Status: Not open for further replies.
1 - 13 of 13 Posts

Registered · 7 Posts · Discussion Starter · #1
Dell Inspiron 3500 laptop, running Win2000 (64meg ram) very slow on internet. ISP tech said to run malware/spyware etc, which I did - Spyware Terminator and AVG 7.5, which found and deleted a number of high threat files, i.e. worms and trojans. I can now connect to internet and browse to one more page (sometimes) but after that can't go anywhere. I am posting the Hijack log and would also like to know if guard.exe (which I believe is an AVG background running program - which has not been initiated by me - unchecked in AVG) could be a problem. It takes up memory when it is not supposed to be running. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:36 PM, on 1/21/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\Desksweeper\DeskSweeper.exe
C:\Download\unzip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O4 - Startup: dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

Thanks...ennglish
 

TSF Security Manager, Emeritus · 52,197 Posts
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I hate to be the bearer of bad news, but your system is woefully inadequate to run many of today's programs. You should have at least 256MB RAM, preferably more, even with Windows2000.

Next, you have fallen far far behind in your security patches. Windows 2000 has been at Service Pack 4 for quite some time. You are at Service Pack 2. Your version of Internet Explorer is outdated, and therefore full of security holes. IE has been at version 6 for quite some time, and is now at Version 7. (IE7 will not run on Windows 2000)

You have no Anti-Virus program. This leaves you at the mercy of the internet. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

The Anti-Virus program I'm recommending below requires you to be up to date on your Windows Updates, but will support 64MB RAM minimum spec.

You have no firewall. This gives you no control over inbound or outbound traffic, such as the worms that are infesting your system.

The first Firewall listed, Comodo, is an excellent firewall and supports your system specs.

We can help you to clean this up, but due to the lack of resources, it may be slow going for you. You may need to invest in more RAM to be able to install an Anti-Virus program and firewall. Not sure if this system is worth investing money into, as I have no idea how old it is. We can certainly try to fix it as it is.

You may want to consider disconnecting this machine from the internet, purchasing more RAM and installing it, and then carry out the fixes prescribed below. If that's not possible, carry on as best you can.

If at all possible, download all tools on a clean machine and carry them to, and then install on, the infected machine via Removable Media such as USB flash drive, or CDR.

---------------------------------------------------------------------------------------------

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable its real-time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.

Hope that helps.

---------------------------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------------------------------------------------------------------------

I see you have AVG Anti-Spyware already. Please update its definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware
  • From the main screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports", select "Automatically generate report after every scan" and un-select "Only if threats were found".
  • Exit AVG Anti-Spyware. DO NOT scan yet.
---------------------------------------------------------------------------------------------

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
rem Stop the bogus "Windows System 32" service (the O23 entry whose file is missing),
rem then remove its registration so it is not started again at boot.
sc stop "Windows System 32"
sc delete "Windows System 32"
exit
Double click FixServices.bat. A window will open and close. This is normal.

---------------------------------------------------------------------------------------------

  • Double click on HijackThis.exe to run it.
  • Click on Open the Misc Tools section
  • click the button labelled "Delete A File on Reboot..."
  • In the dialogue that shows up, enter the path (copy and paste) of the file in "file name:" field C:\WINNT\sys32.exe
  • When you have selected the file, Click the "Open" Button
  • Click No at the next prompt
  • Do that for the following files also:
    • C:\WINNT\System32\sysamp.exe
    • C:\WINNT\System32\spooIsv.exe
  • When you get to the last one, click Yes when HJT asks you to reboot.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.

---------------------------------------------------------------------------------------------------------

Download SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

---------------------------------------------------------------------------------------------


MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

---------------------------------------------------------------------------------------------

Please download and install this excellent and FREE anti-virus program:

Please download Active Virus Shield (powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:
  • Then please update the program and run a systemwide scan. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.
  • Click the Scan button on the left, and then click Detected.
  • In the ensuing window, click the Save As button to save a copy of the log.
  • Copy and paste that log in your next reply.
Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

---------------------------------------------------------------------------------------------------------

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:


---------------------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

SDFix
AVG AntiSpyware
ActiveVirusShield
Panda online scan
HijackThis.
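The two things the fix above singles out, a process name that mimics the real print spooler (spooIsv.exe with a capital I sitting next to the genuine spoolsv.exe) and an O23 service whose binary no longer exists, can be picked out of a HijackThis log mechanically. The script below is an added example, not part of this thread and not anything HijackThis itself does: it re-reads the relevant lines of the log from the first post (embedded as sample input) and flags (1) process or autorun binaries whose name is a homoglyph of a core Windows binary, (2) binaries running from the Windows directory that are not on a small allow-list, and (3) services with an unknown owner or a missing file. KNOWN_WINDOWS_BINARIES, the C:\WINNT location and the line regexes are assumptions made for the example.

```python
"""Heuristic triage of a HijackThis 1.99 log (added example, not thread code).

Sample lines are copied from the first post; KNOWN_WINDOWS_BINARIES is a small
hand-picked allow-list for a Windows 2000 box, not an authoritative one."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the process list, O4 and O23 lines posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Download\unzip\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
"""

WINDOWS_DIR = r"C:\WINNT"  # taken from the log's Platform line (assumption)
KNOWN_WINDOWS_BINARIES = {  # assumption: hand-picked Win2000 core binaries
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "mstask.exe", "winmgmt.exe", "explorer.exe", "mobsync.exe",
}
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def fold(name: str) -> str:
    """Collapse characters that look alike in a proportional font, so that
    'spooIsv' (capital I) and 'spoolsv' (lowercase L) compare equal."""
    return name.lower().translate(str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"}))


def lookalike_of(basename: str) -> Optional[str]:
    """Return the legitimate binary this name impersonates, or None."""
    low = basename.lower()
    if low in KNOWN_WINDOWS_BINARIES:
        return None
    return next((k for k in KNOWN_WINDOWS_BINARIES if fold(k) == fold(low)), None)


def program_of(cmd: str) -> str:
    """Strip arguments from an autorun command line (paths may contain spaces)."""
    m = re.match(r'^"?(.+?\.(?:exe|com|scr))"?(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_binary(path: str, origin: str) -> Optional[Dict[str, str]]:
    """Flag a lookalike name, or an unknown binary living in the Windows dir."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    target = lookalike_of(name)
    if target:
        return {"kind": "lookalike", "origin": origin, "path": path, "detail": f"{name} mimics {target}"}
    if path.lower().startswith(WINDOWS_DIR.lower() + "\\") and name.lower() not in KNOWN_WINDOWS_BINARIES:
        return {"kind": "unknown_in_windows_dir", "origin": origin, "path": path,
                "detail": f"{name} is not a known system binary"}
    return None


def analyze(log_text: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    in_processes = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        f = None
        if in_processes:
            f = check_binary(line, "process")
        elif (m := RUN_RE.match(line) or STARTUP_RE.match(line)):
            f = check_binary(program_of(m.group("cmd")), f"O4 [{m.group('name')}]")
        elif (m := SERVICE_RE.match(line)):
            reasons = []
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no vendor recorded")
            if "(file missing)" in m.group("path").lower():
                reasons.append("binary missing on disk")
            if reasons:
                f = {"kind": "service", "origin": f"O23 {m.group('name')}",
                     "path": m.group("path"), "detail": "; ".join(reasons)}
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['kind']:<24} {f['origin']:<32} {f['detail']}")
```

Run against the sample it reports five entries: spooIsv.exe twice (as a running process and as the "Spooler SubSystem App" Run value), sysamp.exe twice, and the "Windows System 32" service. The allow-list is deliberately tiny; on a real box you would build it from a known-good install rather than by hand, and the homoglyph fold only covers the substitutions an attacker can make with plain ASCII.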
 

Registered · 7 Posts · Discussion Starter · #3
Firstly, thanks for the instructions, and, yes, you are correct, the machine is woefully old, underpowered and apparently vulnerable. I use it mainly as a word processor, yet since it's a laptop I'd like to be able to run it on the internet. I'll work on the sequences you described and get back to you. I don't use Internet Explorer on this machine; only Firefox.

Thanks again, ennglish.
 

TSF Security Manager, Emeritus · 52,197 Posts
Hi Ennglish -

Though you use only Firefox, I still recommend you update IE to version 6 and certainly get the Security Patches at Windows update.

Looking forward to seeing your next logs.
 

Registered · 7 Posts · Discussion Starter · #5
I've thought more on your diagnosis and suggestions for cleaning up the problem, and it may be that given the age and lack of power of the laptop it may be more expense and trouble than it's worth. I bought the computer mainly as a portable word processor and should use it for that purpose. I have a desktop which I use for the internet.

My options seem to be:
1) Leave the laptop as is and use it for word processing. But it bothers me that something alien is on the machine. However, it does do word processing without any apparent problems.

2) Clean off the hard-drive completely and start from scratch. I do have my Win98 SE cd to install on it.

I like the #2 but I do need instructions on how to wipe the hard-drive and install Win98SE. Can you help me on that? I'd appreciate it.

Thanks...ennglish
 

Registered · 7 Posts · Discussion Starter · #6
P.S.: A follow-up on my message

I've looked over your instructions again. I had first found them very daunting, especially downloading Kaspersky - a 13meg file that I had no way of transporting to the infected machine. But it looks like if I follow your instructions I might be able to get on the internet to download it. So I think I'll give your way a shot - if that doesn't work, or more likely I screw it up (I'm pushing 70 and I'm in similar shape to the laptop) I'll try plan B or just use the machine for a kayak anchor.

Also, I had posted my problem on another site and a replier told me I had a "rabid emailer", that my e-mail password was stolen and I should set another one. He mentioned that I had been "keylogged". What is your opinion on this?
Thanks.
 

TSF Security Manager, Emeritus · 52,197 Posts
DO NOT go back to Windows 98. Support for it has ended, and it is an inferior OS to Windows2000, in my (and many others') opinion.

If you're only going to use this offline, it might be acceptable. We have dedicated forums here to help you with that.

If you have no other way of transporting files to the infected machine, just go ahead and use it. Clear the infection first though. Protect it second.

The main tool you need to run to clear your infection is SDFix, along with the service deletion batch file I have posted, and the file deletions.

Also, use your existing AVG Anti-Spyware and the online scan.

A stick of RAM for that machine should run you about $50 if you look online, or in the Sunday paper adverts.
 

Registered · 7 Posts · Discussion Starter · #8
SDFix report

Followed instructions but couldn't find the file: C:\WINNT\sys32.exe. Here's the SDFix report:


SDFix: Version 1.62

Wed 01/24/2007 - 13:53:05.89

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
rdriv

Path:
\??\C:\WINNT\system32\rdriv.sys

rdriv Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINNT\system32\i - Deleted
C:\WINNT\system32\spooIsv.exe - Deleted



Alternate Streams Check:

C:\WINNT\system32
No streams found.

Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\arcldr.exe
C:\arcsetup.exe
C:\PAGEFILE.SYS
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS

Finished
This wasn't as bad as I thought. Might have made one mistake though: Instead of RunThis.bat at the end I mistakenly clicked on FixServices.bat, then the SDFix bat file.

ennglish
 

TSF Security Manager, Emeritus · 52,197 Posts
That's a good start. Continue on, and post all logs together when you've completed the tasks at hand, unless you run into issues.
 

Registered · 7 Posts · Discussion Starter · #10
It may take me some time to get the rest of it done. I tried connecting to the internet and had the same problem: homepage only and couldn't go anywhere. The Anti-Virus program is 13megs and I'd have to download it to my good computer and move it over. Right now I don't have enough good floppies and no memory sticks, so unless you have another program that's smaller to suggest, I will have to work that out...You also suggest using Panda, but that means getting online again...and so far I haven't been able to do that. What do we do about that?

Am curious to know what you think the problem is (are) at this stage and also why many more bytes are sent to the internet than I receive? Thanks, I'll stay in the game - see you soon.
ennglish
 

TSF Security Manager, Emeritus · 52,197 Posts
Time to drag you into the modern era of computing, I reckon.

To the best of my knowledge, you won't be able to split an executable file onto multiple floppies. You either need to borrow or purchase a USB flash drive (assuming this machine has a USB port), or use someone else's machine with a CD burner, if your desktop doesn't have one.

A USB drive can be obtained for less than $20 most times. I show you this as an example only:

http://froogle.google.com/froogle?h...&lmode=online&price1=&price2=20.00&lnk=prsugg

Until you get some cleaning power onto that system, you're going to have some issues with connecting. Hard to say until I get some more results back what might still be the cause.

Until you get some protection in place, you're open to recurring infection.

Sooo, bottom line is, you need to figure out some way to get an AV installed.

Most AV downloads are approximately that large.

An alternative is to go to the store and buy some AV product on CD, but when there are freeware options that are frequently better, I don't generally suggest that, and it may not be the correct solution for a machine you still seem unsure of.

More bytes may be going out than coming in because your machine may still be infected. That's why I'm trying to get you to run the tools I selected in the order in which I have them placed.

At the very least, run AVG Anti-Spyware right now, according to my instructions, and see what it comes up with.

Also, try this to see if it's your DNS cache which has become poisoned.

Go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(that space between g and / is needed)

Close the command prompt, and see if that helps your internet issue.

<edit> Also, whatever your next post is, please include a new HijackThis log. </edit>
 

Registered · 7 Posts · Discussion Starter · #12
Here's the AVG7.5 report. Have not been able to go online to do any active scans and have not gotten any of the larger Anti-Virus programs: report follows:

AVG Anti-Spyware - Scan Report

+ Created at: 10:35:26 AM 1/26/2007
+ Scan result:

Nothing found.

::Report end
 

TSF Security Manager, Emeritus · 52,197 Posts
Sooo, bottom line is, you need to figure out some way to get an AV installed.
<edit> Also, whatever your next post is, please include a new HijackThis log. </edit>
 