sick, sick computer

I have a Compaq desktop s5200cl. It is a real sick unit. I know it has many spyware programs and a lot of infection from viruses. I just don't know where to start to clean it up. I can always just reformat, but I would rather not do that because I'll lose some very important files; however, the infection is so bad I am unable to even dump those files to CD to preserve them. Can anyone give me help?
dennis7280Asked:
SheharyaarSaahilCommented:
Hello dennis7280 =)

First of all goto Start>Run>msconfig>Startup
and untick all applications except ur Antivirus and Firewall entries !!

Then Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
0
 
ZylochCommented:
Hi dennis7280,

Ok. Do the usual things.

1) Download Adaware (http://www.lavasoftusa.com/) and Spybot S&D (http://www.safer-networking.org/en/index.html) or other spyware sweepers if you want). Run both of them and delete what they find. You can click Immunize on S&D to help have constant protection.
2) Run your antivirus.
3) Go to Start->Run->%TEMP% and delete all
4) Go to Start->Run->sfc /scannow
5) Right click Local Disk C and select chkdsk.
6) Download Hijackthis and post your log here after running it.

Regards,
Zyloch
0
 
ZylochCommented:
Oh bother, I was hoping to get it in before you this time lmao. Maybe another time then.

Regards...
0
 
SheharyaarSaahilCommented:
Post back ur results and remaining problems, and we will move further from there !!

one more thing,,,, after u finish the above cleaning process, in the end Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://www.spychecker.com/program/hijackthis.html

Then Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
Check if it reports anything Nasty or not ??
0
 
SheharyaarSaahilCommented:
>> Oh bother, I was hoping to get it in before you this time lmao. Maybe another time then.

lol... I was offline the whole today,,,so its time to do some hardwork here ;-)
0
 
dennis7280Author Commented:
wow! knew this was going to be fun.:) Thanks I'll do what you sugest and see what happens.
Thx very much
D-Man
0
 
SheharyaarSaahilCommented:
>> wow! knew this was going to be fun.:)

sure,,, those nasty malwares are fun to mess with :D
0
 
ZylochCommented:
Fun =) My computer was really messed up. Downloaded Adaware and Spybot and deleted 2000 files at once. Never felt better in my life.
0
 
dennis7280Author Commented:
Ha, Ha. You guys/gals are the best.
thx
0
 
dennis7280Author Commented:
OH! Did I mention that all this stuff has prevented me from getting on the net? I run through a cable modem. I keep getting a DNS error when I try the access the internet.
0
 
ZylochCommented:
Hmm... that's happened to me before with spyware. Try the steps above that don't need spyware first, i.e. deleting files in the TEMP folder and running antivirus or sfc /scannow etc.

Is it possible you can get on with dialup? Do you have AOL, for instance?
0
 
SheharyaarSaahilCommented:
>> I keep getting a DNS error when I try the access the internet.

ok then do one thing first.... if this error is due to a proxy hijack, then it can be corrected by using HijackThis,,,, so first use HijackThis and have it analysed on that site !!

Fix the Nasty entries that it mentions and then check if any progress ??
If NO then Try running this Winsock Repair for XP:
http://www.spychecker.com/program/winsockxpfix.html
0
 
ZylochCommented:
Wait... how are you talking to us if you're not on the net? I knew I was missing something lmao
0
 
SheharyaarSaahilCommented:
after u get the connection u can download and update the above products to run them :)

and if by chance u cannot manage to get the internet in either way, then u can use the system from where u are typing to download the above tools and then can transfer them to the infected system to use them =)
0
 
dennis7280Author Commented:
I have three computers and this is my super computer. It is very clean.
0
 
ZylochCommented:
If what SheharyaarSaahil said about the winsock and proxy error fix doesn't do anything, the spyware sweep should fix it. Just some added info because I'm bored :) The only other new question I could answer was a simple Javascript one on escaping quotes. Ah well, gotta go eat dinner soon
0
 
SheharyaarSaahilCommented:
>> because I'm bored :)

yeah its weekend,,, not much work today =)
0
 
dennis7280Author Commented:
Duh!! Never thought of that, how stupid of me.
Well, looks like I'm in for some work so I'll get to it and let you guys know if my computer found the trash can.:)
0
 
SheharyaarSaahilCommented:
>> Well, looks like I'm in for some work

sure u have, so wish u good luck from us :)
0
 
ZylochCommented:
Good luck, heh. If you need any help, just post. I'm probably going off to fool around with Macromedia Director, bbl ;)
0
 
dennis7280Author Commented:
Well, right from the start I have a problem: Start>Run>msconfig>Startup produced nothing, meaning the popup window never opens. NEXT?
0
 
SheharyaarSaahilCommented:
Don't tell me u are using Win2000 ??  =\
0
 
SheharyaarSaahilCommented:
ok okkkk.... what are u doing dude,,,, u have to hit Start button and choose Run
type msconfig (hit enter)
and then goto Startup section !!  :D
0
 
dennis7280Author Commented:
No, using Win XP SP1, and I know how to do it, but the popup window that is supposed to come up DOESN'T POPUP. start>run>msconfig> then click OK, and nothing, just a desktop. Checked "Task Manager" and no apps running. However there are 60 processes; the system I'm typing on only runs 29. Should I just get out my sledgehammer and make some minor repairs:)
0
 
SheharyaarSaahilCommented:
hmmmmmmm it shud be present in C:\WINDOWS\PCHealth\HelpCtr\Binaries
if its not there, then get it from here >> http://www.perfectdrivers.com/howto/msconfig.html

Now u can use it and can put it also in the above location :)
0
 
dennis7280Author Commented:
Ok. Went there. The popup window opens for about 1/2 a second and then closes.
0
 
SheharyaarSaahilCommented:
ok so that means u are having one of those viruses which are mentioned here =\

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> http://www.experts-exchange.com/M_926622.html :)
0
 
dennis7280Author Commented:
Among others, yes that is one of them. I'll check the link and see what's up.
thnx
0
 
SheharyaarSaahilCommented:
ok so now the situation has got worse =\

so do this,,,, first of all boot into safemode, and run all those tools there Plus ur AV software !!
in this way at least some of them will be deleted, and we will have less items to work with.... what do u think :-?
0
 
ZylochCommented:
Back. Pretty complex, looking at those threads...
0
 
dennis7280Author Commented:
Well, I checked the link you sent. Renamed the msconfig exe file and now I get the popup window. soooooooo I will proceed with your prior instructions and see what happens.
0
 
darkdragoCommented:
just something that you can try for the viruses
http://www.ultimatebootcd.com/ has a couple of virus scanners on their CD, so you can download it on your clean computer, burn the CD and then scan your other computer, getting rid of most of the viruses
0
 
dennis7280Author Commented:
Ok, I'm still working on my problem and ran into a group of files with the extension of ".RBO" can anyone tell me what this is?
0
 
ZylochCommented:
0
 
dennis7280Author Commented:
Tried to pull up the link that Zyloch sent and got a DNS error even on the good computer, so that doesn't work. But wait, I tried again and it came up, what luck, I think:) It said that I need "magb_dis.zip". Said to unzip and run it.

Magistr.b disinfection
 ----------------------

The virus uses ComputerName as key to encrypt victim file data. To disinfect
such files we need to get ComputerName. From database (from disinfection
routine) we can't use Win32 API function GetComputerNameA to do that.


Solved. Solution will be sent to AVP_Files list.

1. Run DISINF.EXE file.  It will create DISINF.INI file with different data in
it, including ComputerName.

2. Scan DISINF.INI file.  A routine in database will get computer name from
DISINF.INI file.

3. Scan machine and disinfect Magistr.  The disinfection routine will use
ComputerName from 2.


Note: the virus _does_not_ use ComputerName to encrypt files in two cases:

 if file length < 20000h
 if file is infected on remote machine.

Ok, I did exactly what it said. Now a stupid question, sorry: how do I get it to scan my "C" drive? I mean it says to scan machine but HOW?
0
 
ZylochCommented:
That was as vague as it gets. I would recommend pulling up this page:

http://www.sophos.com/support/disinfection/magbremove.html

on your good machine. It says to download the thing on your good machine and read the instructions. Dunno, but give it a try.
0
 
dennis7280Author Commented:
I'll give it a try, thanks, and yes I thought it was pretty vague also. It also said it was the worst virus to date, but didn't give a date :)
0
 
SheharyaarSaahilCommented:
dennis are u sure these are .rbo files and not .rb0

coz .rb0 are the antivirus backup files, which it creates before fixing the infected files >> http://filext.com/detaillist.php?extdetail=RB0

I thought it coz surely u had viruses, and it is possible that when u ran av tools, they created these backups !!  :)
0
 
Dale MaySecurityCommented:
DNS stands for Domain Name System, and that is what converts www.lockergnome.com to an IP address that the computer can understand. That would explain why the Internet would not work, but what about e-mail you ask? Well, unless you put the IP address in the mail server address field, then it is running off DNS too. The best way to see if your DNS is causing the problem is to try going to Google.com the next time you start having trouble. If that doesn't work, then try typing Google's IP address of 216.239.51.101 in the address field. If that works, then you just aren't getting the address of your ISP's DNS server. You can work around a DNS problem two different ways. One way is to call up your ISP and ask them to talk you through manually entering their DNS information. The second way depends on your version of Windows. If you are running Windows 9x or ME, (1) click the Start button, (2) click Run, (3) type "winipcfg" (sans quotes), (4) and press OK (make sure you are dialed up to your ISP first). If you click "More Info" on the Winipcfg window, you will see where it says "DNS Servers." Just write down those numbers. To do the same thing in Windows 2000 or XP, just type in "cmd" (sans quotes) in the "Run" dialog box and click OK. At the command line, type "ipconfig /all" (sans quotes) and hit Enter on your keyboard. Write down the DNS server IP addresses listed to the right of DNS.

So now you have your DNS addresses, how do you apply that to your dial-up connection? In Windows 9x or ME, just double-click My Computer and then Dial-up Networking. Right-click your ISP and choose Properties. You should see a Server Types tab and next to TCP/IP you need to click Settings. Put the IP addresses in the DNS fields and click OK to get out of the windows. To do the same thing in Windows 2000 or XP, go to Start | Control Panel | Network and Dial-up Connections. If you right-click the icon for your dial-up connection and choose Properties, you will see where you can click on the Networking tab. Click on Internet Protocol (TCP/IP) and then Properties. On the General tab, click "Use the following DNS server addresses" and then type in the DNS server IP addresses. Click OK to get out of all of the windows and then reboot. You



Dale May:)
       
0
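Dale May's name-versus-IP test, as an added Python example that is not from the thread or from any of its posters: parse_dns_servers pulls the DNS server addresses out of "ipconfig /all" text (a constructed sample is embedded), and classify tells a DNS failure apart from a dead link. The resolver and connection functions are injectable so the logic can be exercised without a network; the IP 216.239.51.101 is only the default taken from the post above.

```python
import re
import socket

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed "ipconfig /all" sample (not the asker's); addresses are placeholders.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 192.0.2.53
                                            198.51.100.53
"""

def parse_dns_servers(ipconfig_output):
    """Return DNS server addresses from 'ipconfig /all' text (the first follows
    'DNS Servers ... :', extras continue on bare indented lines)."""
    servers, in_dns = [], False
    for line in ipconfig_output.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            servers += IPV4.findall(line.split(":", 1)[1])
        elif in_dns and ":" not in line and IPV4.search(line):
            servers += IPV4.findall(line)
        else:
            in_dns = False
    return servers

def resolve(hostname):
    # System resolver; None when the lookup fails.
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None

def reachable(ip, port=80, timeout=3.0):
    # True if a TCP connection to ip:port opens (no name lookup involved).
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(hostname="www.google.com", known_ip="216.239.51.101",
             resolve=resolve, reachable=reachable):
    """Name-vs-IP test: 'ok'; 'dns' (name fails or resolves to a dead address
    while a raw IP works: DNS settings or a hijacked resolver/hosts file);
    'network' (even the raw IP is unreachable: look at the link, not DNS)."""
    ip = resolve(hostname)
    if ip is not None and reachable(ip):
        return "ok"
    return "dns" if reachable(known_ip) else "network"
```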
 
dennis7280Author Commented:
Thanks Dale, but I am on a cable modem, not dialup. I have managed to access the net on my infected computer. I went to "Trend's" site and ran the free scan, and these are the viruses it says I have: "malware.bkdr", "berbew.I worm", "korgo worm", "agobot-5", "pe-bagle.t.o", "bobax.c worm", "pe-begle 1.t", "w/32begle.q". I can not get rid of "PE-BAGLE.T.O", plus, when I think I am making progress, I reboot and everything is back. I am almost bald now, so can anybody help me?

I did run the programs SheharyaarSaahil recommended and they cleaned a lot of crap off, but I still have the viruses. :(
0
 
dennis7280Author Commented:
SheharyaarSaahil, you were right about RBO versus RB0, I discovered that. Thanks.
0
 
bigwave2Commented:
I would suggest putting the "infected" hard drive into another computer as a secondary drive, make sure it won't boot from it otherwise you will just spread the infection. As it is not the boot drive nothing on it will be run.

Then it should just be a case of copying the required files over.

Then you can fdisk the old drive and start from scratch.
0
 
SheharyaarSaahilCommented:
>> when I think I am making progress, I reboot and everything is back

dennis dont tell me,,,, that ur System Restore is turned on !!!  =\
0
 
dennis7280Author Commented:
No. System restore is off. Putting the hard drive in my other computer is a very good idea, wish I would have thought of it. Thanks a lot:) Back to work.............
0
Question has a verified solution.
