
antivira finally gone.....but


9 replies to this topic

#1 daryl in despair

Posted 19 February 2011 - 10:52 PM

Hello,

I was infected with the Antivira Av rogue and have finally gotten that cleaned up thanks to the advice given in other postings. Now I am left with a very slow computer. This has been building for a while now. It's gotten to the point that it's hard to function. My msconfig won't let me make changes. It keeps giving me an error about admin rights (even though I have admin rights). I downloaded Mike Lin's software, but there is much more running in the background than what shows up on the log in his program.

Is there a way I can send a log of everything that is running and get some advice on how to turn it off or delete it if not needed? I just doubled the memory about a month ago and that didn't have any impact.

Any help would be appreciated. Thank you.


#2 boopme


Posted 20 February 2011 - 08:35 PM

Hello, I guess you mean his StartupMonitor?
This is probably the best tool for this: Process Explorer
Is this XP or another OS?

I think you may still have an infection, so I would like to run an online scan.
Please perform a scan with the ESET Online Antivirus Scanner.
This scan requires Internet Explorer, Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green button to launch the scanner.
  • Read the End User License Agreement and check the box to accept it.
  • Click the button to continue.
  • Accept any security warnings from your browser.
  • Check the scan options shown, including Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while, so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push the button that lists the found threats.
  • Push the export button and save the file to your desktop as ESETScan.txt.
  • Push the back button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click OK and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 daryl in despair

daryl in despair
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 21 February 2011 - 12:54 AM

Thank you for the post and the direction. Yes, I should have mentioned I am running XP. I ran the ESET Scanner and it found 3 infected files. The log is below:

C:\Documents and Settings\Daryl\Application Data\Sun\Java\Deployment\cache\6.0\2\42aa7c82-435a19cc multiple threats deleted - quarantined
C:\Documents and Settings\Daryl\Application Data\Sun\Java\Deployment\cache\6.0\20\6027d4-60ea3f92 a variant of Java/Exploit.Agent.NAL trojan deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q3A5C1Q3\home[1].png a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined
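The three result lines above are the kind of scanner output a practitioner wants to triage by location before deciding whether a machine is clean. As an added example, not part of the poster's reply and not ESET's own tooling: a small Python parser for ESET Online Scanner result lines that sorts each hit into a transient cache location or a persistence location and flags hits cached under a service-account profile. The three lines above are its sample input; the regex for the line shape, the location categories and the service-account flag are this example's own assumptions.

```python
"""Added example for this thread (not part of the original post or of ESET).

Triage of ESET Online Scanner result lines by *where* each hit lives. The
sample input is the three lines the poster pasted; the location categories
and the profile-owner check are this example's own assumptions.
"""
import re
from collections import Counter, namedtuple

Hit = namedtuple("Hit", "path detection action profile kind label")

# Sample input: the three result lines from the post above.
ESET_LOG = r"""
C:\Documents and Settings\Daryl\Application Data\Sun\Java\Deployment\cache\6.0\2\42aa7c82-435a19cc multiple threats deleted - quarantined
C:\Documents and Settings\Daryl\Application Data\Sun\Java\Deployment\cache\6.0\20\6027d4-60ea3f92 a variant of Java/Exploit.Agent.NAL trojan deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q3A5C1Q3\home[1].png a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined
"""

# Each line is: path, detection name, action. Paths contain spaces, so the
# detection is recognised by its shape: "multiple threats", an optional
# "a variant of", or a Family/Name token followed by an optional type word.
_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably a variant of |a variant of )?"
    r"(?:multiple threats|\S+/\S+(?: (?:trojan|virus|worm|adware|application))?))\s+"
    r"(?P<action>.+)$"
)
# Owner of the profile the file sits in (XP layout: C:\Documents and Settings\<user>\...).
_PROFILE_RE = re.compile(r"^[a-z]:\\documents and settings\\([^\\]+)\\", re.I)

# A drive-by lands in caches (Java deployment cache, browser cache, %TEMP%);
# a payload that was actually installed lives somewhere that survives a
# cleanup. Assumed categories for this example, not ESET's classification.
_LOCATIONS = (
    ("transient", "Java deployment cache", r"\\sun\\java\\deployment\\cache\\"),
    ("transient", "IE cache", r"\\temporary internet files\\"),
    ("transient", "Temp folder", r"\\local settings\\temp\\|\\windows\\temp\\"),
    ("persistent", "system32", r"\\windows\\system32\\"),
    ("persistent", "Program Files", r"\\program files\\"),
    ("persistent", "Startup folder", r"\\start menu\\programs\\startup\\"),
)


def classify_location(path):
    """Return (kind, label) for a path; ("other", "") if no category matches."""
    p = path.lower()
    for kind, label, pattern in _LOCATIONS:
        if re.search(pattern, p):
            return kind, label
    return "other", ""


def parse_eset_log(text):
    """Parse result lines into Hit records; lines of an unknown shape are skipped."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        owner = _PROFILE_RE.match(path)
        kind, label = classify_location(path)
        hits.append(Hit(path, m.group("detection"), m.group("action"),
                        owner.group(1) if owner else None, kind, label))
    return hits


def summarize(hits):
    """Count hits per location kind and list what deserves a second look:
    anything in a persistence location, and anything cached under a service
    account's profile, which means a non-interactive process fetched it
    rather than the user's browser."""
    counts = Counter(h.kind for h in hits)
    flags = []
    for h in hits:
        if h.kind == "persistent":
            flags.append(f"persisted payload ({h.label}): {h.path}")
        elif h.profile and h.profile.lower() in ("localservice", "networkservice"):
            flags.append(f"fetched under service account {h.profile}: {h.path}")
    return counts, flags


if __name__ == "__main__":
    found = parse_eset_log(ESET_LOG)
    for h in found:
        print(f"{h.kind:10} {h.label:22} {h.profile or '-':13} {h.detection}")
    counts, flags = summarize(found)
    print(dict(counts), *flags, sep="\n")
```

On the poster's three lines every hit is in a cache: two in the Java deployment cache, where a drive-by's class files land, and one in the Temporary Internet Files of the LocalService profile, so a process running as that service account fetched it, not the user's browser. A cache-only result shows that an exploit attempt reached the machine; it does not say whether the payload ran, which is why the follow-up scans later in the thread still matter.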

#4 boopme


Posted 21 February 2011 - 10:47 AM

Hello, I thought there was more. How is it now?

Let's clear the junk files and rerun MBAM.

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link).
  • Close all open browsers before using, especially Firefox. <- Important!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.




Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 daryl in despair

daryl in despair
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 21 February 2011 - 11:54 PM

Thank you once again. I ran ATF and cleaned out the temp files. I then ran another Malwarebytes scan. It was clean. There were no infected files. The machine is a bit quicker now, but after a reboot I still have a lot of system processes running. I installed Process Explorer, but as far as I can tell it only tells me what is running; it doesn't give me a method of blocking it from the start menu. As I mentioned before, msconfig gives me an error when I try to turn things off. Should there really be 8 svchost.exe running at startup? I have been trying to attach a screen dump of my task manager but keep getting an error on format. You should be able to paste this link into a browser. Also, the Malwarebytes log is below.


http://img14.imageshack.us/i/startupfile.jpg



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5836

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/21/2011 10:38:27 PM
mbam-log-2011-02-21 (22-38-27).txt

Scan type: Quick scan
Objects scanned: 173341
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme


Posted 22 February 2011 - 11:25 AM

Hello. Svchost may not be the issue. Having several running is common.

If you've ever taken a look at the Services section in Control Panel, you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows, so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.

What is svchost.exe And Why Is It Running?

Wuauclt.exe is the Windows Update AutoUpdate Client file. This file checks with the Microsoft web site for operating system updates. It shows up in the Task Manager's process list when waiting for a response. The file can be deactivated without affecting the working of the operating system, except that updates will have to be searched for manually. The file is not a virus unless it is found in the windows/system32 folder. If it is found anywhere else, it is most likely a virus, Trojan or adware.

Yours is running high in your image, unless it is waiting on you to finish an update.
Do a file search for wuauclt.exe and find its path. Post it here.

#7 daryl in despair

daryl in despair
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 22 February 2011 - 06:22 PM

It found 3 instances when searching for "wuauclt.exe":

WUAUCLT.EXE-399A8E72.pf C:\WINDOWS\Prefetch
wuauclt C:\WINDOWS\system32
wuauclt C:\WINDOWS\ServicePackFiles\i386

Are these legit?

What is the preferred method of disabling processes at startup? Like the Java scheduler or the real time player scheduler etc. The only thing I really want to start at startup is my virus software. Anything else I can open manually.

Also, do you have a tip jar or anywhere I can donate a token of my appreciation for helping me out?

#8 boopme


Posted 22 February 2011 - 10:08 PM

OK, these are legit files.

Looks like we need to repair some of Windows' internal registration settings.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double-click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box.
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • Then press the GO button at the bottom of the window.
  • Exit/Close Dial-A-Fix.



How to use MSCONFIG in Windows XP to disable
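As an added example for the two checks discussed in the last few posts (the svchost explanation in #6 and the wuauclt.exe file search in #7 and #8), not code from the thread or from any tool it mentions: a Python script that groups svchost.exe instances by the services they host from `tasklist /svc` output, and classifies each copy of a system binary that a file search turns up by whether Windows XP is expected to keep a copy in that folder. The tasklist text is a constructed sample, not the poster's process list; the three wuauclt paths are the ones from post #7, written out with full file names; the set of expected folders is this example's own assumption about a stock XP install.

```python
"""Added example for this thread, not code from the original posts.

Groups svchost.exe instances by hosted service from `tasklist /svc` output,
and classifies where a file search found copies of wuauclt.exe. The tasklist
text is a constructed sample, not the poster's machine.
"""
import ntpath
import re
from collections import OrderedDict, namedtuple

Process = namedtuple("Process", "image pid services")

# Constructed sample. tasklist wraps long service lists onto indented
# continuation lines, which the parser rejoins.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   680 Eventlog, PlugPlay
svchost.exe                    852 DcomLaunch, TermService
svchost.exe                    928 RpcSs
svchost.exe                   1024 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   Schedule, seclogon, SENS, SharedAccess,
                                   TrkWks, W32Time, winmgmt, wscsvc, wuauserv
svchost.exe                   1096 Dnscache
svchost.exe                   1172 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                   1580 stisvc
wuauclt.exe                   1804 N/A
"""

# The three search results from post #7, written out with full file names
# (the post omitted the .exe extension and misspelt Prefetch).
FOUND_WUAUCLT = [
    r"C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf",
    r"C:\WINDOWS\system32\wuauclt.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe",
]

_PROC_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(text):
    text = text.strip()
    return [] if text in ("", "N/A") else [s.strip() for s in text.split(",") if s.strip()]


def parse_tasklist(text):
    """Parse `tasklist /svc` output into Process records."""
    procs, past_header = [], False
    for line in text.splitlines():
        if not past_header:            # the "====" row ends the two-line header
            past_header = line.startswith("=")
            continue
        if not line.strip():
            continue
        if line[0].isspace():          # continuation of the previous service list
            if procs:
                procs[-1].services.extend(_split_services(line))
            continue
        m = _PROC_RE.match(line)
        if m:
            procs.append(Process(m.group("image"), int(m.group("pid")),
                                 _split_services(m.group("services"))))
    return procs


def svchost_groups(procs, host="svchost.exe"):
    """Map each svchost.exe PID to the services it hosts. Several instances
    are normal (one per service group); an instance hosting nothing at all
    (tasklist prints N/A) is the one worth a second look."""
    return OrderedDict((p.pid, list(p.services)) for p in procs if p.image.lower() == host)


def classify_copy(path, binary, windows_dir=r"C:\WINDOWS"):
    """Explain a file-search hit for `binary` by its folder on Windows XP.
    The expected folders are this example's assumption about a stock install.
    Location alone does not prove a file is genuine: verify the Authenticode
    signature of any copy you intend to trust (e.g. Sysinternals sigcheck)."""
    folder, name = ntpath.split(ntpath.normpath(path).lower())
    w = ntpath.normpath(windows_dir).lower()
    expected = {
        ntpath.join(w, "system32"): "live copy",
        ntpath.join(w, "system32", "dllcache"): "Windows File Protection cache copy",
        ntpath.join(w, "servicepackfiles", "i386"): "service pack backup copy",
    }
    binary = binary.lower()
    if folder == ntpath.join(w, "prefetch") and name.startswith(binary + "-") and name.endswith(".pf"):
        return "prefetch trace: a record that it ran, not an executable"
    if name != binary:
        return "different file"
    return expected.get(folder, "unexpected location: inspect before trusting")


def report(tasklist_text=SAMPLE_TASKLIST, found=FOUND_WUAUCLT, binary="wuauclt.exe"):
    """Plain-text summary of both checks."""
    groups = svchost_groups(parse_tasklist(tasklist_text))
    lines = [f"{len(groups)} svchost.exe instances:"]
    for pid, svcs in groups.items():
        lines.append(f"  PID {pid:>5}: {', '.join(svcs) or 'NO SERVICES: investigate'}")
    lines.append(f"copies of {binary}:")
    lines += [f"  {p}: {classify_copy(p, binary)}" for p in found]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run `tasklist /svc` on the XP machine and pass its output to parse_tasklist() to see the real grouping; as post #6 says, several instances are normal, and the service list next to each PID is what tells you whether one is out of place. The location check answers the question in post #7 the same way post #8 does, but it is only a location check: to trust a copy, confirm its Authenticode signature as well.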

#9 daryl in despair

daryl in despair
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 23 February 2011 - 07:33 PM

I ran Dial-a-Fix. It popped up a couple of Error #127 messages regarding system32, but since we had just upgraded in that area, I assumed it didn't recognize the new version of whatever it was looking for. Once I hit OK on those errors, it completed the cycle.

I have tried to run MSCONFIG. Attached is the error that I receive when I run the program. It's regarding admin rights. However, when I check the accounts, both my wife and I (2 separate accounts) have admin rights. This has been happening for some time now, and when things get overloaded on my startup, I can't turn them off easily. I have read that it is a glitch when an HP printer is installed, but I followed those posts and it still is not working. Have you ever seen this before? Is there a better way to turn programs off?

http://img716.imageshack.us/i/msconfigerror.jpg/

#10 boopme


Posted 23 February 2011 - 08:12 PM

Use the RUN AS command

As an administrator, you can use the Run As command to start a program. To do so:
  • Locate the program you want to start in Windows Explorer, the Microsoft Management Console (MMC), or Control Panel.
  • Press and hold down the SHIFT key while you right-click the program icon, and then click Run as.
  • Click Run the program as the following user, and then type the user name, password, and domain of the administrator account that you want to use.