Jersey Mike
  1. Kay, I'm going to jump on this one since no one else has answered as of yet. It sounds like you are pretty well covered as far as anti-malware is concerned. That means you are OK for viruses, trojans, and malware in general. One thing I would look for is a software firewall for your new PC. There are several very good ones available for just the cost of a download. Kerio and Comodo are two that come to mind. I've chosen Comodo because the version of Kerio I have seems to want to act like a real hardware FW. It wants 2 NICs and wants to be set up to know which is the internet side and which is the internal network (safe) side. I will probably implement that some day, especially since this incoming garbage is getting more and more sophisticated. Kerio Personal Firewall was a very good product and I used it for about 5 years with great success. I believe it is still around, and if so, it would be another very good choice. McAfee is a decent product and I use it on a couple of machines that my kids use. It doesn't do much for letting the malware in but is able to detect its presence most of the time. Malwarebytes is incredible. It knows just where to look for those stubborn programs that you just can't seem to get rid of. BTW, I am just a member of this forum and do not work for Malwarebytes. It really is a good program to have on board. I run a scan on about 15 machines daily. The time that the machine is down is well worth the garbage that MBAM finds. I don't know anything about either of the virus programs that you mentioned. I would get demo versions from each of the major vendors and see which ones find the most problems. I have Trend on most of my machines because I was working for one specific client and that is what they required. I have had times when Trend would find malware just during the course of normal business, and would pop up a message box telling what it found and asking whether I wanted to quarantine it.
     Before that I used Symantec's Anti-virus, which is also a good product, but I found that with AV software, you are safer to use more than one brand. McAfee might pick up something that Trend misses and Symantec might pick up something that McAfee and Trend both miss. In order to keep your machine running clean, you should have anti-virus, anti-malware, and a personal firewall that can be configured for either inbound or outbound or both (which Windows FW doesn't do). I don't know why, but MS skimped on the FW they decided to bundle with. If I'm not mistaken (experts, correct me if I am wrong) you can set up rules (simple ones) on inbound traffic but there is no facility to alter outbound traffic. So, if you have spyware or download an evil program by accident, it could send the entire contents of your hard drive to its host computer and Windows FW would totally allow it. I'm sorry but I nodded off in the middle of this email, so if anything is unclear, post a question back to the same topic and either I or one of the more experienced monitors of this forum will try to straighten out whatever I messed up. The bottom line is that I think you need a personal firewall and more than one anti-virus program. Also, no matter what you are using, remember to update before starting a scan, unless the infection is so bad that you wouldn't trust that update. There are so many factors involved in keeping a computer clean, it is impossible to give you exact, specific answers based on the information that you have provided, although I do believe that you made a concerted effort to supply as much info as you have available. Thanks, Mike. Disclaimer: I am not affiliated in any way (other than being a co-member) with Malwarebytes. I do have many years of computer experience in general, and have been interested in malware and how it works, ever since I realized that I didn't know enough to accurately guide someone through the steps of total PC cleanup.
     I have used Malwarebytes and found it to be very helpful. It is a nit-picky program and tends to find things that others have skipped over. My first 2 programs to run would be Spybot Search & Destroy and then Malwarebytes. Between both of them, you will probably find out more about your computer than you really wanted to know. If you really want to get a great overview of infestation and repair, take a look at this post by JeanInMontana. It might help to let you see the big picture: http://www.malwarebytes.org/forums/index.php?showtopic=2936.
  2. tommymason, Eric the Red is correct about the set procedure to clean all the junk off a machine. However, I am just a little curious as to what the messages were that got converted to images and stored in PhotoBucket. Apparently PB didn't like something about them and either moved or removed them. Knowing what was in the error messages might help to cut down on troubleshooting time. I'm not an expert but I always feel that the more info you have (as long as it is relevant) the better. It would probably help to speed things along somewhat (remember that cleaning an infected machine can take DAYS, depending on the situation). Is there any way to post copies of the errors from PB? If it is impossible, don't fret over it. The link provided by Eric should get you on your way to a clean machine again. I was just thinking that a few steps might be able to be skipped if more was known about the infestation. Mike
  3. Jean, Here is one thing I thought of. If I am trying to troubleshoot a permissions problem I like to use FileMonitor (used to be by SysInternals but it should be on the MS site by now). If you run it as a non-admin user, you should be able to pick out what file they are trying to read/write. Then you can take steps to ensure that GPO enables the correct permissions for everyone in, say, the development group. You can do the same things using RegEdit except it will monitor the registry instead of the file system. If you have a ton of executables accessing either file or registry at the same time, you can set up a filter so you only get what you need instead of everything. I have to do this on a fairly regular basis because my kids are regular gamers but some of the games they play want to deposit files in C:\Windows\System32. I almost had a hemorrhage the first time I found one of these. In 2008, game writers can't find any place to write temp files except the system32 directory? Anyway, now I knew what the problem was and how to fix it. This could be a similar situation. Thanks, Mike
  4. I would try almost ANYTHING before I would be willing to re-install XP. Remember that all your program settings for anything you installed after the OS was installed will be missing. Some of it will be minor and will repair itself once you run the program again. On the other hand, programs that write an encoded key of some sort under HKLM will probably need to be reinstalled, although you might get by with just re-entering the registration key. Companies and people who make their living from software development want to make it difficult to either move a program from one machine to another, or to have the same program on more than one machine when you only purchased one license. The idea to try add/remove programs from either start/run or from the applet within control panel seems like a reasonable test. If you have something like MS Office installed and add/remove programs doesn't see it, that's a big problem. I would try creating the reg key by hand before reinstalling the OS. Unless, of course, you have a very recent backup of the entire drive that you could use to put everything back right. On my important machines, I periodically take a snapshot of the boot drive using "Ghost". I use that because I have it and it is licensed. There are other programs that do the same thing. They basically make a sector by sector copy of the drive you specify, leaving you with either one or several files that could be restored (if needed), rendering your machine back to the state it was in when you took the snapshot. That info might be helpful going forward, but probably won't help you much right now. If you are still having a problem, let me know and I'll check my own registry for that key and see if there is anything else you need to do besides put the program name under the key. Knowing MS, I would suspect that there is, but since I'm kind of jumping in the middle here, for all I know your problem may have already been solved. Thanks, Mike
  5. I don't know why you would not be able to upload your HJT file. I'm not senior enough to help you out in that department. Take a look at some of the help files in that forum or try using search for an answer. Some of those files are indeed important Windows files. I don't know how your machine would even boot without explorer.exe. That is actually the main part of Windows that you interact with. It's called the shell. You can probably find most, if not all of those files in a hidden folder where Windows keeps backups for just such a problem. The path to the folder is c:\windows\system32\dllcache. You will probably need to be in safe mode to copy the good file from dllcache to wherever it belongs on the system. Most will go into c:\windows or c:\windows\system or c:\windows\system32. All 3 of these locations are in your PATH statement (or should be) so it's not super critical that they be placed in the right folder, it's just good to keep the machine as close as you can to the way it was originally set up. You also can check to see if there is a malware program that is running at startup. Check your startup folder first. There are also 2 places in the registry where startup programs can go. If you need help to check there I'll send it in a separate post. While in safe mode you should also empty all your temp and internet temp folders. They turn out to be handy places for malware writers to put their code. Good luck, Mike
  6. I just thought of something else. If you can't delete the files, you can try rebooting into "Safe Mode" and the files may no longer be locked. To boot into safe mode, as soon as Windows starts to come up, hit the F8 key and you will get a menu of the various alternate modes that Windows has. One of them is safe mode. Select that and hit enter. Things will look different because many drivers and other things that Windows can run without will not be loaded. Try deleting the files in this mode. If that doesn't work, Malwarebytes has a product called FileASSASSIN which is able to delete locked files. Thanks, Mike
  7. jaykim, The reason the files keep coming back is because your machine is still infected with something. I see that you have run Malwarebytes on the machine. Did that prevent the files from coming back? I'm going to guess no, since if it did you probably wouldn't be posting here. There is an excellent tutorial written by one of our senior members, JeanInMontana, and it can be found here: http://www.malwarebytes.org/forums/index.php?showtopic=2936. It is a lot of work but it tells you step by step what actions you need to take to make sure your machine is clean again. Try this out and post back if you have any troubles or to let us know if it worked. Thanks, Mike
  8. You guys are great. I am a programmer myself and recognize nice work when I see it. I did, however, hit a problem while scanning one of my computers tonight. I will attach a picture of the screenshot to this email. I'm afraid it doesn't supply much info. I can't be 100% sure because I wasn't watching the scan constantly, but I think it was scanning through a user's internet cache when this happened. I know from my own experience recursing an entire hard disk that I had trouble with these folders myself. MS allows characters in filenames here that are prohibited elsewhere. I found the percent sign % to be particularly troublesome because if you use any of the printf or fprintf functions, it thinks the % is the beginning of a regular expression replacement. Depending on how it is interpreted, you could end up anywhere in memory. Here's the screenshot. Unfortunately, I don't see any logfiles (unless I'm looking in the wrong place). Good luck. Mike
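The failure mode Mike describes in post 8 (a cached filename containing "%" handed to a printf-family function as the format string) is a format-string bug: "%" starts a conversion directive, so printf reads arguments that were never supplied, and with "%n" it even writes memory. The C below is an added example of mine, not Mike's code and not Malwarebytes' scanner; the filenames are constructed samples. It shows the correct form (a literal format with the name as a "%s" argument), a check that counts the directives an untrusted name would introduce, and a percent-doubling escape for legacy code that cannot stop passing the string as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the conversion directives an untrusted string would introduce if it were
 * passed as the *format* argument of a printf-family call. "%%" stays a literal. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') p++;   /* "%%": literal '%', consumes no argument */
        else n++;               /* "%2", "%5B", "%n", ...: starts a directive */
    }
    return n;
}

/* The correct form: literal format, filename passed as data. Safe for any name. */
int log_path_safe(char *out, size_t outsz, const char *path)
{
    return snprintf(out, outsz, "scanning: %s", path);
}

/* Fallback for legacy code that insists on using the string as a format:
 * double every '%' so the only directives left are the harmless "%%". */
char *escape_percent(const char *s)
{
    char *out = malloc(2 * strlen(s) + 1), *q = out;  /* worst case: all '%' */
    if (out == NULL) return NULL;
    for (const char *p = s; *p; p++) {
        *q++ = *p;
        if (*p == '%') *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* Apply a run-time format string through vsnprintf (hypothetical legacy path). */
static int apply_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return r;
}

/* Returns 1 when the escaped name survives the formatter unchanged. */
int percent_roundtrip_ok(const char *name)
{
    char buf[512];
    char *esc = escape_percent(name);
    if (esc == NULL) return 0;
    apply_format(buf, sizeof buf, esc);   /* well-defined: only "%%" remains */
    int ok = strcmp(buf, name) == 0;
    free(esc);
    return ok;
}

int main(void)
{
    char buf[512];
    const char *name = "logo%20dark%5B1%5D.gif";   /* constructed, IE-cache style */
    log_path_safe(buf, sizeof buf, name);
    /* Never do this with such a name: snprintf(buf, sizeof buf, name); */
    printf("%s | directives if misused as format: %d | escaped round trip ok: %d\n",
           buf, count_format_directives(name), percent_roundtrip_ok(name));
    return 0;
}
```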
  9. About a week ago two of my computers were suddenly hit with a trojan called the "XPFIXER". Its initial symptoms are very visible. Your background is changed to a solid blue with a single warning box right in the middle of the screen that says "Your computer has been infected. Click here for a free virus scan". The wording might be a little different because I'm going by memory. Also Internet Explorer (if that is your browser of choice) will start acting very strange, as if someone else is controlling it. It will open and close, and go to different websites on its own. You will definitely know that something is wrong. Do NOT click that warning box because it is not going to help get rid of your problem, it will only get worse. I immediately went to "My Network Places", right clicked on the desktop icon and picked "Properties". From there I disabled my network card to (hopefully) keep damage to a minimum. I then used every virus scanner, malware scanner, rogueware scanner that I had and ran it on the one machine. I just powered off the other one until I could find what would fix the problem. Nothing I used worked. I couldn't get rid of the background, or the bizarre behavior in IE, no matter what I did. I finally started killing processes using Sysinternals' procexp.exe, which is a process explorer. It functions similar to task manager but shows you the whole process tree instead of just the process. You can also use this tool to end processes that task manager says "access denied" to. When I killed one instance of svchost.exe, the system shut itself down and rebooted. This meant that there was at least one DLL involved. When the system came back up, it was acting the same way. It was also now preventing me from running certain programs like Spybot S&D. I started looking through the Windows\System32 file system for things that looked abnormal. I sorted the folder by date and found 3 DLLs that had been created very recently.
     They all had strange names that looked like letters randomly thrown together. I tried to delete each one in turn but they were all locked. I didn't know about Malwarebytes' FileASSASSIN at the time. I probably could have rebooted into Safe Mode to delete those DLLs, but I have a bootable CD which is especially for troubleshooting. It started with Bart's PE but has been worked on by several people since then. Anyway, this CD has gotten me out of many sticky situations in the past, so I booted it up. Once the system was up, I could delete the locked DLLs, get rid of the background and put my normal background back in place. I also took the time to empty each user's temp and internet temp folders. I've found in the past that malware writers like to stick their code into the temp folders because most people don't look in there. I rebooted back into XP and it looked like the problem was gone. However, I found that I had a new problem. My computer could not get a DHCP address no matter what I tried. I tried changing the TCP/IP settings and set a static IP address. This would allow me to ping another machine on my internal network but I could not get out to the internet. At this point I went to another clean machine, and sent out a plea for help to the Malwarebytes community. AdvancedSetup and JeanInMontana were both very willing to help me, even though I had made some obvious mistakes in the information I provided. It was 2:30 in the morning and I was really starting to hate malware. JeanInMontana has written an excellent tutorial of what steps to take to get your machine as clean as you can and then send in HijackThis logs for further analysis, if necessary. You can find that tutorial here: http://www.malwarebytes.org/forums/index.php?showtopic=2936. She also sent me another URL, and that was what I needed to fix the network problem. The URL is http://www.bleepingcomputer.com/tutorials/tutorial59.html.
     This site has a tiny little utility called "LSPFix.zip"; it might also be available as an exe file, I can't recall. I downloaded that utility to a USB key on a working computer, then plugged it into my broken one and ran it. It took about 10 seconds and came back and said "Your LSP chain is broken. Do you want us to fix it?". The wording may not be exact but it's pretty close. I answered Yes, the computer hard drive made some awful sounds for about another 30 seconds and then LSPFix prompted me to reboot my computer, which I did. When it came back up, the network card immediately got a DHCP address, I could get on the internet just fine and I was as happy as I could be. I then went through Jean's tutorial again, using each tool in the exact order that she specified, and cleaned up 32 other pieces of rogueware. I'm going to monitor it, and run scans on it daily for about a week, but I think it is back to normal. And it's really funny because now it seems to be much snappier (quicker). It had been degrading for some time and I didn't notice because I used it every day. Hats off to AdvancedSetup and JeanInMontana and her excellent tutorial. I printed it out and put the pages in plastic covers. I'm keeping this one close at hand. Thank you everyone, Jersey Mike. P.S. Jean, thanks for pushing. Without it I don't think I'd have done it and someone else would have to go through the same torture again. I hope I put it in the right place.
  10. Malwarebytes Corporation personnel: Congratulations and Best of Luck! Keep up the great work. Mike
  11. Jean, I'm glad that I'm far enough away so I don't hear all the names that you are calling me right now, but that link for the instructions on how to start your own forum takes you to the "Before HJT Logs" page. Can you send me the correct link (DUCK!) or can I find it myself through searching? Thanks again and I'm sorry to be such a pain in the butt, Mike
  12. Advanced and Jean, Thank you so much for your help. There were some messed up registry entries (like CLSIDs that pointed to programs that no longer existed) but the main problem was a missing link in the LSP chain. I've never seen this before but I've heard of it. I did all the upfront cleanup so HijackThis and Malwarebytes showed no errors except for the LSP problem. I downloaded and ran LSPFix, rebooted, and life (at least on that machine) is good again. I wouldn't have thought of that one on my own because I've never seen it before. I think I'm going to have to get hold of some virus code and disassemble it. You have to have a pretty intimate knowledge of Windows, under the covers, to come up with something like this. I didn't upload the logs. I still have them, except for the Panda ActiveScan, because I couldn't get out the wire. If you want me to upload what I have, I will, but everything looks clean so I can't see that you'd gain anything from it. Thanks again, Mike. PS, now that that machine can communicate again, I WILL upgrade it to SP3 and whatever else has come out recently. Then it will be up to date (after a couple hours sleep).
  13. Yes, I realized that after I posted. I have to remember to get the sequence right: 1) Engage brain, 2) Open mouth or write post. Sorry about that. Mike
  14. Jean, I just read Advanced's and your responses. I haven't had a chance to run HijackThis yet, so the logs you are looking at are not from me. I will run it now, copy the results to a USB key and then upload them from this computer. Thanks, Mike
  15. All, If anyone can figure this one out, my hat's off to you because I consider myself a pretty good fixer of these weird problems. I have a laptop (an IBM T41) which was infected with a virus last week. The T41 is running XP with SP2. The virus was different than any I had seen before. It changed the screen background to display a message similar to this: "Your PC has been infected. Go right now to <some site> for a free PC scan." Of course I didn't believe the message but went through my usual suite of virus removal tools. They include Trend A/V, Malwarebytes (whatever the latest version is as of 2:00 AM EST), SD Search and Destroy, and a couple others that I can't recall right now. (My mind tends to switch into standby mode at around midnight and it won't come back on-line unless I continue to pressure it for at least an hour more.) The problem I am having is one of the strangest that I've ever seen (and I've been doing this a long time). The hardware is an IBM T41 laptop on a docking station, running XP w/ SP2 and all other current security patches. The network on the computer will not connect to the physical network. The icon in the task bar keeps going back and forth like it's trying to obtain an IP address. This happens either with the wired LAN or the wireless card under the keyboard. I've obtained the latest drivers for the LAN card from Intel but it made no difference. I tried deleting the offending components, hoping that PNP would pick them up. Well it did, but the end results were the same. I even tried setting a static IP address, but there was no difference. As a little background, this laptop and an older machine running Win2K were both hit, almost simultaneously, by the XPFIXER virus. They plant a seed on your computer and if you go to the site to get the fix, you are flooded with tons of other viruses. Of course I recognized this as a scam immediately and tried to remove the original infestation.
     (Please forgive any spelling or grammar errors tonight as I've been at this for about 14 hours now). I thought that I was doing good. I identified 3 new DLLs in the system32 directory that couldn't be moved, renamed, deleted, etc. I brought the system down and rebooted with some incantation of Bart's PE (on CD) that a friend gave me and that has saved the day dozens of times before. I deleted the stubborn DLLs, fixed the startup list to contain only reasonable stuff, popped the CD out and rebooted. Now I cannot connect to either my wired or wireless network. The icon shows the computer searching for an IP address, but it never finds one. I wonder if I accidentally closed either port 67 or 68. I didn't check that yet and probably won't until tomorrow because it's already 2:30 AM. I hate being up this late working on computers. It makes me a real bear the next day. Putting that aside, does anyone have an idea what could still be wrong? I run Malwarebytes now and it comes up clean. It's probably not port 67 or 68 being blocked because I get the same results, even if I specify a static IP address. It's an older machine. I could just take my 5 pound sledge hammer and beat it into tiny pieces. This would probably affect the functionality of the laptop though. If anyone has any ideas, please send them along. I will check in the morning (it's already morning). Thanks, Mike