
Windows Update Crashes


  • Please log in to reply
14 replies to this topic

#1 charmee

Posted 03 April 2007 - 03:02 PM

Hi,

Windows Update causes Blue Screen crash 0X0000008E
Very slow internet performance
Pop-ups

I have already done AdAware SE, Spybot, and Spyblaster all in safe mode.
I ran HouseCall and installed ZoneAlarm firewall.

I was also getting an ie_updater.exe error on every boot up, but I seem to have fixed it by following the instructions from another thread. I used Vundo and deleted the ie_updater file.

Any help will be so appreciated.


Here's my Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:57:04 AM, on 4/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WN511T\WN511T.exe
C:\Program Files\ZoneAlarmFirewall\zlclient.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kytjx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vtbnitc.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WN511T.exe] C:\Program Files\NETGEAR\WN511T\WN511T.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarmFirewall\zlclient.exe"
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.arcadetown.com/swf/cosmicbugs/r64loader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175379318636
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/swf/feedingfrenz...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/UnSkin/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Linda\ie_updater.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
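The HijackThis log above is what the responder's diagnosis rests on: the F2 `Shell=` and `UserInit=` values chain extra binaries, one unknown DLL sits in the Winsock LSP chain (listed once per chain position), a Winlogon Notify DLL loads from a Documents folder, and a service points at a missing file. The following is an added example, not something posted in the thread or shipped with HijackThis: a small Python triage script that parses lines in HijackThis v1.99 format and flags exactly those entry classes. The sample lines are taken from the log above (trimmed), the "expected" values for the two system.ini keys, the repeat threshold for LSP entries, and the System32 location check for Winlogon Notify DLLs are assumptions of this example.

```python
"""Triage a HijackThis v1.99 log for the persistence entries that matter most.

Added example (not from the thread or from HijackThis itself). Parses
"Oxx - ..." lines and flags: F2 system.ini hijacks, repeated unknown
Winsock LSP files, Winlogon Notify DLLs outside System32, and services
with a missing binary or unknown owner. Thresholds are assumptions.
"""
import re
from collections import Counter

# Sample lines taken from the log posted in this thread (trimmed to the
# interesting sections); an analyst would feed the whole saved logfile.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kytjx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vtbnitc.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bmftwpc.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Linda\ie_updater.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis finding starts with a section code such as F2, O10, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumed defaults for the two system.ini keys; any extra binary chained
# after them is launched at every logon, which is why F2 entries are high.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def parse(log_text):
    """Return (section, body) tuples for every line that is a HJT finding."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _extra_values(value, expected):
    """Split a comma-separated system.ini value; keep parts that are not the expected binary."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower().split("\\")[-1] != expected]


def triage(log_text, lsp_repeat_threshold=3):
    """Return a list of (section, severity, message) findings."""
    findings = []
    lsp_counter = Counter()
    for section, body in parse(log_text):
        if section == "F2":
            key, _, value = body.partition("=")
            key = key.rsplit(":", 1)[-1].strip()  # "REG:system.ini: Shell" -> "Shell"
            expected = EXPECTED.get(key.lower())
            if expected:
                for extra in _extra_values(value, expected):
                    findings.append(("F2", "high", f"{key} chains an extra binary: {extra}"))
        elif section == "O10":
            # HJT lists an unknown LSP file once per chain position it occupies.
            path = body.split(":", 1)[1].strip()
            lsp_counter[path.lower()] += 1
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; a DLL outside
            # System32 is abnormal (assumed heuristic for this example).
            dll = body.rsplit(" - ", 1)[-1].strip()
            if "\\system32\\" not in dll.lower():
                findings.append(("O20", "high", f"Winlogon Notify DLL outside System32: {dll}"))
        elif section == "O23":
            if body.endswith("(file missing)") or "Unknown owner" in body:
                findings.append(("O23", "medium", f"Service with missing file or unknown owner: {body}"))
    for path, n in lsp_counter.items():
        if n >= lsp_repeat_threshold:
            findings.append(("O10", "high", f"Unknown Winsock LSP {path} registered {n} times"))
    return findings


def severity_summary(findings):
    """Count findings per severity so a reader can see the overall picture at a glance."""
    return Counter(sev for _, sev, _ in findings)


if __name__ == "__main__":
    for section, sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {section}: {msg}")
    print(dict(severity_summary(SAMPLE_LOG and triage(SAMPLE_LOG))))
```

Run against the full log the script reports the two F2 hijacks, the repeated LSP DLL, the Winlogon Notify DLL, and the orphaned service, while leaving ordinary O4 Run entries alone. The point of the LSP count is that a single unknown LSP shows up in many chain positions, so it is the DLL, not the number of lines, that is the finding.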


#2 charmee

Posted 03 April 2007 - 03:29 PM

I got a message from my ISP (comcast) that my computer was used to send spam, and that I need to remove a virus. They're blocking my e-mail sending until I fix it.

#3 Papakid
  • Malware Response Team

Posted 09 April 2007 - 01:47 PM

Hi charmee,

I hate to be the bearer of bad news, but your PC is so heavily infected that your best course of action would be to reformat and re-install your operating system. We usually don't like to recommend this, but from the message you got from your ISP, and if you just installed Zone Alarm and the absence of a resident anti-virus, this tells me that you have been running your system without necessary protection and without the latest service pack. This has left you wide open to attack and that openness has been taken advantage of, as you have more than one backdoor running on your system and your computer is being used to spam others. Your computer is now part of a Botnet, under the control of someone else.

You should take this system off the internet immediately and isolate it from any other computers, i.e., disconnect it from any home or other network. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, that information is likely now in the hands of cyber criminals; please get to a known clean computer and change all passwords where applicable. This includes email, banks, eBay, forums, etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

Though some of the backdoor trojans have been identified and can be killed, because of its backdoor functionality, your PC is so badly compromised that there is no way to be sure your computer can ever again be trusted to be completely clean. We simply can't guarantee that or that all the damage that may have been caused will be corrected--it is essentially like searching for a needle in a haystack.

Please read these articles:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Help: I Got Hacked. Now What Do I Do? Part II

However, if you do not have the resources to reinstall XP and would like me to attempt to clean it, I will give it my best shot, just want you to know there are no guarantees.

Let me know what your decision is. If you decide to continue, I will first need to know if you have access to another computer and what sort of medium you have available to transfer files from a clean computer to the infected one. In other words, the easiest way would be a USB flash type drive, and if you don't have one does the clean computer have a CD or DVD burner or floppy drive that you can use on the infected computer?

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#4 charmee

Posted 09 April 2007 - 06:03 PM

Thanks for your response. I'd like you to know I wouldn't be here and have waited all this time for you, just to ignore your advice. So, if you're sure, then I'll reformat.

But first, are you sure you aren't over-reacting? My ISP just sent me a canned "Customer Security Assurance Notice" warning me I might have a virus. They'll restore my outgoing e-mail with one click. They don't seem as worried as you do!

Charmee

#5 Papakid
  • Malware Response Team

Posted 09 April 2007 - 08:35 PM

No, I don't give this advice and try to be so persuasive lightly. I know reformatting is a PIA.

Your ISP hasn't seen your log and I believe they expect you to remove any virus before reinstating your email. Even if they do reinstate it, if your machine continues to spew spam that is infecting others, they will likely just cut it off again.

I would be more willing to try and clean you up if you had been running protection and your system was fully up to date. Without the latter you can get reinfected just by visiting the wrong website.

If you do absolutely no financial transactions on the PC we can still try, but as I said, there will be no guarantees that you can completely trust your security status again. These backdoors efficiently glean any kind of personal and other info that can be used for their own financial gain. Some things you wouldn't even think were valuable, such as virtual goods that can be sold on the black market.

It's your decision--I don't really know you, but consider everyone I help to be a friend--so as a friend I would urge you to be responsible and take this computer off the internet. Do read the article on Botnets I linked you to--I'm not making this stuff up. If you reformat, install an antivirus and firewall before going back online so this doesn't happen again. And print out the following article for more prevention measures and where to get free security tools.

Simple and easy ways to keep your computer safe and secure on the Internet


If you decide to try to clean, let me know.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#6 Papakid
  • Malware Response Team

Posted 09 April 2007 - 09:04 PM

Oh, almost forgot--if you do reformat, once you've installed basic security, the first thing you should do is visit Windows Update and apply ALL patches starting with Service Pack 2. You will have to reboot after installing SP2, then go back and get updated until there are no security updates left. You may have to install some others by rebooting, just keep going back till you get them all.

On dialup this will be a long process--even if you are not on dialup. You can cut the time it takes to install SP2 by ordering the SP2 CD that only costs you a nominal shipping fee. Or if you have a friend that has a copy, it can be shared.

I can't stress enough how important it is to be updated before resuming normal surfing activities.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#7 charmee

Posted 10 April 2007 - 11:55 PM

Hi,
Thanks again for your advice.

I did what you said and took mine off the net and started preparing to reformat. I've borrowed a laptop from a friend and spent the last 24 hours getting it secured, scanned, and updated. It was a big job, but I needed to feel good about this borrowed pc before I can reformat mine.

I have all of my install discs ready. I'm burning a disc with Zone Alarm firewall, AVG, AdAwareSE, and Spybot to install before I get on the net to install my updates to WinXP (and everything else).

No, I'm not on dial-up. I have cable internet.

My next step and biggest concern is getting my personal files off of my pc. How can I be sure I'm not going to reinfect myself? I also don't know if I can safely connect these two laptops or if I should just put the files on CDs. Any advice you can give me would be great.

Charmee

#8 Papakid
  • Malware Response Team

Posted 11 April 2007 - 11:51 AM

No, I wouldn't connect the infected machine to any other--the infected one has malware loaded in memory (it is running) so it could infect the "clean" machine, especially if connected to the internet as it will just download more malware and spew out more spam. Back up your files to CD if that is all that is available; those won't run in memory unless you open them.

Your personal files should be OK. Trojans are different than true viruses and don't generally infect legit files, just add files that can be completely deleted. But to be on the safe side, once you get your machine reformatted and secured, before transferring any files, scan the CD with your antivirus.

The only exception I can think of for all this is if you use an email client like Outlook Express. Instead of every email being its own file, they are stored in database files, so you have to restore the whole thing that may have infected emails--you have to open the email client to deal with the individual emails. Still, you will be OK if you don't open any of the emails, and there is a scanner you can use to find out if any are infected so they can be deleted.

If you only use webmail, then this won't be a problem. Let me know which fits you and I'll give you more information.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#9 charmee

Posted 11 April 2007 - 12:46 PM

Ok, that makes perfect sense and I'm glad I asked. I do use Outlook Express.

#10 charmee

Posted 12 April 2007 - 12:47 AM

Hi again,
Ok, I'm all backed up and about ready to take the plunge. Wish me luck!

Charmee

#11 Papakid
  • Malware Response Team

Posted 12 April 2007 - 12:30 PM

Good luck. :thumbsup:

Sorry I haven't posted back here sooner. I should have helped you a little more with what to back up and reformatting.

When you get your system restored and secured, run this online scanner to check for any possibly infectious emails and other threats--and don't worry about the locked files, those are usually OK and there for informational purposes:

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete, choose "Copy the report" and paste it into a reply to this thread.

Are you using a standard Windows CD or recovery disks? Some other third party software that most people want to run may be needed and some that come with a default install need to be updated to patch security holes. The first thing you will need to attend to is getting Java up to date and be sure to uninstall any old versions.

Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    Select it and click Remove.
  • Then Download and install the newest version from here: http://www.java.com/en/download/manual.jsp
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Some things like Flash player and Adobe PDF reader you may need to install first--I don't think Secunia will check it if it's not there. I will be compiling a list of some of these apps you will probably want to install and will post it next, but some of it will depend on if you are using recovery CD or a standard Windows disk.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#12 charmee

Posted 13 April 2007 - 12:29 AM

Hi,
I had a delay and so I'm only just now about to reformat. I'm using my original Dell Reinstallation CD WinXP SP1 and it's easily 3 years old. There are also a bunch of hardware updates I'll need to get.

I'm feeling pretty confident though. You've been great. Thanks.
Charmee

#13 charmee

Posted 13 April 2007 - 12:52 AM

Hi,
Ok, I deleted my old windows partition and created a new partition. It's formatting now. But what about the other 2 tiny partitions? One is just 8mb of unpartitioned space, and the other is necessary, right?
Thanks,
Charmee

#14 charmee

Posted 13 April 2007 - 10:39 PM

Success! I'm not entirely done with all the miscellaneous bits, but my system is clean, secure, up to date, and running well. Still a few things to update like DirectX, but I got Java done. It went remarkably well.

I still haven't restored my personal documents but they're all on CDs that I scanned for viruses. And then of course there's all my software and their updates and patches.

So I'm pretty happy, and tired.

Charmee

#15 Papakid
  • Malware Response Team

Posted 13 April 2007 - 11:31 PM

Glad to hear it. You've been great about all this too and done a great job. :thumbsup:

Here's the list I mentioned earlier. Along with Java it's what I put on a new system so I can run what I want without having to download it first:

Adobe Reader
Foxit Reader <-- alternative PDF Reader
Flash Player
Shockwave Player

You may not necessarily need Shockwave.

Your recovery CDs may already have included all the codecs you may need, but this pack provides most of them and includes QuickTime Alternative and Real Alternative so you don't have to install those media players. Explore the info on this site to decide on what you might need.

Be careful with codecs--a recent trend is for malware writers to trick people into downloading malicious content by claiming you must have a certain codec to view a certain video. Better to have the codecs you want beforehand.

K-Lite Mega Codec Pack

When you get your email restored, run the Kaspersky scanner and post the log back here. I would be interested in seeing a HJT log as well.

I'm very happy that you are happy. :flowers:

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
