
Thread: need a little help

  1. #1
    Senior Member
    Join Date
    Sep 2005
    Posts
    332

    need a little help

    OK, normally I would try and do this on my own, but everything keeps shutting down/crashing too often to get any good results.

    A roommate thinks there is a 'shell' being loaded on startup on my PC. My desktop icons regularly flash and refresh. Explorer won't stay open. HouseCall won't run. None of my AV/malware detectors stay open long enough to finish a scan.

    Running XP Pro SP2, fully updated.

    When I look at my system performance my CPU is always at 100% and my pagefile is over 500 MB.

    My pagefile settings are max and min set at 256 MB.

    Also on startup there is something, not sure if bad or not, I just don't recognize it, called geols31.exe running.

    I wish I could give more info, but nothing wants to stay open or run, as I said, even in Safe Mode as admin.

    If anyone can point me in the right direction to get more info for you guys, please tell me what to do.
    "He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
    Benjamin Franklin

  2. #2
    Senior Member
    Join Date
    Sep 2005
    Posts
    332
    OK, as soon as I posted this I actually got Ewido to run a scan. This is what it says it was able to clean from backup. Not sure if the backups it used are corrupt or not, so maybe this will help.

    All of these were found in C:\system volume information\_restore ...

    Backdoor.PPdoor.bc - found multiple times in that directory
    Adware.Virtumonde - ditto
    Downloader.CWS.cs - only one instance found
    Trojane.iespy - only one found
    Trojan.Agent.fd - again only one

    The ones listed below were found in my \windows\system32 directory:
    Adware.Virtumonde - again multiple times
    Backdoor.PPdoor.al - only one found with the .al
    Backdoor.PPdoor.bc - multiple found with the .bc

    Didn't realize I could export Ewido scan results as a text file; doing so now.
    "He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
    Benjamin Franklin

  3. #3
    The ******* Shadow dalek
    Join Date
    Sep 2005
    Posts
    1,564
    Yeah

    I would say you need to disable your System Restore (How-to Info), then go back into Safe Mode, run your scans again and clean them out, then reboot into normal mode; this should flush your old System Restore points.

    Most of these System Restore points are created by the user downloading and installing programs, so when malware is downloaded via a browser hijack, it becomes part of the System Restore point, and each time you boot up it can be reactivated, or if you try to do a System Restore to an earlier date.

    Do a couple of online scans in Safe Mode with networking from Trend Micro and Panda...also you may want to get Stinger from McAfee...
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  4. #4
    Senior Member
    Join Date
    Mar 2005
    Posts
    400
    Your solution lies in buying a USB external enclosure for your hard drive.
    Remove the hard drive, set the drive jumpers as Master, put the drive in the enclosure, and plug the USB enclosure into a known UNINFECTED system. You should be able to access the drive as another drive letter now, say as D: or E:

    Now run a checkdisk. If time permits, I would run a surface scan in conjunction with the checkdisk.

    Then perform your antivirus scans and spyware scans on the drive.

    On the external drive only, remove the following files/folders:

    1) Pagefile.sys
    2) Remove all files from \windows\prefetch
    3) Remove all files/folders from \documents and settings\username\local settings\temp
    4) Remove all files and folders from \documents and settings\username\local settings\temporary internet files\content.IE5
    5) Remove the file C:\Documents and Settings\PCPro\Local Settings\Application Data\IconCache.db

    After you've done all that, take the drive out, reinsert it in the computer and reboot to Safe Mode by pressing F8 repeatedly (once a second) until you get a menu. Choose Safe Mode with Networking. Don't press the F5 key as that is NOT what I want.

    While booting you will eventually see some graphic page (not the desktop yet), either saying "Loading Safe Mode" or "Windows XP" or whatever. As long as you see some sort of graphic page (ANY graphic page), hold down the Shift key until the desktop is fully loaded. Doing this prevents certain programs from autoloading on bootup.

    While in SafeMode, are things working somewhat?

    If so, shutdown normally and bootup to Standard mode, but again, press and hold the shift key until the desktop is fully loaded.

    Is it working?

    If so, get on the internet and download a program called "CodeStuff Starter". It's FREE and will allow you to uncheck those programs you don't want loading on startup. It's better than most of its competitors.

    [Edit: Since I posted this, some other posts intervened saying Remove your restore points. I can agree with that too.]
    ZT3000
    Beta tester of "0"s and "1"s
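The file clean-up in post #4, written up as an added example (not code from any poster) as a batch script to run from the clean host against the slaved drive. It generalizes the steps to every profile under \documents and settings rather than one username; the DRIVE_LETTER argument and the refusal to run against the host's own %SystemDrive% are my assumptions, not part of the post.

```batch
@echo off
rem Added example: clear the files listed in post #4 on a slaved drive.
rem Usage: cleanslaved.cmd E:   (E: = the letter the infected disk got)
setlocal enabledelayedexpansion
if "%~1"=="" (
  echo usage: %~nx0 DRIVE_LETTER   ^(e.g. E:^)
  exit /b 1
)
set "TARGET=%~1"
rem Guard (my addition): the post says "on the external drive only",
rem so never run this against the clean host's own system drive.
if /i "%TARGET%"=="%SystemDrive%" (
  echo refusing to touch the system drive %SystemDrive%
  exit /b 1
)
if not exist "%TARGET%\windows\system32\" (
  echo %TARGET% does not look like a Windows installation
  exit /b 1
)
rem 1) pagefile.sys is hidden+system, so strip the attributes before del
attrib -s -h -r "%TARGET%\pagefile.sys" 2>nul
del /q "%TARGET%\pagefile.sys" 2>nul
rem 2) everything in \windows\prefetch
del /q "%TARGET%\windows\prefetch\*" 2>nul
rem 3)-5) per-profile temp, IE cache (content.IE5) and IconCache.db,
rem repeated for every profile instead of a single username
for /d %%P in ("%TARGET%\documents and settings\*") do (
  set "LS=%%~P\local settings"
  rd /s /q "!LS!\temp" 2>nul
  md "!LS!\temp" 2>nul
  rd /s /q "!LS!\temporary internet files\content.ie5" 2>nul
  attrib -s -h -r "!LS!\application data\iconcache.db" 2>nul
  del /q "!LS!\application data\iconcache.db" 2>nul
)
echo done: now run the AV/spyware scans against %TARGET% before reinstalling the drive
endlocal
```

Run chkdsk on the slaved drive first, as the post says, since rd/del on a damaged file system can fail silently behind the 2>nul redirects.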

  5. #5
    If you can't slave the drive to clean it for some reason, maybe look at BartPE (http://www.nu2.nu/pebuilder/). You can run Windows-based anti-malware stuff from it. Just DL the creator and add the modules that you want. You can make your own modules quite easily for it. I believe it already has Ad-Aware modules (although you will need to update defs). Only downside to this is that you need a PC to burn the .iso on.

    Edit: Forgot to mention, a nice little scanner that I quite like is Sysclean from Trend Micro (http://www.trendmicro.com/download/dcs.asp)
    If everything looks perfect, then there is something you don't know

  6. #6
    AO's Resident Redneck The Texan
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    See if you can run a HijackThis scan... and do as suggested above and get into Safe Mode to run your other AV/spyware scans.
    Git R Dun - Ty
    A tribe is wanted

  7. #7
    Dissident 4dm1n brokencrow
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    That Backdoor.PPdoor chit's nasty. Gonna be tough getting that out.

    http://forums.spywareinfo.com/index.php?showtopic=72965

    Symantec's got a VirtuMonde removal tool.

    http://www.symantec.com/avcenter/ven...irtumonde.html

    Sounds like you've been using Internet Explorer. That's how this stuff's gettin' in. FWIW.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #8
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by brokencrow
    Sounds like you've been using Internet Explorer. That's how this stuff's gettin' in. FWIW.
    You mean a poorly configured Internet Explorer. Firefox has also had more than its share of security vulnerabilities. There just aren't many working exploits because the user base is still smallish.

    Run your browser under a different user account that only has read/write permissions to the cache folder and read permissions to the browser's home directory. If you need to save files, create a special folder that the user can only read/write to. Deny "Login over Network" for this user account under the Local Group Policy Settings.

    - X
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  9. #9
    Dissident 4dm1n brokencrow
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    No, I meant what I said. Internet Explorer, poorly configured or not.

    Firefox has also had more than its share of security vulnerabilities. There just aren't many working exploits because the user base is still smallish.
    All software has its vulnerabilities, including Firefox. It's the vulnerabilities it doesn't have, ActiveX and embedding, that make it much safer. Of course, you can download the ActiveX plug-in for Firefox, but I don't reco' it. And there's no doing away with Explorer's kernel status. Hack IE and you can get into the kernel. Hack Firefox and where are you?

    Just curious, anybody have a browser hijack for Firefox yet?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  10. #10
    Junior Member
    Join Date
    Apr 2006
    Posts
    22
    I notice he still hasn't responded to this post to say how he's doing.

    Well, since he's running XP, if you haven't been able to do your scans yet, or don't have another computer as most of these suggestions require:

    Reboot in Safe Mode, through F8. Next, I believe you can clear your restore points here, which is:
    right click My Computer > Properties > System Restore tab. Turn off System Restore on all drives (if you have more than 1 you often have to do it on each).

    Next go to Start > Run
    type in MSCONFIG
    go to the Startup tab and disable anything that looks suspicious (if you're unsure you can always come back and fix this, unlike HijackThis's run list)
    Run a few of your utilities, reboot in normal mode, run them again.

    This will allow you to at least have some usability of your computer and you should be able to do your diagnostics.

    Post a HijackThis scan if you're unsure of what to disable; also, if you're unsure of any of the utilities starting up under MSCONFIG, enter those as well.

    (Yes, I know there are better utilities than MSCONFIG, but how often can you get to them without already having them or having an internet connection that actually RUNS?)

    Galiath
