I can't follow the 8 step guide

Arsenalman

Hi,

My parents' PC seems to be infected with something.
Spec.: pendium 4,
1 gig RAM I think
Running Windows XP Pro Service Pack 2


When I start it up and log into a profile it only gets as far as loading the background. No icons or the start menu appear.

The mouse is there and I can get to the Control Panel through Ctrl-Alt-Del.

I tried booting in safe mode using F8 but it wouldn't work.

I found I can run programs from the Control Panel and used msconfig to boot into safe mode that way, but I have the same problem as before: no icons and no start bar at the bottom of the screen.

Does anyone have any suggestions of how I could proceed?

Thanks for your help
 
Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
should show:

Shell REG_SZ explorer.exe

Or download this tool: http://www.dougknox.com/xp/utils/XP_FixLogon.zip
This utility checks for the correct GINA value in the Registry and will allow you to restore it if it's incorrect.


Also as there is no such thing as a "pendium 4"
You are highly advised to do the following:
Please put your System Specs information in your Profile

If you have a brand name computer (like Dell; HP; or other) please place the Computer name & Model number in your Mobo field of your Profile
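The registry check described in the reply above can be done without the linked tool. The script below is an added example, not the thread's own or the XP_FixLogon utility: it parses the text that `reg query` prints for the Winlogon key and compares the Shell, Userinit and GinaDLL values with what a stock Windows XP install carries. The expected Userinit default (`%SystemRoot%\system32\userinit.exe,`) and the rule that a missing GinaDLL means the standard msgina.dll is in use are assumptions stated in the comments; the two sample outputs and the `EXAMPLE_*` file names are constructed for the demonstration.

```python
"""Check Winlogon Shell/Userinit/GinaDLL from 'reg query' output (added example)."""
import re
import subprocess
import sys

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# A value line in 'reg query' output looks like:
#     Shell    REG_SZ    explorer.exe
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Map lower-cased value names to their data; header and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, _type, data = m.groups()
            values[name.lower()] = data
    return values


# Stock Windows XP defaults (assumed here; the SystemRoot may not be C:\WINDOWS).
def _shell_ok(v):
    return v.lower() == "explorer.exe"


def _userinit_ok(v):
    # Default is "<SystemRoot>\system32\userinit.exe," with nothing chained after the comma.
    return re.fullmatch(r"[a-z]:\\.*\\system32\\userinit\.exe,?", v.lower()) is not None


def _gina_ok(v):
    return v.lower().endswith("msgina.dll")


CHECKS = {"shell": _shell_ok, "userinit": _userinit_ok, "ginadll": _gina_ok}


def check_winlogon(values):
    """Return human-readable findings; an empty list means the values look stock."""
    findings = []
    for name, ok in CHECKS.items():
        if name not in values:
            # GinaDLL is normally absent (standard msgina.dll); Shell and Userinit are not.
            if name != "ginadll":
                findings.append(f"{name}: value missing")
        elif not ok(values[name]):
            findings.append(f"{name}: unexpected data {values[name]!r}")
    return findings


# Constructed sample: what 'reg query' prints on a clean XP machine.
CLEAN_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell       REG_SZ  explorer.exe
    Userinit    REG_SZ  C:\WINDOWS\system32\userinit.exe,
"""

# Constructed sample with a second program chained onto Shell and a replaced GINA.
# The EXAMPLE_* file names are placeholders, not real malware names.
TAMPERED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell       REG_SZ  explorer.exe C:\WINDOWS\system32\EXAMPLE_extra.exe
    Userinit    REG_SZ  C:\WINDOWS\system32\userinit.exe,
    GinaDLL     REG_SZ  C:\WINDOWS\system32\EXAMPLE_gina.dll
"""


def main():
    if sys.platform == "win32":
        # reg.exe ships with XP; read the live key instead of the sample text.
        out = subprocess.run(["reg", "query", WINLOGON_KEY],
                             capture_output=True, text=True).stdout
    else:
        out = TAMPERED_OUTPUT
    findings = check_winlogon(parse_reg_query(out))
    print("\n".join(findings) if findings else "Winlogon values look stock")


if __name__ == "__main__":
    main()
```

On the affected machine the same check can be typed by hand: `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` should print `explorer.exe` and nothing more; anything appended after it is the kind of entry that stops the desktop loading while the mouse still works.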
 
I didn't put the specs in my profile because it is not my PC.
I built the computer a few years ago (2004).

CPU: the processor is an Intel Pentium IV

Motherboard: the motherboard is from AS Rock but I don't know the model number. I do know that it has integrated graphics.

Memory: I think it has 1 gig

Video card: N/A (integrated)

Cooling: Fans

the hard drive I think is 100 or 120 gig

It is running windows XP

I used the second method you suggested (Fix Win XP Logon).
It says "Default Gina in use. DLL in use: MSGINA.DLL (standard)"
So I guess that was OK.

I was just thinking, would it be possible to run the 8 step guide programs from the USB stick as I just did with Fix Win XP Logon?

I will give it a go.

I found that I can access AVG through the Control Panel and there seem to be quite a few viruses in the vault from previous recent scans. Would it be worth posting any of that information here?

In any case I will attempt the 8 step guide again and let you know how I get on. I believe the first step is an antivirus program.

I will keep you posted.
 
Start with uninstalling AVG (trust me ;) ). No, not disable; uninstall :)
Then install Avira, as per the guide (and continue)
 
I had a slight problem with uninstalling AVG but I managed to find its setup exe and uninstalled it.

I installed Avira and am waiting for a restart.

By the way has AVG now been surpassed? Would you recommend uninstalling it from my other pcs and installing Avira?
 
OK, I'm at step five but I can't install SUPERAntiSpyware. I get the following message:

"the system administrator has set policies to prevent this installation"

Does this have anything to do with the fact that I am in safe mode?

Also, after step 4 I can now see desktop icons and the start bar.

Should I just skip step 5?
Do you want to see my logs so far?

I skipped step 5 because I couldn't install that (see previous post).

I have included the logs from: Avira, Malwarebytes' Anti-Malware and HJT

I'm going to take it out of safe mode now, check if it is ok and let you know.

Also, if from the logs you see that I need to do something, let me know. Thanks for your help.

Great, it seems to be working fine now.

All the profiles seem to be working.
 
Hi Arsenalman

In Kim's absence, and as you are online now; hope you don't mind, Kim.

OK, what happened was that run of MBAM cleared it enough to break it loose, but you still have issues.

UPDATE MBAM, yes again, and run it again. It found and cleaned so much it likely exposed more that the first run did not even see.

Post me this new mbam log and then do step 5 SAS!

Mike
 
OK, I have the log; it only found one thing?

Should I try it again or do step 5?

Also, as MBAM was scanning, AntiVir found a trojan: "Is the TR/Crypt.XPACK.Gen Trojan" in C:\System Volume Information\_restor{...}\RP861\A035353535.exe

Is it worth running AntiVir again too?

Should I still go to step 5?
 
I need to see the log: open MBAM, click Logs and get me the last one.

Oh, you are not clean yet. Run the SAS and you will see; get me the SAS log also after the scan.

Mike
 
Here is the SAS log

and I'm guessing I'm not clear yet.

I'm running it again.
I think I didn't select full scan the first time.
 
Nope! If you have others that use the computer I would keep my eye out for porn.

Most all of this log is Tracking Cookies, not so bad in themselves, but the type of places visited will surely pick up infections. Likely the cause of your problems now.

No need to rerun the virus scanner, as when these tools scan across the files and hit something it will pop up and catch it.

You should UPDATE the Virus scanner now before running the tools.

Did you change the settings of MBAM and SAS as below?

SuperAntispyware config

Update the program every time you run it; sometimes updates can be an hour apart.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes except #3 'Ignore System Restore...' are checked.

In MalwareBytes

After UPDATE but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

So run FULL Scans in both and attach their logs.

Mike
 
Before your last post I was running SAS again because I had forgotten to click full scan the first time.

I have attached the log.

It's just gone midnight in London and I'm going home.

I'll do what you said in the previous post tomorrow morning and post those posts as well.

Thanks for your help mate!
 
Arsenalman, please let me assist you until kimsland can return. It is important to deal with the entries we see in the log and not just continue to run cleaning programs. Per SuperAntispyware, you have GOT to get control of the Tracking Cookies! Please do the following:

Have SAS remove the Tracking Cookies.
See the images here for removal setting:
http://superantispyware.en.softonic.com/images You can click on any of the images to enlarge.
Once done: Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
For Firefox: Tools> Privacy> Cookies section> UNCHECK 'accept third party Cookies.'
Mbam shows that you have malware in the System Restore points. Do NOT use System Restore while cleaning. We will remove the old restore points when through.

Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Click on the 'Get it Free' button.
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Professional\wsbho2k0.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
AVG Spyware Guard
Malwarebytes.
Symantec Network Drivers Service (SNDSrvc)
ZoneAlarm TrueVector Internet Monitor (vsmon)

Control Panel> Add/Remove Programs> UNINSTALL the following:
ALL Java except v6u10
All Adobe Reader except v9 (or, if you got FoxIt, uninstall ALL Adobe)
Start> Run> services.msc> DISABLE the following Services:
AVG Anti-Spyware Guard > it is out of date
Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again'. Stay in Selective Startup.

Please rescan with HijackThis in NORMAL Mode. Attach new log. We may remove some of the game entries.
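The entries the reply above picks out of the HijackThis log share a few recognisable traits: a registry key that still points at a file which is no longer there ("(no file)", "(file missing)"), a service with no vendor string ("Unknown owner"), and autostarts launched from somewhere other than Program Files or the Windows directory. The script below is an added example, not part of the thread or of HijackThis: it parses HJT-style lines and applies those three heuristics as a first-pass triage for the defender reading the log. The sample log reuses five lines quoted in the post plus one constructed line with an `EXAMPLE_` placeholder name; the list of "trusted" directories is an assumption for a stock XP install.

```python
"""First-pass triage of HijackThis-style log lines (added example)."""
import re
from collections import Counter

# One HJT entry: a section code such as O4 or R3, a dash, then the body.
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+)\s+-\s+(?P<body>.+)$")
# First absolute Windows path to an executable or library inside the body.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|cpl|scr)", re.IGNORECASE)
# Where startup items and services normally live on XP (assumed; SystemRoot may differ).
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\(?:program files|windows|winnt)\\")


def parse_hjt(text):
    """Return (code, body) pairs for every HJT entry line in text; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Apply three defender-side heuristics; returns (rule, code, body) findings."""
    findings = []
    for code, body in entries:
        lowered = body.lower()
        # 1. Orphans: the registry still references a file that is gone.
        if "(no file)" in lowered or "(file missing)" in lowered:
            findings.append(("orphan", code, body))
        # 2. Services with no vendor string deserve a second look.
        if code == "O23" and "unknown owner" in lowered:
            findings.append(("unknown_owner", code, body))
        # 3. Autostarts launched from outside Program Files / the Windows directory.
        m = PATH_RE.search(body)
        if m and not TRUSTED_DIR_RE.match(m.group(0).lower()):
            findings.append(("unusual_location", code, body))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'orphan': 2, 'unknown_owner': 1}."""
    return dict(Counter(rule for rule, _, _ in findings))


# Sample log: the first five lines are quoted from the thread; the last line is
# constructed for this example and uses a placeholder name.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Professional\wsbho2k0.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O4 - HKLM\..\Run: [EXAMPLE_updater] C:\Documents and Settings\Owner\Local Settings\Temp\EXAMPLE_updater.exe
"""


if __name__ == "__main__":
    for rule, code, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{rule}] {code} - {body}")
    print(summarize(triage(parse_hjt(SAMPLE_LOG))))
```

Each finding is a prompt for a human to look, not a verdict: an orphaned entry is safe to fix because nothing runs from it, while an unknown-owner service or a Temp-folder autostart is the kind of line that should be checked against the scanner logs before deciding what to remove.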
 
I couldn't do the reset the cookies bit because the boxes don't exist for me to uncheck.

For the first HijackThis scan, of the things I should check, the following are not there so were not checked:
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

I attach the SAS log and the first HJT log.

I will fix the entries listed in the previous post (the ones I found) and then continue with the next steps.

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
Quote:
AVG Spyware Guard
Malwarebytes.
Symantec Network Drivers Service (SNDSrvc)
ZoneAlarm TrueVector Internet Monitor (vsmon)

In msconfig these are the options I have in the Startup tab:
avgnt
avgcc
reader_sl
jusched
cftmon
SUPERAntiSpyware
ZoneAlarmPro
PowerReg Scheduler

Which ones should I uncheck?

This is the final HJT log.
What should I do next?
 
To Reset Cookies:
For Internet Explorer:
1. Internet Options (through Tools or Control Panel)
2. Privacy tab>
3. Advanced button>
4. CHECK 'override automatic Cookie handling'>
5. CHECK 'accept first party Cookies'>
6. CHECK 'Block third party Cookies'>
7. CHECK 'allow per session Cookies'> Apply> OK.
For Firefox: Tools> Privacy> Cookies section> UNCHECK 'accept third party Cookies.'
If you are still having a problem resetting Cookies, please tell me "what" boxes aren't showing and where.

In msconfig these are the options I have in the Startup tab: which ones should I uncheck?
avgnt> LEAVE
avgcc> LEAVE
reader_sl> UNCHECK
jusched> UNCHECK then disable as follows:
Control Panel> Java> Update tab> UNCHECK 'check for updates automatically'> answer YES when asked> Apply> OK
cftmon> UNCHECK
SUPERAntiSpyware> UNCHECK
ZoneAlarmPro> UNCHECK for now
PowerReg Scheduler> UNCHECK

Open ZoneAlarm and disable the firewall for now:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Open Malwarebytes and disable it. You ran the program- we don't want it running in the background

Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
You are still loading Adobe v7. Remove the following and uninstall in Add/Remove Programs:
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> services.msc> find each of the following Services and right click> Properties> Disable the Startup Type> Stop the Service> OK
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Control Panel> Add/Remove Programs> UNINSTALL Adobe v7.
Please verify that you show Java v6u10.

Please advise system status. Have original problems been resolved? Do any other problems exist? If yes, what?
 
For Firefox: Tools> Privacy> Cookies section> UNCHECK 'accept third party Cookies.'

is that: tools>options>privacy>UNCHECK "Accept cookies from sites" ?

EDIT: I just noticed that Firefox hasn't been updated on this PC. I'll update it so that I have the third party option.

I uninstalled Adobe Reader 7 but I still have other programs that came with Adobe Acrobat 7.0 Professional; I'm assuming I can keep those.

For Java I have v6u10 but I also have J2SE Runtime Environment v5u3 and v5u4; should I get rid of these two?

Is it normal that when I go to msconfig to take it out of safe mode all the boxes I unchecked in the startup tab are now checked again?

The original issue is resolved and as far as I can tell there are no visible problems.

I also want to ask what I should do with SAS: it loads up when I start the PC; is it best to keep it like that or try to disable it?

I also attached a HJT log just in case something has slipped through the net.
 
is that: tools>options>privacy>UNCHECK "Accept cookies from sites" ?
It would be very helpful to you if you took some time to acquaint yourself with the settings you have in your browsers:
Re: Firefox: Cookies>> there are two places with boxes:
1. Allow Cookies> should be CHECKED. These are the Cookies for the site itself. Very few sites will allow access if you don't have Cookies enabled.
2. Allow third party Cookies> should be UNCHECKED. These are the Cookies for the ads, the partners and any other junk on the site. You don't have to and should not accept them. They include Tracking Cookies.

I just noticed that firefox hasn't been updated on this PC. Ill update it so that I have the third party option.
I am using Firefox v3.0.4 now but have been using it since it was released to the public 4 years ago in v1. To the best of my knowledge, the two options for Cookies have always been available.

I have v6u10 but I also have J2SE Runtime Environment v5u3 and v5u4 should I get rid of these two?
Only the current version of Java should be kept. Most updates have been for security vulnerabilities. So keeping earlier, unpatched versions is a security risk. UNINSTALL both v5u3 and v5u4.

Unfortunately, Java doesn't overwrite earlier versions, so each time there is an update, you must uninstall the previous version after getting the update. And please follow my instruction for disabling the Java auto-updater.

Is it normal that when I go to msconfig to take it out of safe mode all the boxes I unchecked in the startup tab are now checked again?
I omitted one caution for you: when you reboot back into Normal Mode after making changes on the Startup menu, you will get a nag message. This can be ignored and closed after checking 'don't show this message again.' You must remain in Selective Startup to keep the changes you made.

Go back into msconfig> Uncheck what you did previously> Apply> OK> Reboot> Stay in Selective Startup as above.

I say 'boot into Normal Mode' as opposed to Safe Mode.
But boot into Selective Startup as opposed to Normal Startup.

If your problems have been resolved, we can remove the cleaning tools:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.
Your log is clean. If you repeat the changes in msconfig, following the instructions for handling the nag message, the processes should not start on boot.

It was a pleasure helping you. Let us know if you need more help.
 