
Windows XP Restore malware


9 replies to this topic

#1 Striper

Striper

  • Members
  • 42 posts
  • OFFLINE
  • Gender:Male
  • Location:Dutchess County, NY
  • Local time:06:53 AM

Posted 19 June 2011 - 09:25 PM

Hey guys! Self-proclaimed noob here with my first post. First, I have to say, as a member of several self-help forum websites, this is hands down THE BEST one. Everyone here...moderators and members...are always willing to help - and always in an understanding and non-judgemental way (at least that I've seen so far!) - a refreshing change!

So I come before you, on my knees, hat in hand, begging you to part the waters before me and show me the way.

My machine: older HP Pavilion a800n - if needed I can figure out the detailed specs, but it's the standard set up.
Windows XP Pro
5 Windows accounts (and this is kinda significant):

Mine
Wife
Kid 1
Kid 2
Kid 3

My problem: A couple of weeks ago, the wife told me "our computer's dead." I logged in to my account, and all appeared fine - sluggish as always - but otherwise normal. Logged in to her account, and YIKES! Teal-green screen, then black screen, then the dreaded Windows XP Restore screen and its associated nonsense (probably not necessary to describe, you've all seen it). Of course it went on to its shenanigans...hiding icons and files (on all 5 accounts), etc.

Did some Googling (unfortunately, didn't find this site right away...rats!), and decided to try Spybot and a couple of anti-spyware fixes...none of which worked.

Over the next week or so, I finally found this wonderful site...and the clouds began to part. Pored over (almost) everything in here to "get smart" on Restore. Did the best I could (with my limited computer knowledge) to follow the uninstall self-help guide:

- Rkill (iexplore version): didn't stop anything...but from what I read, that's OK, just means there was nothing to stop.
- MBAM full scan: found about 7 or 8 things (none of which I could attribute to Restore, but oh well). Removed what it found.
--- Also ran Spybot: also found a few items - removed them as well.
- Unhide: yahoo! Brought back all my icons (on my desktop...see below).

Logged in again to Wife's account...much better: Restore doesn't come up (hooray!). However, still have some issues:

- Her desktop is an aqua-blue screen, with NO icons. Also, unable to save anything to the desktop (either click-and-drag, or "send to"). Almost as if it's locked/blocked somehow. Tried changing display settings at Control Panel, no joy. Can only run stuff from the Start menu.
- Tried doing some updates (Windows, Java, etc)...will start to install, then freeze.
- Unable to bring up Task Manager in her account - she was an "Administrator", could Restore have changed this?
- There's probably other issues I haven't found yet.

NOTE: so far, I haven't done anything from the Safe mode...mostly 'cause I couldn't get into it...hmmmm. Also, originally tried to restore to an earlier setpoint...would not allow me to do so.

I have a feeling these are all left-over damage from the Restore madness - but I have no idea how to recover from them.

I realize this is a long, rambling post, and I'm certain I've left out some details you'll need.

So ask any questions necessary, and I'll do my best to get the info. Just trying to get back to a point that I can start using the rest of the wealth of info you have to offer to make this a great machine again.

Thanx!!!



#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:53 AM

Posted 25 June 2011 - 08:01 PM

Hi Striper,

:welcome: to BleepingComputer! Sorry for the delay.

Malware sometimes likes to install itself in the profile of a user, likely why you see the infection on your wife's account and not yours.

:step1: Let's double check that Malwarebytes' has found all that it can:
Log into your wife's account, open Malwarebytes. Select the Update tab, and click on Check for Updates.
  • The program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform full scan" option is selected (this will scan all user accounts, and may take a while to complete.)
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

:step2: Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:step3: Attempt to repair desktop on wife's account.
  • Open SUPERAntiSpyware (in wife's account).
  • Click on the Preferences button.
  • Click on the Repairs tab.
  • Scroll down and select Remove/Reset Windows Desktop Background/Wallpaper and click the Perform Repair button. Select Yes when prompted with "Are you sure you wish to perform the selected repair?" Select "No" when prompted with the Restart message (we'll restart after one more repair).
  • Select Reset Desktop Policies and click the Perform Repair button. Again, select "Yes" when prompted with "Are you sure you wish to perform the selected repair?" Again, select "No" when prompted to restart (we'll restart after the next step).
  • Still on your wife's account, download and run http://download.bleepingcomputer.com/grinler/unhide.exe After it is complete, restart the computer.

In your next reply, please include:
  • Malwarebytes' log file
  • SUPERantispyware log file
  • How's the computer running now? Please include a detailed description of anything out of the ordinary, including any error messages.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 Striper

Striper
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Gender:Male
  • Location:Dutchess County, NY
  • Local time:06:53 AM

Posted 28 June 2011 - 09:30 PM

Sorry it took so long for me to reply. Honestly, I kinda gave up and stopped checking on this...oh well.

Good news - bad news:
Good news: SAS Repair of her desktop seems to have worked - all the icons are back (Yay!!)
Bad news: My computer now seems to do a restart whenever it darn well pleases, for no apparent reason (yipee! a new problem). Unfortunately, it did it twice while trying to do the MBAM Full Scan. Ran for close to 2 hours...then bloop! Restart. I gave up and ran a Quick Scan - hope that suffices. I don't think the restart issue has anything to do with the scan, because it also did it yesterday while I was just on the internet. Hmmm...

Machine in general seems to be running OK, still kinda sluggish on Windows startup, and most programs take 30-45 seconds to start (SAS really takes a while).

2 other issues I've found: 1. The original infection completely wiped out our email setups (Outlook Express) (and I should mention we have broadband service thru Time Warner Cable). and 2. When I click on Search in the Start menu, I get an error "A file that is required to run Search Companion cannot be found. You may need to run setup." I'm not sure what 'setup' it's talking about.

Anyway, here's the scan logs. Thanx for your help!!

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6967

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/28/2011 4:21:22 PM
mbam-log-2011-06-28 (16-21-22).txt

Scan type: Quick scan
Objects scanned: 315261
Time elapsed: 1 hour(s), 12 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B18DD50-C996-44FC-AC52-0FECFF82ED58} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/28/2011 at 09:58 PM

Application Version : 4.54.1000

Core Rules Database Version : 7313
Trace Rules Database Version: 5125

Scan type : Complete Scan
Total Scan Time : 05:25:16

Memory items scanned : 510
Memory threats detected : 0
Registry items scanned : 7458
Registry threats detected : 3
File items scanned : 215747
File threats detected : 20

Adware.WhenU
HKU\S-1-5-21-2052111302-1532298954-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
HKCR\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}

Adware.Tracking Cookie
C:\Documents and Settings\Wendy\Cookies\wendy@doubleclick[2].txt
C:\Documents and Settings\Wendy\Cookies\wendy@ad.wsod[2].txt
C:\Documents and Settings\Wendy\Cookies\wendy@atdmt[3].txt
C:\Documents and Settings\Wendy\Cookies\wendy@burstnet[1].txt
C:\Documents and Settings\Wendy\Cookies\wendy@ads.shutterfly[2].txt
C:\Documents and Settings\Wendy\Cookies\wendy@bs.serving-sys[1].txt
C:\Documents and Settings\Wendy\Cookies\wendy@www.accountonline[5].txt
C:\Documents and Settings\Wendy\Cookies\wendy@specificmedia[4].txt
C:\Documents and Settings\Wendy\Cookies\wendy@serving-sys[2].txt
C:\Documents and Settings\Wendy\Cookies\wendy@imrworldwide[9].txt
C:\Documents and Settings\Wendy\Cookies\wendy@CARCF63H.txt
C:\Documents and Settings\Wendy\Cookies\wendy@apmebf[1].txt
C:\Documents and Settings\Wendy\Cookies\wendy@msnportal.112.2o7[1].txt
C:\Documents and Settings\Wendy\Cookies\wendy@entrepreneur[1].txt
C:\Documents and Settings\Wendy\Cookies\wendy@mediaplex[3].txt
ads2.msads.net [ C:\Documents and Settings\Matt\Application Data\Macromedia\Flash Player\#SharedObjects\RNJKN4EZ ]
C:\Documents and Settings\Matt\Cookies\matt@www.googleadservices[1].txt
ads2.msads.net [ C:\Documents and Settings\Wendy\Application Data\Macromedia\Flash Player\#SharedObjects\5L59LUXM ]
msnbcmedia.msn.com [ C:\Documents and Settings\Wendy\Application Data\Macromedia\Flash Player\#SharedObjects\5L59LUXM ]

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-2052111302-1532298954-839522115-1007\SOFTWARE\FunWebProducts

Adware.Gamevance
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DE37BB6-8BE2-407B-AC40-F64B13199A61}\RP1895\A0765020.EXE

Edited by Striper, 28 June 2011 - 09:32 PM.
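The three "Registry Data Items Infected" lines in the Malwarebytes' log above are the direct explanation for the symptoms reported in the first post (no desktop icons, Task Manager blocked, display settings that would not change): they are Explorer and System policy values set to 1 under the wife's HKEY_CURRENT_USER hive. The following Python is an added example (not code from this thread, from Malwarebytes, or from BleepingComputer) that parses this log format, separates the per-user policy hijacks from the ordinary adware entries, and builds the reg.exe command that writes the logged "Good" value back. The policy-to-symptom table and the reg.exe command are the editor's; the sample log lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (assumption): a short extract in the same line format as
# the Malwarebytes' Anti-Malware 1.51 log posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Section headers such as "Registry Keys Infected:"; the summary lines near the
# top of the log carry a count after the colon and therefore do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# One detection line:
#   <path> (<classification>) [-> Value: <v>] [-> Bad: (<b>) Good: (<g>)] -> <action>
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<classification>[^()]+)\)"
    r"(?: -> Value: (?P<value>.+?))?"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+)$"
)

# Policy values reported as PUM.* data items in the log, mapped to the
# user-visible symptom each produces when set to 1 (editor's table).
POLICY_SYMPTOMS = {
    "NoDesktop": "desktop shows no icons and nothing can be saved to it",
    "DisableTaskMgr": "Task Manager refuses to open",
    "NoChangingWallPaper": "wallpaper cannot be changed from Display Properties",
}


@dataclass
class Detection:
    section: str
    path: str
    classification: str
    value: Optional[str]
    bad: Optional[str]
    good: Optional[str]
    action: str

    @property
    def name(self) -> str:
        """Last path component: the registry value name for data items."""
        return self.path.rsplit("\\", 1)[-1]


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse every detection line of an MBAM 1.x log, tagged with its section."""
    section = ""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m:  # "(No malicious items detected)" and summary lines do not match
            found.append(Detection(section=section, **m.groupdict()))
    return found


def explain_policy_hijacks(detections: List[Detection]) -> Dict[str, str]:
    """Map each hijacked policy value (Bad != 0) to the symptom it causes."""
    hits: Dict[str, str] = {}
    for d in detections:
        if d.section != "Registry Data Items Infected":
            continue
        if d.name in POLICY_SYMPTOMS and d.bad not in (None, "0"):
            hits[d.name] = POLICY_SYMPTOMS[d.name]
    return hits


def count_by_classification(detections: List[Detection]) -> Dict[str, int]:
    """Number of detection lines per classification (Adware.*, PUM.*, ...)."""
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.classification] = counts.get(d.classification, 0) + 1
    return counts


def reg_restore_command(d: Detection) -> str:
    """reg.exe command that writes the logged 'Good' value back for a data item.

    HKEY_CURRENT_USER is the hive of whoever was logged in during the scan, so
    the command (or the scan itself) must be run in each affected account.
    """
    if d.section != "Registry Data Items Infected" or d.good is None:
        raise ValueError("only registry data items carry a Good value")
    key, name = d.path.rsplit("\\", 1)
    return f'reg add "{key}" /v {name} /t REG_DWORD /d {d.good} /f'


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for value_name, symptom in explain_policy_hijacks(dets).items():
        print(f"{value_name}: {symptom}")
    print(count_by_classification(dets))
```

Run against the full log posted above, the parser reports one policy hijack per symptom in the first post, which is why the icons returned only after the wife's account was cleaned: those values live under her HKEY_CURRENT_USER hive, not under a machine-wide key.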


#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:53 AM

Posted 29 June 2011 - 01:03 PM

Striper,

Sorry it took so long for me to reply. Honestly, I kinda gave up and stopped checking on this...oh well.


No problem. Hopefully, we can get all of your issues resolved. :)

Good news - bad news:
Good news: SAS Repair of her desktop seems to have worked - all the icons are back (Yay!!)
Bad news: My computer now seems to do a restart whenever it darn well pleases, for no apparent reason (yipee! a new problem). Unfortunately, it did it twice while trying to do the MBAM Full Scan. Ran for close to 2 hours...then bloop! Restart. I gave up and ran a Quick Scan - hope that suffices. I don't think the restart issue has anything to do with the scan, because it also did it yesterday while I was just on the internet. Hmmm...


I agree, I don't think the restart has anything to do with the Malwarebytes' scan. Computers tend to randomly restart (or shut down) if they overheat, as a built-in safety measure. Though random restarting can also be malware-related.

Machine in general seems to be running OK, still kinda sluggish on Windows startup, and most programs take 30-45 seconds to start (SAS really takes a while).


You mentioned in your previous post your computer has been sluggish for a while. How long has this gone on? The sluggishness may not be malware related.

2 other issues I've found: 1. The original infection completely wiped our our email setups (Outlook Express) (and I should mention we have broadband service thru Time Warner Cable). and 2. When I click on Search in the Start menu, I get an error "A file that is required to run Search Companion cannot be found. You may need to run setup." I'm not sure what 'setup' it's talking about.


1. To fix the email, you'll have to contact Time Warner to reconfigure your email settings (if you don't already know this information).

2. To fix the Search error, try installing this Hotfix: http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=23787


:step1: Please perform the following after your computer has been on for a while, so that we can get the exact specs of your computer. This will better assist us in helping you more. It'll tell us whether your sluggishness is hardware-related, and it'll also confirm if your computer is running too hot so we can figure out if that's what's causing it to randomly reboot (this is why I asked you to run it after your computer has been on for a while, so it has enough time to get hot.)

Publish a Snapshot using Speccy

The below is for those who cannot get online.
Please take caution when attaching a text file to your post: if you cannot copy/paste the link to your post, you will need to edit it to make sure that your Windows Key is not present.

:step2: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

:step3: Security Check
Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.


In your next reply, please include:
  • Speccy snapshot
  • ESET log file
  • Security Check log file
  • How's the computer running now? Please include a detailed description of anything out of the ordinary, including any error messages.

Regards,
Jason



#5 Striper

Striper
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Gender:Male
  • Location:Dutchess County, NY
  • Local time:06:53 AM

Posted 29 June 2011 - 07:52 PM

You mentioned in your previous post your computer has been sluggish for a while. How long has this gone on? The sluggishness may not be malware related.

It's been sluggish for quite a while - but with 5 users (including 3 teenagers), I'm not surprised...it's had more than its share of junk downloaded/installed on it. I've been working on the Autoruns process, but, as you know, that's a time-consuming process (looking up each process, etc)...oh well.

1. To fix the email, you'll have to contact Time Warner to reconfigure your email settings (if you don't already know this information).

Yup...no problem.

2. To fix the Search error, try installing this Hotfix: http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=23787

I have to lower my voice and whisper...it's a bootlegged copy of XP (shhhhhh...) and unfortunately, won't pass the Windows Genuine Authentication. No big deal.

Scan logs:

Speccy snapshot:

http://speccy.piriform.com/results/bIeBrlesA34aMjFCgFfuebW

ESET Log file:

C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\UD7NZU6X\135[1] Win32/Adware.Antivirus2008 application cleaned by deleting - quarantined
C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\YUAWZNKJ\133[2] Win32/Adware.Antivirus2008 application cleaned by deleting - quarantined
C:\Documents and Settings\Danny\Local Settings\Temporary Internet Files\Content.IE5\94EVBB4L\133[2] Win32/Adware.Antivirus2008 application cleaned by deleting - quarantined
C:\Documents and Settings\Danny\Local Settings\Temporary Internet Files\Content.IE5\H9J51GQC\135[1] Win32/Adware.Antivirus2008 application cleaned by deleting - quarantined

Security Check log file:

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 20
Java™ 6 Update 3
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
Mozilla Firefox AvastUI.exe -?-
``````````End of Log````````````


Thanx again!

#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:53 AM

Posted 29 June 2011 - 09:14 PM

Hi Striper,

Besides general sluggishness, are you noticing anything else out of the ordinary on any user account?

As a formality, the following is one of the forum rules, please read it:

No subject matter will be allowed whose purpose is to defeat existing copyright or security measures. If a user persists and/or the activity is obviously illegal the staff reserves the right to remove such content and/or ban the user. This would also mean encouraging the use or continued use of pirated software is not permitted, and subject to the same consequences.

As such, I'm not sure if the following Step 1 will work:

:step1: Your Microsoft Windows installation is out of date. The latest Service Pack for Windows XP is Service Pack 3 (you have Service Pack 2 installed). Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

:step2: Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean. It is not necessary to run Temp File Cleaner on all user accounts, as it will clean the temp files from all user accounts when run once.

:step3: Update Malwarebytes' definitions and run a quick scan on each computer account, since the Full Scan likely causes the hard drive to get too hot, and then your computer reboots (see more in Step 5, below). If Malwarebytes' prompts you to restart, restart the computer and log back into the same user account you were just running the scan in. Don't move on to another account until Malwarebytes' doesn't find anything on that account. In short, you want to be able to run a quick scan on all user accounts and have Malwarebytes' not find anything on any user account. Double check that Malwarebytes' is up to date before running each scan (Malwarebytes is updated several times per day, and if each scan takes an hour or more, it is likely you'll end up updating Malwarebytes' definitions at some point.)

:step4: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt Users

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

:step5: To improve system performance:
The Speccy report showed a system temperature of 55°C, or 131°F and hard drive temperature of 48°C or 118°F! These are quite warm, and possibly the cause of the random rebooting. I suggest reading Slow Computer/browser? Check Here First: It May Not Be Malware, particularly the section on When was the last time you cleaned the inside of your computer? Also, the Adding More RAM section is worth considering. Speccy shows you have 1 512MB stick of RAM, yet two available slots. You'd likely notice a speed improvement if you purchased and installed more RAM. This RAM would work in your system.

:step6: Tips to protect yourself against malware and reduce the potential for re-infection:
Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#7 Striper
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Male
  • Location:Dutchess County, NY

Posted 01 July 2011 - 05:37 PM

Hey Jason - sorry for the delay, wasn't able to reply from work computer, and got busy at home yesterday.

First some housekeeping:

Illegal XP: I'm only partly at fault :wink: This actually isn't the original hard drive. The original crapped out - luckily it did it about a week before the BestBuy warranty expired. Took forever to get them to replace it, but when I finally got it...this was on it (i.e. I didn't install it) :unsure: . Was never really an issue...till now that is. I'm seriously considering getting a legal copy and doing a wipe. But now I'd feel guilty about all the work you've done to get the machine back on track.

Speaking of all your work...the computer is actually working pretty good :thumbsup: . I have a 32g flash drive, and am in the process of moving all the misc pictures, etc. on to it. Then, I'll take the case apart, and do a thorough cleaning. Also, the kids have their own computers now, so I'll probably blow away their accounts (easier to manage).

Even if I do a wipe and install a legal OS, I think all the things you've done, plus all that I've learned, will keep it running like a Swiss watch :cool: .

2 final questions:

1. (This may need to be its own thread topic) The computer has always had an annoying quirk of momentarily "freezing", i.e. cursor will freeze, hard drive stops spinning...freezing is the only word I can think of to describe it. Lasts for approx 5 seconds, then frees up. It's been doing it for as long as I can remember (bought the computer in '03, and I think it was doing it since we bought it). No apparent trigger for it, and it does it maybe every 15 minutes or so. Your thoughts? (and again, I can certainly start a new thread elsewhere for this).

2. Any advice on doing a wipe / install? Or is it as easy as loading the disk.

Thanx again!

#8 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 01 July 2011 - 06:27 PM

Hi Striper,

BestBuy gave you a replacement hard drive with an illegal copy of XP on it?

The freezing has been going on regardless of whether you had the old hard drive or the new one from BestBuy?

While doing a wipe/reinstall might initially solve your freezing/sluggishness issues, I'm not sure if that will completely solve these issues in the long run. Hard drives (specifically older ones that have physical moving parts, not the new solid state drives) tend to wear out after a while.

I suggest you do the following and see if you get any errors:
  • Click on Start
  • Click on Run
  • Type in CMD and click OK
  • Type in chkdsk /r and hit Enter
  • A message will come up asking you if you want to run disk check at the next startup. Type in Y (for yes) and hit enter
  • Restart your computer
  • As your computer is starting back up, Windows XP's built-in disk check utility will run. It will attempt to fix any errors it finds.

My rule of thumb: if check disk finds a whole bunch of errors (such as unread sector counts), the hard drive could possibly be failing. Reformatting and installing a new operating system on it would just add insult to injury.

Reformatting (in my experience) usually is as easy as loading the disk, as you had asked (assuming you've transferred all the files you want to keep off your hard drive.) If installing Windows, you'll need a valid product key (which would come with the installation disk).

Edited by jntkwx, 01 July 2011 - 06:28 PM.

Regards,
Jason

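One practical follow-up to the boot-time check above: Windows XP does not show the chkdsk result on screen, it writes it to the Application event log (source Winlogon, event ID 1001), so "it went straight to the sign-in screen" does not by itself mean the disk was clean. The script below is an added example, not code from jntkwx or BleepingComputer; it assumes PowerShell 2.0 has been installed on the XP machine, that it runs as an administrator, and that C: (a placeholder) is the volume that was checked.

```powershell
# Added example (not from the original post). Reads the dirty-bit status of a
# volume and the most recent boot-time chkdsk report that Windows XP logged.
# Assumptions: PowerShell 2.0 on XP, run as administrator, C: is a placeholder.
$Volume = 'C:'

# fsutil tells you whether the volume is still flagged dirty, which means a
# check is still pending (or the last shutdown was unclean).
$dirtyStatus = & fsutil.exe dirty query $Volume
Write-Host "Dirty-bit status: $dirtyStatus"

# On XP the autochk/chkdsk summary is written to the Application log by the
# Winlogon source as event ID 1001 (Vista and later use Wininit instead).
$report = Get-EventLog -LogName Application -Source Winlogon -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1001 } |
    Sort-Object TimeGenerated -Descending |
    Select-Object -First 1

if (-not $report) {
    Write-Host "No chkdsk result has been logged yet; schedule one with: chkdsk $Volume /r"
    return
}

Write-Host "chkdsk report from $($report.TimeGenerated):"
Write-Host $report.Message

# Lines worth acting on: a non-zero bad-sector count, bad clusters being
# replaced, or Windows reporting that it found problems / made corrections.
# "0 KB in bad sectors" is normal and is deliberately not matched.
$pattern = '^\s*[1-9][\d,]*\s+KB in bad sectors|bad clusters|found problems|made corrections'
$flagged = $report.Message -split "`r?`n" | Where-Object { $_ -match $pattern }

if ($flagged) {
    Write-Host "Lines to review (a count that grows between runs points to a wearing drive):"
    $flagged | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No bad sectors or repairs reported in the last check."
}
```

Run it once after the scheduled restart; if the dirty bit is still set the check never completed and should be scheduled again.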


#9 Striper
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Male
  • Location:Dutchess County, NY

Posted 02 July 2011 - 09:30 AM

BestBuy gave you a replacement hard drive with an illegal copy of XP on it?

- Yup. Initially, they insisted on installing ALL of the usual pre-loaded software (TrendMicro security stuff, etc) - I told them 'No' - all I wanted was XP, I would install the rest on my own. This haggling back and forth was the reason it took so long to get replaced.

The freezing has been going on regardless of whether you had the old hard drive or the new one from BestBuy?

- I'd have to look at my notes to be sure, but I believe the HD was replaced in '06 (was a 3 year warranty). I seem to remember commenting to the Wife that it was "still" doing the freezing thing. All I can say is it's been doing it for as long as I can remember.

While doing a wipe/reinstall might initially solve your freezing/sluggishness issues, I'm not sure if that will completely solve these issues in the long run. Hard drives (specifically older ones that have physical moving parts, not the new solid state drives), tend to wear out after a while.

- I suppose you're right. But at least a wipe/reinstall will allow me to properly update XP. With all that you and the rest of this website have taught me, I'll bet I can get a few more years out of it.

My rule of thumb: if check disk finds a whole bunch of errors (such as unread sector counts), the hard drive could possibly be failing. Reformatting and installing a new operating system on it would just add insult to injury.

- Tried to run CHKDSK, both from normal mode and Safe mode - said it needed access to programs that were running, and to "schedule" it for the next restart, which I did. CHKDSK ran, then went straight to the Windows sign in screen, so I presume disk checked OK.

Reformatting (in my experience) usually is as easy as loading the disk, as you had asked (assuming you've transferred all the files you want to keep off your hard drive.) If installing Windows, you'll need a valid product key (which would come with the installation disk).

The more I think about this, it seems like the right thing to do. Again, I'm very grateful for all that you've done, both regarding the XP Restore malware issue, and just getting the computer tuned up. Thanx again to you and all of the BC experts!

#10 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 02 July 2011 - 09:57 AM

Glad I could help. :thumbup2:
Regards,
Jason
