
Malware type unknown from downloaded email and internet browsing


#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
The only malware Avast found was:
File C:\Documents and Settings\Admin\My Documents\BaCk from the\Documents and Settings\Adm\My Documents\Favorites\CORN\Field Crops Farm Farmer Supply Resources.url is infected by INI:Shortcut-inf [Trj], Moved to chest

The site you got it from may be infected.

The others are just corrupt possibly from a bad download. I usually just remove the whole file which is the bold path before the "|" or you can just ignore them.

Example:

File C:\Documents and Settings\Admin\Desktop\mbam-setup.com|>{commonappdata}\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref Error 42145 {Installer archive is corrupted.}

Your hard drive may be getting a bit old. Speccy reports it takes a long time to get up to speed.

03 Spin-Up Time 099 (093) Data 0000000989

Just a warning right now, but it could mean the motor is getting tired, so make sure you have saved anything important to a CD or DVD or external drive, or send it to yourself as an email attachment if you have Gmail or other web-based email.

7-Zip probably saved the file as a .7z, which won't work on the forum. It has to be .zip. The txt file may not have really been txt but something like autorun.txt.arn. Windows hides the extension, so if you can't see it then you can't change it. OTL usually unhides things, but if not: Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button

It could also just be too big. There is a limit to the size. I have sent you a PM with my email address so you can send it to me as an attachment.

The best way to stop Avast is to right click on the orange ball and select Avast Shields Control then tell it Disable for however long you want then it will ask you if you really meant it and you have to say yes.

Some people object to the voice notification of updates. To turn it off, click on the Avast ball, then on Settings, then on Appearance. Then on Sounds, uncheck Automatic Updates and click OK. (It will still update; it just won't tell you about it in a loud voice in the middle of the night.)

They have also started using their info popup to try and get you to upgrade so I go into Settings, Appearance, Popups and change the first two to 1 second.

If you haven't registered already, then right click on the orange ball and select Registration Information and click on the link. (They just want your name and email address.) The registration is good for 12-14 months, then you will need to register again. They will, of course, try to talk you into buying the product, but you can always register again for another year free, though it may not be the default.


Might as well run Process Explorer again and let's see if we see anything.
  • 0

#17
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

Thank you for responding.

Updates...

We should have double checked the file extension on the zip file. You were indeed correct. The file was saved as a .7z, not .zip. Glad you were able to provide us direction on how to correct that extension and change the settings.
For comparison, we uploaded two files - both Autoruns...one is from yesterday and the other is from today.

Note that Avast has been enabled and changed to your specified settings.

Attached File  AutoRuns 1-6-14.zip   45.22KB   99 downloads

Attached File  AutoRuns 1-7-14.zip   46.86KB   111 downloads

==============

We ran another Process Explorer and pasted it below.

==============

"Your hard drive may be getting a bit old. Speccy reports it takes a long time to get up to speed.

03 Spin-Up Time 099 (093) Data 0000000989"


That does not sound so good. Although, we can at least back up our files. What program do you suggest for backing up files? We have an external hard drive for these such things.

How does one decipher the above code to know it is not working correctly?

---------

Should we uninstall and re-install a fresh copy of Malwarebytes?

-----------

Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
System Idle Process 95.00 0 K 16 K 0
procexp.exe 5.00 17,048 K 6,616 K 2828 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
Interrupts < 0.01 0 K 0 K n/a Hardware Interrupts and DPCs
System 0 K 32 K 4
csrss.exe 1,632 K 724 K 484 Client Server Runtime Process Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
wscntfy.exe 556 K 36 K 904 Windows Security Center Notification App Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 6,488 K 340 K 508 Windows NT Logon Application Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
waol.exe 30,176 K 2,792 K 2164 AOL Software AOL Inc. (Verified) AOL Inc.
svchost.exe 13,044 K 2,220 K 844 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 3,016 K 384 K 736 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,788 K 564 K 784 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,308 K 80 K 932 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,560 K 76 K 960 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 1,316 K 52 K 1212 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 5,440 K 36 K 2032 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
spoolsv.exe 3,164 K 40 K 1140 Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows Component Publisher
smss.exe 172 K 40 K 436 Windows NT Session Manager Microsoft Corporation (Verified) Microsoft Windows Component Publisher
shellmon.exe 584 K 424 K 2576 waolmon AOL Inc. (Verified) AOL Inc.
services.exe 1,740 K 532 K 552 Services and Controller app Microsoft Corporation (Verified) Microsoft Windows Component Publisher
pctspk.exe 820 K 44 K 1292 PCTSPK.EXE PCtel, Inc. (Verified) Microsoft Windows Component Publisher
nvsvc32.exe 1,916 K 36 K 1276 NVIDIA Driver Helper Service, Version 71.84 NVIDIA Corporation (No signature was present in the subject) NVIDIA Corporation
notepad.exe 1,076 K 412 K 3740 (No signature was present in the subject)
lsass.exe 3,724 K 360 K 564 LSA Shell (Export Version) Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
firefox.exe 110,668 K 58,048 K 3444 Firefox Mozilla Corporation (Verified) Mozilla Corporation
explorer.exe 21,760 K 5,568 K 1624 Windows Explorer Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
ctfmon.exe 952 K 1,032 K 2124 CTF Loader Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
AvastSvc.exe 24,788 K 1,144 K 1028 avast! Service AVAST Software (Verified) AVAST Software a.s.
aoltpsd3.exe 1,924 K 864 K 3216 AOL TopSpeed AOL Inc. (Verified) AOL Inc.
aolsoftware.exe 6,388 K 2,864 K 2080 AOL AOL Inc. (Verified) AOL Inc.
AOLacsd.exe 6,124 K 1,140 K 2420 AOL Connectivity Service AOL LLC (Verified) AOL LLC
alg.exe 1,176 K 64 K 1512 Application Layer Gateway Service Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

=======

Thank you for helping us. We will look for your next direction.
  • 0
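The Process Explorer listing pasted above is what a helper has to read to judge whether a box looks clean. As an added example (not part of the thread, and not a Sysinternals tool), the following Python parses that copied layout, picks the Verified Signer status out of each row and sorts the real processes into signed, unsigned and pseudo-process groups so the unsigned ones can be reviewed first. The sample rows are constructed to mirror the layout shown in the post; the field names and the "none" status for pseudo-processes are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout Process Explorer produces when its view is
# copied to the clipboard: columns run together, separated by single spaces.
SAMPLE = """\
Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
System Idle Process 95.00 0 K 16 K 0
procexp.exe 5.00 17,048 K 6,616 K 2828 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
Interrupts < 0.01 0 K 0 K n/a Hardware Interrupts and DPCs
csrss.exe 1,632 K 724 K 484 Client Server Runtime Process Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 13,044 K 2,220 K 844 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
notepad.exe 1,076 K 412 K 3740 (No signature was present in the subject)
"""

# Leading fixed columns: name, optional CPU, two "N K" memory columns, PID.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?:(?P<cpu>< 0\.01|\d+\.\d+)\s+)?"
    r"(?P<priv>[\d,]+) K\s+(?P<ws>[\d,]+) K\s+(?P<pid>\d+|n/a)(?:\s+(?P<rest>.*))?$"
)
# The Verified Signer column starts with a parenthesised status; the signer follows it.
SIG_RE = re.compile(r"\((?P<status>Verified|No signature was present in the subject)\)\s*(?P<signer>.*)$")

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one pasted row into fields; return None for the header or unparsable rows."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest") or ""
    sig = SIG_RE.search(rest)
    return {
        "name": m.group("name"),
        "pid": m.group("pid"),
        "private_kb": int(m.group("priv").replace(",", "")),
        "working_set_kb": int(m.group("ws").replace(",", "")),
        # Description and Company Name cannot be split reliably; keep them together.
        "desc_company": rest[: sig.start()].strip() if sig else rest.strip(),
        "signature": "verified" if sig and sig.group("status") == "Verified"
                     else "unsigned" if sig else "none",  # "none": pseudo-processes like System
        "signer": sig.group("signer").strip() if sig else "",
    }

def parse_listing(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def review_queue(records: List[Dict[str, object]]) -> List[str]:
    """Names of real processes whose image carries no verified Authenticode signature.
    This only orders what to look at first; it is not a malware verdict."""
    return [str(r["name"]) for r in records if r["signature"] == "unsigned"]

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(f'{r["name"]:<22} pid={r["pid"]:<5} {r["signature"]:<9} {r["signer"]}')
    print("review first:", review_queue(recs))
```

On the thread's full listing the same parser would queue the rows marked "No signature was present in the subject"; as the expert's reply shows, an unsigned row still has to be judged by path and vendor rather than treated as an automatic finding.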

#18
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Run Autoruns again and uncheck the items marked in yellow in the Everything list.

Also uncheck the navlogon.dll entry near the bottom of the Everything list. This is a remnant from Norton/Symantec.

Close Autoruns and reboot.

Process Explorer is looking OK right now. How is the PC running after a reboot?

Spinup time is normally 0 or 1. Yours is showing a much higher number in the Data section.
  • 1

#19
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

We unchecked the items you listed with autoruns. We will run the system tomorrow and see how it is working and report back to you.

Any recommendation on a backup program?

Thank you for taking the time to assist us.

Edited by jdnz, 08 January 2014 - 08:19 PM.

  • 0

#20
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
See:

http://www.techradar...commend-1137924

(Site seems to be broken in Chrome but works OK in IE)

I actually use two drives. One is a clone of the current drive which I keep offline and reclone every 6 months or so. The other just backs up files on a day to day basis using the software that came with it.

It is important not only that you back up but that you are able to retrieve the files. I had a friend bring me a dead laptop with a backup drive, but all of the files were backed up incrementally with serially numbered names and were .zips. A real pain to go through and find the files that were wanted. It is also important to be able to boot if Windows can't. Normally with most PCs you are allowed to make a DVD of the original config so you can restore it to factory. This is OK if you have your files backed up, but you will need to reinstall all programs and probably 150 MS updates. Better is to have a boot disk ready and know how to use it.
  • 0

#21
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

We seem to be making progress, very good progress.

After using the system for the last couple of days I think we may need to tweak a few things.

We noticed in 'msconfig' under the 'startup tab' an item is listed as:

HKLM:Run KernelFaultCheck %systemroot%\system32\dumprep 0 -k

'KernelFaultCheck' looks to be a new item listed. What should we do with it?

------

Is there any way to stop the AvastSvc.exe file from loading/running? We tried through 'Task Manager' and 'AutoRuns' to end process, but keep receiving the message: "Unable to Terminate Process: The operation could not be completed. Access is denied."

**We wanted to see how the computer runs without the A/V program running in the background.** It may also be slowing down the system a bit, but not certain as of yet.

------

We cycled through browsers and with Mozilla Firefox the following message appears: "Warning: Unresponsive Script" - A script on this page may be busy, or it may have stopped responding. You can stop the script right now, or you can continue to see if the script will complete."

How does one correct this 'script issue?' This has happened on nearly all sites.
------

We are reviewing the link for the backup programs you provided us. (Loads in Firefox.) They all look to be very useful. Thank you for the site link. Do you have any preference?

-----

How do we..."create a DVD of the original config so we can restore it to factory..." if needed at a later date?

AND

How do we..."create a boot disk...?"

****Your friend should be oh so very thankful (as are we) to have you help us both.****

We will look for your next direction.

Thank you.
  • 0

#22
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

'KernelFaultCheck' looks to be a new item listed. What should we do with it?


Just ignore it.

Is there any way to stop the AvastSvc.exe file from loading/running?


Right click on the Avast Ball and select Avast! Shields Control and select Disable Permanently then tell it Yes. The only other way is to just uninstall it.

We cycled through browsers and with Mozilla Firefox the following message appears: "Warning: Unresponsive Script" - A script on this page may be busy, or it may have stopped responding. You can stop the script right now, or you can continue to see if the script will complete."

How does one correct this 'script issue?' This has happened on nearly all sites.


Try Firefox in Safe Mode:

https://support.mozi...using-safe-mode

Do you still get the timeouts? It's probably one of the add-ons causing the problem. I have been getting the same thing in Firefox and IE on gmail so have started using Chrome for gmail.

How do we..."create a DVD of the original config so we can restore it to factory..." if needed at a later date?


This varies with the PC Maker. What make and model is this?

How do we..."create a boot disk...?"


I'm not sure on an XP. See if it's the same procedure as for Win 7.

http://windows.micro...tem-repair-disc

I usually use Hiren's Boot Disk for XP problems
http://www.hirensbootcd.org/download/
This is a BIG zip file, so save it. Then right click on it and Extract all. Put a blank CD in the drive and then double click on BurnToCD.cmd. When it finishes, you boot off it and run the MiniXP program. This will give you a fake XP desktop.
  • 0

#23
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

We are sorry for the delay, we will be back in touch in the next day or so with updates.

Thank you for understanding.
  • 0

#24
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

We are working through the Firefox steps to see if an add-on is causing the problem. Simply going back and forth through normal and safe mode diagnosis (as per the directions). We do not have many add-ons to begin with, so maybe a reset would be the best? We should also mention that a few add-ons were Java related, which Firefox seemed to disable anyway. Is there something we can run to make certain all Java-based items are uninstalled and/or not causing problems? At the moment, we are in safe mode; however, the issue continues to arise from time to time. We will wait until we hear from you.

We are also reviewing the directions for the Windows XP boot disk as a safeguard.

Thank you for your help.
  • 0

#25
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

We are sorry for the delay. We were working on running Firefox without some of the add-ons disabled and have decided to complete the 'reset' option to see how that is working out. We do not have many customizations so we think it should be alright.

We thank you so much for your assistance and will check back with you in the near future with any update.

Should we also post in the XP Forum to ask about how to create a backup of our XP operating system in case we need to change the drive?

Thank you.

Edited by jdnz, 25 January 2014 - 10:42 AM.

  • 0
