need a little help


JewishIntent
April 15th, 2006, 04:08 PM
OK, normally I would try and do this on my own, but everything keeps shutting down/crashing too often to get any good results.

A roommate thinks there is a 'shell' being loaded on startup on my PC. My desktop icons regularly flash and refresh. Explorer won't stay open. HouseCall won't run. None of my AV/malware detectors stay open long enough to finish a scan.

Running XP Pro SP2, fully updated.

When I look at my system performance my CPU is always at 100% and my page file is over 500 MB.

My page file settings are max and min set at 256 MB.

Also, on startup there is something running, not sure if bad or not, I just don't recognize it, called geols31.exe.

I wish I could try and give more info, but nothing wants to stay open or run, as I said, even in safe mode as admin.

If anyone can point me in the right direction to get more info for you guys, please tell me what to do.

JewishIntent
April 15th, 2006, 04:15 PM
OK, as soon as I posted this I actually got Ewido to run a scan. This is what it says it was able to clean from backup. Not sure if the backups it used are corrupt or not, so maybe this will help.

All of these were found in C:\system volume information\_restore ...

Backdoor.PPdoor.bc - found multiple times in that directory
Adware.Virtumonde - ditto
Downloader.CWS.cs - only one instance found
Trojane.iespy - only one found
Trojan.Agent.fd - again only one

The ones listed below were found in my \windows\system32 directory:
Adware.Virtumonde - again multiple times
Backdoor.PPdoor.al - only one found with the .al
Backdoor.PPdoor.bc - multiple found with the .bc

Didn't realize I could export Ewido scan results as a text file; doing so now.

dalek
April 15th, 2006, 04:28 PM
Yeah

I would say you need to disable your system restore...How to Info (http://www.kellys-korner-xp.com/xp_restore.htm) then go back into safe mode and run your scans again, and clean them out, then reboot into normal, this should flush your old system restore points.

Most of these System Restore points are created by the user downloading and installing programs, so when malware is downloaded via a browser hijack, it becomes part of the system restore point, and each time you boot up they can be reactivated, or if you try to do a system restore to an earlier date.

Do a couple of online scans in Safe Mode with networking from Trend Micro and Panda...also you may want to get Stinger (http://vil.nai.com/vil/stinger/) from McAfee...

ZT3000
April 15th, 2006, 04:43 PM
Your solution lies in buying a USB external enclosure for your hard drive.
Remove the hard drive, set the drive jumpers as Master, put the drive in the enclosure, and plug the USB enclosure into a known UNINFECTED system. You should be able to access the drive as another drive letter now, say D: or E:

Now run a checkdisk. If time permits, I would run a surface scan in conjunction with the checkdisk.

Then perform your antivirus scans and spyware scans on the drive.

On the external drive only, remove the following files/folders:

1) Pagefile.sys
2) Remove all files from \windows\prefetch
3) Remove all files/folders from \documents and settings\username\local settings\temp
4) Remove all files and folders from \documents and settings\username\local settings\temporary internet files\content.IE5
5) Remove the file C:\Documents and Settings\PCPro\Local Settings\Application Data\IconCache.db

After you've done all that, take the drive out, reinsert it in the computer and reboot to SafeMode by pressing F8 repeatedly (once a second) until you get a menu. Choose SafeMode with networking. Don't press the F5 key as that is NOT what I want.

While booting you will eventually see some graphic page (not the desktop yet), either saying "Loading SafeMode" or "Windows XP" or whatever. As long as you see some sort of graphic page (ANY graphic page), hold down the shift key until the desktop is fully loaded. Doing this prevents certain programs from autoloading on bootup.

While in SafeMode, are things working somewhat?

If so, shutdown normally and bootup to Standard mode, but again, press and hold the shift key until the desktop is fully loaded.

Is it working?

If so, get on the internet and download a program called "CodeStuff Starter". It's FREE and will allow you to uncheck those programs you don't want loading on startup. It's better than most of its competitors.

[Edit: Since I posted this, some other posts intervened saying Remove your restore points. I can agree with that too.]
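The offline clean-up steps 1) to 5) above, as an added example that is not ZT3000's or the thread's own code. It assumes the slaved drive shows up on the clean machine under a letter such as E: (constructed), keeps the XP "Documents and Settings" layout the post describes, and generalizes the post slightly by handling every profile folder on the drive rather than only the one user named in step 5. Run it with -WhatIf first to see what would be deleted.

```powershell
# Added example (not from the thread): delete the five locations listed in the
# post on an XP drive that has been slaved into a clean machine.
# Assumes Windows PowerShell 5.1 and that the slaved drive is, e.g., E: (constructed).
function Clear-OfflineXpCaches {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Drive          # e.g. 'E:' (assumed letter of the slaved drive)
    )
    $root = $Drive.TrimEnd('\')
    if (-not (Test-Path -LiteralPath "$root\Windows")) {
        throw "No \Windows folder under $root; wrong drive letter?"
    }

    # Helper: full paths of a folder's contents, or nothing if it does not exist.
    function Get-Contents([string]$Path) {
        if (Test-Path -LiteralPath $Path) {
            Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
                ForEach-Object FullName
        }
    }

    $targets = @()
    $targets += "$root\pagefile.sys"                                                  # 1) page file
    $targets += Get-Contents "$root\Windows\Prefetch"                                 # 2) prefetch
    $profileRoot = "$root\Documents and Settings"                                     # XP profile layout
    foreach ($p in Get-ChildItem -LiteralPath $profileRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $ls = Join-Path $p.FullName 'Local Settings'
        $targets += Get-Contents (Join-Path $ls 'Temp')                               # 3) temp files
        $targets += Get-Contents (Join-Path $ls 'Temporary Internet Files\Content.IE5') # 4) IE cache
        $targets += Join-Path $ls 'Application Data\IconCache.db'                     # 5) icon cache
    }

    $removed = 0
    foreach ($t in ($targets | Where-Object { $_ })) {   # drop nulls left by empty folders
        if (-not (Test-Path -LiteralPath $t)) { continue }
        if ($PSCmdlet.ShouldProcess($t, 'Remove')) {
            Remove-Item -LiteralPath $t -Recurse -Force -ErrorAction Continue
            $removed++
        }
    }
    return $removed      # number of files/folders removed
}

# Dry run first to see what would be deleted, then run it for real:
# Clear-OfflineXpCaches -Drive 'E:' -WhatIf
# Clear-OfflineXpCaches -Drive 'E:'
```

The function only ever touches paths under the drive letter you pass it, which is the point of doing this on a slaved drive: nothing on the clean host is in scope, and the page file and caches on the infected disk cannot be locked by a running process.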

qwertyman66
April 15th, 2006, 06:11 PM
If you can't slave the drive to clean it for some reason, maybe look at BartPE (http://www.nu2.nu/pebuilder/). You can run windows based Anti Malware stuff from it. Just DL the creator and add the modules that you want. You can make your own modules quite easily for it. I believe it already has Adaware modules already (although you will need to update defs). Only downside to this is that you need a PC to burn the .iso on.

Edit: Forgot to mention, a nice little scanner that I quite like is Sysclean from Trend Micro (http://www.trendmicro.com/download/dcs.asp)

The Texan
April 15th, 2006, 08:11 PM
See if you can run a HijackThis scan, and do as suggested above and get into safe mode to run your other AV/spyware scans.

brokencrow
April 15th, 2006, 09:45 PM
That Backdoor.PPdoor chit's nasty. Gonna be tough getting that out.

http://forums.spywareinfo.com/index.php?showtopic=72965

Symantec's got a VirtuMonde removal tool.

http://www.symantec.com/avcenter/venc/data/adware.virtumonde.html

Sounds like you've been using Internet Explorer. That's how this stuff's gettin' in. FWIW.

xierox
April 16th, 2006, 10:11 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274884#post897887) by brokencrow
Sounds like you've been using Internet Explorer. That's how this stuff's gettin' in. FWIW.
You mean a poorly configured Internet Explorer. :) Firefox has also had more than its share of security vulnerabilities. There just aren't many working exploits because the user base is still smallish.

Run your browser under a different user account that only has read/write permissions to the cache folder and read permissions to the browser's home directory. If you need to save files, create a special folder that the user can only read/write to. Deny "Login over Network" for this user account under the Local Group Policy Settings.

- X

brokencrow
April 16th, 2006, 01:30 PM
No, I meant what I said. Internet Explorer, poorly configured or not.

Firefox has also had more than its share of security vulnerabilities. There just aren't many working exploits because the user base is still smallish.

All software has its vulnerabilities, including Firefox. It's the vulnerabilities it doesn't have, ActiveX and embedding, that make it much safer. Of course, you can download the ActiveX plug-in for Firefox, but I don't reco' it. And there's no doing away with Explorer's kernel status. Hack IE and you can get into the kernel. Hack Firefox and where are you?

Just curious, anybody have a browser hijack for Firefox yet?

Galiath
April 16th, 2006, 03:46 PM
I notice he still hasn't responded to this post to say how he's doing.

Well, since he's running XP, if you haven't been able to do your scans yet, or don't have another computer, as most of these suggestions require:

Reboot in safe mode, through F8. Next, I believe you can clear your restore points here, which is:
right click My Computer > Properties > System Restore tab. Turn off System Restore on all drives (if you have more than one you often have to do it on each).

Next go to Start>Run
type in MSCONFIG
go to the Startup tab and disable anything that looks suspicious (if you're unsure you can always come back and fix this, unlike HijackThis's run list)
Run a few of your utilities, reboot in normal mode, run them again.

This will allow you to at least have some usability of your computer, and you should be able to do your diagnostics.

Post a HijackThis scan if you're unsure of what to disable; also, if you're unsure of any of the utilities starting up under MSCONFIG, enter those as well.

(Yes, I know there are better utilities than MSCONFIG, but how often can you get to them without already having them, or having an internet connection that actually RUNS?)

Galiath
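The MSCONFIG startup review above, as an added example that is not Galiath's or the thread's own code: it lists the Run/RunOnce keys and the Startup folders, resolves each entry to its executable, and flags anything not on a known-good list, so an unfamiliar name like the geols31.exe from the first post stands out with its signature status and hash for looking up. It assumes Windows PowerShell 5.1; the known-good list is a constructed placeholder.

```powershell
# Added example (not from the thread): report autostart entries and flag the
# ones that need a look. Assumes Windows PowerShell 5.1.
$KnownGood = @('explorer.exe', 'ctfmon.exe')    # constructed placeholder; extend for your build

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandPath {
    # Pull the executable out of a Run-key command line: honour a quoted path,
    # otherwise take the first whitespace-delimited token (an unquoted path with
    # spaces will be truncated, so review those entries by hand).
    param([string]$Command)
    $c = $Command.Trim()
    if ($c -eq '') { return '' }
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $exe = ($c -split '\s+')[0]
    if (-not (Test-Path -LiteralPath $exe)) {
        # Bare names such as rundll32.exe: resolve through PATH as the loader would.
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
    }
    return $exe
}

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not a value
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user and all-users Startup folders (shortcuts are reported as-is).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-AutostartReport {
    Get-AutostartEntry | ForEach-Object {
        $exe    = Resolve-CommandPath $_.Command
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'MISSING' }
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
        $leaf   = [IO.Path]::GetFileName($exe)
        [pscustomobject]@{
            NeedsReview = ($KnownGood -notcontains $leaf)   # unknown name: look it up
            Name        = $_.Name
            Exe         = $exe
            Signature   = $sig
            SHA256      = $hash
            Source      = $_.Source
        }
    } | Sort-Object NeedsReview -Descending
}

Get-AutostartReport | Format-Table -AutoSize
```

Like MSCONFIG, this only reads; disabling an entry is still a manual decision. The advantage over the MSCONFIG list is that each row carries the resolved path, whether the file is signed, and a hash you can check against a vendor's database before deciding what to untick.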

xierox
April 16th, 2006, 09:16 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274884#post897954) by brokencrow
No, I meant what I said. Internet Explorer, poorly configured or not.

All software has its vulnerabilities, including Firefox. It's the vulnerabilities it doesn't have, ActiveX and embedding, that make it much safer. Of course, you can download the ActiveX plug-in for Firefox, but I don't reco' it. And there's no doing away with Explorer's kernel status. Hack IE and you can get into the kernel. Hack Firefox and where are you?

Just curious, anybody have a browser hijack for Firefox yet?
If you're concerned about ActiveX vulnerabilities, why not just remove the ability to run ActiveX controls altogether?

Start -> Run -> MMC -> Add the Local Group Policy Editor -> Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Page -> Security Page -> Lockdown Local Machine Zone. (This does assume you're not running as Admin or else this would hardly be effective. Since running as Admin is foolish, I think this is a safe assumption.)

As to "embedding", I don't know what it is. Could you please elaborate?

- X

ZT3000
April 16th, 2006, 09:40 PM
Come on guys....!
:o

Read what he says on the first post:

but nothing wants to stay open or run as i said even in safe mode as admin.

AND

My desktop icons regularly flash and refresh. Explorer wont stay open. House Call won't run.

If it was as simple as booting into safe mode and turning stuff off, it would have been addressed.

LOL.

Anyways, I further read he got *something* to finally work. Who knows the final outcome, as someone mentioned he hasn't been back since.

:confused:

ZT3000
April 16th, 2006, 09:45 PM
And allow me an additional solution:

Find some nice ol' chap who might allow you to add your harddrive as a slave device to their computer, if you cannot or don't want to buy an external enclosure. Then perform the steps I gave you.

Galiath
April 16th, 2006, 10:03 PM
I find simple USB to IDE and USB to SATA cables are always nice to have. Also, they're normally cheaper than an enclosure.

brokencrow
April 18th, 2006, 02:56 AM
...why not just remove the ability to run ActiveX controls altogether?

I've relegated IE to an antivirus app (http://www.antionline.com/showthread.php?threadid=274639&perpage=10&pagenumber=1). How would I scan my hdd for viruses then? :)

xierox
April 18th, 2006, 09:44 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274884#post898121) by brokencrow
I've relegated IE to an antivirus app (http://www.antionline.com/showthread.php?threadid=274639&perpage=10&pagenumber=1). How would I scan my hdd for viruses then? :)
Why not disallow all ActiveX from any site not in your Trusted Zones list?

- X

brokencrow
April 18th, 2006, 12:24 PM
Too much work. It's a lot easier installing Opera and Firefox, then using those as my primary browsers. Been using Opera since '98.

ZT3000
April 18th, 2006, 01:35 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274884#post898121) by brokencrow
I've relegated IE to an antivirus app (http://www.antionline.com/showthread.php?threadid=274639&perpage=10&pagenumber=1). How would I scan my hdd for viruses then? :)

Easy.

Trend Micro's online scan offers two methods of scanning, both found on the same download screen. They offer browser-based ActiveX or JavaScript, your choice.

Panda has since changed their online scan to a "scan but no clean" policy. Instead they encourage you to purchase their program to remove found malware.

xierox
April 19th, 2006, 05:12 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274884#post898142) by brokencrow
Too much work. It's a lot easier installing Opera and Firefox, then using those as my primary browsers. Been using Opera since '98.
Then you have no right claiming that Internet Explorer is insecure if it's only because you won't take the time to set some settings.

- X

morganlefay
April 19th, 2006, 05:43 PM
Excellent point xierox

Any OS or browser not properly configured\setup\maintained is insecure

MLF

brokencrow
April 19th, 2006, 06:46 PM
I prefer Panda, I think it's a more thorough scan. And I couldn't care less about an online scan cleaning anything. I prefer manual removal. Thanks for the heads up on Trend's Java scan. That's good to know.

Any OS or browser not properly configured\setup\maintained is insecure

Tell that to Microsoft...

morganlefay
April 19th, 2006, 07:08 PM
I am sorry...

You are saying MS is the only one that releases patches/updates to their software?

Or am I misunderstanding what you are saying :rolleyes:

MLF

xierox
April 19th, 2006, 08:51 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274884#post898352) by brokencrow
Tell that to Microsoft...
Right. While I do that, you tell that to The Mozilla Foundation, Netscape, Apple, the makers of GNOME and KDE, Konqueror, and Linus.

The problem is not Microsoft. The problem is twofold:
1. Most people completely misunderstand computer security.
2. Failure to make use of the security that the Windows operating system can provide. (How is it Microsoft's fault if you fail to make use of the tools they provide?)

- X

brokencrow
April 20th, 2006, 01:29 PM
The problem is not Microsoft.

I beg to differ. Most people will NEVER understand computer security (especially consumers), and MS has been slow to consider that fact. I think much of what we're seeing in the computer world is the result of MS's monopoly. The following .pdf is a good critique of what's going on, IMHO:

http://pdf.textfiles.com/academics/cyberinsecurity.pdf

morganlefay
April 20th, 2006, 04:24 PM
I really take exception to people constantly blaming Microsoft for Malware...

Did MS write the malware??

Did MS host these trojan downloaders on their web site??

Does MS provide patches, help articles, workarounds for these vulnerabilities???

Is it Microsoft's fault that people are "stupid" and "lazy"?

I run IE and I don't have these programs on my machines......so it comes down to...

What is the end user doing with the infected machine?

P2P file sharing, downloading warez programs, opening email attachments, clicking on links in email, visiting questionable sites, using the administrator account to do all this, not regularly updating AV and scanning....

Should I go on.....

It is not Microsoft's fault. :rolleyes:

MLF

dalek
April 20th, 2006, 04:37 PM
It is not Microsoft's fault.

Is so......jk.... :p

[tongue in cheek]But.....the majority of the Malware writers out there are disgruntled ex MS employees and certainly know what they are exploiting...[/tongue in cheek]

Yes MS provides patches...long after the event has taken place....too little too late...

Yes it is MS fault that most people who buy their products haven't a clue as to how to configure the PC to their benefit (MS Defaults)...

As to everything else, no Microsoft is not responsible for what users do to their PC after they have purchased it, so it is down to the "user" to ensure their product is in tip top shape and bug free....and if they are too stupid to ensure they have all of the patches and a working AV and Firewall, then they deserve everything they get...which is usually a big fat bill for the cleanup....lol

morganlefay
April 20th, 2006, 06:30 PM
While catching up on my reading I came across this article by Kaspersky Labs

http://www.viruslist.com/en/analysis?pubid=184012401

in regards to Malware Evolutions and the new trends of malware writers

The near future may well bring a range of malicious programs created on the principle “If changes to the configuration of the operating system modules are monitored, then we will modify the modules themselves”. This is an approach which has long since been used by virus writers in creating rootkits for UNIX.

This is interesting....these types of threats have been around for ages...and with other OSes...and the only way to protect yourself is to keep updated and patch your systems...no matter what OS or browser you are running....

and this...hardware :eek7:

However, SubVirt, when taken together with eEye’s BootRoot, signal the dawn of an era when users will need hardware protection.


and this MAC

The potential popularity and consistent growth of future versions of MacOS didn’t just attract the attention of IT professionals and users, but naturally also of virus writers and hackers around the world.


and cell phones

The problem of mobile malware is intensifying by the day. In 2005 there was a steady trickle of Trojans designed to infect mobile devices running Symbian;


My point....

It's not Microsoft's fault.

It's criminals trying to take advantage of people......wherever they can find a way to.

So people...you might as well get used to patching\securing and maintaining ANYTHING that has software :D

My .02 cdn

MLF

xierox
April 20th, 2006, 07:49 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274884#post898464) by brokencrow
I beg to differ. Most people will NEVER understand computer security (especially consumers), and MS has been slow to consider that fact. I think much of what we're seeing in the computer world is the result of MS's monopoly. The following .pdf is a good critique of what's going on, IMHO:

http://pdf.textfiles.com/academics/cyberinsecurity.pdf
What happens then when cross-platform viruses become more common and attack the top three desktop systems instead of just the top one? What you're advocating is security through being a minority, which really isn't security at all.

- X

JewishIntent
April 26th, 2006, 03:46 PM
OK, well, sorry I didn't post my results, but I've been real busy with work. Long story short, nothing I tried to use in safe mode would finish running except the one scan I mentioned. Basically I said screw it, Lysoled my drive and reinstalled Windows. Luckily I keep everything important to me on an external, so data loss was almost nil. Thanks for all your guys' help yet again.