Reformatting And Reinstalling Windows


12 replies to this topic

#1 shelkd

shelkd

  • Members
  • 23 posts

Posted 07 January 2008 - 03:03 PM

Hi, I need some help with reformatting the system partition and reinstalling Windows. I have been referred to this forum by a member of Bleeping Computers that was helping me with removing a backdoor trojan. I was originally looking for help removing the Starsdoor popup. According to the team member, it looked like I must have a backdoor trojan. He said that in order to be 100% certain that my system would no longer be affected, I should think about reformatting the partition and reinstalling Windows, but that, if I wanted, he could walk me through getting rid of the malware. I asked if I would lose everything on the infected computer, because it is my daughter's and she has a lot of pictures, iPod music and school projects saved on it and she would "freak" if it was all wiped out. He said that it could be backed up. I then chose to go ahead with the reformatting and reinstallation of Windows, as long as he could walk me through backing up all her necessary files, doing the reformat and reinstallation and then putting all of her necessary files back on the computer. At that point, he referred me to this forum for help with all of that, since he was only there to help get rid of malware. Does this all sound clear enough and are you able to help me? The computer I will be doing this to is a Dell Dimension 2400 and runs Windows XP. Let me know if you need any further information before we begin. Thanks for your help!

Shelley

#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 07 January 2008 - 10:49 PM

Why didn't you go through with the HJT? That would have been the best solution. If you back up your files to a removable storage device you stand the possibility of transferring the infection with it. The only way to be 100% sure is to wipe the hdd, not reformat. It sounds like there was a miscommunication between you and the HJT team member trying to help; you should be able to get this cleaned without worry of still being infected.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#3 shelkd

shelkd
  • Topic Starter

  • Members
  • 23 posts

Posted 07 January 2008 - 11:28 PM

Here is exactly what I was told. I will paste it in right after I explain why I made my decision. You will notice he gives me two options, but says that only one would be 100% effective. Since I have been dealing with this computer for a long time now, I decided to go for the 100% option, especially because he assured me all could be backed up. Let me know what you think. Thanks.

Hi, thanks for your patience.

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. I recommend you take the following steps immediately:
Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning.

Next,

To be entirely safe you should update your system to Service Pack 2, but this should only be done, once your system is clean.

NOTE: Please do not install Windows XP Service Pack 2 yet, because this can cause troubles if installed on an infected PC.

Some security programs with active monitoring processes are known to interfere with automatic scanners and can actually prevent HJT fixes from taking effect.

Please turn off or disable Spybot-S&D for the duration of your malware cleanup. It may be the case that this program will automatically restart upon reboot; it will be necessary to repeat these disabling steps as required. Once we have successfully removed all of the malware in your system, it is important that you re-enable it once again to prevent future reinfection.
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
Next

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

#4 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 08 January 2008 - 10:23 PM

You didn't say what brand of computer you are driving. Dell or HP or a white box?

Each one has their own method for Recovery. Some have recovery disks while others put them onto your hard drive in a special partition made just for that purpose.

Typically, you would go into BIOS and change the boot order to CD-Rom first. Then insert the Install CD and follow the prompts to do a complete new install. In your case, you would first delete the primary partition and then create a new one for the new install.

So, what do you have for a computer?

DR

#5 shelkd

shelkd
  • Topic Starter

  • Members
  • 23 posts

Posted 08 January 2008 - 10:31 PM

Thanks for responding. You must have missed it, as I'm sure you read so many of these that you must have to skim and get the gist. But, anyhow, I did put it at the end of my first post on this topic. I will tell you now though, that it is a Dell Dimension 2400. Thanks for any help you can give me.

Shelley

#6 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 09 January 2008 - 07:01 AM

Ah yes, I see. A Dell Dimension 2400.

Dells often came with a Recovery Disk that is very simple to use. First, do you have those disks? If so, we can proceed from there.
To check if there is a recovery partition, Right-Click My Computer, Left Click Manage. Select Disk Management and you should see, on the right hand side, whether there are any partitions where the recovery software is kept.

You may want to remove any files you will want to keep. If you have a CD Burner, create a CD of all the files you wish to keep. You can scan this CD for bugs after you are finished installing your new OS and before you return them to your new installation.

You might also want to go to Dell and download any drivers you may need, before you start. (I usually download the Ethernet driver and then go get the rest)
Go to Dell, then Support and then Downloads and insert your machine number and type and they will list the drivers as well as having a manual.

So, first please tell us if you have disks or a recovery partition?

DR

#7 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male

Posted 09 January 2008 - 12:03 PM

Hi everyone :thumbsup:.

shelkd is infected by a backdoor trojan. In this case we recommend the reformat as an option; shelkd chose to reformat, so we need to respect the decision. I analyzed this case here:

http://www.bleepingcomputer.com/forums/ind...mp;#entry703802
Renato Victor Mejias
Malware help in portuguese

#8 shelkd

shelkd
  • Topic Starter

  • Members
  • 23 posts

Posted 09 January 2008 - 01:35 PM

Okay, well, I looked over the disks that they gave me with the computer. The ones I have are: Operating System Reinstallation CD Windows XP Home Edition w/ Service Pack 1; Applications already installed on Computer, contents: Antivirus, Support, Multimedia, Internet software; Drivers and utilities with device drivers, diagnostics and utilities, computer documentation; Dell E773c color monitor user docs and drivers; and Application for reinstalling Roxio Easy CD Creator. Then I went to the Computer Management, but I am not sure exactly what I am looking for there. Could you explain what I should see? Thanks so much.

Shelley

#9 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 09 January 2008 - 03:53 PM

OK well since you have a Restore CD, there is no point in going into Computer Management to look for a restore partition.

OK, the Restore CD is the one you need to use. The one with the OS on it. :huh:

The Applications CD has a few things but nothing of major importance, unless there is Office on it. I would put that aside and not worry about that one for now. :huh:

The Drivers CD is to be used AFTER you reinstall the OS. I believe it is web-based (opens a web page) and checks your system for the drivers you need and lists them all for you. You will need to install them 1 at a time.

I usually install the Chipset Drivers first, then the Ethernet. If you don't see any Chipset drivers, don't worry. The motherboard might not need that.

Check out this link for some screen shots of the installation process.

http://www.microsoft.com/windowsxp/using/s...xp/install.mspx

Good luck. :thumbsup:


DR

#10 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 09 January 2008 - 03:56 PM

BTW, because you are reinstalling, you will have an extra step between steps 5 and 6 of the link I just sent you.

You will first need to Delete The Primary Partition. Just follow the prompts.

THEN you can create the partition, like it says in step 6.


DR


PS: You can also skip steps 22 to 24. I never register with Microsoft.

Edited by rigacci, 09 January 2008 - 03:59 PM.


#11 shelkd

shelkd
  • Topic Starter

  • Members
  • 23 posts

Posted 09 January 2008 - 05:46 PM

Thanks. I do have a question, before continuing, that I want to make sure I get answered. My daughter REALLY doesn't want to lose her pictures, school projects and iTunes with all of her iPod music on it. I know you mentioned backing up these things on CD, but she has quite a few pictures and a huge amount of songs (at least 400). How would I fit all of that onto CDs? Is there a way to compact it and make it all fit, or what do you suggest? Also, how am I sure after I get the computer clean whether or not those programs are infected? I would hate to ruin what we fixed. I appreciate all of your patience and guidance.

Shelley

#12 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 09 January 2008 - 06:44 PM

Pictures are easy to save because you can create (and burn) a CD a few at a time. Maybe she already has them in folders, so you burn 10 out of 20 folders onto one CD and the rest onto another.

As far as infections: JPEGs and other picture files generally do NOT carry viruses. Lately, though, it has been shown that this is changing. But I think she could probably transfer the pictures without any problem, folder by folder.

I would not transfer any "Programs" to a CD. Programs can carry viruses aplenty. You are best to reinstall any applications.

If you had an External DVD burner, you could burn up to 8GB or more, depending on the burner (Dual Layer). But a CD burner will only hold about 700MB or so (maybe 740?). Close enough though. You get my point, no?

So first, let her take all her stuff off and then proceed with the reinstall.

:thumbsup:

DR
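The advice in post #6 (copy only the files you want to keep, scan them before putting them back) and in this post (burn pictures a folder at a time onto 700 MB CDs, never carry programs over) can be turned into a small planning script. The following is an added example written for this thread; it is not code from the forum, from Dell, or from any tool named above. It works on a constructed file list standing in for the daughter's profile, uses the 700 MB CD capacity quoted in this post, and the extension lists are a hypothetical set chosen for the example. One defender's detail it handles: only the last extension decides, so a file named vacation.jpg.exe is treated as a program, which matters because Windows XP hides known extensions by default and would show it as vacation.jpg.

```python
"""Plan a data-only backup before a wipe-and-reinstall.

Added example for the thread above (not the forum's or any tool's code).
Drops program files, flags unknown types for a manual look, and packs the
keepers onto 700 MB CDs with first-fit decreasing so few discs are needed.
"""
import os
from typing import Dict, List, Tuple

CD_CAPACITY_BYTES = 700 * 1024 * 1024  # nominal CD-R capacity quoted in the thread

# Hypothetical lists assembled for this example; tune them for a real profile.
PROGRAM_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd",
                      ".vbs", ".js", ".pif", ".lnk", ".msi"}
DATA_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".mp3", ".m4a",
                   ".wav", ".doc", ".xls", ".ppt", ".txt", ".pdf"}

FileEntry = Tuple[str, int]  # (relative path, size in bytes)


def classify(path: str) -> str:
    """Return 'keep' (data), 'skip' (program) or 'review' (unknown type).

    Only the LAST extension counts, so 'vacation.jpg.exe' is a program even
    though Explorer with hidden extensions would display it as 'vacation.jpg'.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in PROGRAM_EXTENSIONS:
        return "skip"
    if ext in DATA_EXTENSIONS:
        return "keep"
    return "review"


def pack_into_discs(files: List[FileEntry],
                    capacity: int = CD_CAPACITY_BYTES) -> List[List[FileEntry]]:
    """First-fit decreasing bin packing: largest files first, each into the
    first disc with room, a new disc when none has room."""
    discs: List[List[FileEntry]] = []
    used: List[int] = []
    for entry in sorted(files, key=lambda f: f[1], reverse=True):
        name, size = entry
        if size > capacity:
            raise ValueError(f"{name} ({size} bytes) will not fit on one disc")
        for i, filled in enumerate(used):
            if filled + size <= capacity:
                discs[i].append(entry)
                used[i] += size
                break
        else:
            discs.append([entry])
            used.append(size)
    return discs


def plan_backup(files: List[FileEntry],
                capacity: int = CD_CAPACITY_BYTES) -> Dict[str, object]:
    """Sort files into keep/skip/review and lay the keepers out on discs."""
    groups: Dict[str, List[FileEntry]] = {"keep": [], "skip": [], "review": []}
    for entry in files:
        groups[classify(entry[0])].append(entry)
    return {
        "keep": groups["keep"],
        "skip": groups["skip"],
        "review": groups["review"],
        "discs": pack_into_discs(groups["keep"], capacity),
    }


# Constructed sample input: 120 photos, 400 songs, two school files, two
# executables (one disguised as a picture) and one file of unknown type.
# A real run would build this list with os.walk() over the user's profile.
MB = 1024 * 1024
SAMPLE_FILES: List[FileEntry] = (
    [(f"My Pictures\\trip\\IMG_{i:03d}.jpg", 3 * MB) for i in range(120)]
    + [(f"My Music\\iTunes\\track{i:03d}.mp3", 5 * MB) for i in range(400)]
    + [("My Documents\\history_report.doc", 2 * MB),
       ("My Documents\\science_fair.ppt", 40 * MB),
       ("My Documents\\vacation.jpg.exe", 1 * MB),
       ("Desktop\\setup.exe", 12 * MB),
       ("Desktop\\notes.xyz", 1 * MB)]
)


def main() -> None:
    plan = plan_backup(SAMPLE_FILES)
    print(f"keep {len(plan['keep'])}, skip {len(plan['skip'])}, "
          f"review {len(plan['review'])}")
    for name, _ in plan["skip"]:
        print(f"  not copied (program): {name}")
    for name, _ in plan["review"]:
        print(f"  look at by hand: {name}")
    for n, disc in enumerate(plan["discs"], start=1):
        total = sum(size for _, size in disc)
        print(f"CD {n}: {len(disc)} files, {total / MB:.0f} MB")


if __name__ == "__main__":
    main()
```

The script produces four discs for the sample set (2402 MB of data at 700 MB each), so the 400 songs plus the pictures do fit on CDs without any compression, just not on one. The "review" bucket is the list to open by hand before burning, and the "skip" bucket is what rigacci means by reinstalling programs from their original media instead of copying them.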

#13 shelkd

shelkd
  • Topic Starter

  • Members
  • 23 posts

Posted 09 January 2008 - 07:48 PM

Okay, we will get on this and let you know how it goes. I will probably try to work on it while she is at school tomorrow.

Thanks,
Shelley
