Solved

sick, sick computer

Posted on 2004-09-18
438 Views
Last Modified: 2010-04-11
I have a Compaq desktop s5200cl. It is a real sick unit. I know it has many spyware programs and a lot of infection from viruses. I just don't know where to start to clean it up. I can always just reformat, but I would rather not do that because I'll lose some very important files; however, the infection is so bad I am unable to even dump those files to CD to preserve them. Can anyone give me help?
Question by:dennis7280
44 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12093377
Hello dennis7280 =)

First of all, go to Start > Run > msconfig > Startup
and untick all applications except your Antivirus and Firewall entries!

Then download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then disable your Messenger Service if it's running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that, follow these instructions:

1. Restart your machine in Safe Mode and log in as Administrator
2. Run the antivirus tool and delete all viruses it finds
3. Run the spyware removal tools and delete everything they detect
4. Then go to My Computer > Tools > Folder Options > View and turn on Show Hidden Files
5. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
6. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder ContentIE
7. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present here
8. Go to C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check whether the problems are gone or not
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093384
Hi dennis7280,

Ok. Do the usual things.

1) Download Adaware (http://www.lavasoftusa.com/) and Spybot S&D (http://www.safer-networking.org/en/index.html) (or other spyware sweepers if you want). Run both of them and delete what they find. You can click Immunize on S&D to help have constant protection.
2) Run your antivirus.
3) Go to Start->Run->%TEMP% and delete all
4) Go to Start->Run->sfc /scannow
5) Right click Local Disk C and select chkdsk.
6) Download Hijackthis and post your log here after running it.

Regards,
Zyloch
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093385
Oh bother, I was hoping to get it in before you this time lmao. Maybe another time then.

Regards...
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093388
Post back your results and remaining problems, and we will move further from there!

One more thing: after you finish the above cleaning process, at the end download HijackThis v1.98.2 from here, run it and save the log file:
http://www.spychecker.com/program/hijackthis.html

Then post it at this site >> http://www.hijackthis.de/index.php?langselect=english
Check whether it reports anything nasty or not.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093392
>> Oh bother, I was hoping to get it in before you this time lmao. Maybe another time then.

lol... I was offline the whole day, so it's time to do some hard work here ;-)
 

Author Comment

by:dennis7280
ID: 12093395
Wow! I knew this was going to be fun. :) Thanks, I'll do what you suggest and see what happens.
Thanks very much
D-Man
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093399
>> wow! knew this was going to be fun.:)

Sure, that nasty malware is fun to mess with :D
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093400
Fun =) My computer was really messed up. Downloaded Adaware and Spybot and deleted 2000 files at once. Never felt better in my life.
 

Author Comment

by:dennis7280
ID: 12093401
Ha, Ha. You guys/gals are the best.
thx
 

Author Comment

by:dennis7280
ID: 12093412
OH! Did I mention that all this stuff has prevented me from getting on the net? I run through a cable modem. I keep getting a DNS error when I try to access the internet.
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093414
Hmm... that's happened to me before with spyware. Try the steps above that don't need spyware first, i.e. deleting files in the TEMP folder and running antivirus or sfc /scannow etc.

Is it possible you can get on with dialup? Do you have AOL, for instance?
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093417
>> I keep getting a DNS error when I try to access the internet.

OK, then do one thing first: if this error is due to a proxy hijack, it can be corrected by using HijackThis, so first use HijackThis and have it analysed on that site!

Fix the nasty entries that it mentions and then check whether there is any progress.
If NO, then try running this Winsock Repair for XP:
http://www.spychecker.com/program/winsockxpfix.html
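The accepted answer's follow-up (run HijackThis, save the log, have it analysed) and the proxy-hijack advice just above both come down to reading a HijackThis log for a handful of entry types. As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that applies those checks to a constructed log: it flags an R1 ProxyServer entry pointing at the local machine (the proxy hijack that shows up as a "DNS error"), O1 hosts-file lines that redirect a domain, O4 autostart entries that run from user-writable directories or that borrow a system binary's name outside C:\WINDOWS, and O10 unknown Winsock LSP entries (the case the Winsock repair tool addresses). The sample log lines are made up for the demonstration and their layout is assumed to follow HijackThis 1.98; the directory and name rules are heuristics, not a whitelist.

```python
"""Triage a HijackThis-style log for the problems raised in this thread:
a proxy hijack (R1 ProxyServer), hosts-file redirects (O1), autostart entries
launched from user-writable directories or impersonating system binaries (O4),
and unknown Winsock LSPs (O10). Added example, not code from the thread.
The log below is constructed; the line layout is assumed to follow
HijackThis v1.98, and the path rules are heuristics."""
import re
from typing import List, Tuple

# Constructed sample log (not a real capture from the asker's machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
O1 - Hosts: 127.0.0.1 www.symantec.com
O1 - Hosts: 127.0.0.1 liveupdate.symantecliveupdate.com
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\dennis\Local Settings\Temp\svchost.exe
O4 - HKLM\..\Run: [Norton AntiVirus] "C:\Program Files\Norton AntiVirus\navapw32.exe" /LOADQUIET
O10 - Unknown file in Winsock LSP: c:\windows\system32\newdotnet6_38.dll
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")

# Directories a normal user (and therefore user-level malware) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\temp\\",
                 "\\temporary internet files\\")
# Names malware borrows to hide among real Windows processes.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
WINDOWS_DIR = "c:\\windows\\"


def executable_path(cmd: str) -> str:
    """Extract the program path from a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def proxy_hosts(value: str) -> List[str]:
    """'http=127.0.0.1:8080;https=proxy:3128' or 'proxy:3128' -> list of hosts."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0].lower())
    return hosts


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for lines worth fixing or investigating."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("R1 ") and "ProxyServer" in line:
            m = PROXY_RE.search(line)
            hosts = proxy_hosts(m.group("value")) if m else []
            if any(h in ("127.0.0.1", "localhost") for h in hosts):
                # IE routed through a port on the same box: the classic proxy hijack
                findings.append(("proxy-hijack", line))
            else:
                findings.append(("proxy-set", line))  # confirm with the ISP
        elif line.startswith("O1 "):
            m = HOSTS_RE.match(line)
            if m and m.group("host").lower() != "localhost":
                findings.append(("hosts-redirect", line))
        elif line.startswith("O4 "):
            m = O4_RE.match(line)
            if not m:
                continue
            path = executable_path(m.group("cmd")).lower()
            base = path.rsplit("\\", 1)[-1]
            reasons = []
            if any(marker in path for marker in USER_WRITABLE):
                reasons.append("runs from a user-writable directory")
            if base in SYSTEM_NAMES and not path.startswith(WINDOWS_DIR):
                reasons.append("system binary name outside C:\\WINDOWS")
            if reasons:
                findings.append(("autostart", f"{line} ({'; '.join(reasons)})"))
        elif line.startswith("O10 "):
            findings.append(("winsock-lsp", line))  # pairs with the Winsock repair advice
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:14} {detail}")
```

The script is read-only: it tells you which lines to look at and why, and the fixing still happens in HijackThis after you have checked each entry. A program that sits in Program Files is not proven clean just because it isn't flagged, and an unflagged R0 start page can still be an unwanted one.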
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093418
Wait... how are you talking to us if you're not on the net? I knew I was missing something lmao
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093424
After you get the connection, you can download and update the above products to run them :)

And if by chance you cannot manage to get the internet either way, then you can use the system from where you are typing to download the above tools and then transfer them to the infected system to use them =)
 

Author Comment

by:dennis7280
ID: 12093425
I have three computers and this is my super computer. It is very clean.
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093429
If what SheharyaarSaahil said about the winsock and proxy error fix doesn't do anything, the spyware sweep should fix it. Just some added info because I'm bored :) The only other new question I could answer was a simple Javascript one on escaping quotes. Ah well, gotta go eat dinner soon.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093433
>> because I'm bored :)

Yeah, it's the weekend, not much work today =)
 

Author Comment

by:dennis7280
ID: 12093438
Duh!! Never thought of that, how stupid of me.
Well, looks like I'm in for some work so I'll get to it and let you guys know if my computer found the trash can.:)
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093443
>> Well, looks like I'm in for some work

Sure you have, so good luck from us :)
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093448
Good luck, heh. If you need any help, just post. I'm probably going off to fool around with Macromedia Director, bbl ;)
 

Author Comment

by:dennis7280
ID: 12093485
Well, right from the start I have a problem: Start>Run>msconfig>Startup produced nothing, meaning the popup window never opens. NEXT?
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093489
Don't tell me you are using Win2000?? =\
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093492
OK, okkkk.... what are you doing, dude? You have to hit the Start button and choose Run,
type msconfig (hit Enter)
and then go to the Startup section!! :D
 

Author Comment

by:dennis7280
ID: 12093516
No, using Win XP SP1, and I know how to do it, but the popup window that is supposed to come up DOESN'T POP UP. Start>Run>msconfig> then click OK, and nothing, just a desktop. Checked Task Manager and no apps running; however, there are 60 processes, while the system I'm typing on only runs 29. Should I just get out my sledgehammer and make some minor repairs? :)
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093524
Hmmmmmmm, it should be present in C:\WINDOWS\PCHealth\HelpCtr\Binaries
If it's not there, then get it from here >> http://www.perfectdrivers.com/howto/msconfig.html

Now you can use it and can also put it in the above location :)
 

Author Comment

by:dennis7280
ID: 12093537
OK. Went there. The popup window opens for about 1/2 a second and then closes.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093538
OK, so that means you have one of those viruses which are mentioned here =\

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
(site credit goes to Ramesh >> http://www.experts-exchange.com/M_926622.html :)
 

Author Comment

by:dennis7280
ID: 12093544
Among others, yes, that is one of them. I'll check the link and see what's up.
Thanks
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093547
OK, so now the situation has got worse =\

So do this: first of all, boot into Safe Mode, and run all those tools there plus your AV software!
In this way at least some of them will be deleted, and we will have fewer items to work with.... what do you think :-?
 
LVL 36

Expert Comment

by:Zyloch
ID: 12093567
Back. Pretty complex, looking at those threads...
 

Author Comment

by:dennis7280
ID: 12093589
Well, I checked the link you sent. Renamed the msconfig exe file and now I get the popup window. Soooooooo I will proceed with your prior instructions and see what happens.
 
LVL 1

Expert Comment

by:darkdrago
ID: 12096428
Just something that you can try for the viruses:
http://www.ultimatebootcd.com/ has a couple of virus scanners on their CD, so you can download it on your clean computer, burn the CD and then scan your other computer, getting rid of most of the viruses.
 

Author Comment

by:dennis7280
ID: 12097567
OK, I'm still working on my problem and ran into a group of files with the extension ".RBO"; can anyone tell me what this is?
 
LVL 36

Expert Comment

by:Zyloch
ID: 12097584
 

Author Comment

by:dennis7280
ID: 12099309
Tried to pull up the link that Zyloch sent and got a DNS error even on the good computer, so that doesn't work. But wait, I tried again and it came up, what luck, I think :) It said that I need "magb_dis.zip". Said to unzip and run it.

Magistr.b disinfection
----------------------

The virus uses ComputerName as key to encrypt victim file data. To disinfect such files we need to get ComputerName. From database (from disinfection routine) we can't use Win32 API function GetComputerNameA to do that.

Solved. Solution will be sent to AVP_Files list.

1. Run DISINF.EXE file. It will create DISINF.INI file with different data in it, including ComputerName.

2. Scan DISINF.INI file. A routine in database will get computer name from DISINF.INI file.

3. Scan machine and disinfect Magistr. The disinfection routine will use ComputerName from 2.

Note: the virus _does_not_ use ComputerName to encrypt files in two cases:

 if file length < 20000h
 if file is infected on remote machine.

OK, I did exactly what it said. Now a stupid question, sorry: how do I get it to scan my "C" drive? I mean it says to scan the machine, but HOW?
 
LVL 36

Expert Comment

by:Zyloch
ID: 12099358
That was as vague as it gets. I would recommend pulling up this page:

http://www.sophos.com/support/disinfection/magbremove.html

on your good machine. It says to download the thing on your good machine and read the instructions. Dunno, but give it a try.
 

Author Comment

by:dennis7280
ID: 12099384
I'll give it a try, thanks, and yes, I thought it was pretty vague also. It also said it was the worst virus to date, but didn't give a date :)
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12101498
Dennis, are you sure these are .rbo files and not .rb0?

Because .rb0 files are the antivirus backup files, which it creates before fixing the infected files >> http://filext.com/detaillist.php?extdetail=RB0

I thought of it because surely you had viruses, and it is possible that when you ran the AV tools, they created these backups!! :)
 
LVL 6

Expert Comment

by:d_may
ID: 12108794
DNS stands for Domain Name System, and that is what converts www.lockergnome.com to an IP address that the computer can understand. That would explain why the Internet would not work, but what about e-mail, you ask? Well, unless you put the IP address in the mail server address field, then it is running off DNS too. The best way to see if your DNS is causing the problem is to try going to Google.com the next time you start having trouble. If that doesn't work, then try typing Google's IP address of 216.239.51.101 in the address field. If that works, then you just aren't getting the address of your ISP's DNS server. You can work around a DNS problem two different ways. One way is to call up your ISP and ask them to talk you through manually entering their DNS information. The second way depends on your version of Windows. If you are running Windows 9x or ME, (1) click the Start button, (2) click Run, (3) type "winipcfg" (sans quotes), (4) and press OK (make sure you are dialed up to your ISP first). If you click "More Info" on the Winipcfg window, you will see where it says "DNS Servers." Just write down those numbers. To do the same thing in Windows 2000 or XP, just type in "cmd" (sans quotes) in the "Run" dialog box and click OK. At the command line, type "ipconfig /all" (sans quotes) and hit Enter on your keyboard. Write down the DNS server IP addresses listed to the right of DNS.

So now you have your DNS addresses, how do you apply that to your dial-up connection? In Windows 9x or ME, just double-click My Computer and then Dial-up Networking. Right-click your ISP and choose Properties. You should see a Server Types tab, and next to TCP/IP you need to click Settings. Put the IP addresses in the DNS fields and click OK to get out of the windows. To do the same thing in Windows 2000 or XP, go to Start | Control Panel | Network and Dial-up Connections. If you right-click the icon for your dial-up connection and choose Properties, you will see where you can click on the Networking tab. Click on Internet Protocol (TCP/IP) and then Properties. On the General tab, click "Use the following DNS server addresses" and then type in the DNS server IP addresses. Click OK to get out of all of the windows and then reboot. You

Dale May :)
 

Author Comment

by:dennis7280
ID: 12110556
Thanks Dale, but I am on a cable modem, not dial-up. I have managed to access the net on my infected computer. I went to Trend's site and ran the free scan, and these are the viruses it says I have: "malware.bkdr", "berbew.I worm", "korgo worm", "agobot-5", "pe-bagle.t.o", "bobax.c worm", "pe-begle 1.t", "w/32begle.q". I cannot get rid of "PE-BAGLE.T.O"; plus, when I think I am making progress, I reboot and everything is back. I am almost bald now, so can anybody help me?

I did run the programs SheharyaarSaahil recommended and they cleaned a lot of crap off, but I still have the viruses. :(
 

Author Comment

by:dennis7280
ID: 12110592
SheharyaarSaahil, you were right about RBO versus RB0, I discovered that. Thanks.
 
LVL 1

Expert Comment

by:bigwave2
ID: 12112337
I would suggest putting the "infected" hard drive into another computer as a secondary drive; make sure it won't boot from it, otherwise you will just spread the infection. As it is not the boot drive, nothing on it will be run.

Then it should just be a case of copying the required files over.

Then you can fdisk the old drive and start from scratch.
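The secondary-drive approach in the post above is the safest way to get the files off, provided nothing on the infected disk gets executed while it is mounted. As an added example, not code from the thread, this Python script copies data files from the mounted disk into a rescue folder: it refuses anything with an executable or script extension, anything whose content starts with the PE "MZ" header regardless of what the extension claims (malware routinely renames executables to look like documents), and autorun.inf, and it records a SHA-256 manifest so the rescued set can be scanned and later verified unchanged. The source and destination paths in demo() are constructed temporary directories with made-up files; on a real rescue you would pass the mounted drive's profile directory and a folder on the clean machine, both of which are assumptions here.

```python
"""Rescue data files from an infected disk mounted as a secondary (non-boot)
drive, the approach suggested in the thread. Added example, not part of the
original thread. Only files that do not look like Windows executables are
copied, and a SHA-256 manifest is written so the rescued files can be scanned
and re-verified. Paths and sample files are constructed for the demo."""
import hashlib
import os
import shutil
import tempfile

# Extensions Windows runs directly; refused regardless of content (heuristic list).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl", ".sys"}
MAX_SIZE = 200 * 1024 * 1024  # assumed ceiling: skip anything larger than 200 MB


def looks_like_pe(path: str) -> bool:
    """True if the file starts with the DOS 'MZ' stub that every PE binary carries.
    Checked on content, because a renamed .exe keeps its header."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def rescue_files(src_root: str, dst_root: str) -> dict:
    """Copy data files from src_root into dst_root; report what was copied/skipped."""
    report = {"copied": [], "skipped": [], "manifest": [], "dst_root": dst_root}
    for dirpath, _dirs, files in os.walk(src_root):
        for name in sorted(files):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "autorun.inf" or ext in EXEC_EXTENSIONS:
                report["skipped"].append(f"{rel}: executable/script extension")
                continue
            if os.path.getsize(src) > MAX_SIZE:
                report["skipped"].append(f"{rel}: larger than MAX_SIZE")
                continue
            if looks_like_pe(src):
                report["skipped"].append(f"{rel}: PE header behind a data extension")
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            report["copied"].append(rel)
            report["manifest"].append(f"{sha256_of(dst)}  {rel}")
    with open(os.path.join(dst_root, "MANIFEST.sha256"), "w") as fh:
        fh.write("\n".join(report["manifest"]) + "\n")
    return report


def verify_manifest(dst_root: str) -> bool:
    """Re-hash the rescued files against MANIFEST.sha256 (e.g. after an AV scan)."""
    with open(os.path.join(dst_root, "MANIFEST.sha256")) as fh:
        for entry in fh.read().splitlines():
            digest, rel = entry.split("  ", 1)
            if sha256_of(os.path.join(dst_root, rel)) != digest:
                return False
    return True


def demo() -> dict:
    """Build a throwaway 'infected drive' (constructed data) and rescue from it."""
    src = tempfile.mkdtemp(prefix="sickdisk_")
    dst = tempfile.mkdtemp(prefix="rescued_")
    docs = os.path.join(src, "Documents and Settings", "dennis", "My Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "taxes.txt"), "w") as fh:
        fh.write("important data\n")
    with open(os.path.join(docs, "photo.jpg"), "wb") as fh:
        fh.write(b"MZ\x90\x00 not really a picture")  # renamed executable
    with open(os.path.join(docs, "setup.exe"), "wb") as fh:
        fh.write(b"MZ\x90\x00")
    with open(os.path.join(src, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=setup.exe\n")
    return rescue_files(src, dst)


if __name__ == "__main__":
    result = demo()
    print("copied:", result["copied"])
    print("skipped:", result["skipped"])
    print("manifest verifies:", verify_manifest(result["dst_root"]))
```

Browse the infected disk from a command prompt or a script like this rather than double-clicking it in Explorer, and treat the rescued documents as untrusted until they have been scanned: a .doc or .zip that passes the PE check can still carry a macro or a packed executable.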
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12114046
>> when I think I am making progress, I reboot and everything is back

Dennis, don't tell me that your System Restore is turned on!!! =\
 

Author Comment

by:dennis7280
ID: 12118007
No. System Restore is off. Putting the hard drive in my other computer is a very good idea; wish I would have thought of it. Thanks a lot :) Back to work.............
