Win XP computer is messed up bad...

CloneRanger

today has not been a good day.

I started before 8am (PST) searching for all photos on the infected PC so i could scan and move them (or move and scan; whatever). Now, at 315pm, it is still scanning.

I click on the option that tells how it will show the files and it takes 4ever for the drop-down window to open and then even longer for it to obey the command.

I know there are not THAT many photos on this old PC (it's not that big!) so I know something is in there messing with it...

advice?

(and I thought i'd have this evening to work on this - busy school day, computer wise - and I just found out there is a ceremony I need to attend tonight!!! arg!)

 

Originally Posted by kathyL

Doesn't sound right to me.

Ditto.

What about all the culprits itunes etc ?

It does appear so !

I notice from your previous threads on here, that you have used SM before, maybe you've forgotton ? Not SR, just SM. So hopefully it should remind you

What i've done very successfully before, several times, is to take out the PC's hard drive & connect it inside another PC, & use that PC to search/find/copy whatever wanted files etc over to that PC.

I know you said you're not too savvy on hardware, but i'm saying this to let you know that if for some reason/s you can't fix the PC, ALL is NOT lost, as at some point you can reclaim your files. Even if you can't do it, you could get someone else who can to do it for you.

So bearing that good news in mind, i would say it's probably time to try the SM & SR.

It's up to you, so how would you like to procede ?

 

Ok... breathing easier now...

I've not even touched iTunes, lol. wanted to get my precious photos out first, then on to music.

well, ok, then. Like I said, I'm not even going to be around tonight, blah and blah.

But I will go back over the info to start up in SafeMode, blah, blah, blah and see how far I get.

Stand by. Like, maybe make several batches of good buttered popcorn whilst you wait, LOL.

grrrrrrrrrrrrrrr.

ETA: well, I've gotten all the way to "Select a Restore Point" and there are NO (yes, ZERO) date options. I've hit the arrows to the left and right and nothing comes up.

EaTA: (edited again....) Recall, this computer was down for near a year and we just got it fixed like in January. Since that time, I'd been fighting to get the antivirus pgm loaded on it.

Seems to me, tho, that you said these restore points are set up when Microsoft does its updates...and certainly updates have been done on this... Just no clue when...

 

Good

OK

.

Yet here you are

Very good

It's alright for some

 

CloneRanger (oh, to have a clone of me right now! sigh!)

make sure you go back and read my latest edits to my last post...please. i've got about 45 more minutes here before i must bug out.

K

 

@ kathyL

Just read your edits. Well that changes things ! If no SR points are visable, it doesn't automatically mean they are lost though

Get some sleep & later on today when you check back in, i will have posted some details for you of how we "might" be able to find them & restore one or more.

 

CloneRanger- roger, that...

thank you so much.

and there is nothing wrong with buttered popcorn (except for me. boohoo)

 

@ kathyL

Here's a few things i'd like you to do before we go any further. On the PC,

Go to Start/Search & select this.



Then type restore & also select your C drive



Wait for the search to finish, now,



If you can see it, double click on it to open it. What's inside, anything or nothing ?

Then,

Reconnect the cable you unplugged, back to to PC & router. Go to the following two www's in turn & download the files to the PC's desktop, but do NOT run them yet.

MBRCheck -http://ad13.geekstogo.com/MBRCheck.exe

TDSS Killer -http://support.kaspersky.com/downloads/utils/tdsskiller.exe

I've put a - in front of those which you need to remove.

Do NOT go to ANY other www before or after, keep the online session as short as possible, so as SOON as they are DL'd shutdown the PC & unplug that cable again, & KEEP it unplugged as before. Then reboot & run MBRCheck first. You should see something like this.

You should see a mbr.log on the desktop, or wherever you Dl'd MBRCheck to. Open it & make a pen/paper or laptop note of what the things i've Bolded say.

Then on your laptop follow the instructions on how to run the TDSS Killer on here http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

Post back with your answers & results to the above.

 

cant you do a remote session instead?

 

Hi, actually i had thought about it & how much quicker it would be for me instead of taking all the time to compose all the info & make screenies & post etc etc. But as i've never done it before & i have it disabled, though i could reeenable it, i felt it was better not to experiment on her PC.

Thanks for the tip though

 

but if thats the only thing to do, it would be better if you try, just get the details of what she wants you to do,

 

Hi,

Perhaps she could try Comodo GeekBuddy. This is a service that is supposed to provide remote assistance to people to help them fix their PC, it is free for 60 days.
http://www.geekbuddy.com/what-your-geek-can-do.php

Regards

 

Clone Ranger: for now, I'm just going to keep listening to you, OK?

I appreciate all the suggestions, however.

In Safe Mode, I went to Start/search and that cute little deely bob that should come up (what do you want to search for?) does not come up. The dog (search hound) does but nothing else. I thought perhaps it was delayed (as everything has been for the past week) but I've sat here for 10 minutes waiting for it possibly to load and no go.

should i NOT be in SM?

K

 

@ kathyL

Re - Start/search in SM

It should work in SM, try in normal mode & then post back.

Do NOT try Anything else just yet, Only the search for Restore.

 

Had to take computer out of safe mode but did finally find the restore folder (along with 163226 other files with "restore" in it! yikes!!!).

The folder FINALLY opened and i have four files:

srframe.mmf
srdiag.exe
rstrui.exe
filelist.xml

not doing anything till i hear back from you...

(BTW, Avast was still operating in the background and while PC was searchig for "restore" file, it popped up a window that said it had found that "^#Zx&C*" virus (what was the name of the virus you suggested?? whatever, it was that name, the one you suggested) and Avast suggested I delete it, which i did. Avast then wanted to reboot but I told it it had to wait till we were finished...)

K in pacific standard time zone

 

So the one you found was this one



No sign of one that looked like the i showed you with lots of numbers/letters etc in Post # 58 ?

I got those, plus two others which are missing from yours ! But i'll wait to hear about Post # 58 before i say anything.

OK

It might have been the same, or another instead and/or as well, it happens.

If can look in Avasts log etc & write down the EXACT name/s of the nasties, & post them it could help

Yes reboot & again etc if it asks & then post back with the above info

 

HOLY SMOKES! I rebooted and searched again and the very FIRST file that came up has a bagillion numbers after it. it is in the "system volume information" file...does that sound like the correct file?

Oops. Just scrolled down and see you asked me to DBL click it and open:

fifo.log
drivetable.txt
filelst.cfg
driver.cfg
RP227 (the rest of these are folders within)
RP226 ...etc down to 222

ETA: it's almost midnight there wow... just before 4pm here...

 

New info:

avast detected the virus again: ROOTKIT (i figured I was close when i thought it was REBOOT)

deleted it

then avast wanted to reboot

upon reboot, avast scans again

in finds: File C:\Documents and Settings\Al users\Application Data\AVAST Software/Avast/arpot/837f1-554-0.dat is infected by win32:Alureon-FZ

I moved it the chest, not knowing what was best

avast continues to scan....

 

Yes that's it

I did

Aha, sort of some progress ! Very good

So there aren't that many, but there are some We don't know if they are 100% yet, but it's progress as SR said there were one. These "might" be VERY recent due to the rebootings etc ? Let's find out

Go to each RP*** in turn & right click on them



Click on Properties



& write down the date for EACH one, making SURE you also note the EXACT RP*** numbers for each one.

Post back with the info.

*

Not really, BIG difference

Good

Fine always let it

Same as before

Good

OK

Avast should NOW have ALL of that nasty in it's Latest virus definitions update. Before it appeared to detect it, but couldn't Fully deal with it, from what i've read. But as you have been offline Avast obviously won't have updated, so it "seems" as if it's in a loop.

Anyway see what it does next & if it keeps repeating itself we'll think of going online, but NOT just yet.

How is the PC running, generally now, as slow or ?

Please answer ALL the above questions & we'll try & move on

 

eeks. you posted 20 minutes ago... so now it is after midnight-thirty for you...

when i rebooted, avast wanted to scan and it's scanning now (11% complete; began when i last posted, half hour ago).

shall i abort the scan or let it continue?

I really need to get off/away from the computer and we've got doings again tonight but i might be able to check back in around 930-10pm PST (6am-ish your time).

 

Continue, otherwise you'll just be wasting time doing it over again !

Doesn't matter if i'm not here, just post back with the latest on Avasts scan etc, & ALL the other things i asked you I can read your posts whenever it's convenient & the sooner they are posted the better

 

RP227 - May 25, 2011 (interesting, eh?)
RP226 - May 21, 2011
RP225 - May 20, 2011
RP224 - May 19, 2011 (seems to be a pattern here!)
RP223 - May 18, 2011, 9:04:22 PM
RP222 - May 18, 2011, 3:10:01 PM

I had to leave the house shortly after I wrote that and when I got back (an hour? later), the screen saver was on and I needed to sign back in (we have it password protected for all the good that did me!). Avast was no longer running, yet it was only about 6% thru the scan when i wrote you and had been running for at least half an hour, so who knows if it really completed...

well, i've not really done anything on it other than what has needed to be done, but i just now asked it to search for all pictures and it seems to be responding faster... or is that my imagination...

650pm PST; i'll be leaving home again in about 15 minutes and won't be back for about 2 hrs.

>>ETA<< Wow!!!! 15 minutes ago, I began a search for photos on the sick PC; i happened to look at it just now and it has finished! the other day, it was running for HOURS!!! I'd do one of those cool thumbs up emotes if i knew how! )

 

Just to step back for a bit

What was your actual AV you were currently using before you did that, & is that still installed ?

Did you Uninstall that first, or install Avast whilst it was still installed, if you had one ?

*

Indeed ! Not sure why that should be right now.

Yes, & i'm "presuming" that Avast has managed to clear/clean "some" part/s of the nasty, & SR is now saving points again due to that. Unfortunately even though SR saving points again is good, NONE of those are probably safe to restore to, due to them ALL included since the infection date/s. But we'll sort that out later. No harm is being done by them, or others, being saved.

Re - All RP's

We see RP's only from when you first posted about this on May 18th, but you've now read why above.

Because most likely EVERBODY knows it Each person should have their own account/Log on name & PW, which will also mean ONLY that PW can be used for their SS = Good. But again, if we get you going we'll do that later, as NOBODY but you is using the PC now, or should NOT be, as talked about earlier !

You should still see it running if it is. Open it up & see what it says, still running or completed ? If completed look at the Log/Report etc & let me know what it says, and/or if it's still running etc ?

Maybe not

Good So have you copied them over to the External Drive yet whilst you had the chance ? If not you should have to save time later on You should also do the same with ALL the itunes & whatever else you want to save ASAP Let me know your progress.

 

[urg. rather bothers me that when i respond to posts on this forum, I can't see what YOU are responding to!!]

I wasn't using anything before. Recall I'd been having difficulty with AVs loading on that computer. I'd managed to get Avast (i think...) loaded and then the kids were all upset cuz it took out one of their favorite games (that they'd paid $$ for) and after that download, it seemed like all was messed up so i uninstalled it and looked for something else that i might use.

I tried Trend Housecall but the virus wouldn't let it even open up. I don't remember what all I tried, but I was able to get Avast back on...

[um, I'm currently trying to copy the photos to the external and i'm getting grief... I can't highlight the first photo in the list and scroll down to the one further down to highlight them all in between...so i'm hesitant to go look at anything else right now to see if i've got anything else loaded on this PC... but I did it anyway... I've got malwarebytes and superantispyware; i think those both work. i also have spybot but i think it is screwed up and won't work and i can't uninstall it. Blue had me put Hijack This on but I don't think that's an AV...]

i think i was using avast prior to it dying (fan died) and it was outdated by the time we got the computer up and working again...

Well, all the GOOD kids know it and the kid who chooses to do BAD things set up his own account when the security was down so he was able to by-pass the "family" password to get on/in...

Roger, no one but me is on it...

I'm really not that stupid but I can't seem to figure out this new Avast pgm. I've found a vault but I can't see anywhere where it says when it last successfully scanned.

That is another thing that is bothering me about Avast... It's got the oh-so-cool window that pops up when you want to do a scan. But then what looks like 'the blue screen of death' pops up upon reboot as it begins a fresh scan (what it recommends you do if it found something nasty) - that is scary! But it looks like it's running in DOS and seems - so - hokey. anyway, perhaps i digress.....

urg. i didnt even think about that till you wrote this. way too much on my plate! but now i've addressed the issue i'm having trying to copy these pictures over to the Ex HD. But while i wait for the home made bread to cool enough to use to make a sandwich for the man in the morning and then put it away, I still have about a half hour to be awake working on trying to move more photos at once...

 

Ah but you can



Just open another instance of your browser, IE or FF or whatever, & go to the same page you want to be on, but do NOT click the REPLY button on the second one, otherwise you'll be only seeing the same REPLY page. In my screenie to be able to show you, i've had to shrink them both & put them side by side. I would suggest not doing that, too small, just go back & forth from Tab to Tab to view each page, as many times as you like. When you've finished & want to log out, first close the second Tab & then Log out normally.

So you "could" have had other infections in there too, before you put Avast on !

If that game "was" actually legit, you could have made Avast, or any other AV, exclude it from further detection etc. You still could, but NOT now, we have other things to deal with.

Good, but they won't have the latest updates, until we go back online & try to update them, NOT now though. You could try running them, ONE at a time after each has finished, & see what they find. Save ANY .txt logs & post back them here as an .txt upload attachment. I showed you how earlier. As you didn't have any AV for some time, MBAM & SAS "might" find some nasties in your PC, that are included their older data bases they already have.

Forget SB, leave it alone !

HJT is NOTan AV.

You should have just updated it Immediately you got the PC back !

Understood, but we'll fix him later, & set up seperate LUA accounts for Everyone too, except you who will be Admin, After/If we get this sorted. But you should do that on EVERY comp anyway, but right now we're too busy with other things.

10-4

I don't use Avast, but i doubt if that info is in the vault. Have a look in as many Tabs etc in Avast as you can to see.

Not sure how Avast works, so it "might" be normal ?

Does "the man in the morning" assist in trying to sort out the PC, or is it just you ?

I have to say, if you'ld like to get this sorted, one way or another ASAP, you really need to move this up your priority ladder. The longer you delay, might not be beneficial all round

Keep me posted about the MBAM/SAS scans etc. The Avast info etc. And your progress on moving the photos etc over to the Ex D, & whatever else i might have asked and/or you may think is useful.