  1. #1 Junior Member

    Infected PC - Rebuild failed to resolve

    Hi

    I have an ongoing problem with my home PC which has been driving me crazy for a couple of months.

    The PC is an HP desktop running Windows XP SP3 and it was protected by Windows Defender and the free version of Zone Alarm. Internet connection is a wired connection to a BT Home Hub 1.0. It has worked perfectly for 2 years.

    Two months ago I received an email from BT saying that we'd exceeded our 10GB monthly download limit which I knew was not me. I suspected someone had hacked the BT Hub and was using our wireless connection. This was possible as it was using WEP which I've read can be hacked using brute-force!?

    I then got a virus/malware which created loads of pop-ups in IE8 and kept re-directing the browser to dodgy sites. Google was affected too - it produced different results from the same search and the hyperlinks in the results didn't go to the right site. A full system scan by ZoneAlarm and Windows Defender reported nothing. Tried running MalwareBytes - it too found nothing.

    Rather than downloading lots of free tools and risk making the situation worse I decided to archive all my files from the desktop PC to external disk and do a full re-install of Windows. I read up on securing the BT Home Hub and have disabled the wireless capability, switched from WEP to WPA2 and created a strong password so hopefully nobody can hack into the Hub now.

    I also purchased and installed ZoneAlarm Extreme Security for £30. The only other software I installed on the new clean build was MS Office 2003 from my external disk. After doing a Windows Update and installing approx 100 updates everything seemed fine. A couple of weeks later the same thing happened.

    Rebuilt again, same thing happened.

    I've now rebuilt the PC 4 times and each time it seems OK for a week and then odd things start happening. Last night I tried to send an email from my hotmail account and it froze. Tried navigating away from the page and got a pop-up message:

    ----------------------------
    Windows Internet Explorer
    ----------------------------
    Are you sure you want to navigate away from this page? Can you wait a little longer? If you leave before your connexion is restored, the last action you took might not happen.
    Press OK to continue or Cancel to stay on the current page.
    [OK][Cancel]

    Note the mis-spelling of 'connection' with an 'x' instead of a 't' in the popup.

    Alarm bells started ringing again. I killed the iexplore.exe process in Task Manager and from that point on we lost all internet access and the PC wouldn't recognise the BT Home Hub.

    Clearly there is something malicious working away in the background in IE and I'm worried that our activity is being monitored by a hacker. I've checked the IE settings and all seems fine - no dodgy looking add-ins and the security level looks OK.

    What I can't understand is how these viruses/malware/trojans or whatever are getting onto my PC? It is connected to the internet over a wired connection with ZoneAlarm acting as the Firewall. I update the ZoneAlarm definitions daily and carry out a deep scan every day and it always reports no problems. I also perform a Windows update daily and keep the PC disconnected from the internet when not in use. I've installed no software apart from MS Office. How can it keep getting infected? Could it be that the external disk is infected and the install of MS Office is installing some kind of malware each time?

    If so, how do I get rid of it? I've carried out a ZoneAlarm full scan of the external disk and it reports nothing. It's driving me mad and I'm actually starting to lose sleep over this now as I need the PC for work.

    I've now purchased Norton Internet Security 2012 and I'm in the process of rebuilding the PC again.

    Can anybody please advise what I can do to stop this happening? Any advice greatly appreciated.

    Many thanks in advance.
    Mike

  2. #2 stroyal
    First, stop buying stuff.

    Norton is just a waste of more money.

    You should never run 2 virus programs at the same time.
    Norton security, if you are scanning with Zone alarm, you must have their virus scanner, as well as defender.

    Pick 1.
    All you need is Avast Free, or Microsoft Security Essentials.

    You will never find anyone that knows anything about computers, saying pay versions are better.
    They have more bells and whistles, they don't find viruses or malware any better.
    Some down right suck, like Norton.

    All your scans should have been done in safe mode, with system restore turned off.
    By "rebuild", I assume, you mean reinstall.

    How did you reinstall?
    Did you format?
    Did you use any kind of a restore program?


    I did read about a new and so far rare virus, that infects the boot sector, and can't be removed with a regular format.
    There is also a type of malware that uses your computer for illicit distributed computing, also rare.

    I would start with 1 Virus program, probably AVAST FREE, because it has boot time scan, and that is better than safe mode.
    avast! Free Antivirus - Download Software for Virus Protection
    Then Super Anti Spyware, in safe mode.
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    I would say any of your backed-up files that you scan with a separate computer would be safe, as they can't use Windows to hide.

    Don't forget to shut off "System Restore" till this is sorted.


    Another option Is a scan with a Linux program.
    The virus would not be able to hide from Linux, as it wasn't written for it.

    Avira AntiVir Rescue System - Download


    Another tool is rkill, that is supposed to stop any running virus/malware that is stopping scans from working.
    RKill - Free software downloads and software reviews - CNET Download.com


    Here is a "common spyware solutions" post
    Common Spyware Solutions

  3. #3 JPMiller
    My first guess is something is re-infecting you from the external hard drive.
    Use Malwarebytes and $uperAntispyware to scan the external drive and use Microsoft Security Essentials as your main Antivirus/Antispyware...

  4. #4 bigBonehead
    "...All your scans should have been done in safe mode, with system restore turned off..."

    This ^ step is The Most Important one of all... I've dealt with enough Spy/mal-ware
    issues on mine and others computers where the nastiest junk just hides in the 'Restore' image...


  6. #6 paul9
    The default passwords to access the BT Homehubs (at least the older Homehubs) are VERY insecure. Default key algorithm in Thomson and BT Home Hub routers | GNUCITIZEN
    I do well with Malwarebytes and Avast. One of your other problems could be that you seem to use IE8.
    Try using Opera, Chrome or Firefox as your main browser from now on.
    The external hard drive should be scanned. Try the trial version of The Cleaner from MooSoft Development
    This program specialises in trojan and rootkit detection.

  7. #7 RicheemxX (Moderator)
    Aside from what everyone else has mentioned I want to say Windows Defender is ok, but relying on Zone Alarm for some form of protection isn't. It's a software-based firewall which should report any outbound connections but it doesn't act as an antivirus or malware protection. It really only helps to tell you that something bad is trying to connect to the net.

    Secondly, as everyone else has mentioned you should do full scans of everything attached to your computer. It could be something hidden on your external drive, a flash drive or even an old dvd/cd.

    Third, are you using legit software?? I've run into many cases of people using "downloads" that aren't legit and they find out the hard way that someone attached malicious files to the installer.
    Last edited by RicheemxX; January 12th, 2012 at 12:46 AM.

  8. #8 JPMiller
    Quote Originally Posted by bigBonehead View Post
    "...All your scans should have been done in safe mode, with system restore turned off..."

    This ^ step is The Most Important one of all... I've dealt with enough Spy/mal-ware
    issues on mine and others computers where the nastiest junk just hides in the 'Restore' image...

    While completely true,... the trouble is, that doesn't apply to his issue...
    He's saying he's reinfected after a full re-install

  9. #9 nemowolf
    Quote Originally Posted by JPMiller View Post
    While completely true,... the trouble is, that doesn't apply to his issue...
    He's saying he's reinfected after a full re-install
    I don't recall but does the plugandplay service start in safe mode so he can scan the external drive?


  10. #10 JLK03F150
    Flash drives work in safe mode, so I assume the usb hdd will work too.

    I've now rebuilt the PC 4 times
    What exactly do you mean by this? If I'm doing a windows reinstall because of a virus I always delete the primary partition then create a new primary partition, then full (not quick) format the hdd.

  11. #11 Chuckiechan
    Let's go about fixing...

    Step one: Scan with Ad-Aware Free:

    Get Ad-Aware Pro for Free with Lavasoft and TrialPay

    NOTE: Read carefully. As you know everyone nowadays is trying to trick you into pressing a button for a download you don't want. Just keep slashing through the BS. The Free one is in there somewhere.

    Once this is installed and updated, boot your computer into safe mode and run a full scan. And while you are in there make sure your XP firewall is turned on.

    Someone else can supply the path. I'm running Win 7.

  12. #12 Ultimate Member
    BT Home Hub - Wikipedia, the free encyclopedia

    Security>>"The device has also been known to 'kick' users off the internet if too much data is downloaded in a certain timeframe"

    the best thing the OP can do is ditch this router and get a better one

    ie: dir-655 by d-link or better

    btw I agree with the above posts [for what it's worth]

  13. #13 bigBonehead
    Quote Originally Posted by JPMiller View Post
    While completely true,... the trouble is, that doesn't apply to his issue...
    He's saying he's reinfected after a full re-install
    Under normal circumstances, when doing a clean re-install on one HD,
    I would agree... but since the SR saves its content on each HD monitored, I stand by my original opinion...

  14. #14 jogo00062
    when you reinstall windows, make sure you also wipe all of your storage including any external hard drives. It could possibly be a BIOS rootkit (BIOS is sort of like the operating system that your motherboard has that allows it to boot the operating system that you use). BIOS rootkits can't be dealt with by reformatting, you'll have to reflash your BIOS (get a professional for this, it's risky for anybody who isn't an avid PC builder) but I highly doubt that's it because those are pretty rare.

    I've never seen a virus that can't be dealt with through Malwarebytes' free antimalware, combofix and Microsoft security essentials.

    NEVER BUY ANTI VIRUS PROGRAMS, remove all of the antiviruses you have, then use microsoft security essentials. just google it and get it from the microsoft download site.

    also, don't bother with IE because it's very insecure. the only thing internet explorer is good for is downloading firefox

  15. #15 nemowolf
    Quote Originally Posted by jogo00062 View Post
    when you reinstall windows, make sure you also wipe all of your storage including any external hard drives. It could possibly be a BIOS rootkit (BIOS is sort of like the operating system that your motherboard has that allows it to boot the operating system that you use). BIOS rootkits can't be dealt with by reformatting, you'll have to reflash your BIOS (get a professional for this, it's risky for anybody who isn't an avid PC builder) but I highly doubt that's it because those are pretty rare.

    I've never seen a virus that can't be dealt with through Malwarebytes' free antimalware, combofix and Microsoft security essentials.

    NEVER BUY ANTI VIRUS PROGRAMS, remove all of the antiviruses you have, then use microsoft security essentials. just google it and get it from the microsoft download site.

    also, don't bother with IE because it's very insecure. the only thing internet explorer is good for is downloading firefox
    While I agree that no one should pay for anti-virus ... there isn't anything insecure about IE that can't be said for FireFox. Every year some blackhat manages to break both browsers at the hack-a-thon. This is a matter of opinion at this point and you're not giving factual information backing it.

    Use the browser of choice.

    That said. I choose FireFox for the selection of plugins direct from them and I like their new version cycle. The constant changing of the game should keep "hackers" on their toes more so than on a stale build that hasn't changed in a year. This in mind, if you're not one to update your browser, maybe sticking with IE and updating to the newest one every year or so when they release is a good thing. Remember to turn on Windows Update and keep your anti-virus updated.

    Cheers.


  16. #16 Junior Member (original poster, Mike)
    Quote Originally Posted by JLK03F150 View Post
    Flash drives work in safe mode, so I assume the usb hdd will work too.


    What exactly do you mean by this? If I'm doing a windows reinstall because of a virus I always delete the primary partition then create a new primary partition, then full (not quick) format the hdd.
    When re-installing I delete the primary partition that contains Windows but leave the recovery partition which is named HP_RECOVERY. Is this the right thing to do? Also I do a quick format rather than full.

  17. #17 Junior Member (original poster, Mike)

    Update on infection - progress made

    Thanks for all the advice - very helpful.

    I've made a number of changes to help secure the PC...

    - Ditched ZoneAlarm (and got my money refunded!)
    - Installed Norton Internet Security 2012. Update daily and run full system scan.
    - Always login as a normal user rather than a user with admin rights.
    - Use Firefox with the NoScript add-in. Only use IE for windows updates.
    - Replaced the hosts file with the one from the winhelp2002 web site - this blocks 15,000 known threats
    - Changed the admin password on the BT Home Hub.
    - Disabled wireless on the Home Hub.
    - Generally keep the PC off the web when not in use.

    In terms of cleaning the PC I've done the following:
    - Ran CCleaner - no problems found.
    - Ran BitDefender - no problems found.

    As advised in this forum I downloaded SuperAntiSpyware, Malwarebytes and Ad-aware, switched off System Restore and re-booted in safe mode. Checked the local disk - no problems.

    Checked the external hard disk (which Windows detected ok in safe mode) and found the following:

    - MalwareBytes found no threats

    - SuperAntiSpyware found 12 infections of Trojan.Agent/Gen-MSFake. It was detected in a number of programs I've created using MS Visual Studio and in the system restore - see attached screenshot. I clicked [Remove Threats] and all 12 threats were successfully removed. Ran another full scan and no problems found.

    - Norton found 16 problems that it couldn't resolve. It found 8 infections of WS.Trojan.H. It claims the infections are inside zip files that are contained inside other zip files - see two examples below. Norton recommended that the files are deleted which I did as I no longer need them.

    -----------------------------------------------------------------------------
    WS.Trojan.H
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Remove Failed
    -----------
    1 File
    [Batcher.exe] inside of [Utils.zip] inside of [f:\archive\dev.zip] - Infected
    -----------------------------------------------------------------------------
    WS.Trojan.H
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Remove Failed
    -----------
    1 File
    [Batcher.exe] inside of [Training.zip] inside of [f:\archive\dev.zip] - Infected
    -----------------------------------------------------------------------------

    Norton also found 6 infections of a Heuristic Virus (example below). This is software I no longer need so again I followed the recommendation and allowed Norton to delete the files.

    Risks in compressed file "setup.msi"
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Not Attempted
    -----------
    1 File
    [f:\Project1\release\setup.msi] - Not Attempted




    These are a bit more worrying - some on the external disk (F:\), some on the PC (D:\)

    -----------------------------------------------------------------------------
    Risks in compressed file "IEAK4.CAB"
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Not Attempted
    -----------
    1 File
    [f:\downloads\microsoft\visual basic 6\vb6\ie4\ieak4.cab] - Not Attempted
    ----------------------------------------------------------------------------
    Risks in compressed file "PR308246.CAB"
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Not Attempted
    -----------
    1 File
    [f:\downloads\microsoft\office\office 2003 sp1\pr308246.cab] - Not Attempted
    -----------------------------------------------------------------------------
    Risks in compressed file "applemobiledevicesupport.msi"
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Not Attempted
    -----------
    1 File
    [d:\documents and settings\all users\application data\apple\installer cache\apple mobile device support 4.0.0.97\applemobiledevicesupport.msi] - Not Attempted
    -----------------------------------------------------------------------------
    Risks in compressed file "PR308246.CAB"
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Not Attempted
    -----------
    1 File
    [d:\msocache\all users\90000409-6000-11d3-8cfe-0150048383c9\pr308246.cab] - Not Attempted
    -----------------------------------------------------------------------------
    Risks in compressed file "c5bd78.msi"
    Type: Compressed
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Heuristic Virus
    Status: Not Attempted
    -----------
    1 File
    [d:\windows\installer\c5bd78.msi] - Not Attempted
    -----------------------------------------------------------------------------

    Are these likely to be genuine viruses or could they be false positives? How can I tell? Can anyone advise me what my next move should be?

    I've read all of the replies to my posting and several people are recommending I use Avast Free and Microsoft Security Essentials. Is it really best to ditch Norton and go with Avast?

    Also, is it worth downloading combofix and MooSoft Cleaner to get a second opinion on the five remaining problem files? Or is there a better way to go?

    Any help much appreciated.

    Many thanks
    [Attached screenshot: Infected PC - Rebuild failed to resolve-trojan-no-paths.jpg]
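The post above replaces the Windows hosts file with the winhelp2002 (MVPS) block list, which works by pinning unwanted hostnames to 0.0.0.0. The same file is also a favourite target for malware: redirecting an update or antivirus vendor's hostname to an attacker address, or blackholing it at 127.0.0.1, is a classic way to keep a machine from getting fixes. The script below is an added example, not code from the thread or from the MVPS project; it parses a hosts file in that format, answers "would this name be blocked?" (exact match only, since the hosts file has no wildcards), and flags entries touching a watch-list of vendor domains. The watch-list, the sample hosts text and the two hijack lines in it are constructed for the example; the file path is the standard XP location.

```python
"""Audit a Windows hosts file: what it blocks, and whether it has been tampered with.

Added example, not from the forum thread. Run with no arguments to audit the
constructed sample, or pass the path of a real hosts file.
"""
import sys

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # default location on XP

# Domains a block list should never touch; malware rewrites these to stop updates.
# Assumed watch-list for the example; extend it with whatever you rely on.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                  "norton.com", "malwarebytes.org", "avast.com", "google.com")

# Addresses that make a lookup go nowhere (what a block list legitimately uses).
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample, not a real MVPS file: normal block lines plus two hijacks.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from ...
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.adtrack.example    # constructed entry
0.0.0.0 banner.evil.example
   # comment and blank lines must be ignored

198.51.100.7 windowsupdate.microsoft.com   # hijack: update site -> attacker IP
127.0.0.1 liveupdate.symantec.com          # hijack: AV updates blackholed
"""


def parse_hosts(text):
    """Return {hostname: [ip, ...]} for every mapping, ignoring comments and blanks."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # malformed line, nothing to map
        ip, names = parts[0], parts[1:]          # one address, one or more names
        for name in names:
            mappings.setdefault(name.lower().rstrip("."), []).append(ip)
    return mappings


def is_blocked(mappings, hostname):
    """True if hostname resolves only to a sink address.

    Matching is exact and case-insensitive: listing ad.example does not cover
    sub.ad.example, which is why these lists run to thousands of lines.
    """
    name = hostname.lower().rstrip(".")
    if name == "localhost":
        return False                             # 127.0.0.1 is where it belongs
    ips = mappings.get(name)
    return bool(ips) and all(ip in LOCAL_SINKS for ip in ips)


def find_hijacks(mappings, watch=WATCH_SUFFIXES):
    """Entries that pin a watched vendor domain anywhere: blackholed or redirected."""
    findings = []
    for name, ips in mappings.items():
        if not any(name == s or name.endswith("." + s) for s in watch):
            continue
        for ip in ips:
            reason = "blackholed" if ip in LOCAL_SINKS else "redirected to " + ip
            findings.append((name, ip, reason))
    return findings


def audit(text):
    """Summary used by the command-line entry point and the checks below."""
    mappings = parse_hosts(text)
    return {"entries": sum(len(v) for v in mappings.values()),
            "hijacks": find_hijacks(mappings)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = audit(text)
    print("%d mappings" % result["entries"])
    for name, ip, reason in result["hijacks"]:
        print("SUSPICIOUS: %s -> %s (%s)" % (name, ip, reason))
```

On a machine that keeps getting "re-infected", running this against the live file (note that malware sometimes marks the file read-only or hidden, so check attributes as well) is a quick way to tell whether the block list is doing its job or has been turned against you.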

  18. #18 GroundZero3
    Is the stuff you have archive pirated material? (ie anything you have downloaded off the internet from some kind of share site/application)

    I'm assuming the .cab files are for the installation of Windows software such as Office. Perhaps you should start there.....

  19. #19 Junior Member (original poster, Mike)
    Quote Originally Posted by GroundZero3 View Post
    Is the stuff you have archive pirated material? (ie anything you have downloaded off the internet from some kind of share site/application)

    I'm assuming the .cab files are for the installation of Windows software such as Office. Perhaps you should start there.....
    All copies of genuine Microsoft CDs. No pirated copies and nothing downloaded from the internet (apart from Windows XP SP3 as my CD only contains Windows XP SP2) but it was downloaded as part of a Windows Update so I guess this is safe.
    Not sure what you mean by "Perhaps you should start there"???

  20. #20 GroundZero3
    These are images you made yourself? Usually those types of infections you have there inside cab files (if not false positives) are stuff people throw in to infect a pirated copy of software. Either way you may want to just create your software installation images and get rid of that drive. I agree with everyone else that your portable drive is the issue when it comes to reinfection.
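The thread ends with the real question still open: are the "WS.Trojan.H" hits reported as "[Batcher.exe] inside of [Utils.zip] inside of [f:\archive\dev.zip]" real, or heuristic noise? One AV verdict on a file buried two archives deep tells you little; what a practitioner wants is the exact inner file and its hash, so it can be compared against a second opinion (a different scanner, or a hash lookup on a multi-engine service). The script below is an added example, not code from the thread or from any AV vendor. It walks a zip recursively in memory, hashes every member, reports the ones that are executables (a PE "MZ" header or an executable extension), and prints the location in the same "inside of" style as the Norton report. It also caps nesting depth and total decompressed size so a zip bomb cannot take the analysis box down. The sample archive it builds (dev.zip holding Utils.zip and Training.zip, each with a fake Batcher.exe) is constructed to mirror the report; the "PE" inside it is a stub, not a program.

```python
"""Triage nested zip archives: locate and hash every executable member.

Added example, not from the forum thread. Run stand-alone to triage the
constructed sample, or pass the path of a real archive.
"""
import hashlib
import io
import sys
import zipfile

EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".vbs", ".js")
MAX_DEPTH = 8                      # archives nested deeper than this are refused
MAX_TOTAL = 200 * 1024 * 1024      # stop after 200 MiB of declared decompressed data


def walk_zip(data, chain, depth=0, budget=None):
    """Yield (chain, size, sha256, is_exec) for every file inside zip bytes `data`.

    `chain` is the list of container names from the outermost archive inwards.
    Nested zips are descended into; self-extracting executables (MZ header with
    an appended zip) are reported as the executables they are, not descended.
    """
    if budget is None:
        budget = [MAX_TOTAL]
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep: %s" % " > ".join(chain))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            budget[0] -= info.file_size            # declared size, checked before reading
            if budget[0] < 0:
                raise ValueError("decompressed size cap exceeded at %s" % info.filename)
            blob = zf.read(info)
            member = chain + [info.filename]
            is_pe = blob[:2] == b"MZ"
            if not is_pe and zipfile.is_zipfile(io.BytesIO(blob)):
                yield from walk_zip(blob, member, depth + 1, budget)
                continue
            is_exec = is_pe or info.filename.lower().endswith(EXEC_EXT)
            yield (member, len(blob), hashlib.sha256(blob).hexdigest(), is_exec)


def executables_in(data, top_name):
    """[(Norton-style location, size, sha256)] for every executable member."""
    out = []
    for chain, size, digest, is_exec in walk_zip(data, [top_name]):
        if is_exec:
            location = " inside of ".join("[%s]" % c for c in reversed(chain))
            out.append((location, size, digest))
    return out


def _zip_bytes(members):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed dev.zip mirroring the report: two inner zips, same Batcher.exe."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40   # stub, not runnable
    utils = _zip_bytes({"Batcher.exe": fake_pe, "notes.txt": b"build notes\n"})
    training = _zip_bytes({"Batcher.exe": fake_pe, "readme.txt": b"course material\n"})
    return _zip_bytes({"Utils.zip": utils, "Training.zip": training})


def nest_zip(levels, payload=b"x"):
    """Constructed zip-inside-zip chain `levels` deep, to exercise the depth cap."""
    data = payload
    for i in range(levels):
        data = _zip_bytes({("layer%d.zip" % i) if i else "payload.bin": data})
    return data


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data, name = fh.read(), sys.argv[1]
    else:
        data, name = build_sample(), "dev.zip"
    for location, size, digest in executables_in(data, name):
        print("%s  %d bytes  sha256=%s" % (location, size, digest))
```

Two things the output makes visible that a single "Infected" line does not. First, identical hashes in Utils.zip and Training.zip mean one file copied into two places, which is consistent with a developer's own build artefact as much as with malware; the hash is what you look up or submit for a second opinion. Second, the .cab and .msi entries in the report are not zips and this script will not open them; for those the useful check is the Authenticode signature, since the service-pack cabinets and installers Microsoft ships are normally signed (for example `signtool verify /pa file.cab`, or `Get-AuthenticodeSignature` in PowerShell). A valid Microsoft signature on a file that only a heuristic flagged, with status "Not Attempted", is strong evidence of a false positive; a missing or broken signature is not.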

Copyright 2014 All Enthusiast, Inc