
computer help??

tony_important Registered User regular
edited June 2009 in Help / Advice Forum
Damn, I am so bad at this, but I have no idea what the hell is going on.

I am trying to help my cousin bring his computer back from death by virus, and when I open up the list of running processes, I see "cmd.exe" running 19 times. Any idea why this is? 'services.exe' is also open a bunch as well.

I was going to reformat, but without a windows install disc, I'm unable to do so.

If it's any help, I've run virus scan about 9 times and went from some 400 nasty objects to 1 or 2.

Any advice, even if it's general, would be welcome!


Posts

  • urahonky Cynical Old Man Registered User regular
    edited June 2009
    First things first: What Operating System, and what virus scan did you use?

    Make sure to run your virus scan in Safe Mode (Press F8 when the computer is booting... Normally I say just mash the F8 button until you get the prompt). Make sure you run an anti-spyware as well (Google search Super Anti-Spyware, great program) in safe mode.

    e: Also, if you go to Start-> Run, and type "msconfig" then go to the startup tab and uncheck everything, that helps a little.

  • tony_important Registered User regular
    edited June 2009
    urahonky wrote: »
    First things first: What Operating System, and what virus scan did you use?

    Make sure to run your virus scan in Safe Mode (Press F8 when the computer is booting... Normally I say just mash the F8 button until you get the prompt). Make sure you run an anti-spyware as well (Google search Super Anti-Spyware, great program) in safe mode.

    e: Also, if you go to Start-> Run, and type "msconfig" then go to the startup tab and uncheck everything, that helps a little.

    sorry, forgot the important stuff.

    running xp, SP3
    mcafee
    downloaded ad-aware and updated it

    I'm going to try the msconfig, I completely forgot about that.

  • tony_important Registered User regular
    edited June 2009
    So, things are getting a bit blurry for me, as I'm too tired. I'm going to take a swing at this tomorrow. Thanks for the help so far.

  • underdonk __BANNED USERS regular
    edited June 2009
    Blast off and nuke it from orbit, it's the only way to be sure.

    In all seriousness, that's just about the truth. Rebuilding a system after it's been infected with malware is really the only way to return it to a "trusted" environment. I certainly would inform your cousin not to use it until it's been rebuilt - and for the sake of the Intarwebernets, leave it unplugged. There's a high chance it's part of a botnet or participating in some such nasty activity.

    Back in the day, bucko, we just had an A and a B button... and we liked it.
  • DrFrylock Registered User regular
    edited June 2009
    Multiple services.exe are normal. These are "container processes" for background services in Windows (the actual services are run inside them). If you want to actually see which services are running in which services.exe, you can use Process Explorer.

    19 copies of cmd.exe is pretty fishy. That's the command-prompt window. Do you have 19 command prompt windows open? If not, it could be a malware file in a different directory called 'cmd.exe'. Process Explorer should also be able to show you which cmd.exe on your hard drive is the one running.

    McAfee is probably fine against traditional viruses, but it seems to be rather ineffective against the new malware/spyware systems out there (same for, for example, Symantec/Norton).

    If you want to really find out what's running on bootup, you want to run HijackThis, not msconfig. HijackThis will show you all the little hidden registry locations that cause things to run on startup, all your browser helper objects that cause things to run when you start your browser, and so on. Msconfig will show you none of this. If you post a HijackThis log in this thread, I'll check it later and see if there's anything weird in there. HijackThis can also stop things from running on startup, but clever malware will often find a way to re-add itself anyway, so your best bet is to run a real anti-malware tool, which brings us to...

    The best simple malware scanner is MalwareBytes Anti-Malware (MBAM). It works just like a virus scanner except it doesn't sit around in the background (well, the pay version will, but just grab the free one). Do a full scan with this tool and see what it finds.

    I've been able to de-malware a couple of machines just using MBAM. Some of the nastier infections require more aggressive tools, but you don't want to use those unless you've exhausted the alternative.

    I always see the "nuke it from orbit" option as a last resort. It's always available, but it's often painful and you risk losing data, settings, and programs that are otherwise important.

    DrFrylock on
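
The check DrFrylock describes (which file on disk is behind each running cmd.exe) can also be scripted. This is an added example, not part of the thread or of any tool named in it; it assumes Windows PowerShell is installed on the machine and uses only the standard `Win32_Process` WMI class.

```powershell
# Added example: list every running cmd.exe / services.exe with the file it
# was started from, its parent process and its command line.
# Get-WmiObject is used because it exists in Windows PowerShell 2.0 through 5.1.
$names    = 'cmd.exe', 'services.exe'
# Directories where the genuine binaries live (SysWOW64 holds the 32-bit
# cmd.exe on 64-bit Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Snapshot all processes once so parent PIDs can be resolved to names.
$all   = @(Get-WmiObject -Class Win32_Process)
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $all) {
    if ($names -notcontains $p.Name) { continue }

    $path = $p.ExecutablePath          # $null when access is denied
    $dir  = if ($path) { Split-Path -Parent $path } else { $null }

    # The parent may already have exited (or its PID may have been reused),
    # so treat the parent name as a hint, not proof.
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '(exited)' }

    $status = if (-not $path) { 'path unavailable' } elseif ($expected -contains $dir) { 'expected location' } else { 'UNEXPECTED LOCATION' }

    New-Object PSObject -Property @{
        Name        = $p.Name
        ProcId      = $p.ProcessId
        Parent      = "$parentName ($($p.ParentProcessId))"
        Path        = $path
        Status      = $status
        CommandLine = $p.CommandLine
    }
}

# Unexpected locations sort first; Format-List keeps long paths readable.
$report | Sort-Object Status -Descending |
    Format-List Name, ProcId, Parent, Path, Status, CommandLine
```

An "expected location" result only says the file is the system's own binary; the parent and command-line columns show what launched it and with which arguments, which is what matters when many copies are running without visible windows.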
  • tony_important Registered User regular
    edited June 2009
    I'll be posting that log up in a bit once I get home and start back at the computer.
    Thanks for the help, I'm a bit lost at this.

    I really don't want to reformat because I have nothing to start with in terms of reinstall. data/programs are not really an issue on this lappy, but without any direction I don't want to start nuking the bastard either.

  • Smurph Registered User regular
    edited June 2009
    Is it a consumer laptop? Most modern Dells and other brands will usually have a partition with an image of the factory-state on there and a program that will allow you to revert to it. I would check that option out.
