System files missing (ctfmon.exe etc.) because of worm Win32.VB.nk: sfc /scannow, System Restore, In-place upgrade (repair installation) or fresh installation after wiping HDD?

Posted on 2009-04-05
Last Modified: 2013-12-04
(I have posted the questions below on another forum, but with very little response.)
Windows XP Pro SP2 American version, with MUI-Pack for Windows and for MS Office 2003.

---Question 1---My Language bar (ctfmon.exe) has disappeared because of the worm Win32.VB.nk. I suspect that this worm deleted some system files, and also their string values in the Registry.

I have now deleted this worm, but still cannot use any keyboard other than the English one because the Language bar is missing.
This is an urgent problem for me as I study Chinese, and need to write assignments with Chinese characters.

Besides the Language bar being missing, I also can't run these two commands from Start/Run...:

msconfig.exe
gpedit.msc (Group Policy Editor)

My laptop (HP Compaq nx7300) is very sluggish and slow now, both when using the internet and also when I run any application.

However, I have cleaned all viruses now (including the worms) with Rising Antivirus, so my laptop should really be clean.

This is what I've tried so far, without any positive result:

1. www.dougknox.com/xp/utils/xp_emerutils.htm (copies of regedit, msconfig, Task manager from a friend who owns a Windows XP Pro English version, which is the same windows version that I have).

2. Start/Run sfc.exe (I inserted my Windows XP Pro original CD-ROM, and the disc device was very busy all the time so I assume that the missing system files were being copied from my original CD-ROM to c:\windows\system32).

3. Control Panel: regional and language options/Languages/Text services and input languages: details/Preferences
(Language bar is grey scaled and it's not possible to choose that option).

4. http://techreviewzone.wordpress.com/...dvisor-review/ Belarc Advisor
(I have 65 missing Microsoft security updates/hotfixes according to Belarc Advisor. I have not yet installed these because I don't know how to do so. Is this of any relevance for missing system files and missing registry values?)

5. I have copied ctfmon.ex to c:\Windows\System32 from my original CD-ROM for Windows XP Pro English version.
Thereafter, when I double-click on this file, I get the message "File type unknown" (NB! .ex and not .exe).
In c:\Windows\System32 there is also another ctfmon-named file (CTF loader).

What is the main problem? Is there no string value in the Registry for msconfig.exe, gpedit.msc and ctfmon.exe?

Is there any way to recover string values for a selection of system files from System32? Because I own an OEM-license, I don't think it's possible to just recover all string values for all system files as the logon probably wouldn't work then (I have only one user account).

To recover the string value for ctfmon.exe, is the solution on this web page?:
http://social.technet.microsoft.com/...3-9f9cb08fefc9

If you look furthest down on the page, what diman82 has written, then there's a string value for ctfmon.exe to add to HKLM startup.

But I don't know how to add this string value directly into the Registry, and where? I only know how to navigate in the Registry, and to open it of course (Start/Run regedit). Should I choose "Edit/New key"? Exactly how do I thereafter write the string value directly into the Registry? And in which sub-key in the Registry?

Other alternatives are to buy software for getting to terms with the Registry, for example one of these two:

http://www.easydesksoftware.com/moresoft.htm (Registry Drill)
http://www.errordoctor.com/index.php?hop=cherryoak (Error Doctor)

Is there any way to get a complete overview of all the system files in Windows XP Pro SP2, and also what string values they have and in which keys they are located? Could I get such an overview with a software like Registry Drill?



---Answer 1---'2. Start/Run sfc.exe (I inserted my Windows XP Pro original CD-ROM, and the disc device was very busy all the time so I assume that the missing system files were being copied from my original CD-ROM to c:\windows\system32).'

You need to enter sfc /scannow, not just sfc.exe.

---Question 2---Yes, I did that, I entered sfc /scannow and after that it took a long time.

I just found something about doing a Windows XP Repair install:

http://www.michaelstevenstech.com/XP...nstall.htm#top

It leaves the applications and settings intact, only replaces system files that have been altered by adware and malware. Could this be something worth trying?

---Answer 2---Yes, it would be.

edit: before you start 'fixing' things, copy off anything you value

---Question 3---Several times now that my HP Compaq is so sluggish, I've gotten this message (labeled "Application SES002NS"):

"The Win 16 Subsystem has insufficient resources to continue running. Click on OK, close your applications, and restart your machine"

I'm about to make a slipstreamed CD for XP SP2, using Autostreamer, before I do a Windows XP Repair install. Is this just a way to integrate original windows system files with SP2 and with updates? How is it different from Ghost?

I have a Ghost, but the problem is that this worm Win32.VB.nk is on it! And I only have this Ghost. So I really need to do an XP Repair install to recover all system files. If I do an XP Repair install, will the Registry also be repaired?

I inserted my original Operating System CD Microsoft Windows XP Professional Service Pack 2. However, I was not given the option to do a Repair install, only these alternatives were displayed:

Install Windows XP
Learn more about the setup process
Install optional Windows components
Perform additional tasks
Check system compatibility

Does this mean that I can't use Windows Repair Install at all? Why?

Can I instead do an in-place upgrade?

http://support.microsoft.com/default...b;en-us;315341

According to what is written here, it's the same as a repair installation. But is it exactly the same? And it seems to be aimed at intermediate to advanced users.

In my system32-folder, these files are also missing:

undo_guimode.txt
WPA.BAK

Which alternative is best between System Restore and In-place upgrade (repair installation)?

Before I do an In-place upgrade (repair installation), do I need to make a slipstreamed CD for XP SP2? Is there anything else I should do before doing In-place upgrade?

NB! I want to keep all my installed software intact after the In-place upgrade, and also all my settings intact!

What's the difference between sfc /scannow, System Restore, and In-place upgrade (repair installation)? Which of these repairs both system files and also registry values?

In addition to my doing an In-place upgrade (repair installation), would I also need to do a parallel installation and install the patch from this website?:

http://www.vttoth.com/wow32.htm

This, according to this website, would solve the problem with "The Win 16 Subsystem has insufficient resources to continue running".

---Answer 3---Hello and welcome to the forum,

The reason you were not able to see the repair option is that you were viewing the XP disc from the desktop.

You need to boot from the XP disc instead:

If the PC is unable to boot from the CD, then you will need to enter the BIOS and set the CD drive to boot up first on the list (where in the BIOS you will find the boot-up list varies between PCs).

1. Now when your pc starts after the post screen, press enter to boot from disc.
2. It will load drivers
3. after it gets to the first screen, choose setup xp
4. The next screen it will come to, should have a repair option choose this one.

What I recommend here is to do a fresh install of xp, since you had some virus problems.

1. You can use a hard drive utility to wipe the hard drive first before installing XP, which I strongly recommend:

Found here:
http://www.tacktech.com/display.cfm?ttid=287

If the hard drive you have is a Toshiba or another one that doesn't have a utility for wiping the hard drive, then there's:

1. KillDisk
http://www.killdisk.com/downloadfree.htm

2. dban
http://www.dban.org/download

Of course, please use a different PC to download the items you will need to effectively do a fresh install of XP.

After wiping the hard drive, perform a hard drive test on it, so you will need to download a utility from tacktech for your hard drive.

If harddrive passes test, you are now ready with confidence to install xp.

Note: always test the harddrive before doing any installation of an operating system.

It's true this will take some time to do, but not nearly as much time as if the hard drive is bad. I've seen and read about people's installation problems, and they have spent days trying to figure out the problem, only sometimes to find out that it was the hard drive all along.
     
---Question 4---I'm not quite following you now... First, you write that "4. The next screen it will come to, should have a repair option choose this one." Then, you write "What I recommend here is to do a fresh install of xp".

Is a fresh install the same as do a new installation, not a repair installation? If so, what about first to try an In-place upgrade (repair installation) and see if it works?

I have a great deal of installed software on the hard disk; it would take a very long time to install it all again. A lot of the software is in Chinese, so I would need guidance from my Chinese friends to install it again. I really want to avoid a new installation if possible!

Should I still do a check of my harddisk, even if I do a repair installation? My harddisk is this:

SEAGATE MOMENTUS 5400.4 250GB SATA 2.5IN 12MS 5400RPM 8 (ST9250827AS)

There are several options from http://www.tacktech.com/display.cfm?ttid=287
for Seagate, which should I choose?

On the above link, are there two different utilities I should download and run?: One for checking the harddisk, one for wiping it? And should I first wipe it, then do a check?

Should I finally do a check again with the F8 when I restart?

For wiping, can I use the free software that you posted links to? Or should I use a software like this?: http://www.whitecanyon.com/drive-wipe-wipe-harddisk.php

Why must I use another PC to download the files for wiping the harddisk, I can't understand that either.

Many questions :) It's the first time I'm doing this; I have used Ghost to recover earlier and it has worked perfectly. But now, my only Ghost is infected with this virus so I hope it's possible to do a repair installation. I'd greatly appreciate it if you could explain some more about this.
0
Question by:hermesalpha
52 Comments
 
LVL 16

Expert Comment

by:warturtle
ID: 24071654
Hello,

Yes, you can do a repair installation by reading up this article (you would need the XP installation CD though):

http://www.informationweek.com/news/windows/showArticle.jhtml?articleID=189400897&cid=ref-true

Make sure to read all 5 pages of it, if you have any other questions, please don't hesitate to ask.
0
 
LVL 9

Accepted Solution

by:samiam41
samiam41 earned 50 total points
ID: 24071761
You could always use Ultimate Boot CD 4 Windows which would boot you into a Linux based mode.  From there, you could run a host of virus and spyware killing apps to give you a clean environment.  

http://www.ubcd4win.com/downloads.htm

You would need to burn the download to an iso and make sure your pc is configured to boot from CD (bios).  
0
 
LVL 3

Assisted Solution

by:techmaza
techmaza earned 50 total points
ID: 24071900
Download Dr.Web CureIt from the Dr.Web website; it is a free standalone utility for removing this type of worm.
It will restore your computer to normal, and if some registry entry needs to be changed, use Registry Mechanic.


0
 

Author Comment

by:hermesalpha
ID: 24075390
I have the original Operating System CD Microsoft Windows XP Professional Service Pack 2, and Application and Driver Recovery DVD, and Operating System CD Multiple User Interface Pack. These three CDs were sent to me from Microsoft in Bulgaria in Europe.

When I bought my laptop two years ago (Hewlett-Packard HP Compaq nx7300), it came preinstalled with Windows Vista Business (Swedish version). After many phone calls to HP Support and trouble with Vista, they finally gave me the Windows XP Professional Service Pack 2 (build 2600) which they sent to me from Bulgaria. This is thus the English version of XP Pro SP2.

When I go to Control Panel/System: General, it says my Windows is registered to [my name] and
[76487-OEM-.....]. Does this mean I have an OEM-version of the XP Pro SP2?

If so, according to this reply to Langa's letter, I would not be able to perform a repair install:

"Nice, informative and very clear instructions.
However, there should be a MAJOR warning/caution to all potential users that this will not work for all XP CDs.
Why not?
If you have an XP CD that was supplied by an OEM (came with your branded Compaq/Dell/Acer/Toshiba etc PC) then this XP CD has been customised by the OEM so that it AUTOMATICALLY runs the XP setup procedure, choosing certain options in certain screens for you, which definitely prevent you from going the non-destructive repair route.
ie booting from these OEM CDs, the ONLY option you have is a complete wipe - as several people here have found...
If you only have such an OEM XP CD, you will have to obtain a "non-unattended" version of the same license type (Home, Pro, Corp VLK etc) and use that instead.
It's fine to slipstream service packs etc into the CD, just so long as the CD is not set to run unattended XP setup.
Hope that helps someone out there.
Cheers,
tU"

There are several comments about succeeding with this repair installation with XP Pro and they have succeeded several times. And then, some do not succeed. For instance, I have a HP Compaq notebook, and one commented on a reply from HP Support:

"This routine may work for an XP upgrade disk that you bought, but it does not work for my XP install disk that came with my Compaq portable. In fact I called HP to verify and they said there is absolutely no non-destructive re-install available for this laptop. From other comments it sounds like it is not a perfect solution even if you have the original install disks. Too bad InfoWeek doesn't pay much attention to this forum, they've been republishing this Langa article for more than a year, but relatively few people have said they tried it and it worked."

Do you think the chances of succeeding are lower if I have an HP Compaq notebook?

If I begin a repair installation, is there any risk that I will never be given the option to choose a repair installation and the installation procedure just goes on and makes a new installation?
 




0
 

Author Comment

by:hermesalpha
ID: 24075448
Question to samiam41: If I use your solution and download and run Ultimate Boot CD 4 Windows, would this only solve the problem with virus but not with missing system files and missing Registry values?

Question to techmaza: Is Drweb Cureit only for removing virus, not for replacing missing system files? I have already used the Start/Run sfc /scannow option and inserted my XP Pro SP system disk so if that worked, the missing system files should have been replaced already. If my system files are in order now, do you think that the problem could be related to the Registry? Does this worm Win32.VB.nk also make changes in the Registry do you think?
0
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 200 total points
ID: 24076522
Hmm... I suggest first of all taking a backup of all the important things that you have. Secondly, I suggest that you do an online scan with Kaspersky Online Scanner based at: http://www.kaspersky.co.uk/virusscanner to find out if you still have something that isn't letting the System File Checker copy and repair the files. This scan will not remove infections, but will only create a report telling us what is in there.

The Windows XP CD will give you options to let you choose to repair or re-install. As is the case with all software, there is no absolute guarantee that this procedure will surely work on your machine. It has worked on some machines and hasn't worked on others. First we need to find out what is causing the System File Checker utility to be ineffective; it could be an existing virus within your system. Please do the scan, and let us know what you find or send us the report.
0
 
LVL 9

Expert Comment

by:samiam41
ID: 24079666
It would solve the problem of getting rid of whatever is causing your system files to be corrupt. Once you remove the cause, you can treat the symptoms. Like warturtle said, back up your data. Then repair the OS, but only after you have solved the cause (virus, spyware, grayware, etc...).
0
 

Author Comment

by:hermesalpha
ID: 24084975
Questions to Warturtle and Samiam41:

I have just finished the Kaspersky online scanning on Critical areas. Right now, Kaspersky is scanning My computer which will take some time because I have 750 GB of HDD to go through. So far, the result is this (on critical areas):

Infected: Trojan-Downloader.Win32.AutoIt.is (1 piece)
Infected: Worm.Win32.AutoRun.eee (4 pieces)

By the way, can I really turn off my Rising Antivirus when Kaspersky is working? Then I won't have any virus protection at all!

So it seems that Rising Antivirus has not found every virus, there are still some left in my laptop.

So the question now is: Is it enough to use Kaspersky to remove these viruses? Or if I use the method that Samiam41 suggested, and download Ultimate Boot CD 4 Windows, would that be the most thorough cleaning of virus that is available, even better than Kaspersky?
0
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 200 total points
ID: 24085273
Kaspersky online scanner doesn't remove viruses, it only reports them. If you want to use Kaspersky then you will have to download the Kaspersky Internet Suite or just the Kaspersky Antivirus trial from http://www.kaspersky.co.uk/trials and then remove your existing Rising Antivirus before installing this trial, updating it and then scanning with it.

Kaspersky has the highest rates of detection of any antivirus and this is why I suggested scanning with it. The trial version should be good to get rid of anything that you currently have, and after that maybe you can install Rising Antivirus again, if it's a paid version.

The contents of the Ultimate Boot CD are here:
http://www.ubcd4win.com/contents.htm

It contains lots of anti-malware and anti-virus utilities. It's up to you to use any one of them to scan with.
0
 

Author Comment

by:hermesalpha
ID: 24087512
I'm afraid it will take time to finish this scan: 18 % finished so far has taken 6 hours! 4 Threat names and 15 infected objects.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24098268
Kaspersky has the highest rates of detection and that is why I suggested using its trial version to remove the viruses on your PC. I am quite confident that you wouldn't have to use anything after Kaspersky is installed and it starts working. If problems are still around, then you can use the Ultimate Boot CD for help.

Rising antivirus didn't detect the viruses that were still around but Kaspersky did, so I think it would be best to stick with something that works.
0
 

Author Comment

by:hermesalpha
ID: 24105917
The Kaspersky-scan is almost finished now (reached 94 % after 20 hours), but for the last few hours it has been stuck on this file:

agsyspr6.r17

What should I do if nothing happens for several more hours, should I just quit? Can I delete the threats that have been detected so far? I tried to find an alternative for that, but couldn't find anything. I don't want to press a button I don't know and have everything get disrupted and need to start from the beginning again! Please, if you know how to delete what has been detected so far, tell me!
0
 

Author Comment

by:hermesalpha
ID: 24105925
Finally, it got past this agsyspr6.r17 so it might still get to 100 %
0
 

Author Comment

by:hermesalpha
ID: 24105934
But it has still been on 94 % for several hours.
0
 

Author Comment

by:hermesalpha
ID: 24106076
What do you think about purchasing ZoneAlarm  Internet Security (or possibly BitDefender)?

According to toptenreviews, they ranked as 2nd and 1st.
0
 

Author Comment

by:hermesalpha
ID: 24106080
0
 

Author Comment

by:hermesalpha
ID: 24106440
It goes very slowly, still 94 % for many hours. What's the reason? It's another agsys-file
0
 
LVL 9

Expert Comment

by:samiam41
ID: 24106648
UBCD4Windows is not just for worms.  Are you serious?  You can remove viruses, spyware apps and rootkits with the software that comes with UBCD4W.  The advantage is that you don't have to boot up your windows environment to run the scan.  Also, the AV apps on that CD will auto-update before scanning.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24108339
Yes, please feel free to stop the online scan from continuing and delete the items within the Kaspersky report by either using FileASSASSIN from www.malwarebytes.org or manually (in safe mode). Once these files are gone, hopefully most of your problems will be gone as well.

Try that and let us know, what you get.
0
 

Author Comment

by:hermesalpha
ID: 24112743
The Kaspersky-scan is now finished. Some objects in the list that came up were 'postponed'. Other messages I got were 'untreated' or 'detected'. What should I do now? I want to delete or clean those infections, but there's no option to do so. During the scan, I got a pop-up window several times asking me if I wanted to delete or clean the infected file. Now, I still have a list of infections with some labelled 'untreated', and nowhere in this list is 'deleted' or 'cleaned' mentioned. So I assume all the files in the list need to be cleaned or deleted, is that correct? But how?
0
 

Author Comment

by:hermesalpha
ID: 24112767
Warturtle,

So then should I save the report from Kaspersky, on C:\ for instance? And then log on in safe mode, list the report-file that I saved and begin to delete the files?
0
 

Author Comment

by:hermesalpha
ID: 24112779
Warturtle,

And there's no way just to clean the files I assume, I have to completely delete them? (Most often during the Kaspersky-scan, the clean option was not possible, just the delete option).
0
 

Author Comment

by:hermesalpha
ID: 24113844
I couldn't save the Kaspersky report, so I wrote down the infected files. Will now try to delete them in safe mode. Just wonder, even though I will delete them, there will still be traces of them, right? The only absolutely secure way to completely eliminate these files forever is to wipe the hard disk, if I'm not mistaken. However, I might do that later when I have more time; deleting the files in safe mode should be sufficient to get the laptop running again, don't you think?
0
 

Author Comment

by:hermesalpha
ID: 24113901
When I logged on in safe mode, I couldn't find the infected files, they were not displayed at all! Even after I had checked the box in Control Panel for displaying hidden folders and files and restarted the machine, they were still not displayed. So my problem now is how to find these infected files.

Also, when I restart the machine, I get the notification that "Your computer might be at risk. Kaspersky Internet Security is turned off."
0
 

Author Comment

by:hermesalpha
ID: 24113902
This is one infected file (according to Kaspersky): c:\WINDOWS\Help\microsoft.hlp

Is that correct, is this a virus?
0
 

Author Comment

by:hermesalpha
ID: 24113913
These are three other infected files that are not displayed at all:

c:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00A002F954E}\Global.exe

The two other infected files have the same path as above, but the final filename is .svchost.exe and
\system.exe

I can't find the folder dllcache at all.
0
 

Author Comment

by:hermesalpha
ID: 24113917
I was logged on as administrator when in safe mode, and changed to display hidden folders and files.
0
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 200 total points
ID: 24114033
Yes, delete is safe to do with Kaspersky antivirus. If it's the only option that is present, you can use it to delete the files. You don't have to wipe the whole hard disk because of a virus; it should be done only when a virus has left the computer in an unusable state. But yours is still working properly, so I don't think that a re-install is needed; that is always the last resort.

I suggest that you try to look at the previous report and quarantine the infections by right-clicking on the filename and selecting the option to quarantine the file.

Below is the link to the exact virus that is present on your system:
http://www.prevx.com/filenames/1832946869414896206-X1/MS-DOS.COM.html

I suggest that you download and run ComboFix from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix , make sure that you disable your antivirus and firewall temporarily before running it, and it's always best to run it in safe mode. Don't use the keyboard or mouse while it's running though. When you download it, save it with a completely different name like jabba.exe or something different and run it. Please send us the logs after running it though.
0
 

Author Comment

by:hermesalpha
ID: 24114677
I'm afraid I'll have to run Kaspersky scan again (it'll take about 30 hours), because I just wrote down the file names manually on a paper and then closed the program. I couldn't save the report for some reason. Didn't know I could right-click and choose to quarantine.

Ok, so now the viruses have been identified, feels a little better.

I have installed and built the UBCD4Win now, and also copied my XP CDs to my harddrive. But how do I use UBCD4Win now, which file should I click on?
0
 

Author Comment

by:hermesalpha
ID: 24120288
The Kaspersky scan is now on 70  %, and I checked the box for not deleting anything so I can do that later. There are 42 infected files that are marked with red, the other ones in the very long list are only marked with blue. Does that mean that all 42 files marked with red should be deleted? Or could there be some files that are false alarms and should not be deleted? How do I know the difference?
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 24121050
Different scanners have different virus definitions and names...
This one is virut/sality file infector and that is not good.. I usually suggest a reformat when dealing with virut as it can be time consuming for the user and the best and safest solution is a reformat and reinstall.
Especially when the system has been infected for a while and many files would need to be replaced. With patience and time you can remove it to a degree that is presumed clean... When dealing with virut/sality no one can really guarantee that the system is virus free or error free afterwards.
If this was my PC I would just reformat.
0
 

Author Comment

by:hermesalpha
ID: 24121160
Ok, I'm beginning to accept the thought I might need to reinstall everything... Just some questions before I begin:
1. Besides Virut/sality, are there also other viruses and worms on my laptop?
2. Will it be very time consuming to try to remove virut/sality?
3. Considering it's virut/sality, is it enough to reinstall XP? Or would I need to wipe the whole harddisk clean first?
4. Even if I reinstall XP, I still have 3 external harddrives with 500 GB on them. Do you think virut/sality could be on these ones also? If so, I would still need to eliminate virut/sality from my external harddrives.
Is that also very time consuming?
0
 

Author Comment

by:hermesalpha
ID: 24121221
Is it a long and complicated process to completely wipe my internal HDD clean? Can I do it with freeware or do I have to buy some software?
0
 

Author Comment

by:hermesalpha
ID: 24121279
I wonder if someone can advise me on this software on the HP installation CD for XP Pro SP2 ("Application and Driver Recovery DVD")?

  Recommended software applications:
HP ProtectTools Security Manager
HP Credential Manager for ProtectTools
HP BIOS Configuration for ProtectTools
LightScribe Host Software
HP Mobile Print Driver for Windows
Windows Media Connect

  Hardware Enabling Drivers:
HDA Modem Installer
HP Integrated module with Bluetooth wireless technology
Broadcom BCM440x 10-100 Ethernet Drivers - Windows XP
TI-PCI 6x12/7x12 Cardbus Driver
Synaptics Touchpad Driver
Video Drivers and utilities
WLAN Driver Installer
Intel Chipset Installation Utility for ICH7

  Optional Software Applications:
HP Backup & Recovery Pre-Load Module

All the above software from the HP CD I have NOT installed when I earlier have re-installed XP SP2. Just wonder if I might need any one of them? For instance, I will buy a portable printer soon (Canon) so I might need to install the HP Mobile Print Driver for Windows?
0
 
LVL 3

Expert Comment

by:techmaza
ID: 24122352
Use Dr.Web CureIt to scan one of the drives; it will take time to scan it, but it will cure your hard disk perfectly.

0
 

Author Comment

by:hermesalpha
ID: 24124849
Can someone please tell me whether I need to follow these steps to wipe my HDD and reinstall everything? How long will it take to wipe my HDD and check it? Is that at all necessary? If I just reinstall everything without wiping and checking HDD, will there be a risk that the actual fresh install will not work properly because the virus somehow survives?
0
 

Author Comment

by:hermesalpha
ID: 24124877
I am considering buying WipeDrive System Saver for USD 59.95. I can choose to wipe the whole HDD including XP SP2, or leave XP SP2 intact. However, if I leave it intact I would not be sure the virus would be gone, would I? Do you think this is the best, safest and quickest solution? It doesn't seem too complicated.
0
 

Author Comment

by:hermesalpha
ID: 24124882
Right now, my laptop is very slow and hardly possible to operate. Maybe I should first do a fresh install of XP SP2 with my system disk from Microsoft. After that, I could buy and download WipeDrive System Saver, and choose to wipe the HDD but leave the operating system intact. Could this be a good solution?
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 50 total points
ID: 24125915
hermesalpha,
You don't have to buy anything else and you don't need to install any 'software' firewalls on your computer.

Read what 'rpggamergirl' told you here: http:#a24121050

If you have all of the CDs HP gave you, then back up all of your critical data and do a reinstallation. I realize that it isn't your first choice, but it is your best choice.

Part of the installation process will display your Hard Disk 'partitions'. If you reformat your primary partition (NTFS) that will over-write the infected files.

There are many forms of malware that only function during a normal mode of operating (not in Safe Mode and not if you boot to CD). Attempting to 'scan and repair' malware with either of those methods will not solve this problem.

After you reload your system, make sure that you are constantly checking for MS critical updates and install them when published.

When you are 'surfing' the Internet, create a 'limited' account to do so. Using a limited account will virtually eliminate the possibility of your computer getting infected.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 24127741
Thanks for joining in younghv, :)
1. >>>"Besides Virut/sality, are there also other viruses and worms on my laptop?"
Most likely other viruses are present there as well, but they're usually easily removed... it's the file infectors like virut and sality that are harder or tougher to clean... and when we think the PC is clean (when scanners come up clean) there is no guarantee that the system is really virus free or error free afterwards.


2. >>>"Will it be very time consuming to try to remove virut/sality?"
It is time consuming because all infected files need to be replaced.... Virut is a buggy file infector in which the infected files cannot be cleaned successfully by any scanners, so the file will either get corrupted afterwards or scanners will just delete the infected file, causing programs to not work, and Windows gets corrupted. That's why all infected files have to be replaced and programs need to be reinstalled.


3. >>>"Considering it's virut/sality, is it enough to reinstall XP? Or would I need to wipe the whole harddisk clean first?"
Reinstalling without wiping the disk is not enough.... you would need to wipe/reformat the whole drive first so all files are deleted.. then reinstall XP.


4. >>>"Even if I reinstall XP, I still have 3 external harddrives with 500 GB on them. Do you think virut/sality could be on these ones also? If so, I would still need to eliminate virut/sality from my external harddrives. Is that also very time consuming?"
It's likely that those drives are infected as well.... the most important is the internal drive (if you only have one).... you can just unplug the external drives - freeze those files for a period of time and then scan them thoroughly before you use them, or just wipe them too.

But even if the scans came out clean there is no guarantee they really are clean...
Sality is not as bad as virut.... virut is worse as it infects not only .exes, .scr, .zip and .rar, it also infects .htm and html files and PHP, ASP, so you really can't back up these files; backing them up and putting them back in is a risk.
 
>>>"I consider buying WipeDrive System Saver for USD 59.95. I can choose to wipe the whole HDD including XP SP2, or leave XP SP2 intact"
You don't need to buy a third party program to wipe your hard drive... yes you need to completely wipe the whole hard drive... just insert your Windows CD and follow the prompts, it might be a good idea to disconnect external hard drives to avoid confusion.
 

Here's a guide that I've used when I reformat a clean pc.
Scroll down to section "FORMATING PARTITIONING AND INSTALLING" which will totally wipe your hard drive and re-install a fresh copy of
http://forums.whatthetech.com/How_Reformat_Reinstall_your_Operating_System_t91962.html
Also helpful link:
http://www.michaelstevenstech.com/cleanxpinstall.html

Author Comment

by:hermesalpha
ID: 24134362
I finally got my language bar back, and also msconfig.exe, thanks to www.malwarebytes.org, it worked wonders! My laptop got back its speed also. So now I have a laptop that I can use without problems.

I would like to try this solution: Use all kinds of anti-malware and anti-virus utilities such as UB4Windows. When I have a comparatively clean laptop, I do a repair install to get back all system files.
I also start using only a limited account when on internet.

If I choose this solution, is there a risk that the virut/sality gradually will gain complete control of my machine? And finally, there's a "Doomsday" when virut/sality have more control than I? Will I run the risk that virut/sality will delete any kind of important files that I have, also on external drives, such as personal data? Or is it only system files that are attacked?

Or will it be like before, I will lose my language bar, msconfig.exe and things like that, but I can do something about it with tools like Malwarebytes?

I don't have time right now to wipe the HDD clean and do a completely fresh install. And for now, my laptop works great again, thanks to www.malwarebytes.org. But of course, I don't know for how long my laptop will be fine, as the virut/sality probably is still there, or the effects of it.

LVL 16

Expert Comment

by:warturtle
ID: 24138245
Sorry, I've just come back from holidays and have had limited internet access there. You can try this tool to remove sality and see if it's any good. Do it in safe mode.

http://free.avg.com/virus-removal.ndi-67769

Hope it helps.

Author Comment

by:hermesalpha
ID: 24144151
Thanks, I'll try that, hope it works as fine as Malwarebytes did, it worked wonders with that! My language bar and msconfig were restored.

What do you think about doing these things now?:

1. Find all viruses, worms, malware etc.
2. Remove them without removing non-infected files! (Rising Anti-virus did this when I earlier found a lot of viruses, so first I lost my Favorites, but got them back with FinalData File Recovery.)
3. Check the harddisk (sometimes, especially when Kaspersky has been busy scanning, there's a click-sound from the laptop, and I recognize this sound from earlier when my internal HDD broke down and I had to replace it).
4. Do a Repair installation of XP.
5. Change to Limited user account.
6. Create a Ghost backup of XP.
LVL 16

Assisted Solution

by:warturtle
warturtle earned 200 total points
ID: 24146344
1. Find all viruses, worms, malware etc - There is another tool to try, it's called SuperAntiSpyware (www.superantispyware.com). Try a full scan with this in safe mode.

2. Remove them without removing non-infected files! (Rising Anti-virus did this when I earlier found a lot of viruses, so first I lost my Favorites, but got them back with FinalData File Recovery.) - Ideally all scanners will do it, unless the file itself has been replaced by a virus.

3. Check the harddisk (sometimes, especially when Kaspersky has been busy scanning, there's a click-sound from the laptop, and I recognize this sound from earlier when my internal HDD broke down and I had to replace it) - Try the error checking on the hard-disk from within Windows initially by looking at the properties of hard-disk.

4. Do a Repair installation of XP - yes, this is also an option. Might or might not work with the OEM cd.

5. Change to Limited user account - always a good idea to do this. Anytime, you want to install new programs, you can 'run as' administrator.

6. Create a Ghost backup of XP - yes, that is a good idea as well.
LVL 38

Expert Comment

by:younghv
ID: 24146483
hermesalpha -
I am going to make one final post and then unsubscribe.

You are getting some really bad advice from people who don't have a clue what they are talking about.
You keep asking the same question "Do I really have to format and reinstall" and the answer is yes you do.

You obviously don't like that idea, but you fail to understand that your failure to PREVENT the infection has created this problem and that you can have no degree of certainty that your computer has not been compromised.

Most of my repair business is repairing infected computers and I almost never have to do a complete format/reinstall. I will go to almost any length to avoid doing that. However, there are times when that is the real answer.

Do you really want to be using the Internet when there is the strong possibility that every account/password you use is being passed on to some gang of cyber-thieves?

I realize that you are a brand new Member here, but do yourself a favor and look at the profiles of the 'Experts' who are posting advice for you. You can learn a lot about those giving you advice - and be especially watchful of those whose apparent goal is only to accumulate points as rapidly as possible.

You need to decide if you are going to listen to someone who is chasing points, or someone who is chasing solutions.
I strongly encourage you to follow the advice of rpggamergirl.

Good Luck.

/unsubscribed

Author Comment

by:hermesalpha
ID: 24147150
I have a long list now in Kaspersky Internet Security 2009: Reports. How do I begin to delete these viruses? I think I should do that first, and then use other tools (such as SuperAntiSpyware) to find more viruses. I have tried to right-click in the Reports-list, but I can't find any option to delete or disinfect or quarantine.

But it's only necessary to delete the ones which are red marked in the report, right?

Author Comment

by:hermesalpha
ID: 24147203
Furthermore, in the Reports, there are 1,074 "very dangerous threats", for instance:

c:\program files\microsoft office\office11\outlook.exe (www.viruslist.com/en/advisories/29320)
QuickTimePlayer, AdobeReader, etcetera.

How do I know which ones are false alarms and which ones aren't?
LVL 16

Expert Comment

by:warturtle
ID: 24153232
Not all of them are viruses. Some of them like Outlook, QuickTime Player, etc might not have the latest updates/versions or might be the files infected by Virut/Sality. Try installing the latest version of, say, QuickTime Player and only scan the QuickTime folder and then check the report. This is just a test to see if Virut/Sality still exist inside your machine or not. The tool that I mentioned earlier is for removing Sality if it's present and removable, but it won't repair the damage that has already been done. You might have to reinstall all those programs and replace all the OS files as well which have been infected by Sality.

I too feel that it would be wise to do a complete reinstall after backing up your important documents without the exe files and scr files. Make a list of the programs that you need on your computer, so that you can download and install them after a re-install.
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 24158079
>>>"is there a risk that the virut/sality gradually will gain complete control of my machine? And finally, there's a "Doomsday" when virut/sality have more control than I?"<<<
Yes, by just cleaning the pc to fix the symptoms, it would be like treating a melanoma with just a band-aid... sooner or later it will pop its head again while in the meantime security is compromised.


>>>" Or is it only system files that are attacked?"<<<
NO...not only system files but every .exe, .scr, .rar, .zip, .htm, .html, php and asp are targeted so you can't backup these files.


>>>"I don't know for how long my laptop will be fine, as the virut/sality probably is still there, or the effects of it."<<<
Even when the scanners came up clean there is no guarantee that the system is really clean afterwards... anyone who gives you the false impression that the pc is then free of virut/sality doesn't really know what he/she is doing or doesn't care.


>>>"How do I know which ones are false alarms and which ones aren't?"<<<
All of those legit files flagged as infected are infected... not false alarms.


@ warturtle:
>>>"Not all of them are viruses. Some of them like Outlook, QuickTime Player, etc might not have the latest updates/versions"<<<
You have got to be kidding here, LOL. No scanner will false positively flag a legit file as infected because the file is outdated and you know that virut is present in the system.


>>>"I too feel that it would be wise to do a complete reinstall after backing up your important documents without the exe files and scr files."<<<
I am disappointed to know you haven't really researched this through..... Old variants only infect .exe and .scr files but now Virut and sality infect .exe, .scr, .rar, .zip, .htm, .html, php and asp files.


Good luck!

Author Comment

by:hermesalpha
ID: 24164720
For the next 1-2 years, I really need a problem-free and safe laptop, so I can use it for my online language courses without interruption. What do you think about this step-by-step solution?:

1. Copy Favorites, Desktop, My computer and important personal files to external harddrive.
     Download installation file for ZoneAlarm Extreme Security to external harddrive.
     Download WipeDrive System Saver from http://www.whitecanyon.com/erase-file-index.php
     and save installation file on external harddrive (I'm willing to spend some money on buying this software).
      Check internal harddisk for errors by pressing F8 (or F10?) when booting.
2. Use WipeDrive System Saver to wipe my internal harddrive.
3. Install Windows XP SP2 American version with MUI-Pack, and install additional software and drivers from HP.
4. Create a Limited user account, and turn off Auto-run in Control Panel (how do I do that?)
5. Install ZoneAlarm Extreme Security.
6. Begin to install all software (search each folder for viruses before each installation).
7. Gradually check each folder on my external harddrives, using ZoneAlarm.

Author Comment

by:hermesalpha
ID: 24174223
My harddisk is infected with virus/sality and other viruses.

For the next 1-2 years, I really need a problem-free and safe laptop, so I can use it for my online language courses without interruption. Can anyone advise me if the steps below would be a good solution?:

1. Copy Favorites, Desktop, My computer and important personal files to external harddrive.
     Download installation file for ZoneAlarm Extreme Security to external harddrive.
     Download the bundle Wipedrive+SecureClean+MediaWiper for USD 59.95 from http://www.whitecanyon.com/computer-maintenance-bundle.php
     and burn images on CD-ROM for these softwares (I'm willing to spend some money on buying these three softwares).
      Check internal harddisk for errors by pressing F8 (or F10?) when booting.
2. Use WipeDrive to wipe my internal harddrive (and later also use Secure Clean and MediaWiper bought together as bundle with WipeDrive to clean my external harddrives and USBs).
3. Install Windows XP SP2 American version with MUI-Pack, and install additional software and drivers from HP.
4. Create a Limited user account, and turn off Auto-run in Control Panel (how do I do that?)
5. Install ZoneAlarm Extreme Security.
6. Begin to install all software (search each folder for viruses before each installation).
7. Gradually check each folder on my external harddrives, using ZoneAlarm.
LVL 16

Expert Comment

by:warturtle
ID: 24176178
Hello hermesalpha,

I suggest that you take a backup of all your .doc, .xls, .ppt and other important files except for the list - .exe, .scr, .rar, .zip, .htm, .html, php and asp. Since you have Sality, it would have affected those files, so it's no use backing them up.

Create a list of programs that you would like to re-install on your PC after the wipeout is done. You would have to do a fresh install, because your system files would also have been affected.

Buying WipeDrive isn't really required, because you don't want to save the Windows files which are affected by Sality, this would mean keeping the infection safe within the computer so that it can strike again.

I think rpg's comment 24127741 describes the process of doing it correctly - disconnect external drives, backup the files from internal disk, then do a wipeout and then do a fresh XP re-install, install ZoneAlarm Extreme Security (or free Comodo Internet Security or free AVG Antivirus + free ZoneAlarm firewall - it's up to you) and copy your backed-up files back into the PC, then connect your drives one by one and scan them first and clean them before using them. The free antivirus and firewall are as effective as the paid ones, so you don't really have to spend a penny.

You can create a limited user account in Windows XP after logging in as an administrator, then going into Control Panel and creating a guest user.

Hope it helps.
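
The backup step described in this thread (copy documents, leave behind the file types the posts list as Virut/Sality targets), as an added example that is not code from any poster. The function names are hypothetical, the extension list is the one given in the posts, and the destination is assumed to lie outside the source tree; the hash manifest lets the copies be re-checked after the reinstall.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extensions the thread names as Virut/Sality targets (taken from the posts).
EXCLUDED = {".exe", ".scr", ".rar", ".zip", ".htm", ".html", ".php", ".asp"}


def is_excluded(path: Path) -> bool:
    """True if any suffix is listed: catches SETUP.EXE and essay.doc.exe."""
    return any(s.lower() in EXCLUDED for s in path.suffixes)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def selective_backup(src: Path, dst: Path):
    """Copy non-excluded files; return ({relative path: sha256}, [skipped])."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest, skipped = {}, []
    for path in sorted(src.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(src).as_posix()
        if is_excluded(path):
            skipped.append(rel)  # left behind; reinstall from original media
            continue
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(target)
    return manifest, skipped


def verify_backup(root: Path, manifest: dict) -> list:
    """Return paths that are missing or whose hash changed since the backup."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_of(root / rel) != digest]


if __name__ == "__main__":
    # Constructed sample tree standing in for the laptop's data folders.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "laptop"), Path(tmp, "external")
        (src / "docs").mkdir(parents=True)
        for name in ("docs/essay.doc", "docs/essay.doc.EXE", "links.HTM", "marks.xls"):
            (src / name).write_bytes(name.encode())
        manifest, skipped = selective_backup(src, dst)
        print("copied :", sorted(manifest))
        print("skipped:", skipped)
        print("changed:", verify_backup(dst, manifest))
```

Filtering by extension only narrows what is carried over; as the posts above say, a clean scan or a clean-looking file is no guarantee, so the copied files still need scanning before use.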