Winbluesoft


11 replies to this topic

#1 tapley54


Posted 29 May 2009 - 02:27 PM

I've read a couple topics on this virus, and found that my symptoms differ, so I decided to make a new post.


System:

Dell XPS 400 with Windows XP 2002 SP3
AVG antivirus - last update/scan <1 week ago
ZoneAlarm firewall
Spybot S&D - last update/scan <1 week ago


Symptoms:

Winbluesoft running in tray on startup.
Winbluesoft "scanning" my computer for viruses on startup (no prompts).
Ran AVG scan (logged in on secondary user's profile - my wife was the one that discovered the virus), which found 4 files, removed 2, and said a restart was required to remove the others. Upon restart, Windows freezes at the sign-in screen and has to be hard reset. (3 attempts and couldn't sign on that profile.)
Logged in on administrator profile, found that Winbluesoft is also running on admin profile! (Wife's profile doesn't have admin privileges.)
Firefox attempts to redirect web browsing (i.e. when I googled "winbluesoft" and clicked the link to come to this website, it redirected me to http: //101.coolberg.com/xtr_new?q=winbluesoft&enc=WwEemPOE6rzu2szFEZh3gBUxAJAMI4Zc0+hqGQbEug==, which redirects me to http: //www.cs102175.com/click.php?s=1&k=422678427, which redirects me to http: //smartbizsearch.com/search.php?q=winbluesoft&sa=1&sid=2096909279&p=2 -- spaces inserted to prevent links from appearing in my post). To get here I had to manually enter the URL shown on Google.
Spybot S&D won't launch from any shortcut.

Actions taken:

Using Task Manager, ended process WinBlueSoft.exe.
Read entire thread found here.
Downloaded MBAM, had to use random renaming utility to get it to run, and scanned PC.

Log:
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

5/29/2009 12:24:35 PM
mbam-log-2009-05-29 (12-24-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 253541
Time elapsed: 49 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpressVids (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{54ea3428-8718-42e3-b3dd-f30e5690ff8a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{54ea3428-8718-42e3-b3dd-f30e5690ff8a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{54ea3428-8718-42e3-b3dd-f30e5690ff8a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Teia\Start Menu\Programs\ExpressVids (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\ExpressVids (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Teia\start menu\Programs\expressvids\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\expressvids\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\S-1-1-70-100022087-100001703-100028065-8929.com (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-9679656.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-9718531.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.


It's now saying I need to restart in order to complete the process. If I don't get locked out, I'll be sure to post my results or if I have any further issues.

Edited by tapley54, 29 May 2009 - 02:37 PM.
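As an added example (not part of the post or of the tools it names), the Python below parses the Trojan.DNSChanger lines from an MBAM log like the one above and reports, per ControlSet and interface key, which resolvers differ from the router's DHCP-assigned one. The sample lines are a constructed subset of the log above, and the expected 192.168.1.254 resolver is taken from the SmitFraudFix DNS section posted later in this thread.

```python
"""Audit the NameServer entries that a Malwarebytes (MBAM) log reports.

Added example, not part of the forum post or of MBAM itself. It parses the
"Registry Data Items Infected" lines MBAM emits for Trojan.DNSChanger and
lists, per ControlSet and interface key, any resolver that is not the one
the router hands out over DHCP.
"""
import ipaddress
import re

# Constructed sample: three NameServer lines copied from the log above plus
# one unrelated line in the same layout, so the parser has a negative case.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{54ea3428-8718-42e3-b3dd-f30e5690ff8a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.25,85.255.112.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# Matches the global Parameters\NameServer value and the per-interface one
# under Interfaces\{GUID}, in CurrentControlSet or any numbered ControlSet.
NAMESERVER_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\Tcpip\\Parameters(?:\\Interfaces\\\{(?P<iface>[0-9a-f-]+)\})?\\NameServer)"
    r" \((?P<detection>[^)]+)\) -> Data: (?P<data>[0-9.,]+)",
    re.IGNORECASE,
)


def parse_nameserver_entries(log_text):
    """Return one dict per NameServer line: key, control set, interface GUID, detection, IPs."""
    entries = []
    for line in log_text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if m is None:
            continue
        entries.append({
            "key": m.group("key"),
            "control_set": m.group("cs"),
            "interface": m.group("iface"),  # None for the global Parameters key
            "detection": m.group("detection"),
            "servers": m.group("data").split(","),
        })
    return entries


def rogue_servers(servers, expected):
    """Resolvers that are not in the expected set (the DHCP-assigned router here)."""
    allowed = {ipaddress.ip_address(ip) for ip in expected}
    return [ip for ip in servers if ipaddress.ip_address(ip) not in allowed]


def audit(log_text, expected=("192.168.1.254",)):
    """Map each rewritten registry key to the rogue resolvers it pointed at.

    The default expected resolver is the DhcpNameServer shown in the
    SmitFraudFix DNS section later in this thread; pass your own on another LAN.
    """
    findings = {}
    for entry in parse_nameserver_entries(log_text):
        bad = rogue_servers(entry["servers"], expected)
        if bad:
            findings[entry["key"]] = bad
    return findings


if __name__ == "__main__":
    for key, bad in audit(SAMPLE_LOG).items():
        print(f"{key}\n    rogue resolvers: {', '.join(bad)}")
```

Because every ControlSet carries its own copy of the key, a cleanup that only fixes CurrentControlSet leaves the rogue resolvers in place for the next boot that selects ControlSet002 or ControlSet003, which is why the audit reports each key separately.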



#2 tapley54


Posted 29 May 2009 - 02:47 PM

Successfully rebooted, and logged in.

Immediately upon logging in (my picture and user ID were still showing on the blue login screen) I heard the Windows error tone. The screen stalled for about 45 seconds, then loaded Windows, showing the following error on the screen:

C:\Program
Windows cannot find 'C:\Prgram'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then Search. (Only option is "OK".)

As Windows continued loading, I got another error (I'm pretty sure this occurred as soon as WinBlueSoft appeared in the tray):

Error
A Runtime Error has occurred.
Do you wish to debug?
Line: 4348
Error: 'vsifree' is null or not an object.
(I chose not to debug.)

After all my startup programs were loaded, I got this alert from my firewall software:

ZoneAlarm
WinBlueSoft.exe is trying to access the internet.
Destination IP: 192.168.1.254:DNS
(I chose to deny access.)

I went into the task manager, and ended the WinBlueSoft.exe process.

I'll be following the steps in the other thread. First I've updated MBAM (before the last scan it didn't update), and am running a quick scan. Next I'll be running SmitfraudFix.

I'll continue to work through those steps; please post if you have any other advice. Thanks in advance.

Edited by tapley54, 29 May 2009 - 02:52 PM.


#3 tapley54


Posted 29 May 2009 - 04:00 PM

Update: Did scans out of order, decided to let MBAM remove the 4 threats found and reboot. On reboot, system stalled on a blank, black screen (cursor visible/moveable) before showing the logon screen. Hard reset, logged on in safe mode, MBAM scan showed no threats. Shut down and restarted in normal mode; WinBlueSoft.exe ran on startup... Performing Smit & MBAM in proper order:

SmitFraudFix v2.417

Scan done at 13:41:06.56, Fri 05/29/2009
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\setup2.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="blocker.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{54EA3428-8718-42E3-B3DD-F30E5690FF8A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{54EA3428-8718-42E3-B3DD-F30E5690FF8A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{54EA3428-8718-42E3-B3DD-F30E5690FF8A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


MBAM found NOTHING?! (WinBlueSoft.exe ran on startup; ended process as fast as I could through the Task Manager menu... maybe it didn't get a chance to run and replace all the stuff I cleaned last scan?)

Malwarebytes' Anti-Malware 1.37
Database version: 2193
Windows 5.1.2600 Service Pack 3

5/29/2009 1:56:23 PM
mbam-log-2009-05-29 (13-56-23).txt

Scan type: Quick Scan
Objects scanned: 144610
Time elapsed: 13 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Going to run a full scan to see if maybe the quick scan just didn't catch it... will post results in ~50min.

Edited by tapley54, 29 May 2009 - 04:01 PM.


#4 tapley54


Posted 29 May 2009 - 05:02 PM

MBAM full scan found 1 threat that the quick scan did not.

Malwarebytes' Anti-Malware 1.37
Database version: 2193
Windows 5.1.2600 Service Pack 3

5/29/2009 3:00:23 PM
mbam-log-2009-05-29 (15-00-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 254117
Time elapsed: 46 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Teia\my documents\my pictures\wow\flashcodec.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.


Will reboot and report my results.

#5 TallyHo


Posted 29 May 2009 - 06:06 PM

Hi.
You might also try this.

Go to your Services
Start - Run - Services.msc - Enter
Scroll down to DNS Client
Double-click on DNS Client, then select to change the status to Start. (It's OK to leave it as Manual, if that is the current setting, but you will have to repeat this procedure in the future if you elect to flush your DNS cache again.)

Now you can run your - ipconfig /flushdns

Clear your ipconfig and renew your ipconfig at this same time:

start - Run - (type)ipconfig /releaseall
start - Run - (type)ipconfig /renew

It may be an idea to flush your system restore points too.

#6 tapley54


Posted 29 May 2009 - 08:56 PM

What impacts would flushing my DNS cache have? I don't really understand DNS caching; just want to make sure I know what I'm getting myself into before I go down that path.

#7 tapley54


Posted 29 May 2009 - 09:02 PM

Another update:

Rebooted in Safe Mode and ran DrWeb. 3-1/2 hours later, it had found about 10 infections, including in some of the files I just installed (e.g. it flagged a couple of files used by SmitFraudFix).

Rebooted to normal mode; PC stalls just after I click the login button. Hard reset. Login succeeds; WinBlueSoft.exe is still running on startup. Ended process through Task Manager.

I'm going to try more of the software suggested in the other thread, but would greatly appreciate any help I can get.

SmitFraudFix log (sorry it's not easy on the eyes... that's how it came out in the csv file):

S_m_i_t_f_r_a_u_d_F_i_x.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\David\Desktop\S_m_i_t_f_r_a_u_d_F_i_x.exe;Tool.Prockill;;
S_m_i_t_f_r_a_u_d_F_i_x.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\David\Desktop\S_m_i_t_f_r_a_u_d_F_i_x.exe;Tool.ShutDown.14;;
S_m_i_t_f_r_a_u_d_F_i_x.exe;C:\Documents and Settings\David\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\David\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\David\Desktop\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
63329BDCd01\SmitfraudFix\Process.exe;C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\99c0mntt.default\Cache\63329BDCd01;Tool.Prockill;;
63329BDCd01\SmitfraudFix\restart.exe;C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\99c0mntt.default\Cache\63329BDCd01;Tool.ShutDown.14;;
63329BDCd01;C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\99c0mntt.default\Cache;Archive contains infected objects;Moved.;
CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Incurable.Moved.;
A0125397.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP936;Trojan.Packed.365;Incurable.Moved.;
A0125469.com;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP937;BackDoor.Tdss.119;Deleted.;
524187.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;

#8 tapley54


Posted 30 May 2009 - 12:06 AM

Rebooted to Safe Mode; ran ATF and SAS as advised in the aforementioned thread. Then ran MBAM, which found 0 threats. Rebooted to normal mode... no change.

I'm starting to think I may just need to reformat... someone please help!

If I reformat, is there any way to save copies of documents on my PC without worrying they might be infected? I haven't had any way to back up most of the info, and some of it would be pretty difficult to replace.

#9 tapley54


Posted 31 May 2009 - 05:09 PM

After trying everything I could think of, and following the advice found in other threads, I finally just decided to reformat my hard drive.

#10 quietman7


Posted 01 June 2009 - 08:12 AM

I was going to advise that you did not follow all the instructions for using SmitFraudFix. The rapport.txt you posted indicates that you only ran option #1 while in normal mode but never completed the next step. However, even doing that would not resolve all your issues with this infection.

Anyway, sometimes a reformat or a factory restore is the best solution. In some instances the malware may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action.

Reformatting a hard disk deletes all data. Should you decide to reformat, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension to the existing extension of file(s), so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to copying it back to your hard drive.

Should you decide to reformat and you're not sure how to do that or need help, please review:
These links include step-by-step instructions with screenshots:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.
Also see How to keep your Windows XP activation after clean install.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media.

If you need additional assistance with reformatting or have questions about multiple hard drives, you can start a new topic in the Windows XP Home and Professional forum.
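The exclusion rules in the backup advice above, as an added example in Python that is not part of the post: it sorts a constructed set of file names (plus one in-memory .zip) into files that may be copied to backup media and files to leave behind, giving the reason for each. The extension lists are assumptions taken from the post's wording; the autorun.inf and flashcodec.exe names echo findings in the logs earlier in this thread.

```python
"""Triage files against the backup exclusions in the advice above.

Added example, not part of the post. It sorts a constructed set of file
names (plus one in-memory .zip) into files that may be copied to backup
media and files to leave behind, with the reason for each exclusion.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed from the post's wording: executables, screensavers and script files.
RISKY_EXT = {".exe", ".scr", ".php", ".asp", ".html"}
# The post says autorun (.ini); the MBAM log earlier removed C:\autorun.inf.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}
# Compressed formats the post warns about; only .zip can be inspected here.
ARCHIVE_EXT = {".zip", ".cab", ".rar"}


def hidden_extension(name):
    """True for names like 'budget.xls.exe', where a harmless-looking extension precedes a risky one."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in RISKY_EXT


def zip_has_executables(data):
    """Member names inside an in-memory .zip whose extension is risky."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if PurePosixPath(n).suffix.lower() in RISKY_EXT]


def classify(name, data=None):
    """Return None if the file may go to backup media, else the reason to leave it behind."""
    p = PurePosixPath(name)
    base, ext = p.name.lower(), p.suffix.lower()
    if base in AUTORUN_NAMES:
        return "autorun file"
    if hidden_extension(base):
        return "hidden extension: " + "".join(p.suffixes[-2:])
    if ext in RISKY_EXT:
        return f"risky type {ext}"
    if ext == ".zip" and data is not None:
        bad = zip_has_executables(data)
        if bad:
            return "archive contains executables: " + ", ".join(bad)
        return None
    if ext in ARCHIVE_EXT:
        # .cab/.rar (or a .zip with no bytes supplied) cannot be inspected, so stay conservative.
        return f"archive {ext} could not be inspected"
    return None


def build_sample():
    """Constructed sample set; names echo the findings in this thread's logs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wow/flashcodec.exe", b"placeholder, not a real program")
        zf.writestr("wow/readme.txt", b"plain text")
    return {
        "My Documents/taxes.xls": None,
        "Desktop/notes.txt": None,
        "My Pictures/wow/flashcodec.exe": None,
        "My Pictures/vacation.jpg.scr": None,
        "autorun.inf": None,
        "Downloads/pictures.zip": buf.getvalue(),
        "Downloads/drivers.cab": None,
    }


def triage(files):
    """Split {name: bytes-or-None} into (sorted safe names, {name: reason})."""
    safe, excluded = [], {}
    for name, data in files.items():
        reason = classify(name, data)
        if reason is None:
            safe.append(name)
        else:
            excluded[name] = reason
    return sorted(safe), excluded


if __name__ == "__main__":
    safe, excluded = triage(build_sample())
    print("copy to backup media:", *safe, sep="\n  ")
    for name, reason in excluded.items():
        print(f"leave behind: {name} ({reason})")
```

The list is a filter, not a scanner: files it lets through still get the anti-virus scan the post calls for before they are copied back.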

#11 tapley54


Posted 02 June 2009 - 05:47 AM

Thanks for the advice. I actually did the reformat over the weekend, before reading your post.

The virus prevented me from writing CDs, so I had to use a flash drive. I scanned the drive with 4 programs before copying any files back onto my hard drive, so hopefully that won't be an issue.

Interestingly, the virus also attempted to prevent me from reformatting. I would get started on installing from the factory CD, and it would suddenly tell me my CD drive was malfunctioning. A friend provided an XP Pro (I was running Home edition) install disc, and had the same issue. Fortunately, Windows 7 installed successfully (though it took several tries to get to the point where I could reformat).

So, if anybody else has trouble reformatting, it seems Windows 7 might be a work-around, and is a free download. If you don't want to run Windows 7 you could then try running your other OS discs. I think Windows 7 is pretty good, so I'll probably keep it. The biggest issue I've had with 7 is finding drivers for some of my devices.

#12 quietman7


Posted 02 June 2009 - 07:21 AM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:
Keep Windows and Internet Explorer current with all critical updates from Microsoft, which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun



