Topic: WIZ it happened again
Bent Romnes, London, Ontario, Canada. Posted 23 Nov 2010 8:54 am

Wiz, I had a nasty one again, before I had a chance to do what you told me.
This morning, upon booting up there was a window come up saying it couldn't start because of some error in system32.
I sent the error report and proceeded to do another scan with MBAM. It came up with two infections. One in C\doc&set\local service....temp int. files\content IE5\J&U8Y392\dm4[1].exe (Rootkit.TDDSS)
the next one was in the same folder except for "network service" instead of Local service...00TU)DTK\ and the same dm4 and Rootkit.TDDS
MBAM had a hard time deleting those files but after 3 tries I managed to get rid of them (I think)
When attempting to restart, the computer seemed to hang on the opening screen for a while and then switched to the black screen with the choices for safe mode startup etc. This could be because I had tried earlier to start in safe mode without success. So the next time I restarted I chose "Start Windows in the last known good configuration"
That's where I am at now.
I then scanned with MBAM again and it reported a clean system.

Is it in fact clean since I reset to last known good configuration?

Should I go ahead and do the stuff you told me to do in the other thread?

Will I have to format to make sure I am rid of all the nasties?

I will wait for an answer from you before I do anything. Thanks again for your help!
_________________
BenRom Pedal Steel Guitars
https://www.facebook.com/groups/212050572323614/
Wiz Feinberg, Mid-Michigan, USA. Posted 23 Nov 2010 8:14 pm

Bent;
You are obviously browsing the Internet with vulnerable software. Would you please enumerate the following:

  1. The make and version of browsers you are using
  2. Your operating system and service pack level, if any
  3. Whether you are fully up to date with Automatic Windows Updates
  4. Your version of Java
  5. Your version of Adobe Flash
  6. Your version of Adobe Reader
  7. Your version of Apple Quicktime
  8. The brand, version and subscription status, if any, of your anti-virus program
  9. What firewall you are using actively
  10. How your computer is connected to the Internet
  11. Your email client, if any
  12. Your instant messaging programs
  13. Other anti-spyware programs
  14. Whether your installation of MBAM is the free or registered version

_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Wiz Feinberg, Mid-Michigan, USA. Posted 23 Nov 2010 9:06 pm

I thought I would take this opportunity to mention that from now through Monday, Trend Micro is selling all of their home security programs and service plans at 50% off. No coupon code is needed, but I would appreciate it if you, or others reading this would click through my links to go to Trend Micro's website.
Bent Romnes, London, Ontario, Canada. Posted 24 Nov 2010 7:18 am

Wiz Feinberg wrote:
Bent;
You are obviously browsing the Internet with vulnerable software. Would you please enumerate the following:

  1. The make and version of browsers you are using
  2. Your operating system and service pack level, if any
  3. Whether you are fully up to date with Automatic Windows Updates
  4. Your version of Java
  5. Your version of Adobe Flash
  6. Your version of Adobe Reader
  7. Your version of Apple Quicktime
  8. The brand, version and subscription status, if any, of your anti-virus program
  9. What firewall you are using actively
  10. How your computer is connected to the Internet
  11. Your email client, if any
  12. Your instant messaging programs
  13. Other anti-spyware programs
  14. Whether your installation of MBAM is the free or registered version


1 Firefox 3.6.12
2 Windows XP SP 3, on automatic updates
3 Java 6.0.18.0
4 Adobe Flash 10.0.45.2
5 Adobe Reader 9.4.1. When I opened the prog to check the ver #, it shut down Firefox and a balloon came up telling me I had unsafe programs or something. Then I couldn't get it shut down. Had to use ctrl alt delete
6 Quicktime 7.68.75.0
7 AVG virus program, the free one; ver# 9.0.872
8 I believe that the windows firewall is active, or is the Resident Shield in AVG a firewall?
9 My connection is a cable with cable modem; Rogers Yahoo
10 No email client, using the web email from Rogers among others.
11 Using Skype extensively, also have messaging thru Rogers Yahoo! I am usually "available" there but hardly even msg in Yahoo.
12 No other anti-spyware progs
13 MBAM - Free version
14 Also scan with SBS&D
Another problem cropped up as well. Now the computer shuts down and restarts at random intervals. It might run for 2 hours or 2 minutes. I was lucky to get thru this posting.

I will await your advice, but I have a good notion to just format and start over again.
Thanks again for all your help Wiz.
Bent
Wiz Feinberg, Mid-Michigan, USA. Posted 24 Nov 2010 7:48 am

Bent;
I found that you are using out of date, insecure versions of the following exploitable programs:

Java (v6-build-22 is current),
Flash (10.1.102.64 is current),
Quicktime (7.6.8 is current)

Adobe just released version X, which has a "sandbox" that isolates everything running in Reader or Acrobat from the operating system. Go to http://get.adobe.com/reader/ and download the new version. If you ever use IE, go there with it as well.

Your free AVG is also out-dated. The current version is AVG Anti-Virus Free Edition 2011. Get it from http://free.avg.com/us-en/download-free-antivirus.

The Windows Firewall is important. Please go to Control Panel > Windows Firewall and make sure it is enabled. The AVG Resident Shield is not a firewall. Only the paid version of AVG contains a firewall.

Are you connected directly to your cable modem? If so, and if the Windows Firewall has been compromised by malcode, that would be a direct route into your PC, from remote locations.

The random shutdowns are a major cause for concern. Either you have conflicting malware programs installed, or corrupted system files, or an overheating problem inside the case, or a failing hard drive. Open the case, with the power off and vacuum out all of the dust and hair, lint, etc. Carefully dust the fins and fans of all heatsinks, especially on the CPU and graphics card (if exists). Or, use compressed air to blow dust from the fans and fins.

Re-seat your RAM. Wiggle the heatsink on the CPU to make sure it is tight and not lifting off its housing on the board. Make sure all cables are firmly plugged in at both ends, where applicable.

Sometimes, when things get this bad, it is best to save personal data files to an external drive, reformat completely, and reinstall Windows (& re-activate it), install all drivers for the MB, especially the network adapter (to re-activate online), then grab all available Windows Updates, rebooting as necessary and re-checking until no more are available. Last, install all (new versions if available) of your security and productivity programs and peripheral devices (printer, camera, scanner, discombooberator, etc).
Bent Romnes, London, Ontario, Canada. Posted 24 Nov 2010 8:07 am

Wiz Feinberg wrote:
Are you connected directly to your cable modem? If so, and if the Windows Firewall has been compromised by malcode, that would be a direct route into your PC, from remote locations.

Yes, direct out of the wall to the modem to the computer.
Will this be corrected when I make sure that my Windows firewall is running?

Also, if there is malcode in my PC, does it manifest itself in the hard drive only or can it actually go into my mother board as well, making a reformat non-effective?
If I decide to re-format, and I want to back up personal files, can I do so on an extra internal hard drive that is only used for backup for unloading photos from our 2 camera cards?
Can this drive have been infected as well? It has only the photos on it.
Wiz Feinberg, Mid-Michigan, USA. Posted 24 Nov 2010 8:34 am

Bent Romnes wrote:
Are you connected directly to your cable modem? If so, and if the Windows Firewall has been compromised by malcode, that would be a direct route into your PC, from remote locations.

Yes, direct out of the wall to the modem to the computer.
Will this be corrected when I make sure that my Windows firewall is running?

The Windows Firewall (1 way, incoming) is the only thing standing between your hard drive and hostile TCP/IP probes from the Internet. If the firewall has been altered with a rule allowing a hostile communication to occur over a particular port, you will have to find and delete that rule (and the malware that created it). The simplest way to do that is to reset the Firewall rules to default values and approve each application that requests incoming communications over non-browser ports (80 and 445).

You can also install a third party software firewall and learn to configure it (noisy alerts), or buy a NAT router, which contains a rudimentary 1 way (incoming) firewall (blocks all unsolicited inbound communications), then connect the modem to it and the computer to the output of the router. This will require a hard reset of the cable modem, before it will recognize the router and pass Internet activity to it. If you opt for a router, be sure to change the admin login password, disable remote administration and UPnP.

Quote:
Also, if there is malcode in my PC, does it manifest itself in the hard drive only or can it actually go into my mother board as well, making a reformat non-effective?

That could happen if you have acquired one of the few hardware infecting rootkits. There are also several rootkits that infect the Master Boot Record of the primary hard drive. A complete format should clear them, but so can a particular DOS command, issued during a reboot into the "Recovery Console."

To fix possible MBR infections, insert your Windows XP CD into an optical drive and reboot into the CD. Choose the Repair Windows option using the Recovery Console. When the Recovery Console launches, choose the C partition and log in with your Administrator password (if exists). At the command prompt, type this:

fixmbr

press enter

Acknowledge the warning message and continue.

For good measure, also issue this command:

fixboot

press enter

When you type EXIT and reboot, any MBR infectors will be gone.

Quote:
If I decide to re-format, and I want to back up personal files, can I do so on an extra internal hard drive that is only used for backup for unloading photos from our 2 camera cards?
Can this drive have been infected as well? It has only the photos on it.

Yes, that will be fine. I would have mentioned it but most people don't have additional internal hard drives (I do). They generate more heat inside the case. If your case is well ventilated with fans, this is no problem. Just make sure the vent holes in the case are not clogged with dust and dust bunnies.
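Wiz's advice above is to reset the Windows Firewall to defaults and then approve only the programs that genuinely need inbound connections. As an added example (not code from this thread or from any of the posters), the Python script below audits a constructed list of firewall exceptions and flags any whose program sits in the temp or browser-cache directories where the dropper in this thread was found, or that let an unrecognised program accept connections from any address. The export format, the directory patterns and the set of expected programs are assumptions.

```python
import re
from dataclasses import dataclass

# Directories in which a program granted an inbound exception should never
# live. These patterns are assumptions modelled on the path quoted in the
# thread (the LocalService / NetworkService IE cache where dm4[1].exe sat).
RISKY_DIR_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\temporary internet files\\",
    r"\\content\.ie5\\",
    r"\\local settings\\temp\\",
    r"\\windows\\temp\\",
    r"^[a-z]:\\documents and settings\\(localservice|networkservice)\\",
)]

# The two programs the poster says legitimately need inbound connections.
EXPECTED_PROGRAMS = {"firefox.exe", "skype.exe"}


@dataclass
class FirewallException:
    name: str
    program: str   # executable path the exception applies to
    enabled: bool
    scope: str     # "any" (all addresses) or "subnet" (local network only)


def parse_exceptions(text):
    """Parse a constructed 'name|program|enabled|scope' export, one rule per
    line. This is a made-up format, not netsh's real output."""
    rules = []
    for line in text.strip().splitlines():
        name, program, enabled, scope = (f.strip() for f in line.split("|"))
        rules.append(FirewallException(name, program,
                                       enabled.lower() == "yes", scope.lower()))
    return rules


def risk_reasons(rule):
    """Reasons an enabled exception looks planted rather than user-approved;
    an empty list means the rule passes."""
    if not rule.enabled:
        return []
    reasons = []
    exe = rule.program.rsplit("\\", 1)[-1].lower()
    if any(p.search(rule.program) for p in RISKY_DIR_PATTERNS):
        reasons.append("program lives in a temp or browser-cache directory")
    if exe not in EXPECTED_PROGRAMS and rule.scope == "any":
        reasons.append("unrecognised program accepts connections from any address")
    return reasons


def audit(text):
    """Return {rule name: reasons} for every rule that raises at least one."""
    flagged = {}
    for rule in parse_exceptions(text):
        reasons = risk_reasons(rule)
        if reasons:
            flagged[rule.name] = reasons
    return flagged


# Constructed sample export: two legitimate entries, one disabled leftover,
# and one whose program path is the dropper location quoted in the thread.
SAMPLE_EXPORT = r"""
Mozilla Firefox|C:\Program Files\Mozilla Firefox\firefox.exe|yes|any
Skype|C:\Program Files\Skype\Phone\Skype.exe|yes|any
Old game server|C:\Games\server.exe|no|any
Windows Update Helper|C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J&U8Y392\dm4[1].exe|yes|any
"""
```

Running `audit(SAMPLE_EXPORT)` flags only the "Windows Update Helper" entry, for both reasons; the disabled leftover and the two approved programs pass.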
Cal Sharp, the farm in Kornfield Kounty, TN. Posted 24 Nov 2010 10:13 am

The simple answer to all this is, don't get on the Internet unless you're behind a router.
_________________
C#
Me: Steel Guitar Madness
Latest ebook: Steel Guitar Insanity
Custom Made Covers for Steel Guitars & Amps at Sharp Covers Nashville
Bent Romnes, London, Ontario, Canada. Posted 24 Nov 2010 12:07 pm

Cal, could you expand on this? 1- I don't understand how a router can make it safer. 2- I thought a router was only a "wireless router" that only enables you to connect to other computers wirelessly and other computers to hook up to yours and use your internet service. That to me doesn't sound like the safest way to surf. But like I say, I don't know.
Bent Romnes, London, Ontario, Canada. Posted 24 Nov 2010 12:16 pm

Wiz Feinberg wrote:
They generate more heat inside the case. If your case is well ventilated with fans, this is no problem. Just make sure the vent holes in the case are not clogged with dust and dust bunnies.

Wiz, My shut-down/re-boot can occur after 3 minutes of operation from a cold start-up. And then it might run fine for the next hour. This tells me the heat sinks etc are clean and not overheating. I will check and possibly clean though. However, are there other reasons for a computer shutting down like that? Like...
What malware in what part of the PC could cause this?
Cal Sharp, the farm in Kornfield Kounty, TN. Posted 24 Nov 2010 12:30 pm

Quote:
1- I don't understand how a router can make it safer. 2- I thought a router was only a "wireless router" that only enables you to connect to other computers wirelessly and other computers to hook up to yours and use your internet service.

Bent,
A router is a physical barrier between your computer and the Internet which in many cases keeps the bad guys from even seeing that your computer is online. If you can't be seen, you can't be attacked. A wireless one also enables you to connect wirelessly to a home network and/or the internet through your modem and should be properly configured with WPA encryption. Not all routers are wireless. But if you have just one computer that's on the net you should protect it behind a router.
Last edited by Cal Sharp on 24 Nov 2010 12:55 pm; edited 1 time in total
Bent Romnes, London, Ontario, Canada. Posted 24 Nov 2010 12:53 pm

Cal, thanks for the explanation. So, can I say that a router is instead of a firewall? Or do you always use the firewall with the router? So this Router, I take it, is not wireless but hooks up between the cable outlet and the modem?
Bent Romnes, London, Ontario, Canada. Posted 24 Nov 2010 1:07 pm

Wiz,
I did do a Restore Defaults in Windows Firewall. The only two apps that need incoming communications are Firefox and Skype, and both of these function without approval. With this I take it that I did it correctly?

Like yesterday, I scanned with MBAM and sure enough, the same type of infection was in the same two folders again. So now, to verify that Win Firewall is working, can I leave things as is till tomorrow and do a scan? If MBAM comes up with no infections, will this prove that the firewall is working?

Then, when I update the Java and all the progs you mentioned, will I be surfing safely once more?
Cal Sharp, the farm in Kornfield Kounty, TN. Posted 24 Nov 2010 1:08 pm

A router is a physical barrier, where a firewall is a software barrier. A firewall isn't really necessary if you have a router, although there are different opinions on this. You plug your internet cable into the modem, then plug the modem into the router, which gets its power from a wall outlet just like anything electric and is about the size of the modem. Routers usually have 4 ports which you can hook up to any desktop comps you might have; otherwise you might not need the ports. Sometimes the modem and the router may be one unit, like the AT&T DSL connection I have. Routers are about $30-$60, and well worth it.
Wiz Feinberg, Mid-Michigan, USA. Posted 24 Nov 2010 2:51 pm

Bent Romnes wrote:
Wiz,
I did do a Restore Defaults in Windows Firewall. The only two apps that need incoming communications are Firefox and Skype, and both of these function without approval. With this I take it that I did it correctly?

Like yesterday, I scanned with MBAM and sure enough, the same type of infection was in the same two folders again. So now, to verify that Win Firewall is working, can I leave things as is till tomorrow and do a scan? If MBAM comes up with no infections, will this prove that the firewall is working?

Then, when I update the Java and all the progs you mentioned, will I be surfing safely once more?

Regrettably, it appears that the infections are backed up in your System Restore folder. This is why they have reappeared after being removed by MBAM. You have three choices now.
1: Restore the computer to a date before the infections became noticeable (guesswork at best).

2: Disable System Restore, wiping out all previous restore points, along with all malware backed up in those places.

3: Reinstall Windows from scratch, including deleting the existing partition, performing a full formatting of the hard drive, followed by a fresh install, update, secure, install procedure.
Bent Romnes, London, Ontario, Canada. Posted 24 Nov 2010 7:10 pm

Wiz, I want to thank you for your great help. You pointed me in all the possible correct directions and I learned a lot.

Miraculously, the computer isn't shutting down any more but it is acting strange in other ways.

No matter what I tried, I still had the feeling I wasn't rid of the nasties so tomorrow I will likely be formatting and starting fresh.

Hope to be back online some time tomorrow night. Thanks again!
Bent Romnes, London, Ontario, Canada. Posted 26 Nov 2010 10:29 am

Wiz, it looks like the source of all my troubles was in fact that rootkit.tdss. I went as far as inserting the Windows disk to do a format and there was likely something in that virus that prevented the disk from operating. The install disk detected a problem in a driver or something and shut down.
So I went on the web and found "tdss killer" scanned my system with that and lo and behold tdss was still in my system despite MBAM's efforts earlier.
TDSS killer found and wiped out the virus or whatever it was. After that, the computer started running like a brand new machine.
After that, I updated all the programs that you recommended earlier, and made sure that my windows firewall works properly.

I still might get hold of a router like Cal was talking about. They sound like a great idea to me.
I learned a lot through all this.

Again, thanks for your help!

All times are GMT - 8 Hours