TechSpot

Is my computer infected?

By adu123
Oct 5, 2007
  1. adu123

    It's been a while since the last time I posted my question here; I hope you guys did not forget me. Ok, let's go back to the subject: This morning I was surfing the internet and all of a sudden it got disconnected, then it automatically took me to a website where it did an online scan for me which only took about 15 seconds; it found 10 spywares and other nasty viruses, I forgot the exact amount of them. I'm still unsure whether my computer is infected; I would be grateful for any help.
    Note: it took a little bit longer to log in than usual this morning.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Hey Howard, it's been a while since the last time I needed your help; how've you been? At this point, I can only give you the HJT log and the AVG Antispyware log because both Combofix and AVG Antirootkit are incompatible with Windows Vista. I hope you can help me determine whether my computer is at risk; tell me if you need anything else. Thank you.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's strange, because I've had several members who are running Vista post Combofix logs and the results of the AVG Antirootkit scan.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe

    Click on the fix checked button.

    Close HJT and reboot your system.

    Other than the above entry, your HJT log is clean.

    Please try and post a Combofix log as well as the results of the AVG Antirootkit scan, if you can.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I've deleted F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe as you told me to, but I'm curious what it is and what it does; can you give me more detail on it?
    Besides, I suspect this log entry: O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) is related to spyware or adware, because it has no name and no file. Should I delete it? Also, the problem with AVG Antirootkit is that it won't respond when I double-click on it; however, the installation process was very smooth. I will try to download those two again to see how it goes, thanks.
     
  6. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I've attached the Combofix log you asked for, but I have a couple of questions regarding it:
    1) The publisher of Combofix is unknown; is it safe to run/use it?
    2) In step 12, it says: Type "Y" (and Enter) to start the fix. Shouldn't you type 1 instead of Y to continue?
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, Combofix is safe to use.

    Yes, type 1. Combofix has been updated, so the instructions are out of date. I will update them.

    Your log appears to be clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    When I tried to download HijackThis, I was not able to save the file in the directory C:\Program files\hijackThis\HijackThis.exe as instructed in step 4. After I click the save button, it says the path does not exist, check the path and try again. Why is that? Any suggestion?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Save HijackThis.exe to wherever you want.

    Double click My Computer, then double click on your hard drive. Open your Program Files folder and click File/New Folder. Name the folder HJT. Drag the HijackThis.exe file into that folder.

    Rename it as per the instructions and create a desktop shortcut as instructed.

    Regards Howard :)
     
  10. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I've made a new folder and named it HJT, then I saved the file in the directory C:\Program files\HJT, but when I clicked the save button, it said:
    "C:\Program files\HJT\HijackThis.exe, you don't have permission to save in this location. Contact the administrator to obtain permission."
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You don't click any save button.

    Once you've created the new folder as I instructed, locate where you saved the HijackThis.exe file. Right click on it and select Copy.

    Open the folder you've just created, right click and select Paste.

    That should've put HijackThis.exe into that folder.

    Now rename it as instructed.

    Regards Howard :)
     
  12. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I got it, thanks a lot. However, I saw two logs that I think need to be removed because they either have no name or no file; I want your opinion on that.
    These are the logs:
    1) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    2) O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, that's fine mate.

    If you'd like to post a HJT log, just so I can look it over, please feel free.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I have some questions regarding system recovery discs: Suppose my computer has a pre-installed program that allows me to create my own recovery discs. If I create those recovery discs while my computer is infected, will those recovery discs also be infected? If yes, what will happen if I use those infected recovery discs to reformat my computer?
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If you create a recovery disk from an infected system, there's a very good chance the recovery disk will also be infected.

    If you then use that recovery disk, the chances are you'll just be putting the malware back on your computer.

    The best thing to do is make sure you've no malware before you create the recovery disk.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Hey Howard, thank you for your reply. Now I know when the best time to create those recovery discs is (right after I purchase my computer), right?
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, that'd be the best time.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Hey Howard, I've noticed my other computer (Windows XP Home) is running kind of slow recently; for instance, it takes longer to load the homepage. I hope you can tell me if there are any nasty things in my system. I've provided the requested logs, and the Panda Anti-Rootkit did not detect any rootkits.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    There's nothing nasty in your log files. I have to point out that not running any antivirus or firewall software is a security risk.

    However, try the following and see if it helps to speed things up a little.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    AVG Anti-Spyware Guard

    Close the services window.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [Storm2Set] C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv

    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    Click on the fix checked button.

    Close HJT and reboot your system.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
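The reply above hands the poster a list of HijackThis lines to tick, and an earlier reply singled out the F2 UserInit entry and the BHO with "(no name)" and "(no file)". As an added illustration (not code from this thread, from HijackThis or from the posters), the Python script below parses the HJT lines quoted in this thread and sorts them the way a reviewer does: it checks whether the UserInit value is the stock Windows one, flags O2/O9 entries whose file is gone, and flags O4 startup entries that name a bare file rather than a full path. The sample fragment is constructed from the thread's own lines, and the finding labels (userinit-nondefault, orphan-entry, o4-unqualified-path) are this example's own names, not HJT terminology.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the HijackThis lines quoted in this thread,
# pasted together as one fragment (this is not a complete HJT log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Storm2Set] C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Every HJT entry starts with a section code (F2, O2, O4, O23, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body layout: <hive path>: [<value name>] <command line>
O4_BODY = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The stock Windows UserInit value: userinit.exe under system32, with or
# without the trailing comma. Anything chained after that comma also runs
# at logon, which is why a reviewer looks at this value.
DEFAULT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$",
                              re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only lines that look like HJT entries; skip headers and blanks."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def count_by_section(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.section for e in entries))


def userinit_is_default(value: str) -> bool:
    return DEFAULT_USERINIT.match(value.strip()) is not None


def first_executable(cmd: str) -> str:
    """Return the program an O4 command line launches (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (label, entry body) pairs a reviewer should look at.

    The labels are this example's own, not HijackThis terminology."""
    findings = []
    for e in entries:
        if e.section == "F2" and "UserInit=" in e.body:
            value = e.body.split("UserInit=", 1)[1]
            if not userinit_is_default(value):
                findings.append(("userinit-nondefault", e.body))
        elif e.section in ("O2", "O9") and "(no file)" in e.body:
            # A BHO or button whose DLL no longer exists: a leftover, safe to fix.
            findings.append(("orphan-entry", e.body))
        elif e.section == "O4":
            m = O4_BODY.match(e.body)
            if m and "\\" not in first_executable(m.group("cmd")):
                # Bare file name: which binary actually runs depends on the
                # search path, so the log alone cannot tell the reviewer.
                findings.append(("o4-unqualified-path", e.body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(count_by_section(parsed))
    for label, body in triage(parsed):
        print(f"{label:22} {body}")
```

On the sample fragment the UserInit line passes as the stock value, the nameless O2 BHO is reported as an orphan, and the two O4 entries that give only a file name (ALCXMNTR.EXE and the per-user ctfmon.exe) are reported as unqualified; everything else, as Howard says, is ordinary startup clutter rather than anything nasty.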
     
  20. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    If there is nothing nasty in my system, why are you suggesting I fix all the things (that's too much) you listed? What are they related to? Are you sure fixing them won't cause further problems?
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    While none of the things I listed are nasty, they are unnecessary, and not having them running on startup should help to speed up your system.

    If you fix something, then find you want it running, all you have to do is run HJT and click the config button, followed by the backups button. Tick the items you want to restore and click the restore button.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  22. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Hi Howard, I think I need your help again. Within these last couple of days, my computer has taken longer to load webpages, and froze whenever I dragged a video clip to my iTunes (so I can transfer them to my iPod). I've provided the required log files for you to check, thanks!
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your log files appear to be clean.

    So, I'm not sure what's causing your problem, but it doesn't appear to be malware related.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    How do I completely get rid of MSN Messenger? I've located the folder in my C drive, but when I tried to delete it, it says "you need permission to perform this operation". What should I do?
    I doubt Anti-Spyware is a reliable tool because it never detected a trojan or spyware other than tracking cookies; what is the reason for that?
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    See this article HERE for instructions on how to remove MSN Messenger.

    Regards Howard :)

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
