
SystemBoot\System32\config\software missing, need help & data recovery



#1 jumpy109


Posted 29 March 2009 - 09:22 PM

Hello Experts, really hope someone is able to help me.

I am new to your site and greatly admire your work.

I am from South Africa & based in West Africa. My laptop is my life.

The poor machine is dead, on startup I get the following message on a blue background:

The registry cannot load the hive (file) \SystemBoot\System32\config\software or its log or alternate.
It is corrupt, absent, or not writable.
Beginning dump of physical memory. Physical dump complete.
Consult with your system admin or tech support.

The machine will then attempt to re-boot for as long as I leave it on and continues in this loop.

I have the Windows XP Pro recovery CD that came with the machine.
It's XP SP2 (Build 2600).

At the beginning of February I picked up a virus/trojan that disabled my Bitdefender Internet Security.
It got to the point where Bitdefender couldn't put up its Firewall or Update.

I tried various programs to get rid of the Malware & after contacting Bitdefender I was able to fix the problem with their product.
Because of your Malware forums I was able to use MBAM & Superantispyware to get the machine to an acceptable state.

I considered posting at one point but the problem seemed to be finalised.
As suggested in one of the other forum posts I attempted to run Specific File Checker, and even with the XP CD in the drive it still would not root out all the problems.

The machine seemed to operate ok, but would sometimes not recognise one of the USB ports or would be very slow on startup.

On Friday I was watching some avi clips when I got the battery low indication, I shut the machine down and had this problem the next morning.

I either still have the virus or it caused some serious damage before it was removed.

I need help to get the machine running again but I also need to recover some priceless pics & files.

I don't want to re-install XP at this point if those files will be overwritten.
How can I extract these files? (My wedding pics are on there, only copies, my wife will kill me)
Thanks for taking a look at this, your time is appreciated.

#2 hamluis


Posted 30 March 2009 - 08:32 AM

Hi :thumbsup:.

IMO, it is not uncommon for some of the adverse effects of malware...to remain on the system after specific malware items have been removed. I liken it to someone being shot with a poison arrow...removing the arrow. The poison remains in the system, the invisible impact of the apparent problem (the arrow).

You say that you have a recovery CD...I'm afraid that I don't know any procedures that will allow what I believe needs to be done (either a repair install of XP or a clean install of XP)...using recovery CDs of any sort. All the system repair procedures I know depend on the user having a Microsoft XP install CD.

I suggest that you await further input from others.

<<How can I extract these files?>>

One method (there are several possible) would involve removing the hard drive and inserting it in a USB 2.0 enclosure...and then attaching that to another known good, protected system. You would then be able to move any data files, but no system files or installed programs.

Examples of USB 2.0 enclosures accommodating 2.5" drives: http://www.newegg.com/Product/ProductList.....5%27+enclosure

Louis

#3 jumpy109


Posted 30 March 2009 - 09:52 AM

Hi Louis,

Thanks for the reply.

I figured that I would be forced to physically remove the drive, then remove the files needed.
I did a bit of a search on the net and the error seems to be forced when the machine doesn't shut down properly.

I can try to get my hands on an XP CD. If I could, what steps would I follow?

One of the options on the recovery CD is a full install of XP SP2, does that help?

I am also not sure what the legality of using someone else's XP CD is; can I use it just to recover my machine, then use my disc for the re-installation after I have recovered my data?
The other option is to purchase a copy of XP when I get back home in about 2 weeks.

I already have one of the enclosures you suggested. Just to confirm, I will have to find a techie, remove my drive, plug it into the enclosure and remove the data that I need? This really is a last resort, but I will have to do it if there is no other option.

Thanks again, beginning to see light at the end of the tunnel.
Really appreciated

Cheers

#4 hamluis


Posted 30 March 2009 - 10:41 AM

No problem...people respond in these forums...because they like to try to help others :thumbsup:.

First of all...I suggest moving your data to a safe place. None of the attempted repair steps is guaranteed to work, but moving your data files will allow you to go forward with less stress.

<<I can try get my hands on an XP cd. If I could what steps would I follow?>>

If you can do so, I suggest trying a repair install.

How to perform a repair installation of Windows XP if Internet Explorer 7 is installed - http://support.microsoft.com/?kbid=917964

How to Perform a Windows XP Repair Install (Stevens) - http://www.michaelstevenstech.com/XPrepairinstall.htm

Bear in mind that, in order to do a repair install...the CD must reflect at least the same level of SP included...as the system currently reflects. If you have SP2 installed on your system, the CD must contain either SP2 or SP3 (if you like). If you have SP3 installed, the CD must reflect SP3 inclusion.

<<One of the options on the recovery CD is a full install of XP SP2, does that help?>>

I have no experience with recovery CDs or recovery partitions...but I would try it, feeling that it cannot do anything harmful to the system as it is. But, again, move your data files from the drive first...as much as we know about systems and projected procedures, it's good to realize that life experience says that "Nothing Ever Goes As Planned" (song by Styx) and it's wise to accept that as truth, IMO :flowers:.

<<I am also not sure what the legality of using someone else's XP cd is, can I use just to recover my machine then use my disc for the re-installation after I have recovered my data.>>

Re legality...nonissue. You need to use your license to do a repair install (which is valid) and anything short of either a repair install or clean install...does not involve potential licensing/activation issues. The CD just is a convenient way to put all the files together in one location and the CD is useless without a valid license to use XP, which is why activation exists.

You could also pursue the route you outlined, although I've never tried to repair one system from another. I don't think that would work, but I've been wrong before.

<<The other option is to purchase a copy of XP when I get back home in about 2 weeks.>>

No reason at all to do that, if you have a valid license to install XP. There are many easier ways of getting a valid copy of an XP install CD...and there are only so many ways of acquiring a valid license to install an XP install CD.

Louis

#5 jumpy109


Posted 30 March 2009 - 12:02 PM

Hi Louis,

Thanks again for the quick reply.

I will do as you suggested and pull the drive and pop it into an external enclosure and use another computer to extract the files I need from it. Once the back up is complete I will then re-install XP as outlined.

The data is more important than the risk involved in toying around in a domain where the outcome is unexpected at best. I am a complete novice and need to learn on the fly. Backup first, fixing later! :thumbsup:

"You could also pursue the route you outlined, although I've never tried to repair one system from another. I don't think that would work, but I've been wrong before." I wasn't actually suggesting repairing from one system to another as much as trying to understand how I would go about recovering my lost data. Is it really as simple as removing the drive, putting it in the enclosure and pulling off what I need?

"Nothing Ever Goes As Planned", never a truer word was spoken.

I thank you for your time and effort. It's not what I expected or hoped for but it seems to be the best way to ensure data integrity.

Be well, thanks again. You are a good man. :flowers:

Hope I can learn enough about computers to one day be of equal use to someone else.
Cheers

#6 jumpy109


Posted 30 March 2009 - 12:06 PM

Hi Louis,

Not that I'm gonna try this, but this is the problem that I have and possible solutions I found scouring the net.

This probably means more to you than me.

http://www.dslreports.com/faq/3546

http://forums.pcworld.co.nz/archive/index.php/t-94466.html


Will do as you advised and can only complete backup when home in about 2 weeks. Will let you know how it went.

Thanks again

#7 Papakid


Posted 30 March 2009 - 01:09 PM

Hi jumpy109,
If I might jump in here I might be of some assistance to both you and Louis. I had the same problem you describe and I also have a prebuilt system with Recovery CD. The corrupted registry is a serious problem and I was not able to recover from it. So Louis is completely correct that the first thing you should do is get the important data off of the system by making backups.

The DSL article is a nice find and gives the two ways to recover your system--without reinstalling Windows. Let me stop right here and address something you've asked about--I've added emphasis to what I'm keying on.

I am also not sure what the legality of using someone else's XP cd is, can I use just to recover my machine then use my disc for the re-installation after I have recovered my data.
The other option is to purchase a copy of XP when I get back home in about 2 weeks.

If you are going to use your disk to reinstall Windows then you don't need to try to repair it first. Which means you don't need to waste time on borrowing or purchasing an XP CD. So if you don't trust that your system is clean after the malware problem, which is completely understandable, and want to start fresh, you can save yourself some time and go ahead and run your recovery CD after transferring your data. On my system, running the recovery CD first reformats the system, which wipes out all the old data on the entire hard drive, then reinstalls Windows and whatever else that came with the system when you got it from the factory. I noticed a Norton Ghost logo when I did mine, so I'm assuming it was just a drive image/clone, just like Acronis True Image and other similar programs.

But if you want to try to recover your system to how it was just before the corrupt registry problem, then you will likely need a standard Windows CD.

The first, easy option cited in the dslreports article usually doesn't work because people will have tried rebooting several times before doing that. If you had tried it the very first time the error came up it might have worked.

The second method mentioned is what Louis has in mind for you. It involves using the Recovery Console, which means you need an XP CD unless you installed RC beforehand. On my system, I had RC installed already, but unfortunately it did not allow me to make the necessary repairs, so I had to use the Recovery CD.

Best of luck to you and hope you get it straightened one way or another.

BTW, I recently found an article on how to recover files that might interest you:
http://thecomputerparamedic.com/index.php?...r&Itemid=29

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#8 hamluis


Posted 30 March 2009 - 02:41 PM

...and I'll just add a note that I (also) have had that error message indicating a corrupt registry. I tried a couple of easy things but quickly decided that a clean install would be easier/better for me.

I don't mind doing those, even though I always have disk images that I could use to restore the system to its near-former state. I maintain backups primarily for all the data files I have and don't really consider reinstalling XP a chore (as some do).

Louis

#9 jumpy109


Posted 31 March 2009 - 05:29 PM

Hi Louis and Papakid,

Thanks for the help. Will follow your advice and take it from there.

Just another quick couple questions if I may:

1) How complicated a task is it to remove a laptop hard drive? Is it a specialised task? Could I do it? I have an enclosure handy to slot it into to recover the data.

2) Once the drive is in the enclosure do I just hook it up to another computer via USB and use it that way? Any specialised programs needed?

3) After recovering what I need from the drive I intend to format the drive and re-install windows. How would I do something like that?
How do I clean the drive to a virgin state?
I plan on leaving this machine with my wife and she has already had another laptop stolen from her. In South Africa they sometimes try to recover data from stolen laptops to steal passwords to accounts using various types of software.
I use my laptop for personal business and don't need someone trying to hack my accounts.

Thank you so very much for all your advice.

It's fantastic that there is a greater community of people out there willing to help strangers just because they can.
Your help is much appreciated.

Be well
Thanks again

#10 hamluis

  • Local time:02:02 PM

Posted 31 March 2009 - 05:58 PM

<<1) How complicated a task is it to remove a laptop hard drive? Is is a specialised task? Could I do it?>>

It's usually pretty simple...there is a compartment which opens and the drive slides/fits in that and connects to the system connectors. Your laptop manual should show the location. One thing I've found is that some laptops use weird screws to fasten everything and you may need a screwdriver (to open the compartment) which is a bit unusual.

<<2) Once the drive is in the enclosure do I just hook it up to another computer via USB and use it that way? Any specialised programs needed?>>

Yes, no :thumbsup:. The attached drive will be just like another partition on the system and will appear in My Computer. You may have difficulty removing files from My Computer or Docs & Settings...the following procedure will allow you to do so.

How to take ownership of a file or folder in Windows XP - http://support.microsoft.com/kb/308421

<<3) After recovering what I need from the drive I intend to format the drive and re-install windows. How would I do something like that?>>

XP Clean Install, Stevens - http://www.michaelstevenstech.com/cleanxpinstall.html

Clean Install Procedure with Illustrative Screen Captures - http://www.theeldergeek.com/xp_home_install_-_graphic.htm

<<How do I clean the drive to a virgin state?>>

Using the MS XP CD...just delete everything on the hard drive (any existing partitions). Then follow the prompts for creating a new partition/formatting/installing. See links above.

<<Its fantastic that there is a greater community of people out there willing to help strangers just because they can.>>

That's the way the human race is...these others (who are unhelpful and full of malice) are just pretenders based on the ability to look (rather than be) human :flowers:.

I believe that it's natural to help others who merit such.

Louis



#11 Papakid


Posted 31 March 2009 - 07:11 PM

Hi jumpy109 and Louis,
All I've ever messed with are desktops so, Louis, I'm curious about something.

2) Once the drive is in the enclosure do I just hook it up to another computer via USB and use it that way?

Do laptop hard drives use USB connections? I would think it would be IDE ribbons, but I'm not much of a hardware guy. The link I provided in Post #7 gives instructions on how to hook up a hard drive to another computer using IDE and the guy doesn't even use an enclosure--although it's better to have one so you don't accidentally ground it.

Secondly, jumpy109, the clean install instructions are not going to be exactly what you should do since you are going to use your Recovery CD instead of trying to obtain an XP CD. Exactly how to do that depends on what kind of laptop it is but it should be pretty easy--on mine I basically stuck in the CD and followed the onscreen instructions. What is the make and model of your laptop? Your Recovery CD should have the drivers for your laptop, which would be a lot easier than trying to find drivers after using a standard XP CD. So for instructions you should consult your manual if you still have it and/or go to the manufacturer's website.

And to answer some more of your last question, you should also find out from the manufacturer if running the Recovery Disk will reformat your drive. I am pretty sure that most do--mine did, but you want to be sure that it doesn't just reinstall Windows on top of what is already there.

A reformat is going to wipe your drive as clean as you can get it. The only way anyone can get any data off of it is if the FBI--or what is the equivalent of the FBI or Scotland Yard in South Africa? :thumbsup: --forensics team gets ahold of it. Your everyday crook you likely won't have to worry about.

Which leads me to another couple of points.

It's possible your financial information was compromised when you were infected. In the last two, three years malware is designed to make money one way or another and identity theft is steadily on the rise. I hope this was not the case with you but you should be prepared for the possibility. Do you remember what the malware was called? And what antivirus do you use? Keep a close eye on your accounts and your credit report for the next few months. There is a whole underground economy that deals in stolen information--and if yours is in there it could lie on the shelf for a period of time before it's sold or used--in various ways.

So before you reinstall Windows, you should copy the setup files of your antivirus to whatever medium you used to backup your data and install that before you get back online for any length of time. You can go ahead and activate Windows, but then turn on the Windows firewall and install your AV--the page Louis linked to does go into this some as well.

Also essential is to next get Windows fully up to date. I can't stress enough how important this is. It will help prevent you getting infected from just visiting a webpage.



#12 hamluis


Posted 31 March 2009 - 08:26 PM

The USB 2.0 enclosures...are designed to allow users to connect a hard drive (2.5" for laptop, 3.5" for desktops) to any USB port on any system. The drive is viewed as an additional partition/drive which has become attached to the system.

Enclosures vary...some will only accommodate laptop drives, some will only accommodate desktop drives...and some will accommodate either, as well as optical drives.

Thanks for reminding me about recovery CDs...the manner in which they function will have to be documented by the manufacturer/issuer (I've never had any, only have MS Windows CDs).

To confuse things even more :thumbsup:...there are also converter appliances, in addition to USB 2.0 enclosures, http://www.newegg.com/Product/Product.aspx...N82E16812156017

The net value of all these things is that it allows users to access files on a hard drive...which might not otherwise be accessible if the system cannot boot (for whatever reason).

Louis

#13 jumpy109


Posted 31 March 2009 - 10:29 PM

Hi Louis & Papakid,

Louis,
Thanks for the advice & links. Will print them & follow them to the letter.

I was going to try to remove the drive myself & took off the back cover of the machine, but all the bits just intimidated me, so I think I'll let someone else do that. (For now. Depends on how frustrated I become, I suppose.)

I also need to find someone with a decent machine with XP on it; all the guys I work with only have Vista loaded. I tried finding the taking-ownership-of-files procedure for Vista but had no luck.

I looked at the links you shared and their steps are almost exactly what the recovery disc has you go through. I haven't used the disc fully, just tested to see what it does, stopped it short just before formatting partition.

Louis, I like your view on the good and bad of the species. Very enlightening.

I thank you again sir,

Papakid,

I have no idea about the IDE connections you speak of. I have seen them make an enclosure, and the inside of the 2.5 inch one has a set of pins that the drive slides into. I would assume that the same process would apply to the (2.5 inch???) drive in my laptop.

As regards the use of the recovery cd, as I said to Louis above, it should follow a similar route as laid out in the link he shared. And yes the recovery cd does state that it will format the drive.

As regards your statement about the formatting of the drive. I am a user of computers and not a guru like you guys. I get by I suppose. The reason I am so paranoid is that we have had a number of warnings in South Africa regarding the theft of laptops to gain access to data (passwords etc) so that accounts could be hacked. Some business people have been targeted with that very purpose in mind.

I don't know what formatting does in terms of data recovery but I attended an interesting demo at one of SA's telecoms providers.
They had an employee suspected of some really bad things and were able to recover data even after it was formatted and used it to secure a confession.
Even some of the Financial Houses are able to do the same thing. Our privacy laws aren't what they should be and as we have learnt so painfully in our country, corruption penetrates all levels.
So if someone has the capacity to recover that sort of data legally, some felonious characters will have capacity too. The bulk of all our crime has some sort of insider connection at some point.
Interesting note, the presenter at the demo indicated that if the accused had used a commercial wipe program that cleans the drive, they would not have been able to recover any data.
Too complex for me. Guess ordinary formatting should be enough. Paranoia on my part I suppose. Just that cyber crime in SA is like a growth industry on some levels.

As for what you said about my details already being out there, I couldn't agree more! Good news is that I didn't access any site that required any such info. The machine wouldn't update the anti virus and that's when I stopped using it for all financial stuff altogether. I will change all passwords, pins etc as soon as I get home.

I was using Bitdefender Internet security and remember that whatever the problem was it wouldn't allow the antivirus to update and would disable the firewall.
It took nearly a month of trying to get the machine clean. Should just have posted I guess.
I used various free programs to get infection removed one step at a time, not at the same time of course.
Various scanners, Spywaredoctor, Removeit pro 7, showed that Bitdefender itself was infected. Even MBAM couldn't function at one point. Bitdefender and Kaspersky's online scanners did the bulk of the cleaning and Avast finished the job. I was then able to re-install BDIS, MBAM and Superantispyware. Between the 3 all seemed to be working ok.

Before machine got cleaned olhrwef, urretnd, nmgdfds, txmlutil, ahnrpta files were also found and classed as risks.
Avast found Local settings\Temp\nmf.43.tmp infected win32:Trojan-gen[other] AND KAVOS Trojan
Bitdefender online scanner found Trojan.PWS.Onlinegames.KBQE

After machine got cleaned only Removeit found anything and the last logs I have before it was uninstalled are:

10:20:18 PM: Infected file (Sys32.txmlutil) C:\WINDOWS\system32\txmlutil.dll -> No action taken.
10:21:12 PM: Infected file (Sys32.ahnrpta) C:\WINDOWS\ahnrpta.exe -> No action taken.

I used Revo Uninstaller to remove all programs not needed, and as you correctly state, Windows was and should always be up to date. All programs were up to date till the day the machine died.
An interesting note is that once the machine was infected I could not start in Safe Mode, even after infection was cleaned & after reboot it would often not be able to recognize one of the USB ports.

I also noted that someone on one of the forums had similar files listed as infections & had to clean the entire drive. It was an infection called Virut if memory serves and renders all .exe files infected. Any chance of that? Got loads of .exe files that I need for work related training.

And Papakid your: "Guru at being a Newbie" is an absolute classic. So very true.

Once again, thanks to both for all your help. Hope the long winded reply above is ok but maybe there's info in there that could help someone broaden the knowledge base.

This whole experience has one positive spin in that I have a renewed sense of the goodness in others and that in this global village there exists no excuse not to exert positivity.

I appreciate all the time you gentlemen have spent on this problem. It truly is inspiring.



#14 hamluis


Posted 01 April 2009 - 08:59 AM

On behalf of PK, glad you solved it...happy computing :thumbsup:.

Louis

#15 Papakid


Posted 01 April 2009 - 12:32 PM

Thank you Louis. I do still, tho, have a couple more bits of information I think are important, and my apologies for being a bit slow to respond.

Hope the long winded reply above is ok but maybe there's info in there that could help someone broaden the knowledge base.

I also consider myself to be long-winded--as a character in one of our American TV shows often states--it's a blessing--and a curse. So obviously it's OK by me. It not only helps to increase the knowledge base, but for the purposes of this thread, helps me to give advice based on the additional informational details.


I also noted that someone on one of the forums had similar files listed as infections & had to clean the entire drive. It was an infection called Virut if memory serves and renders all .exe files infected. Any chance of that? Got loads of .exe files that I need for work related training.

Among the files you mentioned, I didn't see any that were directly related to Virut. However, when you suffer from infections such as what you have had, someone else has complete control over your computer, which means it is certainly possible that any other infection could have been downloaded and installed and any information hanging around your computer could be in the hands of others. I really can't say so with any certainty without looking at some diagnostic logs. But it is a sad fact that it is very common for victims of Virut and its related infections to lose data--the files are either uncleanable or too corrupted after cleaning to be usable. I hope this is not the case with you.

The best you can do is to make sure the computer you use to transfer your data has a strong anti-virus and scan every file. (Before that you should make sure the computer itself is known to be clean.) It might be a good idea to put all the files in one folder and then run Kaspersky's online scanner to check the files. You stated that Kaspersky and Bit Defender did some clean up for you, but, if you are not aware of this already, you should note that Kaspersky online will not clean files--it detects only. For infected files that you wish to recover, it is safer than Bit Defender online and some other scanners that also clean, as the latter are set to delete files if unable to clean--so you would have no chance of recovering those files.

The good news is that if you had Virut, a massive amount of files would have shown up as infected in your previous scans--so it is likely that you didn't have it. The bad news is that you didn't appear to have completely removed the infection you did have. One is an Autorun infector, so you need to take measures that it doesn't spread to the working computer:
http://www.sophos.com/security/analyses/vi...autorunaag.html

These types of infections are usually spread by plugging in infected Flash drive--if Windows is set to AutoRun--which it is by default, it infects the host machine. But it doesn't have to be a Flash drive--any drive will do. More info here:
http://miekiemoes.blogspot.com/2008/11/ple...torun-asap.html

So you need to either follow the links in the blog and disable Autorun on the working computer, or run Flash Disinfector before plugging in the drive--I would recommend the latter or both.
http://experi3nc3.wordpress.com/2007/05/10...fector-by-subs/

Running FD will also disable Autorun by creating an Autorun.inf folder that is difficult to delete, which also serves to prevent reinfection by preventing creation of another malicious autorun.inf file. So the computer owner needs to be aware of this and that s/he won't be able to stick in a CD and have it play automatically--they will have to go to My Computer to open the drive.

Trojan.PWS.Onlinegames.KBQE and most of the rest of the identifiable files you mentioned serve a very specific purpose--to steal passwords to MMORPG games like World of Warcraft. Why? Because some people will pay real money for the virtual goods and gold legitimately earned by other players. The PWS in Trojan.PWS.Onlinegames.KBQE is an abbreviation of PassWord Stealer. Believe it or not, these trojans usually only target online game passwords, but if they can steal those passwords they can steal others. Changing your passwords and PINs is great--the sooner the better--but in case of identity theft more would need to be done. Let's hope this will be unnecessary for you, and I know it does not apply exactly to a non-US citizen, but the following article might give you some ideas of what recourse you might have in the worst case.
http://www.ftc.gov/bcp/edu/microsites/idth...ers/defend.html

Lastly, I was probably premature in saying that a reformat will get your hard drive as clean as it needs to be--there are in fact disk wiping utilities out there--I am just not familiar with them as I don't use them. There is a tool called Eraser that I've seen recommended often for this purpose, but it is no longer developed and does not list XP as supported.
http://www.tolvanen.com/eraser/

Someone else will have to make recommendations about that. As I understand it, a reformat will overwrite the disk with zeros--a secure eraser or shredder will overwrite several times.

I know good forensic software can recover deleted data in the hands of whoever--but it still is usually targeted information. In other words the investigator knows or suspects that there is specific info on the drive and that the drive has been reformatted--such as evidence of a crime in the example you cited. That makes it worth their while since such data recovery isn't all that easy. I still think most criminals who steal laptops are looking for what they can quickly get off the system that is installed. Stealing passwords, for example, is fairly easy--there is all kinds of password cracking software out there and the majority of people don't use strong passwords. If they don't know the computer has been reformatted, they won't know there might be something there they want--or don't already have. Even if they did, by the time they get around to trying to recover data on a reformatted drive, they might have used that time to steal other laptops and get easier information.

Anyway it's OK to be safer--in certain scenarios someone could possibly stumble across such info, it just isn't all that likely.

I would also like to thank you for being so appreciative. Some people come on forums like this and demand help as if it were a birthright. And never say a thank you. That is a disincentive for some people like me to help--we are in malware removal where you already have to deal with the evil people are doing to each other. Dealing with people like you is much more pleasant and we give what help we can gladly. :thumbsup:

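An added example (not from this thread, and not Flash Disinfector's code) of the check Papakid's post calls for before the rescued drive is browsed on the working PC: read the drive's autorun.inf for directives that would launch a program, and confirm whether the protective Autorun.inf folder is in place. The function names and the two sample autorun.inf texts are constructed for illustration.

```python
"""Inspect a rescued drive's autorun.inf before browsing it on the working PC.

Added example for this thread; not code from BleepingComputer or from Flash
Disinfector. parse_autorun, autorun_findings, drive_status, protect_drive and
the sample INF texts below are constructed for illustration.
"""
import re
from pathlib import Path

# Constructed sample in the style of a worm-dropped autorun.inf: "open" and a
# shell verb point at a hidden executable (placeholder name), the default verb
# is redirected to it, and "action" mimics Explorer's own AutoPlay prompt.
SAMPLE_MALICIOUS = """\
[AutoRun]
open=RECYCLER\\hidden\\dropper_EXAMPLE.exe
shell\\open\\Command=RECYCLER\\hidden\\dropper_EXAMPLE.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed benign sample: icon and label only, nothing that can execute.
SAMPLE_BENIGN = """\
[autorun]
icon=setup.ico
label=Vendor Disc
"""

EXEC_KEYS = {"open", "shellexecute"}                  # directives that run code
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command


def parse_autorun(text: str) -> dict:
    """Return key -> value for the [autorun] section, keys lower-cased.
    Tolerates odd case, whitespace and junk lines, as real droppers did."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> list:
    """List why this autorun.inf should be treated as hostile; an empty list
    means it only sets icon/label, which cannot launch anything."""
    entries = parse_autorun(text)
    findings = [f"{k}= launches {v}" for k, v in entries.items()
                if k in EXEC_KEYS or SHELL_CMD.match(k)]
    if "shell" in entries and any(SHELL_CMD.match(k) for k in entries):
        findings.append(f"default verb redirected to shell\\{entries['shell']}")
    if entries.get("action", "").lower().startswith("open folder"):
        findings.append("action= imitates Explorer's 'Open folder' prompt")
    return findings


def _autorun_path(root: Path) -> Path:
    """Find autorun.inf whatever its case (FAT/NTFS are case-insensitive)."""
    for entry in root.iterdir():
        if entry.name.lower() == "autorun.inf":
            return entry
    return root / "autorun.inf"


def drive_status(root: Path) -> dict:
    """Report whether the drive root carries an autorun.inf, whether it is the
    protective folder (the Flash Disinfector idea) and, if it is a file, what
    it would launch."""
    target = _autorun_path(root)
    status = {"present": target.exists(), "protected": target.is_dir(),
              "findings": []}
    if target.is_file():
        status["findings"] = autorun_findings(
            target.read_text(errors="replace"))
    return status


def protect_drive(root: Path) -> bool:
    """Occupy the autorun.inf name with a folder so a worm cannot drop a file
    there. Returns False if a real autorun.inf file is present (inspect and
    remove it first). FD also made its folder hard to delete; not replicated."""
    target = _autorun_path(root)
    if target.is_file():
        return False
    target.mkdir(exist_ok=True)
    return target.is_dir()


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS),
                         ("benign", SAMPLE_BENIGN)):
        print(name, autorun_findings(sample) or ["no executable directives"])
```

Point `drive_status(Path("E:/"))` (or the mount root on a Linux rescue system) at the enclosure before opening anything on it; a non-empty findings list means the drive should be cleaned, not browsed.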
