
Have virus, can't access Internet; virus protection was disabled


This topic is locked
19 replies to this topic

#1 scouter

  • Members
  • 41 posts

Posted 20 July 2009 - 03:24 AM

Hi and thanks in advance for your help!

I have some type of virus on my home computer, but I am not sure what it is or how to remove it. I currently can not access the Internet and my virus protection was disabled after being attacked repeatedly some time ago. I currently do not have this computer connected to the Internet and it does not have a firewall or virus protection on it.

I had posted to BC's "Am I Infected? What do I do" Forum and BC 1st Responder Rigel was helping me with this problem, but after successfully deleting a Trojan after many steps, we still couldn't resolve it. Rigel advised me to post to the HJT forum for further help and to post a link back to the topic so y'all could see what had been done so far. I'm not sure how to post a link, even tho' Rigel gave me instructions, so I hope copying & pasting the web address to that topic is sufficient. :)

http://www.bleepingcomputer.com/forums/t/237160/cant-access-internet-virus-protection-disabled-think-i-have-a-virus/

I have tried to be very "exact" with telling Rigel what was going on with my computer each step of the way since I know next to nothing about computers, so I apologize for the prolific topic posts above . . . and . . . for those ahead. :thumbup2:

I downloaded and ran the DDS Tool successfully on my infected computer. I hope I've been able to attach the Attach.txt file correctly for you. Below is the DDS.txt log.

Thanks again! :)

Scouter

_________________________________________________________

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 1:21:31.48 on Mon 07/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.198 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Ultra MP4 Converter\groupmanager.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ituness\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uWindow Title = Microsoft Internet Explorer provided by AcademicPlanet.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=c:\winnt\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Keyboard Preload Check] c:\oemdrvrs\keyb\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [ALUAlert] "c:\program files\symantec\liveupdate\ALuNotify.exe" "/LOWDISKSPACE C"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [GroupManager] c:\program files\ultra mp4 converter\groupmanager.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\ituness\iTunesHelper.exe"
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRunOnce: [RunNarrator] Narrator.exe
IE: c:\progra~1\common~1\btlink\btlink.dll//iemenu
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202437107562
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: NameServer = 85.255.112.7,85.255.112.88
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} -
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\winnt\system32\drivers\ATMHELPR.SYS [2003-2-9 4064]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2003-1-10 6736]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 EraserSvc10910;Symantec Eraser Service;"c:\program files\norton internet security\engine\16.5.0.135\ccsvchst.exe" /h cccommon --> c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\winnt\system32\drivers\rootrepeal.sys --> c:\winnt\system32\drivers\rootrepeal.sys [?]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-12-6 1251720]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\winnt\system32\drivers\xbreader.sys [2001-1-3 19677]

=============== Created Last 30 ================

2009-07-06 12:08 --d----- c:\winnt\ERUNT
2009-07-06 11:51 --d----- C:\SDFix
2009-06-28 19:26 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-28 19:26 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-06-28 19:26 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 19:26 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-22 15:36 12,160 a------- c:\winnt\system32\drivers\mouhid.sys
2009-06-22 15:36 12,160 a------- c:\winnt\system32\dllcache\mouhid.sys

==================== Find3M ====================

2006-08-13 19:22 29,784 a------- c:\program files\popcorn Terms.html
2004-04-04 22:55 6,262,872 a------- c:\program files\psa2se_us.exe
2004-01-15 05:04 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf
2003-02-05 11:31 25,899 a------- c:\program files\read1040.wri
2001-07-26 17:58 47 a------- c:\program files\ACMonitor_X73.ini
2001-07-05 13:46 8,116 a------- c:\program files\OSLO3071b2.USB
2001-05-11 12:39 53,248 a------- c:\program files\ACMonitor_X73.exe
2001-05-08 17:36 114,688 a------- c:\program files\lxarscan.dll
2001-04-23 15:22 1,437 a------- c:\program files\gtx73.ini
2001-02-22 10:54 768 a------- c:\program files\x73_lut.dat
2004-08-04 01:56 1,028,096 ---sh--- c:\winnt\system32\mfc42.dll
2004-08-04 01:56 413,696 a--sh--- c:\winnt\system32\msvcp60.dll
2004-08-04 01:56 343,040 a--sh--- c:\winnt\system32\msvcrt.dll
2004-08-04 01:56 83,456 a--sh--- c:\winnt\system32\olepro32.dll
2004-08-04 01:56 11,776 ---sh--- c:\winnt\system32\regsvr32.exe
2008-11-11 19:13 16,384 a--sh--- c:\winnt\temp\cookies\index.dat
2008-11-11 19:13 16,384 a--sh--- c:\winnt\temp\history\history.ie5\index.dat
2008-11-11 19:13 32,768 a--sh--- c:\winnt\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 1:22:32.40 ===============


Edited by Orange Blossom, 21 July 2009 - 11:09 PM.
Activate topic link. ~ OB
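The DDS log above carries several indicators a helper reads before anything else: the statically set resolvers on the `TCP: NameServer` line, and the toolbar and explorer-bar registrations that point at files which no longer exist. The ComboFix output later in this thread adds a second kind of indicator, registry values that switch off Security Center monitoring and the Windows Firewall profile. The following Python script is an added example, not part of the original thread and not code from the DDS or ComboFix tools; it parses lines in those two formats and returns the findings. The sample lines are constructed to match the logs in this thread, and the known-bad resolver list (seeded with the publicly documented DNSChanger range 85.255.112.0/20) is an assumption you would replace with your own threat-intel list.

```python
import ipaddress
import re

# Constructed sample in the format of a DDS "Pseudo HJT Report", modelled on the
# log posted above (the two DNS addresses are the ones that log shows).
SAMPLE_DDS = r"""
uLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
TCP: NameServer = 85.255.112.7,85.255.112.88
"""

# Constructed sample in the REGEDIT4 style ComboFix uses for "Reg Loading
# Points", modelled on the keys shown in the ComboFix log later in the thread.
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumption of this example: a reader-maintained list of resolver ranges known
# to be malicious. 85.255.112.0/20 is the publicly documented DNSChanger range.
KNOWN_BAD_DNS = [ipaddress.ip_network("85.255.112.0/20")]


def parse_hjt_lines(text):
    """Split DDS pseudo-HJT lines into (kind, value) pairs, e.g.
    'TCP: NameServer = a,b' -> ('TCP', 'NameServer = a,b'); lines with no
    'KIND: ' prefix (uLocal Page = ...) get kind ''."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, sep, rest = line.partition(": ")
        if sep and " " not in kind:
            entries.append((kind, rest.strip()))
        else:
            entries.append(("", line))
    return entries


def suspicious_nameservers(entries, known_bad=KNOWN_BAD_DNS):
    """(address, reason) for each statically configured resolver that is in a
    known-bad range or is a public address that should be confirmed with the ISP."""
    findings = []
    for kind, value in entries:
        if kind != "TCP" or not value.startswith("NameServer"):
            continue
        _, _, addrs = value.partition("=")
        for token in addrs.split(","):
            token = token.strip()
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append((token, "unparseable address"))
                continue
            if any(ip in net for net in known_bad):
                findings.append((token, "in known DNSChanger range"))
            elif not ip.is_private:
                findings.append((token, "static public resolver; confirm it is the ISP's"))
    return findings


def orphan_entries(entries):
    """Toolbar/explorer-bar/BHO registrations whose file is gone: harmless by
    themselves, but clean-up candidates and sometimes residue of removed malware."""
    return [(kind, value) for kind, value in entries
            if kind in ("TB", "EB", "BHO") and value.endswith("- No File")]


def disabled_protections(reg_text):
    """Find Security Center monitoring or a Windows Firewall profile switched off.
    Legitimate AV suites also set the vendor-specific Monitoring subkeys, so
    treat hits as leads to confirm, not as proof of infection."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.+)', line)
        if not m or current_key is None:
            continue
        name, val = m.group(1), m.group(2).strip()
        if "security center" in current_key and name == "DisableMonitoring" \
                and val.endswith("00000001"):
            findings.append((current_key, "Security Center monitoring disabled"))
        elif "firewallpolicy" in current_key and name == "EnableFirewall" \
                and val.startswith("0"):
            findings.append((current_key, "Windows Firewall profile disabled"))
    return findings


def triage(dds_text, reg_text):
    """Run every check and group the findings a helper would act on first."""
    entries = parse_hjt_lines(dds_text)
    return {"nameservers": suspicious_nameservers(entries),
            "orphans": orphan_entries(entries),
            "protections": disabled_protections(reg_text)}
```

Run `triage(SAMPLE_DDS, SAMPLE_COMBOFIX_REG)` to see all three groups; on the sample both resolvers land in the known-bad range, which is exactly the kind of hit that explains "can't access the Internet" and "virus protection was disabled" far better than the process list does. The resolver check deliberately stays quiet about private addresses and only asks for confirmation of public ones, because a static ISP resolver is normal and a hard-coded one is not proof of anything on its own.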




#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 30 July 2009 - 11:19 AM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 scouter

  • Topic Starter
  • Members
  • 41 posts

Posted 30 July 2009 - 12:06 PM

Hi Syler. I am so happy to have your assistance. Thank you, Thank you, Thank you!

I've unsuccessfully attempted to run Malwarebytes' Anti-Malware three times as instructed by BC's Rigel and now by you, but the infection is still blocking it.

Unfortunately, when I attempted to run RSIT, I got the following message:

C:\Documents and Settings\Owner\Desktop\RSIT.exe is not a valid Win32 application.

Thanks!

Scouter


#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 30 July 2009 - 12:19 PM

Hi scouter,

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.



#5 scouter

  • Topic Starter
  • Members
  • 41 posts

Posted 30 July 2009 - 01:42 PM

Hey Syler,

I ran into a problem running ComboFix. When I get to the screen where it says "This machine does not have the 'Microsoft Windows recovery console' installed. Click 'Yes' to have ComboFix download/install it. NOTE: this requires an active internet connection."

Okay, I can't access the Internet with this computer as the infection is blocking Internet access. Also, I DO NOT currently have virus protection installed on this computer (the Symantec tech had me uninstall Norton Internet Security 2009 & then I was supposed to have my ISP company reset the internet connection & get back with Symantec at that point for further assistance. However, the ISP tech said I had a virus after doing some type of ping pong technique so I haven't gotten back with Symantec yet as NIS 2009 wasn't working due to the virus in the first place.) Anyway, I currently don't have a Firewall turned on, virus protection installed, nor Internet access on this computer. The computer is currently disconnected from the Internet as a further safety precaution.

I have to use an old laptop to download the programs to a CD & then load the programs on the infected computer at that point to try & run them to follow your instructions. Is there a way perhaps that I can use this technique to get the Microsoft Windows recovery console and load it on my infected computer and then at that point run ComboFix?

Help!

Sorry for the further problems.

Thanks!

Scouter


#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 30 July 2009 - 01:48 PM

Hi scouter

It's no problem at all.


Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer the file you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.



#7 scouter

  • Topic Starter
  • Members
  • 41 posts

Posted 30 July 2009 - 04:48 PM

Syler,

Yikes! I am a big fraidy-cat! :) Regarding the Windows Recovery Console, please verify for me that I did download the correct file before I go any further with adding it to my infected computer. I just don't want to accidentally "reformat" my computer or something by installing the wrong file. (I have Windows XP Home Edition version 5.1.2600 with Service Pack 2.0 installed on this infected computer.)

This is the file I downloaded WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

(By the way, if it helps, I do have the original Windows XP Service pack 2 CD that I ordered from Microsoft way back when.)

I do appreciate your patience with my "fraidy-catness" and my general computer illiteracy. :thumbup2:
  • Also, you had originally instructed me to "Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system." Obviously, I am not familiar with the ComboFix program, but I have used the HijackThis program in the past when I was receiving previous assistance from Bleeping Computers. From that era, circa 2005-2006, I have an older version of HijackThis (version 1.99.0.1) still on my infected computer and that version of HijackThis WILL NOT run.
  • I assume the infection is also blocking this program.
  • Where do I download an updated version of HijackThis from? OR
  • Do you want me to just hold off on HijackThis until later since the older version currently won't run?
Thanks so much!

Scouter


#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 30 July 2009 - 05:08 PM

I can confirm that you have downloaded the correct file :thumbup2:

There is no problem at all with you asking questions, I would prefer you to ask about something if you are unsure, rather than go ahead and do something wrong. You asked a good question about Hijackthis, I actually meant to remove that bit from my speech as I don't really need a Hijackthis log at this point, a combofix log will do, as you correctly pointed out you have an older version of Hijackthis, since this is no longer of any use you can uninstall this.


  • Click "start" on the taskbar and then click on the "Control Panel" icon.
  • Please double-click the "Add or Remove Programs" icon.
  • A list of programs installed will be "populated"; this may take a bit of time.
  • If they exist, uninstall the following by clicking on the following entries and selecting "remove":

HijackThis 1.99.0.1

Additional instructions can be found Add or Remove programs.



#9 scouter

  • Topic Starter
  • Members
  • 41 posts

Posted 30 July 2009 - 08:32 PM

First, thank you so much for your graciousness in general, and specifically for making me feel better about my ineptness with computers. I have truly learned so much from the Bleeping Computer experts over the years, but still I feel bad about say for example that it takes me soooo long to figure out how to perform the steps you've given me to do. Then sometimes, I just still don't understand how to do something, even after asking for further clarification. For example I couldn't figure out how to "post a link back to the topic" when I first posted in the HJT forum so you could see what Rigel had already had me try to do to solve my computer problem. (Fortunately, Moderator Orange Blossom took care of that for me.) I guess the important thing for me to remember is that just like in all walks of life, people are usually more than happy to help you, if you just ask. Right? Please do know though that I am extremely, extremely grateful to you and all of the BC experts for taking the time to provide assistance. You are WONDERFUL!

Second, after I ran the ComboFix program, I went to Add & Remove & deleted the old version of HijackThis 1.99.0.1 per your instructions, but I got a message that said "HijackThis.exe must be deleted manually." I went to Program Files & deleted the HijackThis.exe file from there.

Third, regarding the second entry on the ComboFix.txt file "c:\program files\popcorn Terms.html" I wrote the following note in a previous post when BC 1st Responder Rigel was helping me before he referred me to the HJT forum and on into your most capable hands.
  • I should also tell you that under my Program Files there is a file called "popcornTerms.html" left over from a previous virus/spyware (?) infection circa 2006, that Bleeping Computers expert Buckeye Sam helped me with. If I try & delete that file, it loads whichever virus or spyware again that was associated with it. Whatever problem that I was having with my computer at the time, did not reappear, [at least I don't think it did] so I haven't messed with the file since that time. [I would really like to get rid of it though because it just doesn't feel right to have a file such as that on my computer you know!?!]
Finally, below is the ComboFix.txt file. (P. S. I am SO EXCITED :thumbup2: that ComboFix worked after having so many programs not run because of that stupid infection!!!)

Again, thanks very much!

Scouter

_____________________________________________________________

ComboFix 09-07-29.04 - Owner 07/30/2009 18:38.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.305 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~WRD3317.tmp
c:\program files\popcorn Terms.html
c:\winnt\Downloaded Program Files\temp
c:\winnt\system32\_000008_.tmp.dll
c:\winnt\system32\drivers\MSIVXabhnhcnlrwlhhoqsbafuedxetejwpwvl.sys
c:\winnt\system32\MSIVXbtslpugvnodlelkumixlccodymtupetr.dll
c:\winnt\system32\MSIVXcount
c:\winnt\system32\MSIVXjarfigvxylhrkqbigpfqnmthqwvlhcki.dll
c:\winnt\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2100-02-23 20:35 . 2001-02-22 15:54 768 ----a-w- c:\program files\x73_lut.dat
2100-02-08 22:03 . 2001-05-11 17:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2009-07-06 17:08 . 2009-07-06 17:08 -------- d-----w- c:\winnt\ERUNT
2009-07-06 16:51 . 2009-07-06 18:24 -------- d-----w- C:\SDFix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 07:55 . 2006-01-13 02:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2009-07-07 03:41 . 2009-06-29 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 18:31 . 2009-06-08 19:32 -------- d-----w- c:\program files\DivX
2009-06-29 21:41 . 2009-05-13 01:41 -------- d-----w- c:\program files\Bonjour
2009-06-29 05:38 . 2003-10-06 03:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-29 00:26 . 2009-06-29 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-17 16:27 . 2009-06-29 00:26 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-06-29 00:26 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-06-16 23:23 . 2003-01-18 00:45 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-06-16 22:12 . 2009-02-15 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-12 03:13 . 2009-02-15 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-09 16:23 . 2009-04-05 22:45 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-06-08 19:36 . 2009-06-08 19:36 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-06-02 20:23 . 2003-02-18 02:43 197496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 02:13 . 2009-05-31 02:13 73516 ----a-w- c:\winnt\Fonts\Boop000.ttf
2009-05-13 01:55 . 2009-05-13 01:55 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2004-04-05 03:55 . 2004-04-05 03:19 6262872 ----a-w- c:\program files\psa2se_us.exe
2004-01-15 10:04 . 2004-08-22 16:55 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
2003-02-05 16:31 . 2003-02-22 00:45 25899 ----a-w- c:\program files\read1040.wri
2001-07-26 22:58 . 2000-01-11 18:50 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 18:46 . 2001-07-20 16:48 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 22:36 . 2000-12-05 21:56 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 20:22 . 2100-02-08 21:53 1437 ----a-w- c:\program files\gtx73.ini
2004-08-04 06:56 . 1980-01-01 06:00 1028096 --sh--w- c:\winnt\system32\mfc42.dll
2004-08-04 06:56 . 1980-01-01 06:00 413696 --sha-w- c:\winnt\system32\msvcp60.dll
2004-08-04 06:56 . 1980-01-01 06:00 343040 --sha-w- c:\winnt\system32\msvcrt.dll
2004-08-04 06:56 . 1980-01-01 06:00 83456 --sha-w- c:\winnt\system32\olepro32.dll
2004-08-04 06:56 . 1980-01-01 06:00 11776 --sh--w- c:\winnt\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-07-10 114688]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"GroupManager"="c:\program files\Ultra MP4 Converter\groupmanager.exe" [2009-02-20 32256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\ituness\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\winnt\system32\narrator.exe [2004-08-04 53760]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\winnt\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\winnt\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\ituness\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ATMhelpr;ATMhelpr;c:\winnt\system32\drivers\ATMHELPR.SYS [2/9/2003 2:25 AM 4064]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [1/10/2003 6:53 PM 6736]
S2 EraserSvc10910;Symantec Eraser Service;"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe" /h ccCommon --> c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\winnt\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Keyboard Preload Check - c:\oemdrvrs\KEYB\Preload.exe
HKLM-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALuNotify.exe
HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 18:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606792199-3588779736-1344124677-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-30 18:52
ComboFix-quarantined-files.txt 2009-07-30 23:51
ComboFix2.txt 2006-08-24 03:08

Pre-Run: 6,055,833,600 bytes free
Post-Run: 6,055,567,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

158 --- E O F --- 2009-06-16 17:40
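The ComboFix registry section above is where the posture problems syler points out next are visible: Security Center monitoring switched off, the Windows Firewall standard profile disabled, and 3389/TCP globally open. As an added example (not part of the thread and not ComboFix's own code), this script parses a REGEDIT4-style dump of that section and flags those indicators; the sample text is constructed to mirror the log's lines.

```python
"""Flag security-posture indicators in a ComboFix-style registry dump.

Added example, not part of the thread or of ComboFix. The sample text is
constructed to mirror the relevant lines of the "Reg Loading Points" log.
"""
import re

# Constructed sample modelled on the log's registry section.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_sections(text):
    """Return {key_path_lowercased: {value_name: raw_data}} for the dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def find_findings(text):
    """Return a list of (severity, message) for posture problems in the dump."""
    findings = []
    for key, values in parse_sections(text).items():
        # Security Center monitoring off: AV/firewall warnings are silenced,
        # so the user never sees that protection has been disabled.
        if "security center\\monitoring" in key and \
                values.get("DisableMonitoring", "").endswith("1"):
            findings.append(("high", f"Security Center monitoring disabled under {key}"))
        # Windows Firewall standard profile turned off.
        if key.endswith("firewallpolicy\\standardprofile") and \
                values.get("EnableFirewall", "").startswith("0"):
            findings.append(("high", "Windows Firewall disabled (EnableFirewall=0)"))
        # Ports opened on every network, e.g. 3389/TCP (Remote Desktop).
        if key.endswith("globallyopenports\\list"):
            for name in values:
                findings.append(("medium", f"Globally open port {name}"))
    return findings


if __name__ == "__main__":
    for severity, message in find_findings(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run on the constructed sample it reports two disabled-monitoring keys, the disabled firewall and the open 3389/TCP port; a dump without those keys yields no findings.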

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:54 PM

Posted 31 July 2009 - 02:11 PM

Hi scouter,

Unfortunately Combofix shows that you had a Rootkit on your machine, which is what I suspected, so I have to give you this warning about Rootkits and the option to format; however, if you decide to go on cleaning that is no problem. The first thing we need to do if you decide to go on cleaning is get an Anti-Virus installed, then we can run a scan with MBAM, which should be able to run now.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Next

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Then please post back here with the following:
  • MBAM log
  • OTListIt.txt
  • Extra.txt
Thanks



#11 scouter

scouter
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 02 August 2009 - 02:05 PM

Hi Syler,

Ooo I am so sorry to hear that. :) I know I have some questions I need answers to before I can make the decision to reformat or . . . not . . . but I have to leave the house almost immediately today, and I don't have time to sit and think about those very same questions in order for me to ask them of you. (Sorry--I am a very sloooow thinker. :) )

Reformatting to me is a BIG deal just because of all the many years of volunteer work I have stored on this computer. I do have a 1 TB external hard drive (Maxtor OneTouch 4Plus) that I recently bought (well a couple of months ago anyway) and attempted to back up all my files on; however, I am not certain it was backed up properly nor do I know exactly when I got the backdoor trojan and whether or not it would be on the backed-up files. (??) We have a lot of family photos on this computer of things such as my son's Philmont Boy Scout trip, his Eagle project work and my daughter's Girl Scout Gold Award project, etc. that are priceless. These photos have been backed up to CDs thank goodness. But still, the amount of work I've done in the past to be potentially lost and the further loss of the original pictures is just mind-boggling for me.

In any case, we have 2 kids going off to college later this month, and we are busy shopping for furniture for them today.

Can I get back with you tomorrow to ask those questions concerning reformatting please?

Thanks again for your continued patience. I really appreciate you & your extensive knowledge!! :thumbup2:

Scouter

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:54 PM

Posted 02 August 2009 - 05:03 PM

Hi scouter,

Sorry to be the bearer of bad news on that :thumbup2: I will await your questions and I will do my best to answer them and help you make the correct decision for you. If you decide to format, I don't think you are going to have to lose any of your photos, documents, etc., since you have a big enough hard drive to back up your data. I don't think that you are likely to have backed up the backdoor files onto your external HD, unless you were backing up data from your system folders.

Regards
Syler



#13 scouter

scouter
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 06 August 2009 - 03:33 AM

Hi Syler,

I do apologize for the delay in my reply—I had a Dr’s appt. where I had a persistent wart frozen yet again on my finger and it was difficult to type for a few days.

Sooo . . . to reiterate—this computer is NOT currently hooked up to the Internet nor do I have the firewall currently turned on. I removed my virus protection, Norton Internet Security 2009, at the direction of a Symantec tech so that is why there is no virus protection currently installed. Symantec told me to contact my Internet Service Provider and then contact Symantec to reinstall NIS after I had my Internet connection re-set. When I called my ISP, they attempted to reset the internet connection and had me do a lot of steps to check my computer and something called “Ping” pong & said something about only half of my Internet Connection was getting through which meant I had a virus. I haven’t contacted Symantec yet because of the malware problem.

I debated about which type of antivirus protection to purchase this year. I had originally purchased AVG, but it didn’t specify “2009” on it, so I was worried about it being the most up to date version. I exchanged it for NIS 2009 since that is what I had installed in the past. Obviously NIS 2009 let the backdoor Trojan through, so do you recommend that I get a different virus protection?

This computer has never been used for financial matters such as online banking. I normally use PayPal for any online purchases I’ve made, although I know my kids have purchased a few items in the past using my credit card when PayPal wasn’t available. But, I can’t remember if I had any credit card information or other personal information like that stored in the NIS 2009 function of “securely stores & manages your login and personal information.” I know I did with the previous version of NIS I had, but I just can’t remember whether I did with this one or not or if it would be compromised within NIS. I’m assuming that would be possible too since the malware was able to disable my virus protection in the first place.

For a bit of background on my computer . . . copying a note from my first post . . .

My computer is a very old, very “full” one running Windows XP Home Edition version 5.1.2600 with Service Pack 2.0. About 6 months ago, my computer quit working, and I had a new hard drive put in, but the technician partitioned it. I am very computer illiterate, so I’ve just been managing with the part of the hard drive that had my files on it so my Drive C has an error message of “Low Disk Space” flashing on the lower right of my desktop. I also have a 1 TB Maxtor External Hard Drive which we just got a couple of months ago. We attempted to back up my computer to the external hard drive right after we got it, but I’m not sure we did it successfully.


Okay, so my hard drive is partitioned into Drives C & E on my computer, but Drive E is not formatted. As I keep saying—“I don’t know ‘nuthin’ about computers” so I’ve just left Drive E alone and have been “limping” along with my very full, very slow Drive C (total drive is 58.5 GB but only has 5.67 GB free space). I finally, finally, finally deleted enough files that I no longer have the “Low Disk Space” error message flashing on Drive C. I had originally hoped to be able to have the computer tech who installed my new hard drive to go back and un-partition the hard drive for me once summer came around, but I didn’t get the chance to do that due to the infection.

I had hoped to then set up the 1 TB “Maxtor OneTouch 4 Plus” external hard drive to back up my data nightly. My husband loaded the software for the Maxtor and attempted to back up my files for me several months ago. He said “he could only back up a small amount of data at a time due to not having enough free disk space”. The Maxtor box states “Maxtor ‘SafetyDrill’ software actually prepares, boots, and recovers your PC’s entire boot drive contents in the event of a system failure, virus, or spyware infection.” So, I’m not sure what files are actually backed up currently on it as to whether I would have backed up the Trojan or not. I know under Drive G—the Maxtor drive—there is a file labeled "Maxtor backup" with “My Documents” listed, and then there are other files that pertain I guess to the Maxtor software. Under something called the “Active Plan: OurBackup” it says “Scheduled Backup is turned ON for backing up ALL file types, daily at 10:30 PM”. I looked at “View Back Up Log”-which had a date of 8-5-09 as the last time it was backed up. The files listed were all from “My Documents” so I guess that means there were no system files backed up. Eeek now I’m pretty confused!! :)

First off, I thought when you re-formatted a computer, you lost everything which was what was scaring me. I didn’t think about being able to back the files up first. I guess I figured that you “might” back up the malware along with any of your files including Word documents, etc. So thanks for clearing that up a little for me.

Since I have the unique situation of having a partitioned hard drive with one of the partitions (Drive E) not being formatted does this affect re-formatting Drive C?

Speaking of the unformatted Drive E—I keep asking computer savvy people the following question, but I haven’t gotten an answer yet. Can’t I just say “YES” to the message “The disk in drive E is not formatted. Do you want to format it now?” and that would take care of formatting it? Then I could actually use that extra space I paid for :cool: to transfer My Pictures files to it in order to free up Drive C—right?

  • Is there a tutorial that would help me in backing up my files to prepare for re-formatting the computer?
  • I would also need to back up my email messages due to my work for the last 8 years as the volunteer Service Unit Manager for Girl Scouts in my area. Is there a tutorial for how to back up your email messages too?
  • Then, I know there was a note on “When should I re-format “on one of the links you included in your last message, but is there a tutorial that walks you through the steps of re-formatting your computer?


I do have the CDs that came with my computer and the Windows XP Service Pack 2 CD. I can also probably find any other CDs for other information that I would need to re-install on the computer.

So based on what I’ve reported regarding my computer, do you still advise reformatting?

This is how I feel--you are the expert of course :thumbup2: and I’ll try and follow your advice. (:) Although I'm shaking in my boots!) Otherwise, why waste your valuable time asking for help?

Thanks so much,

Scouter

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:54 PM

Posted 07 August 2009 - 10:59 AM

Hi Scouter,

Ok lets try and answer your questions the best I can. My suggestion to reformat still stands, although it is up to you if you want to go ahead with it.

I had hoped to then set up the 1 TB “Maxtor OneTouch 4 Plus” external hard drive to back up my data nightly. My husband loaded the software for the Maxtor and attempted to back up my files for me several months ago. He said “he could only back up a small amount of data at a time due to not having enough free disk space”


You have a 1TB HD and that's not enough! Are you sure? If you can back up all your data on to your external Maxtor HD, do you really need to have two partitions on your internal HD? When you format you will get the option to delete both partitions and just create one drive; would this suit you?

1. Is there a tutorial that would help me in backing up my files to prepare for re-formatting the computer?


There are plenty of tutorials on how to do this, which I will point you in the direction of once you have decided what you want to do. As you said, your Maxtor HD has a built-in feature for backing up. I don't know how this works, but I'm sure you would have got a manual with it that explains this?

2. I would also need to back up my email messages due to my work for the last 8 years as the volunteer Service Unit Manager for Girl Scouts in my area. Is there a tutorial for how to back up your email messages too?


Yes, there are tutorials for this. Is it Outlook Express you want to back up from?

3. Then, I know there was a note on “When should I re-format “on one of the links you included in your last message, but is there a tutorial that walks you through the steps of re-formatting your computer?


There are plenty of guides out there that will explain how to format.

I do have the CD’s that came with my computer and the Windows XP Service Pack 2 CD. I can also probably find any other CD’s for other information that I would need to re-install on the computer.


You should also have a "drivers" CD which you will need when reformatting; if you can't find it, you will need to find the drivers you need on the internet.

I hope this helps. Let me know how you want to proceed in your next reply.

Regards
Syler



#15 scouter

scouter
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 11 August 2009 - 01:24 AM

Hi Syler, sorry for the late reply—I was away for the weekend. As I said previously—you are the expert, so if you recommend reformatting, then that's exactly what I will “tremblingly” do. I’m not about to WASTE your time and generosity by not following your most excellent advice!!

Let me explain just a bit further about my "silly" computer issues—and yes, they get even more complicated.

In July 2008, I had maxed out my previous hard drive and kept getting the “Low Disk Space” error message flashing. Finally, the computer quit working entirely one day—and to my way of thinking—just crashed. My husband works in an engineering solutions group that handles a chemical plant's "process control hardware" computer repair work. While he is excellent with the big computers (my description—not his), home computers are not his specialty. When my computer initially quit, my husband took it to work to “Nick”, who is a guy that is a computer engineer, and who works as a contractor for the same engineering solutions group my husband does. Nick took a look at it to see if he could both save all my files and fix the computer as a favor to my husband.

To my extreme happiness, Nick was indeed able to do both. He put a "new” hard drive in which fixed my problem. However, instead of it being a “new-new” hard drive, it was actually "Nick's personal brand-new hard drive" that he took out of his own computer and put into mine just to see if it would fix the problem. Since it did fix the problem, we paid Nick for the hard drive, and he just left it in my computer and bought another hard drive to replace his. So the hard drive was already partitioned into two equal size drives according to Nick's preference—not mine and that is how he left it. Nick initially told my husband that he left the drive partitioned because of some type of “issues” my computer had with the new hard drive. Whatever that meant--??

Unfortunately after Nick recovered all my files and reinstalled them on my new hard drive C, I again started to receive the “Low Disk Space” error message flashing because the “new” hard drive C was partitioned to exactly the same size as the old drive C. In addition the other part of the drive—drive E—was unformatted, so I couldn’t use it at all to help free up drive space on C.

After MUCH prompting and--okay--pleading from me, some four months later, my husband asked Nick if he would un-partition the drive for me. Nick said yes he would do that for me because it was pretty complicated--Now I'm not sure if he meant because of the "issues he said my computer had with the new hard drive" or just because the un-partitioning step itself was complicated. BUT, I had to wait until my Girl Scout duties were over in May/June 2009 before I could release my computer long enough for Nick to work on it because I use my computer so much for my volunteer work. [In the meantime, I got the malware/backdoor Trojan issue on my computer that you have been helping me with.]

After again much prompting and pleading, several months ago, I talked my husband into getting the super big Maxtor 1 TB external hard drive to use to just back up all my data each night. I don’t ever want to have to be scared of losing my data again. So that’s the purpose behind the huge external hard drive.

To be honest, I am sooo tired of all my computer issues which I’ve been dealing with for over a year with the “Low Disk Space” error messages, the computer crash, etc. and of course now the malware. Remember I know nothing about computers so I have had no idea how to fix what was wrong. Our personal life has been so incredibly, hectically busy between my husband working, our volunteer work in both Boy Scouts & Girl Scouts & school, supporting our son through his senior year in high school on the swim team/his swim meets, and all the committees for Project Graduation, running back & forth to our daughter’s college town to support her, etc. that when I look back over the past year, I truly don’t know exactly how we all lived through it. It was wild!

So to answer your queries:
  • Yes I would like to have just one drive rather than a partitioned drive. I want to just be able to use my computer on “one drive” the way I had been used to using it in the past before the initial hard drive crashed.
  • There was not a paper manual with the Maxtor external hard drive, although I am sure there would have had to be some type of manual either on the set up CD or perhaps online that my husband used to set it up initially.
  • Outlook Express is the email program that I use that I would need to back up my emails from.
  • Regarding all the tutorials I was asking about—I was hoping that there would be Bleeping Computer tutorials to explain what I need to do as the BC tutorials I’ve used in the past when I’ve been doing whatever step the tech asked me to do have all been excellent with screen shots and easy to follow instructions. (You guys really rock!)
  • I do have the CD with the (Gateway) Drivers and the Windows XP Home Edition Operating System CD in addition to the Windows Service Pack 2 CD I mentioned before. I also found the original paper “Gateway Computer User’s Guide” that came with my computer, but there is not much information in it on re-formatting.
What’s next please?

Thanks,

Scouter



