5 because I couldn't install that (see previous post)

    I have included the logs from: Avira, Malwarebytes' Anti-Malware and HJT

    I'm going to take it out of safe mode now, check if it is ok and let you know.

    Also, if from the logs you see that I need to do something, let me know. Thanks for your help.

    Great it seems to be working fine now

    All the profiles seem to be working.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Arsenalman

    In Kim's absence and you are online now, hope you don't mind Kim.

    Ok what happened was that run of MBAM cleared it enough to break it loose but you still have issues.

    UPDATE yes again MBAM and run it again. It found and cleaned so much it likely exposed more that the first run did not even see.

    Post me this new mbam log and then do step 5 SAS!

    Mike
     
  9. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    I will put it back into safe mode first
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    No we are beyond that point now!

    Just go but do reboot between mbam and SAS.

    Mike
     
  11. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    OK I have the log it only found one thing?

    Should I try it again or do step 5

    Also as mbam was scanning, Antivir found a trojan: Is the TR/Crypt.XPACK.Gen Trojan in C:\System Volume Information\_restor{...}\RP861\A035353535.exe

    is it worth running antivir again too?

    Should I still go to step 5?
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    I need to see the log, open mbam click logs and get me the last one.

    Oh, you are not clean yet; run the SAS and you will see. Get me the SAS log also after the scan.

    Mike
     
  13. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    Here is the SAS log

    and I'm guessing I'm not clear yet

    I'm running it again
    I think I didn't select full scan the first time
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Nope! If you have others that use the computer I would keep my eye out for porn.

    Most of this log is Tracking cookies, not so bad in themselves, but the type of places visited will surely pick up infections. Likely the cause of your problems now.

    No need to rerun the Virus scanner as when these scan across the files when they hit something it will pop up and catch it.

    You should UPDATE the Virus scanner now before running the tools.

    Did you change the settings to mbam and sas as below?

    SuperAntispyware config

    Update the program every time you run it; sometimes updates can be an hour apart.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure all boxes except #3 (Ignore System Restore) are checked:

    In MalwareBytes

    After UPDATE but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    So run FULL Scans in both and attach their logs.

    Mike
     
  15. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    Before your last post I was running SAS again because I had forgotten to click full scan the first time.

    I have attached the log.

    It's just gone midnight in London and I'm going home.

    I'll do what you said in the previous post tomorrow morning and post those logs as well.

    Thanks for your help mate!
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Arsenalman, please let me assist you until kimsland can return. It is important to deal with the entries we see in the log and not just continue to run cleaning programs. Per SuperAntispyware, you have GOT to get control of the Tracking Cookies! Please do the following:

    Have SAS remove the Tracking Cookies.
    Once done: Reset Cookies:
    Mbam shows that you have malware in the System Restore points. Do NOT use System Restore while cleaning. We will remove the old restore points when through.

    Adobe:
    Update Java:
    Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
    Control Panel> Add/Remove Programs> UNINSTALL the following:
    Start> Run> services.msc> DISABLE the following Services:
    Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again'. Stay in Selective Startup.

    Please rescan with HijackThis in NORMAL Mode. Attach new log. We may remove some of the game entries.
     
  17. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    I couldn't do the reset the cookies bit because the boxes don't exist for me to uncheck.

    For the first HijackThis scan log, of the things I should check, the following are not there so were not checked:
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

    I attach the SAS log and the first HJT log.

    I will fix the entries listed in the previous post (the ones i found) and then continue with the next steps

    in ms config these are the options I have in the start-up tab:
    avgnt
    avgcc
    reader_sl
    jusched
    cftmon
    SUPERAntiSpyware
    ZoneAlarmPro
    PowerReg Scheduler

    Which ones should I uncheck?

    This is the final HJT log
    what should I do next?
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To Reset Cookies:
    If you are still having a problem resetting Cookies, please tell me "what" boxes aren't showing and where.

    Open ZoneAlarm and disable the firewall for now:
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Open Malwarebytes and disable it. You ran the program- we don't want it running in the background

    Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
    You are still loading Adobe v7. Remove the following and uninstall in Add/Remove Programs:
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Start> Run> services.msc> find each of the following Services and right click> Properties> Disable the Startup Type> Stop the Service> OK
    Control Panel> Add/Remove Programs> UNINSTALL Adobe v7.
    Please verify that you show Java v6u10.

    Please advise system status. Have original problems been resolved? Do any other problems exist? If yes, what?
     
  19. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    is that: tools>options>privacy>UNCHECK "Accept cookies from sites" ?

    EDIT: I just noticed that Firefox hasn't been updated on this PC. I'll update it so that I have the third party option.

    I uninstalled adobe reader 7 but I still have other programs that came with Adobe acrobat 7.0 professional I'm assuming I can keep those.

    for java I have v6u10 but I also have J2SE Runtime Environment v5u3 and v5u4 should I get rid of these two?

    Is it normal that when I go to msconfig to take it out of safe mode all the boxes I unchecked in the startup tab are now checked again?

    the original issue is resolved and as far as I can tell there are no visible problems.

    I also want to ask what I should do with SAS it loads up when I start the pc is it best to keep it like that or try to disable it?

    I also attached a HJT log just in case something has slipped through the net.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It would be very helpful to you if you took some time to acquaint yourself with the setting you have in your browsers:
    Re: Firefox: Cookies>> there are two places with boxes:
    1> Allow Cookies> should be CHECKED- these are the Cookie for the site itself. Very few sites will allow access if you don't have Cookies enabled.
    2. Allow third party Cookies> should be UNCHECKED- these are the Cookies for the ads, the partners and any other junk on the site. You don't have to and should not accept them. They include Tracking Cookies.

    I am using Firefox v3.0.4 now but have been using it since it was released to public 4 years ago in v1. To the best of my knowledge, the two options for Cookies have always been available.

    Only the current version of Java should be kept. Most updates have been for security vulnerabilities. So keeping earlier, unpatched versions is a security risk. UNINSTALL both v5u3 and v5u4.

    Unfortunately, Java doesn't overwrite earlier versions, so each time there is an update, you must uninstall the previous version after getting the update. And please follow my instruction for disabling the Java auto-updater.

    I omitted one caution for you: when you reboot back into Normal Mode after making changes on the Startup menu, you will get a nag message. This can be ignored and closed after checking 'don't show this message again.' You must remain in Selective Startup to keep the changes you made.

    Go back into msconfig> Uncheck what you did previously> Apply> OK> Reboot> Stay in Selective Startup as above.

    I say 'boot into Normal Mode' as opposed to Safe Mode.
    But boot into Selective Startup as opposed to Normal Startup.

    If your problems have been resolved, we can remove the cleaning tools:
    * Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
    Clear your existing System Restore points and establish a new clean restore point:
    Your log is clean. If you repeat the changes in msconfig, following the instructions for handling the nag message, the processes should not start on boot.

    It was a pleasure helping you. Let us know if you need more help.
     
  21. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    ok all done
    thank you very much for your help
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome.
     