
About sdiggory

  1. I have successfully reformatted my hard drive and re-installed Windows XP on my infected laptop. It wasn't too painful, and now that I have done it, it won't be so intimidating if I have to do it in the future. Hopefully I can keep my system locked down so I am never infected again. Thank you for all your help. Shawn
  2. I'm going to reformat. My wife is tired of me moping around about my laptop. The only challenges I saw in reading the tutorials that you provided was getting all of the drivers and downloading XP SP2 when I can't stay on the Internet with the infected laptop. I get kicked off my router after a few minutes. I guess I could order the SP2 CD from Microsoft, but that will take a while.
  3. Good morning, Phil. I don't know what I did, but now my poor laptop won't stay on the internet, turns off Windows Firewall, and is behaving badly in general. And "ntos.exe" is back in the windows\system32 folder. It was not present when I followed your last batch of instructions. On reboot, I got a message that my virtual memory is too small, that "cmd.exe" won't load, and that Windows Firewall is turned off. When I attempt to turn on the firewall, I get a message that a required service "SharedAccess" is not running, do I want to start it? I click "yes" and it comes back with a
  4. Search found 4 files with "ntos.exe" in the file name. One was "ntos.exe" in the Spybot Search and Destroy recovery folder. One was "ntos.exe" in the SDFix\backups\catchme.zip folder. The other was "ntos.exe.1" in the same SDFix folder, and the last was in Windows\Prefetch called "ntos.exe-1A029211.pf". Are the executables in the Spybot and SDFix folders quarantined? I went ahead and deleted them. I will contact McAfee about the issues with it. I'm concerned that I can't turn on VirusScan, but would the deleted malware have corrupted McAfee and need to be uninstalled and reinstalled anyway?
  5. I followed your instructions, with notes below: 1) all files and folders visible 2) Stopped aawservice. Couldn't stop SrV-AOLv3 or sys_sm-service in services.msc. I did it in Task Manager, then came back to services and disabled 3) checked the first item on your list, but none of the other three were listed 4) c:\windows\system32\ntos.exe was NOT present. I deleted the other files, EXCEPT there were 8 files in the TMP folder that wouldn't delete. They have names like "mcafee_aegawgawjjegpiaweg" 5) Ran ATF Cleaner. Upon restart, McAfee announced that I was not protected becaus
  6. Word Wrap is off now: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:11:04 AM, on 1/3/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe
  7. Followed your instructions. I couldn't delete some of the files in the Temp folder. It said they were in use by another program. Should I go into Safe mode to try to delete them? Also, in HJT, I see that one of the items that you told me to check (F2...\ntos.exe) is still there in the new log file. Are we making progress, or is this just confirmation of your original diagnosis and I have a C:\ re-format in my future? Kaspersky Scanned file: smrs.exe - Infected smrs.exe - infected by Backdoor.Win32.SdBot.aad Scanned file: rsvp.exe - Clean S
  8. SDFix Log and HJT Log follow. Thank you for your efforts. SDFix: Version 1.122 Run by cust on Wed 01/02/2008 at 07:43 AM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: smtpdrv Path: System32\DRIVERS\smtpdrv.sys smtpdrv - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: Trojan Files Found: C:\13.TMP - Deleted C:\3.TMP - Deleted C:\5.TMP - Deleted C:\C.TMP - Deleted C:\E.TMP - Deleted C:\E8.TMP
  9. Happy New Year! Sorry, it was not clear to me how to post without quoting the previous message in its entirety. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:09:35 PM, on 1/1/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\
  10. Aarrgh. That is unfortunate. And I thought that I was running a pretty tight ship here at my house. I would prefer to try to kill these first, as I'm behind a router and firewalled, which should minimize some of the risks. The other issue would be backing up files safely from the laptop before a re-format. I have my XP disk, but I don't relish the thought of rebuilding the laptop from scratch, finding installation keys for downloaded programs, etc. Let's try to get rid of the invaders.
  11. I am having a serious problem with my Dell D600 laptop. It appears that "winlogon.exe" is really a virus that sucks up all of my system resources until the laptop grinds to a halt. In addition, it appears that McAfee has been compromised in some way. I can't run McAfee in Safe Mode. The McAfee Email Proxy agent goes crazy and also grinds the laptop to a halt. I have run Spybot S&D, AdAware, and McAfee. All acknowledge the infection, but none can remove it. Here is my log from HijackThis. Any help you can recommend is appreciated! Shawn =========================================