Stumped



sk69ersnz
02-04-2010, 10:32 PM
Hey guys, I have a problem with a friend's laptop. I ran Malwarebytes in safe mode and it found 1170 infections, mainly Security Center stuff; now this thing has no antivirus or firewall. In normal mode nothing will run, I mean nothing. Under safe mode I tried to install HijackThis and it came up with this: "The system administrator has set policies to prevent this installation." Avast or any other antivirus will not install either. I don't know what to do next.

Speedy Gonzales
02-04-2010, 10:36 PM
If it's 32-bit, install Trojan Remover in safe mode / networking. Update, then click on scan. Then select all of the options under the utilities menu.

sk69ersnz
02-04-2010, 10:38 PM
Cheers Speedy, I have done that and it found nothing. System Restore is off too.

sk69ersnz
02-04-2010, 10:45 PM
Sorry, need sleep, I will check back in the morning. Cheers.

Speedy Gonzales
02-04-2010, 10:46 PM
Did you tell MBAM to remove whatever it found? If it won't remove them, boot into normal Windows, rename the exe for it, then do another scan.

sk69ersnz
02-04-2010, 11:01 PM
Yes, MBAM removed them all. I got Avast installed after running CCleaner and it has found Win32:Fraudo [Trj]. But still can't install HijackThis. It has now gone into hibernation and killed the Avast boot-time scan, will start again, lol.

sk69ersnz
02-04-2010, 11:05 PM
Laptop does not start now. Little blue light flashes, then nothing.

sk69ersnz
02-04-2010, 11:16 PM
Forget last post.

pctek
03-04-2010, 06:40 AM
When it's that bad sometimes you have to slave the drive to another PC and scan it first that way.
And don't use Avast, use NOD32 or if you really can't, use MS Security Essentials. Avast will miss way too much and it will still be unstable.

As well as MalwareBytes, use Spybot too.

sk69ersnz
03-04-2010, 07:04 AM
I have never taken a laptop apart, so I will try MS and see what happens. Got to turn hibernation off too.

Speedy Gonzales
03-04-2010, 07:07 AM
It's probably under a panel. Turn it off, unscrew the panel and pull it out.

sk69ersnz
03-04-2010, 07:27 AM
I'm back into normal mode, seems to be behaving. I'll let you know what MS finds and try to get a HijackThis log on.

Driftwood
03-04-2010, 07:49 AM
If you are going to install MSSE, uninstall Avast first.

sk69ersnz
03-04-2010, 07:55 AM
Avast uninstalled, MS still installing, lol. This thing has 222 MB of RAM.

sk69ersnz
03-04-2010, 08:20 AM
Scan finished, found a trojan downloader. Now running Windows Update, which was also turned off.

sk69ersnz
03-04-2010, 08:35 AM
HijackThis log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:29:57 a.m., on 3/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\ca9dce055d1f0f23d2b57daec177104f\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 3612 bytes
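A small triage helper for the log format posted above, added here as an example and not code from the thread or from HijackThis itself: it pulls the numbered entries out of an HJT log, extracts the executable behind each O4 Run-key item, and flags start-up items that live in user-writable folders. The folder heuristic is my own assumption, and the sample log is a constructed excerpt with one made-up HKCU entry (example.exe in Temp) to exercise it.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the HijackThis log posted above, plus one
# made-up HKCU Run entry (example.exe in Temp) to exercise the heuristic.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
--
End of file - 3612 bytes
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|cpl))', re.IGNORECASE)
# Assumed heuristic (not an HJT feature): start-up items in user-writable folders are reviewed first.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")

def parse_hjt(text):
    """Return the numbered entries (R0, O2, O4, O23, ...) as (code, body) pairs."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("code"), m.group("body")) for m in matches if m]

def executable_of(command):
    """Pull the program path out of a Run-key command line, quoted or bare."""
    m = EXE_RE.match(command.strip())
    return (m.group("q") or m.group("u")) if m else command.strip()

def autoruns(entries):
    """O4 Run-key entries as (hive, name, executable)."""
    out = []
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if m:
            out.append((m.group("hive"), m.group("name"), executable_of(m.group("cmd"))))
    return out

def triage(text):
    """Section counts, parsed autoruns, and the autorun paths worth reviewing first."""
    entries = parse_hjt(text)
    runs = autoruns(entries)
    review = [exe for _, _, exe in runs if any(k in exe.lower() for k in USER_WRITABLE)]
    return {"counts": dict(Counter(c for c, _ in entries)), "autoruns": runs, "review": review}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```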

Speedy Gonzales
03-04-2010, 09:14 AM
I would update to IE 7 or 8 and update to SP3. Both IE 6 and SP2 will soon no longer be supported (July this year for SP2, anyway).

sk69ersnz
03-04-2010, 09:22 AM
I would, Speedy, but there is 1.9 GB of free space; I've cleared a lot of stuff off it already. I'm gonna tell him to upgrade soon as; all he wanted was the internet back, unless you can think of something else to delete.

Driftwood
03-04-2010, 09:38 AM
What size is the Hard drive?

Speedy Gonzales
03-04-2010, 09:40 AM
Use ccleaner to remove the temp files etc. It may give them some more space

sk69ersnz
03-04-2010, 09:52 AM
Hard drive is 35 GB, have run CCleaner.

sk69ersnz
03-04-2010, 10:01 AM
Need to do chores, doing a defrag, will check back later, thanks.

sk69ersnz
04-04-2010, 09:59 AM
Big thanks to everyone who helped me through this painful process. I gave it back to my mate; I managed to convince him to buy something a bit more modern, as this thing is far too slow and no good for his work. Cheers.