need help clearing xrun.exe etc

Malware might have changed some setting and files.

Click Start > Run, then type in or copy and paste in

sfc /scannow not the space between c and /


You must be logged on as a member of the Administrators group to run sfc.

If sfc discovers that a protected file has been overwritten, it retrieves the correct version of the file from the
%systemroot%\system32\dllcache folder, and then replaces the incorrect file.

Try this link if you have any trouble.

http://www.updatexp.com/scannow-sfc.html
 
Like this: sfc /scannow, not sfc \ scannow

Put the space between sfc and /, and you must use / not "\".
There is no space between / and scannow.

copy and paste it in if necessary

sfc /scannow
 
oh man....

It's not the DLL Cache thing.

I'm familiar with the I386 file name because when I first found out I was infected with xrun.exe I did a search for it on the net. I looked for any file names related to xrun.exe. One listed somewhere was mstha.

I then searched files and folders, and I found mstha files, one of which is related to I386. I did not move this to the recycle bin because I was not sure which, if any, of the mstha files were bad.

OK. I see 5 mstha files on my computer now; one is MSTHA in C:\windows\I386. I have no idea if these are normal files or not.

I also did searches for xpre.exe but am not sure if I found it; it seems to me that if I had, I would have removed it to the recycle bin as I did xrun.exe and yazzlesnet. I don't find xpre.exe now.

I do not have the XP disk; this computer was given to me, but it may be possible for me to get it.

Here is where I found some info before I spoke to you, but I did not do anything with it. Maybe it will help? http://forums.spywareinfo.com/lofiversion/index.php/t103102.html
 
I typed it back to you wrong last time.

But you gave me wrong directions ;)

"sfc /scannow not the space between c and /"

You mean "*note* the space between c and /"

No problem, I'm with you now.
 
"sfc /scannow not the space between c and /"

You mean "*note* the space between c and /"
OK, I got my "e" key working.

Also it seems that you are not the only one having trouble with the scanner; the download seems to be messed up.

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found, if any, so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose Rename yet! I want to see the log first, because legitimate items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.
 
Sorry, you're going to have to look at that page and the directions. Your directions don't match the page. I do not like that disclaimer.

I tried Panda again and it's like nothing happens when I click on Scan Now. I do see my firewall icon showing a block. I cannot get it to go even by disabling the firewall. The same exact thing happened on my other computer too. It all started after I installed Sunbelt.
 
I have never used that firewall. Have you thought about removing it?

Click Start > Control Panel > User Accounts > Change the way users log on or off > uncheck Fast User Switching > restart your computer.

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Save your log file.
Copy/paste the contents of that logfile into your next reply.

Do NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error etc.!

That way you should have a much simpler and clearer log file to pursue and evaluate.
 
Yes, I am thinking of removing it. What perplexes me is why disabling it would not work. It is a firewall recommended here. Getting ZoneAlarm is a problem because of the size.

I have a new problem. It started last night. I try to connect to the net, and nothing will load; it's like it locks up the internet flow. I try over and over, nothing will load. I finally realized tonight that rebooting might work, since my internet worked OK this morning. Rebooted, and now I'm back online on the first try, no problem. We did the sfc /scannow last night.

I will begin to follow your instructions.
 
Had the same problem with loading pages after I rebooted, after changing the user profile.

Rebooted again; Windows Firewall (which had not been "on") gave me a message saying it had blocked Sunbelt and gave me the info below the line. I chose to "block". I disabled Sunbelt and turned on Windows Firewall for the moment now to do the rootkit scan. It looked like Sunbelt was trying to connect to the net as soon as the computer loaded up? I will get rid of Sunbelt, no problem, but then I need a firewall. Will try to download ZoneAlarm tonight while I sleep.

Strangely, the last two times I rebooted it went smoothly, like it's supposed to, instead of the typical taking 5 minutes to shut down.
---------------------------------------------------------
Understanding when to block a program
When Windows Firewall is turned on and a program on your computer attempts to accept connections from the Internet or a network, the firewall blocks the program from doing this and displays a message giving you the option to unblock the program.

For example, suppose you've set up your computer to play a game with other players over the Internet. Because the firewall prevents the game from accepting connections from the Internet, the game will not be able to receive the information from other players that it needs to work correctly. A message will appear, asking what actions you'd like to take.

When you get this message, choose:

Keep Blocking to prevent the program from ever accepting connections without your permission.
Unblock only if you know why the program is asking to accept connections to your computer, or if you know that the program is trustworthy. (In the game example above, this is the option you would choose.)
Ask Me Later if you don't know whether to permanently block or unblock the program. This option keeps the program blocked (for greater security), and you will get this message again the next time that you start the program.
If you choose to unblock the program, Windows Firewall creates an exception for that program to allow it to communicate through the firewall. The firewall won't notify you when that program wants to receive connections in the future. When you close the program, the temporary opening in your firewall is also closed.

Notes

These choices apply to every user who logs on to this computer.
For some games (DirectX games), the message might be hidden behind the program. To see the message, minimize or close the program.
These messages can be disabled by using Windows Firewall, netsh.exe, or Group Policy. To disable these messages in Windows Firewall, on the Exceptions tab, clear the Display a notification when Windows Firewall blocks a program check box. However, we recommend that you keep these messages enabled to help monitor the security of your computer.
If Don't allow exceptions is selected on the General tab, you will not receive this message because the firewall will not allow any communications regardless of other settings you might have made.
 
Re: Rootkit

When I go to save a txt file and click on the arrow to change to Desktop, it says in error:

"Save rootkit revealer output (top in blue)

C:\documents and settings\local service\desktop refers to a location that is not available. It could be on a hard drive on this computer, or a network. Check to make sure the disk is properly inserted, or that you are connected to the internet or to your network, then try again. If it still cannot be located the information may have been moved to another location."

It gives me this error any time I try to press anything after I'm on the save page. I can press OK and move on.

It says it's saved on the desktop, but I do not have a txt of it on the desktop as I should have.

4 discrepancies are found. I'll keep trying to get the txt file out of it. Sorry for all the info, hope it helps.
 
Looks like it only would save into C:\windows\System32. Um, also it's in Documents and Settings...

HKLM\SECURITY\Policy\Secrets\SAC* 8/26/2004 4:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/26/2004 4:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 11/1/2004 1:26 PM 13 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume
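The four discrepancy lines above are the raw RootkitRevealer output the helper asked to see before anything is renamed or deleted. As an added example (not code from the thread, from Sysinternals or from any tool the thread mentions), here is a small Python triage script that parses lines in that format, applies a narrow operator-maintained allowlist of discrepancy classes, and returns everything else for manual review. The allowlist rules are assumptions for this example: the SAC*/SAI* embedded-null keys are treated as benign because the thread reports them as normal, and "Error mounting volume" on a bare drive letter is treated as an unreadable volume such as an empty CD/DVD drive. The webcal "Data mismatch" line is deliberately left for review, and a fifth, constructed line (a hypothetical hidden driver, example.sys, not from the thread) shows what an entry that matches no rule looks like.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log. The first four lines are the discrepancies posted in
# the thread; the last line is a hypothetical hidden-driver entry added only to
# show what an entry that fails every allowlist rule looks like.
SAMPLE_LOG = r"""HKLM\SECURITY\Policy\Secrets\SAC* 8/26/2004 4:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/26/2004 4:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 11/1/2004 1:26 PM 13 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume
C:\WINDOWS\system32\drivers\example.sys 9/19/2007 10:02 PM 28672 bytes Hidden from Windows API.
"""

# One log line: <path> [<date> <time>] <size> bytes <description>
# The path is matched lazily because registry paths may contain spaces
# ("...\webcal\URL Protocol"), and the timestamp is optional because volume
# errors ("D: 0 bytes Error mounting volume") carry none.
LINE_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?:\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M))?"
    r"\s+(?P<size>\d+) bytes\s+(?P<desc>.+)$"
)


@dataclass
class Discrepancy:
    path: str
    timestamp: Optional[str]
    size: int
    description: str
    reason: Optional[str] = None  # filled in when an allowlist rule matches


# Allowlist of discrepancy classes the operator has decided are benign.
# Both rules are assumptions for this example, not a documented Sysinternals
# list. Keep it narrow: anything else, including the webcal "Data mismatch"
# line, is returned for a human to look at before any rename or delete.
KNOWN_BENIGN = [
    (r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*$", r"embedded nulls",
     "LSA secret key with embedded nulls (reported as normal in the thread)"),
    (r"^[A-Z]:$", r"^Error mounting volume$",
     "volume could not be mounted (e.g. empty removable drive)"),
]


def parse_log(text: str) -> List[Discrepancy]:
    """Parse RootkitRevealer text output; blank or unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = f"{m['date']} {m['time']}" if m["date"] else None
        entries.append(Discrepancy(m["path"], ts, int(m["size"]), m["desc"]))
    return entries


def triage(entries: List[Discrepancy]) -> Tuple[List[Discrepancy], List[Discrepancy]]:
    """Split entries into (benign, review); an entry is benign only if both the
    path and the description match the same allowlist rule."""
    benign, review = [], []
    for e in entries:
        for path_re, desc_re, why in KNOWN_BENIGN:
            if re.match(path_re, e.path) and re.search(desc_re, e.description):
                e.reason = why
                benign.append(e)
                break
        else:
            review.append(e)
    return benign, review


def triage_log(text: str) -> Tuple[List[Discrepancy], List[Discrepancy]]:
    return triage(parse_log(text))


if __name__ == "__main__":
    benign, review = triage_log(SAMPLE_LOG)
    for e in benign:
        print(f"benign  {e.path}  ({e.reason})")
    for e in review:
        print(f"REVIEW  {e.path}  {e.size} bytes  {e.description}")
```

Run it on a saved RootkitReveal.txt by replacing SAMPLE_LOG with the file's contents. The point of the design is that the allowlist only ever removes entries you have already explained; a new hidden file or an unfamiliar data mismatch always ends up in the review list, which is the list you would paste back into a thread like this one.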
 
"The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format)"

 
Panda

OK, I read around a bit about that rootkit scan. Everyone's saying those are normal. One person I saw said those readings went away after a worm removal. Don't know, but....

I managed a Panda scan and it still came up with a rootkit.
Not sure how I managed to get spyware when I have Spybot and spyblaster going. I also ran Spybot once today already. Will try to get the spyware out. And get ZoneAlarm.

Sleep well, cya tomorrow.

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070919-225432-140-PowerReg Scheduler.exe
 