Re: Infected with something - need some help please
- From: M <nothing@xxxxxxxxxxxxxxxx>
- Date: Tue, 22 Apr 2008 13:01:28 -0400
Urbane Tiger wrote:

On Fri, 18 Apr 2008 13:46:56 -0700, Malke <malke@xxxxxxxxxxxxxxx> wrote:

Urbane Tiger wrote:

I have several symptoms that make me think I have an infected system. It is a stand-alone single-user Intel 6600 on a Gigabyte P965-S3 motherboard, 3G RAM, 2x 250G disks, ADSL2+ connection to the 'net. The system is administered by me, its owner: XP/Home SP3, WU is on, Firewall is on, Defender & AVG Free is/was/are my malware shields. Full system scans are run every day and the internet functions in AVG and Defender are on.

Symptoms are as follows:

1. Task Manager has been disabled in the Taskbar context menu - have tried to reinstate it via services.msc in normal and safe mode to no avail; also cannot load Task Manager with Ctrl/Alt/Del. Ran Process Explorer and made it my Task Manager; it can be invoked via keyboard but not via the Taskbar.

2. I run Windows Live Mail (WLM) as my desktop mail client. When WLM starts I get a dialogue box telling me I should compress the Outlook Express folders; this is spurious. I recently reformatted my hard disk and reinstalled Windows XP, and as part of the install process I disabled/uninstalled Outlook Express and Messenger as I knew I would be using the equivalent Windows Live components. To date I have responded to this by clicking the Cancel button. Another reason I think the dialogue box is spurious is that it also "pops up" when I run the Belarc system info program.

3. I don't use IE much - Firefox is my preferred browser. I cannot close tabs in IE7; I'm sure I would have noticed that had it always been so. Sometimes IE spins when loading a page and the cancel (red diagonal cross) button won't cease the transmission, and I cannot close IE itself; it must be killed via Process Explorer.

AVG found a downloader Trojan which I vaulted; Defender has not reported any problems.

I had already made the decision to upgrade this freeware collection of malware shields to a commercial product. After some research I had more or less settled on the product from Kaspersky (K), so I escalated the decision to get K Internet Suite Version 7 (KIS7), which I've done. I ran a full scan and KIS7 found 2 instances of the win32.Monder trojan, which are in quarantine. The various symptoms are still extant.

There were a couple of issues I wanted to raise in the support forum. K's forum requires that one a) installs SysInternals GetSystemInfo, b) runs it and c) sends the output with the forum posting. So I downloaded GetSysInfo, unzipped it, put it where all the other SysInternals programs are and ran it. It crashed, not just the SysInternals program but the whole enchilada, XP blackout, kaputski. On restart XP sent a crash report to MS; it then tried to do something which also crashed (although get itself), and this sent me into the "Apollo 13, Houston, we have a problem" process. I answered its questions; it suggested that I download something to do with memory testing which I'd need to burn onto a CD as a bootable image and boot from that CD. I have NOT done that: a) I don't have any blank CDs, b) I don't know how to burn an ordinary CD let alone a bootable one - and how do I know this is not another manifestation of the virus?

I'm thinking of rebuilding the system, but would obviously prefer that I don't have to do that.

And you're getting all this *after* you've done a clean install of Windows because of a previous infection? I must be misunderstanding your post. You must have downloaded something bad, perhaps some dodgy codecs so you could watch something maybe?

I don't understand your penultimate paragraph; you seem pretty computer-savvy and yet you say you don't know how to burn a CD? If you just mean you don't know how to burn a CD on an infected system, you wouldn't do that anyway. You always get all tools, updates, etc. on a known-clean computer that isn't connected to the infected one in any way.

I'll give you my standard malware removal steps, but as "FromTheRafters" said, you may just want to flatten and rebuild. Make really sure you aren't installing something that is malware and just reinfecting yourself. Or you may want a professional to take a look. Having someone who knows what they're doing take a look at the system always has the possibility of being more efficient and accurate than getting input from people who can't actually see the computer. That said, here you go:

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow the instructions to do all scans in Safe Mode.
http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

You can also check to see if there are targeted removal steps for your malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, get guided help. Choose one of the specialty forums listed at the first link. Register and read its posting FAQ. You will generally be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
2. Disable Notepad's word wrap - in Notepad.exe: Format --> uncheck "Word wrap"
3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe
4. Save the scan results (Main.txt and Extra.txt)
5. And then post the contents of Main.txt and Extra.txt in your post at the forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

Standard disclaimer: I can't see and test your computer myself, so these are just suggestions based on many years of being a professional computer tech; suggestions based on what you've written. You should not take my suggestions as a definitive diagnosis. If you can't do the work yourself (and there is no shame in admitting this isn't your cup of tea), take the machine to a professional computer repair shop (not your local equivalent of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware, and even if they are, your computer may be so infested that Windows will need to be clean-installed. If possible, have all your data backed up before you take the machine into a shop.

Malke

Thanks for this - I'll follow your suggestions; I've already run HJT.

Yes, I'm fairly savvy: got my first job in IT in '68 at Control Data writing Fortran, got my first "personal" computer in the late '70s (PDP8), got my first internet connection in the early '80s, just after I got my very own XT in '83. Got Windows 2.1 when it came out; you can probably guess the rest. I have never, to my uncertain knowledge, been infected with anything prior to this week. Until recently I only used text-based mail, I've never had MS Office and I am careful with respect to web browsing, no online shopping etc. I think I know where the download trojans came from - foolishly clicked on a flash video (I run FF with Flashblock) on a site I thought I could trust - should have checked first.

The previous rebuild was initiated by a significant system upgrade - more memory, more disk (two now, two more in the wings so that I can stripe & mirror) and a new tube. Also I wasn't happy with my folder structure, i.e. the rebuild was not due to infection.

I am sure I could create the CD, it's just that I've not done so. I'm an ardent iconoclast, both visually and aurally - so I don't watch movies or videos, look at pictures or listen to recorded music - if it's not the living flesh then as far as I'm concerned it doesn't exist, hence CDs are not something I use, except as a medium from which to install software.

But as you and "FromTheRafters" have said, the safest thing is to rebuild and that's what I'll probably do. However, I'll go through the process you've outlined first. I'm sure it will educate me on an aspect of computing that, until now, I have thankfully avoided, and at times I've even wondered if it was all just a 'con'.

Oh, I found another problem. The Display Properties->Screen Saver keeps getting reset to None, and the Display Properties->Desktop tab wedges; sometimes the exit button will work, other times I have to get Process Explorer out in order to kill the rundll32 instance in which Display Properties is running.

CDC!

Colossus: The Forbin Project.
Used a CDC 469E in PHALANX CIWS.