Need help, virus issue.


mikehende
10-04-2006, 09:09 PM
Could use some help here, guys. A friend of mine just brought over his Compaq Presario 6000, telling me he can't go to the net all of a sudden and he's getting virus messages. I powered up his pc and immediately saw virus warnings. Looking in the System Tray, I am seeing two separate programs called "Spyware Quake" and "System Doctor"; they appear at startup and report "hundreds" of errors and ask you to "register", so they are both trial versions. I have encountered viruses in the past and I usually know when a pc has a virus; this pc does not show any symptoms of having a virus and works smooth and quick.

I don't wish to test the "not going to the net" issue right now in case it should have a virus and it goes on our network. I think I should tackle the virus issue first; my first thought is to uninstall or disable those 2 programs he mentioned above, then run a scan using dedicated virus software, but since I don't want to risk placing this pc on my network I can't get an online scan.

How would you guys start with this please? Thanks.

Fred_Flintstone
10-04-2006, 09:33 PM
If you google "System Doctor" all you seem to get is removal instructions etc., so that doesn't look good. Seems to be adware at best??

"Spyware Quake" is on the list of "Rogue" antispyware programs at:

Spyware Warrior (http://www.spywarewarrior.com/rogue_anti-spyware.htm#products)

Quote from site:
aggressive/deceptive advertising, stealth installs (1, 2); uses inadequate scan/detection scheme;

You really need to try to get a Hijackthis log to post for the guys here to see.

Budfred
10-05-2006, 12:20 AM
Also, please do this:

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

mikehende
10-05-2006, 06:53 AM
I don't wish to place that pc on my network in case it should have a virus and it goes on our network. I am thinking of looking for a way to get a free AV program on a cd so I can load and scan without placing that pc on my network. I will try out the Smitfraudfix afterwards, though. Thanks.

Fred_Flintstone
10-05-2006, 08:17 AM
mikehende wrote:
I don't wish to place that pc on my network in case it should have a virus and it goes on our network. I am thinking of looking for a way to get a free AV program on a cd so I can load and scan without placing that pc on my network. I will try out the Smitfraudfix afterwards, though. Thanks.

You could get Portable ClamWin Antivirus and transfer it via usb pen drive?
Download from here (http://www.clamwin.com/content/view/118/89/).

Same with the SmitfraudFix Budfred suggested above as it's only a 585k download.

Might get you to a place where you are confident enough to connect direct to get the necessary fixes which Budfred will provide.
(He's the expert so I'll leave you in his care)..:D:D

I'll just "Look & Learn"..:p :p

Good luck.

Budfred
10-05-2006, 08:49 AM
I am afraid you will find the AV program will not deal with this, so you will need SmitfraudFix and probably some others to deal with it... Won't hurt to try though... Most of the tools you need initially, SmitfraudFix and HJT primarily, can be transferred on a floppy disk...

mikehende
10-05-2006, 08:54 AM
Don't have floppies anymore Budfred, can't I save the Smitfraud to cd?

Budfred
10-05-2006, 09:00 AM
mikehende wrote:
Don't have floppies anymore Budfred, can't I save the Smitfraud to cd?

You can save it to CD, to a Flash Drive, to an external hard drive, to a DVD or to any other media you can think of, including an IPod... My point was more that they are small enough to fit on a floppy, not that they need to be...

mikehende
10-05-2006, 09:23 AM
Just to be sure I know what I am doing here, should I uninstall those 2 programs [Spyware Quake and System Doctor] first or disable them and then install and run Smitfraud from a cd?

mikehende
10-05-2006, 10:13 AM
Ok, I disabled both softwares and ran the smitfraud; it found a bunch of stuff. Problem is, how can I post its findings here? The only way I see is to put that pc on the net, but should I take the risk of infecting my other pcs on the network?

mikehende
10-05-2006, 11:37 AM
I used smitfraud's option to "clean" what it found and will soon run an online scan to see what I end up with.

Budfred
10-05-2006, 02:51 PM
I would run the SmitfraudFix scan first and then worry about those other 2 since they are unlikely to go peacefully without SmitfraudFix... It appears you proceeded anyway, so I am not sure what the next step needs to be.... You can port the scans for SmitfraudFix with any of the methods mentioned earlier or you can get back online and post them here... Either way, I need to see them and a fresh HJT log to know what to do next...

mikehende
10-05-2006, 06:12 PM
Too many problems guys, downloaded AVG on a cd, loaded and scanned the pc and it reported a Trojan and 45 infected files so I decided to do a recovery.

mikehende
10-05-2006, 08:01 PM
Now this bites. I did the recovery, then ran a scan with AVG, and after 20 minutes it shows 4 infected objects. I stopped the scan there. How is it possible that there can still be viruses after the recovery?

Budfred
10-05-2006, 11:11 PM
What do you mean by "recovery"... If you mean you wiped the drive and started fresh, there are a few ways that you could have been infected again... If you mean you did a System Restore or Repair Install, there is a good chance that you restored and/or strengthened the infections... The trojan that AVG fixed is probably the one we have been going after... If you want help, please post the logs requested and follow directions...

mikehende
10-09-2006, 12:01 PM
Apparently, I had not done a "full" recovery, only a standard. I did the full, ran the scan and now everything's ok, but for future purposes I still have this "posting the log" issue. I don't wish to place an infected pc on my network, so I don't see how I can post a log here. How do you guys do this?

Fruss Tray Ted
10-09-2006, 12:37 PM
That depends on your connection and how the Compaq connects also.

One suggestion, if you are using a router or broadband/cable modem is to disconnect all of your network and only attach the Compaq. Post the log, run scans if needed, remove from network, reattach your own. No risk of infection to your own this way.

Budfred
10-09-2006, 12:42 PM
Well, hopefully you won't need a future reference if you set up good protections and are careful surfing... If you do, the HJT and the log are both small enough to fit easily on a floppy disk, so you simply download HJT on another computer, port it to the infected computer with a floppy (or some other means) and install... Run it and produce the log, then port it back to the computer online and post it... As I said earlier, you can also use a CD, DVD, flashdrive, external harddrive, zip disk, digital camera, IPod or just about any other means of storing and moving data... If you anticipate getting infected again, it might be a good idea to download HJT now and keep it on that computer...

By the way... I don't know what a "standard" or "full" recovery means... If you mean you wiped the drive completely, then you are probably okay... If you mean you did a reinstall over an old install, you may not be clean...

mikehende
10-09-2006, 02:27 PM
Fruss Tray Ted wrote:
One suggestion, if you are using a router or broadband/cable modem is to disconnect all of your network and only attach the Compaq. Post the log, run scans if needed, remove from network, reattach your own. No risk of infection to your own this way.

Good point, yes, but I thought that malware can remain in the line anywhere between the pc and the net's server? Are you saying that malware can only exist IN a pc and not in the cables or router etc.?


Budfred wrote:
so you simply download HJT on another computer, port it to the infected computer with a floppy (or some other means) and install... Run it and produce the log, then port it back to the computer online and post it...


I had asked this very question on another forum just last week: can a virus reside indefinitely on a floppy or cd? The answer I was given was "Yes". What say you to this?

BTW, the pc in question is not mine; I don't get viruses on my pc because I am aware of how to protect my pc for the most part. Also, regarding your question of a "full" recovery: on my friend's pc, XP has 2 options for Recovery, Full and Standard. Standard gives a recovery of system files without reformatting, the opposite with Full.

Fruss Tray Ted
10-09-2006, 02:53 PM
Yes, floppies were one of the first carriers of infections from one pc to another and still are applicable to this date. To do this as Budfred suggests, install from the clean pc to the infected one, then destroy the floppy or format it with a magnet :eek:

The infections cannot be kept on wiring or routers as they contain no memory per se, other than BIOS info on routers and modems for configuration only. The servers you relay through, such as your isp (internet service provider), more than likely use Linux based computers immune to infections, and the likelihood of their ability to transfer them is limited to pass-through such as emails and other transfer means of their service.

mikehende
10-09-2006, 03:13 PM
Fruss Tray Ted wrote:
Yes, floppies were one of the first carriers of infections from one pc to another and still are applicable to this date. To do this as Budfred suggests, install from the clean pc to the infected one, then destroy the floppy or format it with a magnet :eek:

This I don't understand. When I install HJT on an infected pc, I will be sending the log to the floppy on that pc, so how can I prevent that floppy from receiving an infected log file or any other malware?

Fruss Tray Ted
10-09-2006, 03:22 PM
In short, you can't.

This is why I have mentioned how to upload it to here (pcguide) with the infected pc while your network is not involved or connected physically. If the Compaq already has a dial-up account, use that but do not connect any of your networked pc's to it.

It is not likely that the infection would be transferred unless permissions were installed to let the pcs communicate together, but an ounce of prevention goes a long way. So, to be safe:

Use the floppy to go from one of your clean pc's to the infected one with the zip file of HJT or any other program you desire but not in reverse or you risk infecting one of your clean pc's and or the network.

mikehende
10-09-2006, 04:42 PM
So if the infected pc has problems connecting to the net, then you can't do anything to post a log, correct?

Budfred
10-09-2006, 04:49 PM
mikehende wrote:
So if the infected pc has problems connecting to the net, then you can't do anything to post a log, correct?

As has been said many times before, the only way to be 100% safe is to disconnect your computer from the internet, wipe the drive a few times, place it at the center of several tons of concrete and forget about it...

Meanwhile, being realistic, it is extremely unlikely that transferring a HJT log to a floppy and then to your clean PC will infect that clean PC... If you have resident protections set up on that clean PC, it is likely that any infection that might have tried to hitch a ride would be caught... I have worked with lots of people who have had to port the log to another PC and I have yet to hear of a case where the clean PC got infected... Don't make it harder than it needs to be...

mikehende wrote:
BTW, the pc in question is not mine; I don't get viruses on my pc because I am aware of how to protect my pc for the most part. Also, regarding your question of a "full" recovery: on my friend's pc, XP has 2 options for Recovery, Full and Standard. Standard gives a recovery of system files without reformatting, the opposite with Full.

That may be true with a manufacturer's recovery disks; it is not true with the basic Windows XP disk. It is possible to use the WinXP disks to wipe and then reinstall, but that is two procedures, not just one option...

mjc
10-09-2006, 04:57 PM
Another way, use a Linux Live CD...like Knoppix. Boot one of your clean PCs with it and then use the floppy while in Knoppix.

By default, Knoppix will detect and configure your network connection and allow you to get online. Also, by default, there is absolutely NO write access between any of your partitions and Knoppix (if you want to save something to disk while in Knoppix, you need to enable a 'writable' partition). So even if an infected file did transfer to the floppy it couldn't get on your machine, because it can't run under Linux (it would have to be a self executing DOS or Windows file... usually they are 'fixed' system files/dlls that are required by Windows), or even if it could execute, it can't write to 'locked' partitions... it would be extremely UNLIKELY to have Admin privileges in a Linux world.

Of course, we are talking about adware/spyware and fairly modern trojans that seek to steal personal info... not older MS Office macro viruses that were designed to cause maximum mayhem. Nor are we talking about a bootsector virus designed to wipe a hard drive or worse (some versions of CIH/Chernobyl were designed to attempt to flash the BIOS)... most (99.99%) of the stuff you would encounter can't execute on its own, and it would need to be in some kind of executable file. Since the HJT log is a plain text file, not executable...
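As an added example (not code from any poster in this thread), here is a small defender-side check in Python for files ported off the infected PC's removable media before they are opened on a clean PC: it accepts only plain-text files such as the HJT log and refuses anything carrying an executable extension or a DOS/PE or ELF header, recording a SHA-256 of each file for the record. The function names and the sample inputs are my own constructions.

```python
import hashlib

# Magic bytes of executable formats that must never ride back on the transfer medium.
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/Windows executable (PE)",
    b"\x7fELF": "ELF executable",
}
# Extensions Windows will execute on double-click, even when hidden behind ".txt".
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
# Printable ASCII plus tab, LF and CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(data: bytes, min_ratio: float = 0.95) -> bool:
    """True if the payload is plain text: no NUL bytes and almost all printable."""
    if not data or b"\x00" in data:
        return False
    # Bytes >= 0x80 are tolerated because XP-era logs may use an ANSI code page.
    printable = sum(1 for b in data if b in TEXT_BYTES or b >= 0x80)
    return printable / len(data) >= min_ratio


def vet_transferred_file(name: str, data: bytes) -> dict:
    """Decide whether a file from the infected PC's media may be opened on a clean PC."""
    record = {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "accepted": False}
    lowered = name.lower()
    for ext in EXECUTABLE_EXT:
        if lowered.endswith(ext):
            record["reason"] = f"executable extension {ext}"
            return record
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            record["reason"] = f"starts with {kind} header"
            return record
    if not looks_like_text(data):
        record["reason"] = "binary content, not a plain-text log"
        return record
    record["accepted"] = True
    record["reason"] = "plain text"
    return record


# Constructed sample inputs (not real logs or malware), for demonstration only.
SAMPLE_LOG = b"Logfile of HijackThis (constructed sample)\r\nO4 - HKLM\\..\\Run: [example] C:\\example.exe\r\n"
SAMPLE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24   # a constructed PE-style header
SAMPLE_RENAMED = b"MZ" + b"\x90" * 16                        # executable bytes under a .txt name

if __name__ == "__main__":
    for fname, blob in [("hijackthis.log", SAMPLE_LOG), ("report.txt.exe", SAMPLE_EXE), ("notes.txt", SAMPLE_RENAMED)]:
        print(vet_transferred_file(fname, blob))
```

Only the log text itself is accepted; the disguised executable is rejected on its header even though its name ends in .txt, which is the case the thread's "plain text cannot execute" argument relies on.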

mikehende
10-09-2006, 05:15 PM
Budfred wrote:
Meanwhile, being realistic, it is extremely unlikely that transferring a HJT log to a floppy and then to your clean PC will infect that clean PC... If you have resident protections set up on that clean PC, it is likely that any infection that might have tried to hitch a ride would be caught...

This makes sense now when I think of it. If there are infections on the floppy, then the clean pc's AV software should detect it. Ok, thanks.


Budfred wrote:
That may be true with a manufacturer's recovery disks; it is not true with the basic Windows XP disk.

In this case, there aren't any disks at all involved; his pc has the recovery options at bootup. I didn't have to place any disk into the cd-rom, everything is done from within the pc. It was really a very nice feature to have; I don't understand why most pcs don't have this?

@mjc
thanks for the alternative, will keep it on file!

Budfred
10-09-2006, 08:20 PM
mikehende wrote:
In this case, there aren't any disks at all involved; his pc has the recovery options at bootup. I didn't have to place any disk into the cd-rom, everything is done from within the pc. It was really a very nice feature to have; I don't understand why most pcs don't have this?

Because if the computer is badly infected, that partition will also be badly infected and you will need to truly wipe the drive to kill it... Once you have done that, you won't have Windows unless you order disks (at your expense) from the manufacturer... I HATE it when computers have that partition and consider that to be sufficient...

You usually have the option to make your own restore disks from those partitions... Assuming that it hasn't already been contaminated, I suggest doing that now so your friend has a backup if needed in the future...

Also, you can set up your own partition to install Windows with older versions, I am not sure that is still true with XP due to the anti-piracy features...