virus or something..help

Discussion in 'Windows - Virus and spyware problems' started by mesa101, Mar 9, 2006.

  1. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
I'm trying to help a friend fix his PC. He has an older eMachines PC, about a 2003 model, running XP. When I first got it, it was very slow and the screen would jitter when you tried to open a program, and a pop-up at the bottom right of the tray says: "Dangerous infection was detected on your PC. The system will now download and install most efficient antimalware program to prevent data loss and information theft." I ran Ewido and Spyware Doctor and they found nothing. I installed Panda Platinum and it found several malware items, but the pop-up is still there. I ran HJT, but there was a very short list and everything looked legit. One thing I noticed about his version of XP was that there was no system recovery program anywhere, just System Restore. I was going to just reformat the thing, but it's not there. Maybe this older version requires the discs?
     
  2. spertti

    spertti Active member

    Joined:
    Jun 1, 2005
    Messages:
    1,222
    Likes Received:
    0
    Trophy Points:
    66
  3. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Logfile of HijackThis v1.99.1
    Scan saved at 4:06:30 PM, on 3/10/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\New Folder\HijackThis.exe

    O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

     
  4. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Download smitRem -> http://noahdfear.geekstogo.com/click counter/click.php?id=1
    Save it to the desktop and double-click it; it will then create a smitRem folder on the desktop.

    Fix with HjT (do a system scan only, check these and press Fix checked):

    O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Boot in safe mode (tap F8 while booting).

    Delete, if found:

    C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe
    C:\WINDOWS\web\related.htm

    Open the smitRem folder and double-click RunThis.bat. Follow the instructions.

    Reboot, then send a fresh HjT log and the contents of c:\smitfiles.txt.
    And get antivirus, a firewall and Windows updates!
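As an added example (not code from this thread, from HijackThis or from smitRem), here is a small Python check that parses the HijackThis lines posted above and flags the two autorun entries kemisti picked out: a BHO loaded from a .tmp file in System32 and a Run entry pointing into the user's Temp folder. The section list and the two rules are my own assumptions about what looks out of place, not something HijackThis itself evaluates.

```python
import re

# Constructed sample input: autorun lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# A HijackThis line starts with its section code (O2, O4, O9, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# First drive-letter path ending in a known extension; non-greedy so that trailing
# command-line arguments such as "/insfin" are not swallowed into the path.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|tmp|htm|html|scr|com|bat))\b", re.I)
# Sections whose target gets loaded into a process or run at logon (assumed list).
LOADED_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}

def suspicious_reasons(section, path):
    """Return the reasons a loaded path looks out of place, or an empty list."""
    low = path.lower()
    reasons = []
    if section in LOADED_SECTIONS and low.endswith(".tmp"):
        reasons.append("code loaded from a .tmp file (real components ship as .dll/.exe)")
    if section in LOADED_SECTIONS and re.search(r"\\temp\\", low):
        reasons.append("autorun entry pointing into a user Temp directory")
    return reasons

def flag_entries(log_text):
    """Parse HijackThis lines and return (section, path, reason) for suspicious ones."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        p = PATH_RE.search(rest)
        if not p:
            continue
        for reason in suspicious_reasons(section, p.group(1)):
            flagged.append((section, p.group(1), reason))
    return flagged

if __name__ == "__main__":
    for section, path, reason in flag_entries(SAMPLE_LOG):
        print(f"{section}: {path}\n    -> {reason}")
```

Everything else in the posted log (RealPlayer, NeroCheck, Java, Messenger, SmartLink) passes both rules, which matches the entries kemisti left alone.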


     
  5. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Thanks. I will do as you said and report back. Thank you.
     
  6. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Thanks spertti, and special thanks to kemisti. The directions you gave me worked like a charm; the PC is running smoothly. I'm very grateful. Thanks for taking the time to post and helping me out.
     
  7. lauriantu

    lauriantu Guest

    BUT AS A PRECAUTION download ZONE ALARM (the best firewall in all the world)
     
  8. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Advice taken, thanks.
     
  9. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    @mesa101: I still need a fresh HjT log and the contents of c:\smitfiles.txt in order to see the same thing for myself :)
     
  10. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Here is the HJT log:


    Logfile of HijackThis v1.99.1
    Scan saved at 4:02:07 PM, on 3/12/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\hijack this\HijackThis.exe

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


     
  11. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Here is the smitRem log:



    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: Sat 03/11/2006
    The current time is: 8:57:06.23

    Running from
    C:\Documents and Settings\JULIA\Desktop\smitRem

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pre-run SharedTask Export

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"


    [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
    @="C:\WINDOWS\System32\replmap.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~

    Online Security Guide.url
    Online Security Guide.url
    Security Troubleshooting.url
    Security Troubleshooting.url


    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~

    replmap.dll
    1024 dir
    ld****.tmp
    ncompat.tlb
    hp***.tmp


    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1504 'explorer.exe'
    Killing PID 1504 'explorer.exe'

    Starting registry repairs

    Registry repairs complete

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SharedTask Export after registry fix

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Deleting files

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~


    ~~~ Wininet.dll ~~~

    CLEAN! :)

     
  12. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Sorry it takes so long, but I just have my friend's tower, so I have to disconnect all my stuff to make his work, then burn information to discs to get it to my PC. Pain in the buttocks.
     
    Last edited: Mar 12, 2006
  13. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    OK, logs are clean :) Next step is to get antivirus and a firewall!
     
  14. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    I use ZoneAlarm Security Suite on mine. What do you use, kemisti? I used Panda before Zone and had a lot of trouble with freezing and long startups and shutdowns. I will probably use Zone or McAfee on my friend's system. I suggested he get more RAM first; he only has 128 on his (the system you debugged).
     
  15. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    I use NOD32 and Outpost. Those are good and very lightweight.
     
  16. mesa101

    mesa101 Regular member

    Joined:
    Jul 25, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    26
    Both of those look tempting. I may have to check them out. Thanks.
     