Solved

My computer is dead meat:  I think I have many viruses

Posted on 2004-09-21
26
786 Views
Last Modified: 2013-11-16
Okay, this is a very sick patient.  

Some symptoms:
IE has been operating slowly/intermittently.
Outlook is virtually nonusable.
My firewall keeps telling me that various applications, some of which I've never heard of, are trying to contact various IP addresses.
My office applications are trying to contact the outside world.
I can't even access certain internet pages with my firewall turned on, so I have to turn it off.  
When my computer is within infra-red range of another computer, it transfers sinister-sounding files to the other computer.

I have no anti-virus or anti-anything software on my machine.

Question:
Is there a way out of this mess that does not involve reformatting my hard drive?

If I do have to reformat my hard drive (a *very* time-consuming proposition to get set up again with so much software), then I will back up all my data files.  But how do I know that my data files don't carry viruses themselves?

Can someone give me a step by step process for getting my computer healthy again, hopefully one that doesn't cost too much money?


Question by:searcherguy
26 Comments
 

Author Comment

by:searcherguy
ID: 12117592
Operating system:  XP Pro (I don't think I have an installation CD for XP Pro;  I think it came pre-installed from IBM, but I will check)
IBM Thinkpad A30p.
0
 

Author Comment

by:searcherguy
ID: 12117600
Is there a service I can pay to have someone fix my computer? Perhaps located in the SF Bay Area?
0
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 100 total points
ID: 12117626
Hello searcherguy =)

>> Is there a way out of this mess that does not involve reformatting my hard drive?

hmmmmmmmmmmmmmmmm we can try,,,, but there is no guarantee that ur system will not get reinfected by looking at the Mess it's having right now.... so what is the use of spending days to set it up, and it will reinfect again after one or two days..... so... ??  :)

>> But how do I know that my data files don't carry viruses themselves?

It's simple, install an AV software, scan these files, and if they are clean, back them up, and if they are infected, first clean them and then back them up !!  :)

So it's Highly recommended that u DO a Format and Fresh Install,,,, and then after installing, before connecting to internet install good firewall and antivirus software, and install Adaware and Spybot and turn on their Auto Protect feature !!
Then connect to internet and download Windows Updates to update ur machine.... im sure u will feel much better than now ;-)

Good Luck ^_^
0
 
LVL 6

Accepted Solution

by:
knoxj81 earned 400 total points
ID: 12118278
The service you have paid is here, on the points you bought to post this question. I feel the only way you should award the points, is if we can clean your system without you having to format.

First go here: http://housecall.trendmicro.com/    - and perform a full system scan. See what you come up with.

Next we're going to have you download HIJACK THIS and some other tools to remove the nonsense.

Goto:
http://www.majorgeeks.com/downloads31.html

and locate and download the following files in this order:

Ad-Aware SE Personal
Download and install this, run the update then perform a SMART SCAN. When finished make sure to SELECT ALL on your findings and click next to remove and quarantine the files.

CWShredder
Install this and just run it. It will automatically remove any of the CWS variants it finds.

HijackThis
Install this, and perform a scan, it will generate a list, copy all the list and post it in here for me to view and I'll inform you what to remove.

BHODemon
Install this, and update it. This will sit in your systray and inform you of any BHOs that try to load invisibly and give you the option to remove them, or just to find more info on the BHO file selected.




HERE is a list of things to do once your system is repaired and clean:

Antivirus:
Kaspersky Antivirus 5.0 (version just released this month) http://www.kaspersky.com/personal
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years.

AVG is also a great virus scanner (more for home users), not to mention they have a wonderful FREE edition.
http://www.grisoft.com/us/us_dwnl_free.php

Firewall:
Sygate Personal Firewall Pro - Compared to ZoneAlarm or Nortons which both have tons of exploits to drop their service like a fly. Sygate is the choice for a software firewall.

Sygate has a home edition for free as well.  www.sygate.com
 

Spyware/Adware/Malware/Dataware:
AD-AWARE - www.lavasoftusa.com
If you can afford it buy the PRO version; the extra feature AD-WATCH is well worth it, for it monitors your registry and notifies you of any changes made, allowing you to ALLOW or REJECT the request on the fly.


BHO Demon - www.majorgeeks.com/download3550.html  (mirrored)
This is a must nowadays if you're running Internet Explorer! BHO is used in a lot of the recent IE exploits as well as keyloggers. This is a must for Home and Corporate users.


IDS ( Intrusion Detection System ): - snort.org  * ADVANCED USERS ONLY*
I was reading my Windows & .NET Magazine, and it has a great article on SNORT. Setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising; this is for extremely paranoid home users.

References:
http://isc.sans.org/index.php?off=diary -Everyday info on the latest exploits/virus/security issues.
http://eeye.com - perfect for advisories and the best security software.
www.majorgeeks.com - Every program a nerd could think of!!
www.sygate.com
www.kaspersky.com
www.lavasoftusa.com
http://www.grisoft.com


Let me know if you have questions or need any help!

Jorden
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12118328
knoxj,,,,, this system is running without any firewall or antivirus software....
"I have no anti-virus or anti-anything software on my machine."

can u imagine how messed up it can be.... i know we help people here,,,, but what is the use of a help when we cannot get it to STAY !!

look at the other threads,,,, people who are running powerful av, firewall and adware\spyware removal tools, even they are badly infected,,,,, and cannot get rid of them...... and we are dealing with a hopeless system !!  :-/

Im sorry but i cannot agree that we shud try "cleaning" the system,,,,, its just useless and a waste of time coz infection is too bad and strong that if by chance he can get it cleaned,,,,, there are 95% chances of reinfection.... !!

searcherguy is afraid of formatting and reloading software.... i think it will still take less time and energy than cleaning this Dead Meat system !! =\

But if still u wanna try to clean it then Good Luck from my side !!
0
 
LVL 9

Expert Comment

by:woodendude
ID: 12118636
knoxj81 has made some great suggestions, but I believe if you have use of another computer (work, family, friends, net cafe, etc.) download and disc the programs he/she has suggested and then install and run them on your system (without going online). With no anti-virus program or firewall you will be picking up more crap as you are trying to clean out what you already have. I was once online for maybe 5 minutes without an AV, picked up 3 worms and 2 trojans. Also use this other computer to download one of the many free anti virus programs out there, some suggested above, install it on your system before you even think of going online, and only then go online. Once online, firstly update your AV, then run a full scan, then update and run the other suggested adware programs..... Formatting may in the end be your only option, but all is not yet lost!


Good Luck
0
 

Author Comment

by:searcherguy
ID: 12119954
Guys, I really appreciate the great debate here.  Reformat the hard disk, or fight software with software?  The essential question as I see it from a lay perspective.  Both answers are valid depending on the user and the user's situation.

I have decided to go the reformat route.  At least then I'll know I've gotten everything at least once.  I will let you know how it goes.  Because man, my machine is toast!  Even my office applications are all trying to contact remote IP addresses now.  Scary.  I've got something called NT Kernel and System that my firewall blocks when it's on -- that contacts other IP addresses.  I have no idea which of this stuff is benign and which is dangerous, but probably some of it is very dangerous.  Moreover, I got within infrared range of another computer and started to send an Excel file, and my machine sent the other machine a bunch of sinister-sounding files!

By the way, I called IBM about getting installation CD's for Windows XP Pro and they said definitely DO NOT use format c:, because they do not provide installation CD's for Windows XP Pro.  Instead, the IBM guy advised me to use IBM's built-in rebooting tool (F11 on my machine) that restores the machine to its factory-original disk, erasing everything but Windows XP Pro, as I understand what he was saying.  I asked what if my Windows XP Pro itself has a virus and he said it was unlikely such a virus could penetrate the partition that holds the XP Pro installation files...  I'm out of my depth here so my takeaway is that this gets around my main worry which was how in the world to reinstall Windows XP Pro.  
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12120004
Bro,  I run every program I listed and the only time my PC is infected is when I'm analyzing trojans, malware, viruses on my system. The fact of the matter is your system can be clean, and yes it will take some time. If you're willing to let me prove it, we can get through this in a few hours of dedicated work. I fix people's PCs remotely all day long and have yet to turn someone to formatting their PC. If you start from the beginning of my post you'll notice a difference. I understand that the virus keeps reappearing after rebooting, that's because you have system restore active. ALL you have to do is run a virus scan to determine the virus and we can take the steps to proceed with proper removal. PLEASE don't waste your money... If your final decision is giving up and waiting for those restore CD's then fine.

However, as long as you have your windows install cd, you don't need a restore cd, JUST go to www.majorgeeks.com and download a DRIVER backup tool and it will backup all your drivers. Then you just burn a cd with your drivers and perform a fresh format... ON THAT NOTE, if you proceed with a format, ALSO DOWNLOAD the firewall, antivirus, adaware, bhodemon and burn them onto a cd, and install those programs before plugging into the network.

Word from a SANS study: the average system only takes 20 minutes to get infected after formatting your pc and plugging right into the internet. 20 minutes isn't long enough to download all the windows updates.

If you have windows xp pro, I recommend slipstreaming SP2 onto the cd; this will make it so you don't have to run any windows updates after formatting.

Let me know your decisions and I'll view your response 8:00am pacific time.

Tech-Security.com,

Jorden
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12120006
nah nahhhhh..... u are taking it in a wrong way...... look what actually Restore disks contain, is just an IMAGE of the installation...... means when companies install XP on hard drive along with their utilities and drivers etc etc,,, after that they create an image of that newly installed OS..... and that image is present on the Restore disks !!

and when we run those Restore disks.... they format the drive and copy that image on the hard drive..... and what IBM have done... it has created a hidden partition in ur C: drive and have put that image on that hidden partition....
now when u will hit F11, it will access that hidden partition and when u will order it to restore the factory settings,,,,, it will format ur visible hard drive(not itself) and then transfers that image to it......

and what u will get is the EXACT same setup of OS like when u first got it !!
if u can tell me the exact model of ur IBM system,,,, i can provide u with the step-by-step instructions on how to restore ur system to the factory settings by pulling a link from IBM.... or u can go to http://www-1.ibm.com/support/us/search/index.html  urself, and can search for the Recovery guide :)

still confused ??  8-)
0
 

Author Comment

by:searcherguy
ID: 12120074
Guys,

I will get on this first thing in the morning.  I think what I will do is the full reformatting (which doesn't need to await CD's from IBM for the reason stated by SheharyaarSaahil), but I also need to make sure before I access the Internet again that I get some of that antivirus stuff installed that knox was talking about.

I only have one machine handy (the compromised one) but my idea for doing it is to download the antivirus software using my existing compromised laptop, but not install it yet, then back up that antivirus software without even installing it, then format the laptop and reinstall all software including the antivirus software I downloaded.  Only THEN access the Internet!  

Does that work?
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12124216
Yea, do that before connecting to the internet. And be sure to run windows updates as soon as you can. Also disabling DCOM and the WINDOWS MESSENGER SERVICE won't hurt either. Check out grc.com for some handy tools in aiding you in those tasks.

Let me know how it goes, and any questions you have along the way.

Good Luck,

Jorden
0
 

Author Comment

by:searcherguy
ID: 12126231
I'm testing these software tools on my existing machine before reformatting, to make sure they will work afterwards.

82 pieces of spyware identified and fixed by SpyBot.
Around 30 pieces of adware identified and fixed by Adaware.

Noticeable increase in web browsing speed post-fixes.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12126556
Im listening..... :)
0
 

Expert Comment

by:todesenge1
ID: 12127940
First: Buy Norton AV Pro, install, then scan.
Second: Download Ad-Aware (www.lavasoft.de), run it every week.
Third: Replace IE and Outlook with Firefox and Thunderbird (www.mozilla.org)
Fourth: Buy a hardware or software firewall, such as ZoneLabs ZoneAlarm

After that, you should be set!
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12133929
Do NOT use Norton AV, please, before doing that read some of the issues with symantec products here: http://www.eeye.com/html/research/advisories/index.html

If you want a great free virus scanner, use AVG; if you want the best, download Kaspersky (provided links above for both).

Firewall: Sygate home edition is free, Sygate pro is about $39.00. Great firewall.

Third, I would have Mozilla as a backup browser, and just lock down IE browser. With the problems I listed above, those are all the tools you'll need to keep IE Secure as possible.

You still need HiJACKTHIS, and BHODEMON.

Make sure you run updates for all your programs.

Good Luck,

Jorden
0
 
LVL 9

Expert Comment

by:woodendude
ID: 12138424
HAHA..... I knew the buy norton comment was going to attract attention.
0
 

Author Comment

by:searcherguy
ID: 12138485
Jorden/all:

Okay, the following action items are done:
Bought and installed Kaspersky, scanned all files.  20 viruses found and destroyed.
Ran Spyware
Ran Adaware
Bought and installed Sygate pro, reconfigured it to let it allow my web pages through (had to always accept my ISP IP)
Downloaded and ran bhodemon

How do I "lock down" the IE browser?

I decided to hold off on reformatting for now since these steps seem to have cured my computer slowness problem as well as my outbound applications contacting other IP addresses.



0
 

Author Comment

by:searcherguy
ID: 12138490
However, if it's still critical to reformat (because all these tools may have missed something) I can do that too.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12138496
>> How do I "lock down" the IE browser?
try to use the Immunize feature of Spybot !!

>> However, if it's still critical to reformat (because all these tools may have missed something) I can do that too.
If ur system is up and running happily, why to format, go and enjoy :)
0
 

Author Comment

by:searcherguy
ID: 12138524
Okay, Spybot says "permanently blocking bad download pages of Internet Explorer".  I guess that means it will prevent me from accessing known bad web pages.  I don't know if that's equivalent to "locking down" IE but I did it anyway.
0
 

Author Comment

by:searcherguy
ID: 12138545
Note that once I started actually implementing Knox's suggestions, I ended up deciding not to reformat my hard drive for now, because the problems I was having appear to have been fixed.

Also, note that this whole process burned probably ten+ hours of my time.  Without Experts-Exchange, forget it.  So thanks guys.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12138719
glad ur problems are solved,,,,, wish ur system will not get reinfected :)
Cheers ^_^

BTW, just for reminding, do u want me to open ur SygateFirewall question ?? =)
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12143872
Hey, if you still want to lockdown Internet Explorer. Only thing I can say is BHODEMON, SPYWARE BLASTER, ADAWARE (scans 2-3 weekly), clear cache, temp internet files, temp files.

Spyware blaster will add a ton of sites to your "blocked sites" list, as well as locking down your HOSTS file. Also takes a snapshot of your system settings, so any changes can easily be reverted.

If I were you I'd browse around Majorgeeks.com and check out some of their tools. Just be careful on the SHAREWARE programs.

Look into a registry monitor. I use AdAware Pro, it comes with AdWatch, which monitors my registry for changes on the fly. Prompts me for action. This is a useful procedure for the fact if I'm installing some program and it tries to add to my startup I'll be prompted to ACCEPT or REJECT.

Last words: Keep your programs up-to-date. Run both Windows Updates and Office Updates for the new patch on the JPEG exploit. You can expect to see a major worm that uses this exploit soon. This time around don't be a victim.

Tech-Security.com,

Jorden
0
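The HOSTS-file lock-down mentioned in the comment above cuts both ways: blocklist tools pin known-bad sites to the loopback address, while malware pins update and vendor sites to an address of its own so the machine can no longer reach them (one explanation for "certain internet pages" being unreachable). The following audit script is an added example, not code from this thread or from any of the tools named in it; the HOSTS content, the 203.0.113.7 address and the list of protected vendor domains are constructed for illustration.

```python
"""Audit a Windows HOSTS file: separate benign blocklist sinks from hijacks.

Added example, not from the thread. Entries pointing to 127.0.0.1 / 0.0.0.0
are treated as blocklist sinks; entries that send an OS or AV vendor domain
to any other address are flagged as hijacks.
"""
import ipaddress
import re

# Constructed sample in the Windows HOSTS format (tabs/spaces, '#' comments).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
127.0.0.1\tads.example-adserver.test   # added by a blocklist tool
0.0.0.0 tracker.example-spyware.test
203.0.113.7\twindowsupdate.microsoft.com   # suspicious redirect
203.0.113.7 www.kaspersky.com liveupdate.symantec.com
"""

# Addresses that merely sink traffic; mapping a bad site here is harmless.
SINKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}

# Domains whose redirection to a non-loopback address is a classic symptom of
# malware blocking OS/AV updates (hypothetical list; extend for your vendors).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com",
                      "symantec.com", "grisoft.com", "lavasoftusa.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; skip malformed line
        for name in parts[1:]:
            yield ip, name.lower()


def classify(ip, name):
    """Return 'ok', 'blocklist', 'hijack' or 'review' for one entry."""
    if name == "localhost":
        return "ok"
    if ip in SINKHOLE or ip.is_loopback:  # any 127.x.x.x also sinks traffic
        return "blocklist"
    if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "hijack"
    return "review"  # unknown redirect; inspect by hand


def audit_hosts(text):
    """Return a dict mapping each category to its list of (ip, hostname)."""
    report = {"ok": [], "blocklist": [], "hijack": [], "review": []}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((str(ip), name))
    return report


if __name__ == "__main__":
    for cat, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip, name in entries:
            print(f"{cat:9} {ip:15} {name}")
```

On a real machine, read the text from %SystemRoot%\system32\drivers\etc\hosts and treat every "hijack" line as evidence that the clean-up is not finished.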
 

Author Comment

by:searcherguy
ID: 12145609
Sheharyaar,

Yes, please open my Sygate question so I can reallocate points.  

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12145726
ok wait, i'll ask a moderator to come in that question and reopen it :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12147437
ok done, the question has been reopened for u by Lunchy :)
0