
Too many worms for me alone


4 replies to this topic

#1 sthacker

sthacker

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 03 July 2005 - 12:12 AM

Working on a Dell Desktop, XP, that had the hard drive replaced a couple of months ago. My friend, the owner thinks it was about that time the trouble started, but that's not a hard fact. He uses Earthlink, and almost all time is spent in email.

When I first arrived he had been trying to download 105 email messages and it would get a few and lock up. He'd turn the computer off and back on and try again, same result 4 or 5 times. I deleted temp. internet files, offline content and all cookies. At some point, all emails were downloaded and he was happy for that, but it still is not good.

When Earthlink starts, it evidently starts a browser window. This is probably an option, I'm not very familiar with Earthlink. Anyway, when it starts, before the home page can be loaded, seven to twelve new windows open and each puts up a pop up that says a problem has been detected and user should go to a site for help. Some, but not all of the sites are: www.fixed-pc.com
www.updatepatch.info
www.e-regfix.com
www.regpatch.com
www.e-regclean.com
www.winregfix.com, and others.

The pop up windows appear to be from Microsoft, but the fact that every one is different made me suspicious, and I told him to steer clear of all of them, that I knew a place to get reputable, good help. Since we could not get onto the internet long enough to do even a minor download (I was going to start with Ad-Aware and Spybot and failed), I came home and put these onto CDs, as well as HJT and Fxistbar.exe. Next session I ran Ad-aware and found and removed 665 critical objects. Ad-aware said it was very out of date, so obviously the current fixes I downloaded just before I put it on CD did not get integrated? I re-ran it and found 118 critical objects. I'm not sure it's kosher to run it twice?

Next I ran Spybot (Yes, I'm working toward a log file for you!) and it hung. I re-ran it and it found 11 problems. Concerned about the validity of sending a log after running Ad-aware with down-level update files, I got online and downloaded the current files. A rerun found 727 critical objects and one negligible MRU or something. I removed all 728 objects, but got a message that said all could not be removed, and did I want the rest removed on the next reboot. I said yes, and tried to restart from Windows, but all windows went blank, the task bar went away, and we were left with a blank screen except for the desktop icons. None of them were operational, so I powered off and back on.
Now I re-ran Ad-aware to see if it would do the same thing. Found and removed 61 critical objects, no mention of anything needing a reboot. Finally I think I'm ready to get an HJT log, and the thing won't open or run on his system from the CD. I ran out of time and could not try to download it directly onto his system. Is this an intentional restriction of HJT, that it cannot be run from CD on another system? Or did I do something wrong in the copy, etc. I did it the same as the other 2 programs that ran fine.

What I'd really like to know, if anyone finishes this tome, is a recommended path for all the above symptoms. Does this sound like a known worm or trojan(s)?
Should HJT be the next step? I'm very persistent, and even though the failing computer is 50 miles away, if that's the next thing to do, I'll get it done somehow. Thanks for your time and any help you can give us.

Stan



#2 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:10:33 PM

Posted 03 July 2005 - 12:36 AM

Did you run Ad-aware and Spybot, in Safe Mode?
If you can, load them on the computer, and update them, before running them.
How to start Windows in Safe Mode

Does he have an Antivirus, and are the definitions up to date?
If he doesn't have one, AVG Free is a good one.
You need to run the AV in Safe mode, also.

HijackThis needs to be downloaded to the computer.
How to post a HijackThis Log
You can also download the latest version from this link.

Edited by tg1911, 03 July 2005 - 12:39 AM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#3 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 04 July 2005 - 09:56 PM

I read your response and didn't give you the courtesy of a reply. Sorry about that.
I'm planning to go work on this mess tomorrow afternoon. I don't know why I didn't think about running in safe mode. Thanks for the heads-up.

My plan of attack is try to get on the internet from his machine and update Spybot and Ad-aware. Then get a download of HJT. Then reboot in safe mode and run Spybot and Ad-aware.

(I've always wondered if it makes any difference which runs first?)

Then I'll run HJT, and get a log. Then reboot, get online and submit the log.

If this all works, I'll be back late tomorrow afternoon with the log.

Stan

#4 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:11:33 PM

Posted 05 July 2005 - 01:07 AM

Your plan appears sound.
I usually run Ad-wareSE first, since it seems to run a little faster than Spybot.
Make sure his AV is up-to-date and run it in safe mode, as well. If he does not have a firewall, Sygate Personal Firewall (free) will do the trick.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#5 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 09 July 2005 - 01:16 AM

One of the Trojans not picked up by anything I've run yet is called W32.Wallz by Symantec. Dirtiest thing I've run into. See my post in the HJT log forum for more detail.

Thanks for all your time.

Stan



