  1. #1
    Member Priam's Avatar

    Diagnosing and cleaning a non-networkable computer

    The title more or less covers it. I have a Toshiba Satellite laptop PC that's a few years old, running Win XP Home, that I use exclusively for my captioning work. The only things it encounters are another similar computer and my flash RAM stick. It's not the kind of thing I'm permitted to connect much of anywhere else, for reasons largely involving the confidential nature of my work. (I've connected it via hardline to the internet at large on one or two occasions to update when a new Service Pack came out, but that's it.)

    Somehow, something seems to have gotten into this computer, because when I took my flash RAM stick to a computer that I can use the internet with, my antivirus said "Hey, there's a problem."

    Without an internet connection or a CD-version purchase of some antivirus, I'm not completely sure how to go about diagnosing and treating this apparent infection. I'm a poor college student and nonprofit-organization worker, so I use MS Security Essentials and Spybot S&D, both of which rely pretty heavily on being connected to the internet for updates.

    Any good solutions for this situation?
    "It's everywhere, in the headlines in the newspapers, in the blurry images on television. It is a secret you have yet to grasp, but the first syllable has been spoken in a dream you cannot quite recall." ---Unknown Armies

  2. #2
    Member abseh1's Avatar

    Scan the stick on the Internet computer

    Pull the non Internet HDD and slave it to the Internet computer and scan it for malware and replace it
    SIGNATURE...When I post info I assume you have already read this link
    How to Start Removing Viruses and Spyware from your Computer

  3. #3
    Member Priam's Avatar

    Bit of a hard sell on a laptop drive. Something simpler, less invasive?

  4. #4
    Member Spyware Fighter

    Please download Combofix to your infected USB stick and then plug it into your non internet HDD then transfer Combofix to your desktop and follow the instructions for running Combofix.

    Install Recovery Console and Run ComboFix

    This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

    Download Combofix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
    • Close any open windows, including this one.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you did not have it installed, you will see the prompt below. Choose YES.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running.
    ComboFix will restart your computer if malware is found; allow it to do so.


    Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-






  6. #5
    Member Spyware Fighter

    Hello.

    Are you still there?

    If you are please follow the instructions in my previous post.

    If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

    Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

    Thanks for understanding

    With Regards,
    fireman4it


  8. #6
    Member Priam's Avatar

    Sorry, yeah. Proceeding with the process now. I try not to use this computer any more than I have to, partly because it's old and partly because it's unpleasant. I'll post results tonight.

  9. #7
    Member Priam's Avatar

    Hm. Well, this is probably not good.

    I couldn't install the Recovery Thing--no internet access--and the thing is occupied with the AutoScan program, and has been on the "scanning for infected files, this typically doesn't take more than 10 minutes, maybe double that if it's really bad" bit for some three hours. Granted the computer's pretty old, it's a Toshiba Satellite M35X-S171ST, so it's expected that it take longer than on a new system, but this seems a bit excessive. Any advice?

    update: But! But it is still doing things, apparently. Task manager reports that a grep.3xe, which is presumably the scanner program, is using and redistributing memory for usage. The page file is getting properly massive at 490 MB. Maybe I just have to let it process overnight. More news as I figure it out.

    Update again: Wow, so sometime between the twelve-hour and sixteen-hour mark, the thing finally finished. Here's the log:

    ComboFix 13-01-15.02 - Admin 01/16/2013 10:26:39.1.1 - x86
    Running from: E:\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-16 to 2013-01-16 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-18 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-18 118784]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    C-Print Pro Server 2.6.2.lnk - c:\program files\NTID\C-Print Pro Server 2.6.2\C-Print Pro Server.exe [2009-9-25 109056]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\NTID\\C-Print Pro Server 2.6.2\\C-Print Pro Server.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4580:TCP"= 4580:TCP:krywr
    .
    S2 yoxzcksxn;System Monitor;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    yoxzcksxn
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-AGRSMMSG - AGRSMMSG.exe
    MSConfigStartUp-guegae - c:\documents and settings\Admin\guegae.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2013-01-16 10:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yoxzcksxn]
    "ServiceDll"="c:\windows\system32\aunmqzc.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(204)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    .
    Completion time: 2013-01-16 10:36:39
    ComboFix-quarantined-files.txt 2013-01-16 15:36
    .
    Pre-Run: 35,315,884,032 bytes free
    Post-Run: 35,276,689,408 bytes free
    .
    - - End Of File - - 7CDBB74EA5ED8E8702CF70A34BBC3B50
    Last edited by Priam; 01-16-2013 at 11:38 AM.

  10. #8
    Member Spyware Fighter

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Jotti

    When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    c:\windows\system32\aunmqzc.dll

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
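
Added example, not part of any post in this thread: one way to pull the file named in post #8 out of the ComboFix log in post #7, by pairing each svchost-hosted service line with the `ServiceDll` value under its Services key and listing the ports under `GloballyOpenPorts`. The regular expressions assume the layout seen in this one log, and `triage` is a hypothetical helper name.

```python
import re

# Excerpt copied from the ComboFix log in post #7, embedded so this runs offline.
LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4580:TCP"= 4580:TCP:krywr
.
S2 yoxzcksxn;System Monitor;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
yoxzcksxn
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yoxzcksxn]
"ServiceDll"="c:\windows\system32\aunmqzc.dll"
"""

# Patterns assume the layout seen in this one log; triage() is a hypothetical helper.
SERVICE = re.compile(r"^[SR]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[", re.M)
SVC_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\\]+)\]\s*\n"
                     r'"ServiceDll"="(?P<dll>[^"]+)"', re.M | re.I)
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\S*:(?P<label>\S*)$', re.M)

def triage(log):
    """Pair svchost-hosted services with their ServiceDll and list opened firewall ports."""
    dlls = {m["name"].lower(): m["dll"] for m in SVC_KEY.finditer(log)}
    findings = []
    for m in SERVICE.finditer(log):
        image = m["image"].lower()
        if "svchost.exe" not in image:
            continue  # a shared-host service runs its real code from the ServiceDll
        findings.append({
            "service": m["name"],
            "display": m["display"],
            "group": image.split("-k")[-1].strip() if "-k" in image else None,
            "service_dll": dlls.get(m["name"].lower()),  # the file to copy out and scan
        })
    ports = [(int(m["port"]), m["proto"], m["label"]) for m in OPEN_PORT.finditer(log)]
    return findings, ports

if __name__ == "__main__":
    services, open_ports = triage(LOG)
    print(services)
    print(open_ports)
```

The service line itself only shows `svchost.exe`, which is a legitimate Windows binary; the DLL path from the Services key is what identifies the file worth submitting to a scanner.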


  12. #9
    Member Priam's Avatar

    No internet on that computer. Should I copy the aunmqzc.dll into an empty directory on my flash stick and scan it that way, or will that remove it from the necessary environment?

  13. #10
    Member Spyware Fighter

    Quote (Priam): "No internet on that computer. Should I copy the aunmqzc.dll into an empty directory on my flash stick and scan it that way, or will that remove it from the necessary environment?"
    Yes that would be great. I want to see if that file is bad.