Posted by M on April 22, 2008, 1:01 pm
Urbane Tiger wrote:
>
>> Urbane Tiger wrote:
>>
>>> I have several symptoms that make me think I have an infected system. It
>>> is a stand-alone single-user Intel 6600 on a
>>> Gigabyte P965-S3 motherboard - 3G RAM, 2x 250G disks, ADSL2+ connection to
>>> the 'net. System is administered by me, its
>>> owner, XP/Home-SP3, WU is on, Firewall is on, Defender & AVG Free
>>> is/was/are my malware shields. Full system scans are run every day and
>>> internet functions in AVG and Defender are on.
>>>
>>> Symptoms are as follows
>>>
>>> 1. Task Manager has been disabled in the Taskbar context menu - have
>>> tried to reinstate via services.msc in normal and
>>> safe mode to no avail; also cannot load Task Manager with Ctrl/Alt/Del. Ran
>>> Process Explorer and made it my Task Manager; it can be invoked via
>>> keyboard but not via Taskbar.
>>>
>>> 2. I run Windows Live Mail (WLM) as my desktop mail client. When WLM
>>> starts I get a dialogue box telling me I should
>>> compress the Outlook Express folders; this is spurious. I recently
>>> reformatted my hard disk and reinstalled Windows XP; as part of the
>>> install process I disabled/uninstalled Outlook Express and Messenger as I
>>> knew I would be using the
>>> equivalent Windows Live components. To date I have responded to
>>> this by clicking the Cancel button. Another reason I think the dialogue
>>> box is spurious is that it also "pops up" when I run the Belarc system
>>> info program.
>>>
>>> 3. I don't use IE much - Firefox is my preferred browser. I cannot close
>>> tabs in IE7; I'm sure I would have noticed
>>> that had it always been so. Sometimes IE spins when loading a page and the
>>> cancel (red diagonal cross) button won't cease the transmission, and I cannot
>>> close IE itself; it must be killed via Process Explorer.
>>>
>>> AVG found a downloader Trojan which I vaulted, Defender has not reported
>>> any problems.
>>>
>>> I had already made the decision to upgrade this freeware collection of
>>> malware shields with a commercial product. After some research I had more
>>> or less settled on the product from Kaspersky (K) - so I escalated the
>>> decision to get K Internet Suite Version 7 (KIS7), which I've done.
>>>
>>> I ran a full scan and KIS7 found 2 instances of the win32.Monder trojan
>>> which are in quarantine.
>>>
>>> The various symptoms are still extant.
>>>
>>> There were a couple of issues I wanted to raise in the support forum, K's
>>> forum requires that one a) installs SysInternals GetSystemInfo, b) runs it
>>> and c) sends output with forum posting.
>>>
>>> So I downloaded GetSysInfo, unzipped it, put it where all the other
>>> SysInternals programs are and ran it. It crashed,
>>> not just the SysInternals program but the whole enchilada, XP blackout,
>>> kaputski. On restart XP sent a crash report to MS; it then tried to do
>>> something which also crashed, although get itself, this sent me into the
>>> "Apollo13 has a problem, Houston" process. I answered its questions - it
>>> suggested that I download something to do with memory testing which I'd
>>> need to burn onto a CD as a bootable image and boot from that CD. I have
>>> NOT done that: a) I don't have any blank CDs, b) I don't know how to burn an
>>> ordinary CD let alone a bootable one - and how do I know this is not
>>> another manifestation of the virus?
>>>
>>> I'm thinking of rebuilding the system, but would obviously prefer that I don't
>>> have to do that.
>> And you're getting all this *after* you've done a clean install of Windows
>> because of previous infection? I must be misunderstanding your post. You
>> must have downloaded something bad, perhaps some dodgy codecs so you could
>> watch something maybe?
>>
>> I don't understand your penultimate paragraph; you seem pretty
>> computer-savvy and yet you say you don't know how to burn a CD? If you just
>> mean you don't know how to burn a CD on an infected system, you wouldn't do
>> that anyway. You always get all tools, updates, etc. on a known-clean
>> computer that isn't connected to the infected one in any way.
>>
>> I'll give you my standard malware removal steps, but as "FromTheRafters"
>> said you may just want to flatten and rebuild. Make really sure you aren't
>> installing something that is malware and just reinfecting yourself. Or you
>> may want a professional to take a look. Having someone who knows what
>> they're doing take a look at the system always has the possibility of being
>> more efficient and accurate than getting input from people who can't
>> actually see the computer. That said, here you go:
>>
>> Go through these general malware removal steps systematically -
>> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>>
>> Include scanning with David Lipman's Multi_AV and follow instructions to do
>> all scans in Safe Mode.
>>
>> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
>> http://tinyurl.com/yoeru3 - download link and more instructions
>>
>> You can also check to see if there are targeted removal steps for your
>> malware here:
>> Bleeping Computer removal how-to's -
>> http://www.bleepingcomputer.com/forums/forum55.html
>>
>> When all else fails, get guided help. Choose one of the specialty forums
>> listed at the first link. Register and read its posting FAQ. You will
>> generally be asked to:
>>
>> 1. Download and execute HiJack This! (HJT) -
>> http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
>>
>> 2. Disable Notepad's word wrap - In Notepad.exe; Format --> uncheck; "Word
>> wrap"
>>
>> 3. Download/run Deckard's System Scanner -
>> http://www.techsupportforum.com/sectools/Deckard/dss.exe
>>
>> 4. Save the scan results (Main.txt and Extra.txt)
>>
>> 5. And then post the contents of Main.txt and Extra.txt in your post at the
>> forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.
>>
>> Standard disclaimer: I can't see and test your computer myself, so these are
>> just suggestions based on many years of being a professional computer tech;
>> suggestions based on what you've written. You should not take my
>> suggestions as a definitive diagnosis. If you can't do the work yourself
>> (and there is no shame in admitting this isn't your cup of tea), take the
>> machine to a professional computer repair shop (not your local equivalent
>> of BigComputerStore/GeekSquad). Please be aware that not all local shops
>> are skilled at removing malware and even if they are, your computer may be
>> so infested that Windows will need to be clean-installed. If possible, have
>> all your data backed up before you take the machine into a shop.
>>
>> Malke
>
>
> Thanks for this - I'll follow your suggestions, I've already run HJT
>
> Yes I'm fairly savvy, got first job in IT in '68 at Control Data writing
> Fortran, got first "personal" computer in late
> '70's (PDP8), got first used internet connect in early '80s, just after I got
> my very own XT in '83. Got Windows 2.1
> when it came out, you can probably guess the rest. I have never, to my
> uncertain knowledge, been infected with anything
> prior to this week. Until recently I only used text based mail, I've never
> had MS Office and I am careful with respect to
> web browsing, no online shopping etc. I think I know where the download
> trojans came from - foolishly clicked on a
> flash video (I run FF with Flashblock) on a site I thought I could trust -
> should have checked first.
>
> The previous rebuild was initiated by a significant system upgrade - more
> memory, more disk (two now, two more in the
> wings so that I can stripe & mirror) and a new tube. Also I wasn't happy with
> my folder structure, ie the rebuild was
> not due to infection.
>
> I am sure I could create the CD, it's just that I've not done so. I'm an
> ardent iconoclast, both visually and aurally -
> so I don't watch movies, videos, look at pictures or listen to recorded music -
> if it's not the living flesh then as far
> as I'm concerned it doesn't exist, hence CDs are not something I use, except
> as a medium from which to install software.
>
> But as you and "FromTheRafters" have said the safest thing is to rebuild and
> that's what I'll probably do. However
> I'll go through the process you've outlined first. I'm sure it will educate
> me on an aspect of computing that, until
> now, I have thankfully avoided, and at times I've even wondered if it was all
> just a 'con'.
>
> Oh I found another problem. The Display Properties->Screen Saver keeps
> getting reset to None, and Display
> Properties->Desktop Tab wedges; sometimes the exit button will work, other
> times I have to get Process Explorer out in
> order to kill the rundll32 instance in which Display Properties is running.
>
CDC!
Colossus: The Forbin Project.
Used a CDC 469E in PHALANX CIWS.