what should i do?, reinstall xp home?

Discussion in 'other software & services' started by Helen321, Sep 11, 2004.

Thread Status:
Not open for further replies.
  1. Helen321

    Helen321 Guest

    hello Wilders :). it's iceni60 at a friend's house; we need some advice for xp home.

    for the last 7 months she didn't have her firewall switched on, we have done a few scans and deleted malware, however her computer is still running a little slow. AVG just popped up as i write this saying that it's found a worm in system restore

    there are very few programs installed (10-15), so i want to reinstall xp home, i'll check to see if she has her Windows serial number first

    before the reinstall i want to try out a couple of sandboxes to see how they run on this computer. then afterwards i'll install SP2 from my CD and tighten the computer's security settings, and add the appropriate programs

    can you post just to confirm that what i am doing is OK, and safe to do, and if anything goes wrong we can just reinstall again? i'd like to reassure her.

    computer stats:

    Celeron CPU 1200MHz
    1.20GHz
    128MB of RAM

    can you think of anything else we should do?

    and one more question, which freeware anti-virus, with or without email scanning, would work best with AVG?

    thanks in advance :)
     
  2. Helen321

    Helen321 Guest

    sorry what i meant to say was which would work best with ewido? thanks again : )
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    First thing u should do is disable System Restore, reboot, enable it again, create a new restore point, do another scan and see if that worm is gone.


    snowbound
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi iceni60 incognito!

    7 months with no firewall? Even the slowest worm on the internet would have found its way to your friend's computer by now. :D

    You could try scanning from safe mode too. I have read that it is easier to get rid of things that way.

    Here is a rough overview for a clean installation (post 3).

    Good luck Ice!
     
  5. helen321

    helen321 Guest

    thanks snowbound, we'd just talked about doing that, and will do it : )

    however, i want to reinstall OS because:
    1, this computer has been exposed to the internet without a firewall for 7 months
    2, this computer has never been to windowsupdate
    3, it will be quick and easy, because she only has 10 programs she wants to reinstall and nothing else she wants apart from one picture
    4, security settings in IE Outlook etc. have always been default

    i need someone to agree with me to reinstall just to reassure helen that it's a safe option and will not ruin her computer. thanks : )
     
  6. helen321

    helen321 Guest

    thanks, Devinco. would you agree that we should do a clean install, rather than cleaning as much as we can and hoping she will be OK? thanks again Devinco : )
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Iceni60,

    Just make sure you have the Windows CD AND the cd key first.
    Back up her email database, Favorites, and any documents she may have saved (the individual documents may be saved in the respective program's folder). Also check if she needs any special drivers like RAID, SCSI, sound card drivers, etc. If you suspect a rootkit or other more serious infestations, you should disconnect the internet during the backup of her data in case her computer is being actively monitored. Check the link I gave for other ideas.

    Helen,

    You are in good hands. Iceni60 is a nice guy. I would definitely do a reformat in your situation. Do a little clean up so you can kill the active malware and then backup what you need. Just make the necessary preparations first.
     
    Last edited: Sep 11, 2004
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    In my opinion to give yourself a little peace of mind I would do a complete reinstall and then install all of the security apps from factory cd or fresh downloaded .exe files to keep from possibly getting some malware from something you may have backed up. And with a fresh install the comp. should work like it did new. That is always a nice feeling. ;)


    if you do have to use some backed up items just make sure to really scan them well before install.

    bigc
     
  9. helen321

    helen321 Guest

    thanks, Devinco and bigc. that's a big help to the both of us, we both want the computer to be safe and secure and work smoothly. we are going to try both SSM and Prevx before the install just to see which works best on this computer. thanks to the both of you. and i've got a big pile of CDs here that i'm going to go through to check we have the right ones to reinstall : )
     
  10. Brent

    Brent Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    71
    I would recommend reformatting but before you reformat download the SP2 complete download from Microsoft's website and put it on a CD.

    Right after you get the computer back up and running the first thing you install is SP2.

    First however make sure the firewall is on or disconnect from the internet during this process.

    That way you have a fresh format and sp2 with all the security updates.
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    That's a very good idea Brent. The only thing I would add is to download the sp2 and burn it on a known clean computer just in case anything is still hiding on Helen's computer.
     
  12. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    By Helen :
    I sure hope they're labelled.
    Don't fret, your peace of mind has already begun, Devinco and BigC are here for the assist :D :D :D...

    GF
     
  13. Helen321

    Helen321 Guest

    once again thank you to snowbound, bigc, Brent, GlobalForce and Devinco and any one i've missed out for your help :)

    i have posted a couple of times in the last hour or so, but they've not registered for some reason :(

    the questions that i asked were: the printer has two running services in task manager, LEXBCES.EXE and LEXPPS.EXE

    i tried to post a screenshot of how LEXPPS.EXE appears in Port Explorer, but as a guest i can't do that. every time i've checked it in PE the local and remote addresses have been 0.0.0.0 and it has been listening. so, does that mean that it's nothing to worry about and it won't get server rights?

    LEXBCES.EXE i haven't seen in PE, but it's part of the printer's processes. when i checked it out, this process has server rights. do we need it on a standalone computer? can i fix it with HJT? and since the computer tried calling home (dialling out without being prompted) this hasn't happened again. could it have been LEXBCES.EXE that has been hijacked and tried calling out?

    i'm only here for an hour or so, so any help/ideas will be greatly appreciated. thanks in advance, helen and iceni60 :)
     
  14. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Ice,

    I don't have enough time right now, but I will look into it more tonight. I'll post in the other thread.
    But basically my main concern was on the compromised machine that the processes could have been hijacked and used for other motives. If you will reformat and reinstall the drivers from CD anyway, you should be fine. 0.0.0.0 refers to the local host, the machine itself. So that should be okay. Unless it has been replaced by a long distance dialer. Then it would try to dial a toll number. From what SnowGuy said, it seems like it tries to dial an 800 number to register the printer with the company. The process may have other required purposes for the printing functions. I would still do a reformat. If you already reformatted and installed the printer driver, don't remove the process yet. Be very careful with HJT. Don't fix stuff with it. It is very easy to screw up a system unless you really know what you are doing. Only Spyware Fighters and other highly trained people should comment on what to remove from HJT.

    Talk to you later.
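    As an added example (not from the thread or any of its posters), a small Python triage of a `netstat -ano` style listing like the one Port Explorer showed above: it separates listeners bound to the wildcard address 0.0.0.0 (which accept connections on every interface, so they are reachable from the network once the firewall is off) from loopback-only ones. The sample lines and the PID-to-process map are constructed to resemble the LEXPPS.EXE situation, not captured from a real machine.

```python
"""Triage a Windows `netstat -ano` style listing for listening sockets.

Added example, not from the thread. Sample input is constructed.
"""
from dataclasses import dataclass

# Constructed sample: `netstat -ano` output plus a PID->image-name map
# as Task Manager would show it. Not captured from a real machine.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:9100           0.0.0.0:0              LISTENING       1544
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.5:1031       64.4.11.42:80          ESTABLISHED     1712
"""
PID_TO_IMAGE = {988: "svchost.exe", 1544: "LEXPPS.EXE", 1712: "IEXPLORE.EXE"}

@dataclass(frozen=True)
class Listener:
    image: str
    pid: int
    addr: str
    port: int
    exposure: str  # "all-interfaces", "loopback-only" or "single-interface"

def classify(addr: str) -> str:
    """0.0.0.0 as the *local* address is the wildcard bind: the socket
    accepts connections on every interface, not just from the machine itself."""
    if addr == "0.0.0.0":
        return "all-interfaces"
    if addr.startswith("127."):
        return "loopback-only"
    return "single-interface"

def listeners(netstat_text: str, pid_map: dict) -> list:
    """Parse LISTENING rows; header and non-listening rows are skipped."""
    out = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "LISTENING":
            continue
        addr, port = parts[1].rsplit(":", 1)
        pid = int(parts[4])
        out.append(Listener(pid_map.get(pid, "?"), pid, addr, int(port), classify(addr)))
    return out

def exposed(netstat_text: str, pid_map: dict) -> list:
    """Listeners that would be reachable from the network with the firewall off."""
    return [l for l in listeners(netstat_text, pid_map) if l.exposure == "all-interfaces"]

if __name__ == "__main__":
    for l in exposed(NETSTAT_SAMPLE, PID_TO_IMAGE):
        print(f"{l.image} (pid {l.pid}) listens on {l.addr}:{l.port} -> {l.exposure}")
```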
     
  15. Helen321

    Helen321 Guest

    thanks again, Devinco, but where is the other thread? perhaps that's why i lost my other posts earlier today.
    could you post a link to the other thread please?

    thanks, iceni60 and helen :)
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You may want to take a look here for further discussion on security and how to make your system that much stronger

    and here for more:

    Let us know how you go…

    Cheers :D
     
  17. Helen321

    Helen321 Guest

    a very nice and thoughtful post as seems to be the norm with you Blackspear. However, what is causing the most concern, is that there seems to be something that is trying to call home. the other day, without prompting, something started to dial out to an unknown address. it also happened in the middle of the night, the computer repeatedly got the dialling tone, dialled, didn't seem to connect, then kept repeating that process.

    this is a standalone computer and one of the running processes in task manager is LEXBCES.EXE. this is Lexmark printer's onboard network server. i don't know, but i'm trying to find out if this has been hijacked, as this computer, amongst other things, had its firewall switched off for 7 months

    also, even if this process hasn't been hijacked i'd like to know if a standalone computer needs this process running o_O

    i also just found this in HJT log...
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    i think that this is where that process is started-up. but as i'm no expert it would be great if someone could help out

    once again, thanks for sticking with us on this one :)

    P.S. when i have time (which may not be for up to 2 weeks) we are going to reinstall the OS
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,184
    Location:
    Texas
  19. Helen321

    Helen321 Guest
