PC Pals Forum

Technical Help & Discussion => Broadband, Networking, PC Security, Internet & ISPs => Topic started by: Tony on October 07, 2003, 17:10

Title: Has my PC been infected.
Post by: Tony on October 07, 2003, 17:10
Right, a friend of mine had probs with his PC: mouse all over the place, Active Desktop would not load. And before you could attempt to solve anything or attempt to go into safe mode, Windows would just close down.

Anyway, in the course of things I was going to restore a saved image of C: drive, which meant putting his hard drive in my PC. Anyway, could not do for some reason, and nor would his hard drive, after reformatting, install a clean W2K. Anyway it was running late and as it was an old 5400rpm 8MB hard drive, I let him have my standby 40GB hard drive, so as to get him up and running.

Anyway since then, my PC has been acting funny, like sometimes when closing down, a box comes up saying Outlook is running, even if I have not had it open. Plus sometimes when I try to open Outlook it will not load unless I reboot.

Also whilst browsing, sometimes hearing the 'shutting door' sound made by instant messenger programs even though I do not use such programs or have any installed.

And when I look in the 'Computer Management' tab under 'Shared Folders' there are three folders listed as:

'Shares' containing ADMIN$  C:\WINNT [under properties tab/comment, it says Remote Admin]

also C$  C:\ [under properties tab/comment, it says Default Share]

IPC$  [under properties tab/comment, it says Remote Admin]

Also under "Shared Folders" it has two more folders named "Sessions" and "Open Files" [both of which are empty]

Does this mean my C: drive is wide open?

Now I have not enabled file sharing, and if I try to stop sharing, a message box comes up saying: "This share was created for Administrative purposes only. The share will reappear when the Server service is stopped and restarted or the computer is rebooted."

As I have not enabled File Sharing, I'm sure that folder should be empty, right?

I have run my Anti Virus program [Symantec] found nothing.

Also I have run the following "fix it tools"

Trojan.Qhosts
W32.Swen.A@mm
W32.Sobig.F@mm
W32.Dumaru@mm
W32.Welchia.Worm
W32.Blaster.Worm
Backdoor.Winshell.50

All said none were found on my PC, but the Trojan.Qhosts one said this:

The value "HostName" of the registry key
"SYSTEM\CurrentControlSet\Services\VxD\MSTCP"
is set to "Administrator".
The folder "C:\System Volume Information" was not scanned.
Trojan.Qhosts has not been found on your computer.
 
The Fix Swen tool came up with this message:

The default value of the registry key
"SOFTWARE\Classes\scrfile\shell\config\command"
is set to ""%1" %*".
The folder "C:\System Volume Information" was not scanned.
W32.Swen.A@mm has not been found on your computer.

Right, anybody got any thoughts on the above?  ???
Title: Re:Has my PC been infected.
Post by: Tony on October 07, 2003, 17:17
Oh, whilst I remember, on sending emails, I noticed the little box "Symantec scanning" was not coming up.

So I went into Symantec and noticed "Auto Protect" and "Email Scanning" had been switched off!!!!!!! and I could not enable them without rebooting.
Title: Re:Has my PC been infected.
Post by: Clive on October 07, 2003, 17:20
That is usually a classic symptom of a virus isn't it?  I hope someone can help.
Title: Re:Has my PC been infected.
Post by: Sandra on October 07, 2003, 17:24
Have you tried running a scan in safe mode, Tony? I think 2K has system restore too, so disable that before you scan.
It does sound like you have caught something off your friend's drive even though it wouldn't allow you to copy it across.
I had that recently when putting another PC's drive in mine as a slave to copy its data and fortunately Norton found and quarantined 2 viruses (virii ?) before any harm was done.

The moral of the story is that unless you are certain that the other PC is not infected, do not put its drive in your main PC if at all possible. I wanted to put it in my no 2 PC but that will only take a 65 gig drive and it was an 80 gig drive that I was saving data from  :(
Title: Re:Has my PC been infected.
Post by: Sandra on October 07, 2003, 17:27
> So I went into Symantec and noticed "Auto Protect" and "Email Scanning" had been switched off!!!!!!! and I could not enable them without rebooting.

Prior to doing what I have just suggested Tony, uninstall and reinstall Norton. It sounds like something has switched the auto protect feature off and may have corrupted your current Norton installation  :(
Title: Re:Has my PC been infected.
Post by: Simon on October 07, 2003, 17:42
Sounds nasty, Tony.  I'm not going to try to offer any advice, as this is way over my head, but best of luck, mate!   :-\
Title: Re:Has my PC been infected.
Post by: Michelle on October 07, 2003, 17:44
I had some new info sent from ntl today .... well sometime, but I only looked at it today. :-\ I doubt it's news to you but you might wanna have a look anyway.

I think clive has already posted on these things but just in case .

http://homepage.ntlworld.com/virus.outbreak/
Title: Re:Has my PC been infected.
Post by: Sandra on October 07, 2003, 17:57
I wonder why the XP version in that information didn't say anything about turning off system restore, as I am sure that the original fixblast removal tool info suggested that as well as running it in safe mode  ???
Title: Re:Has my PC been infected.
Post by: Simon on October 07, 2003, 18:39
Here are the instructions for the Norton FixBlast tool:

1. Download the FixBlast.exe file from:
   http://securityresponse.symantec.com/avcenter/FixBlast.exe
2. Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).
3. To check the authenticity of the digital signature, refer to the section, "Digital signature."
4. Close all the running programs before running the tool.
5. If you are running Windows XP, then disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for additional details.
   CAUTION: If you are running Windows XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.
6. Double-click the FixBlast.exe file to start the removal tool.
7. Click Start to begin the process, and then allow the tool to run.
   Note: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and then run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."
8. Restart the computer.
9. Run the removal tool again to ensure that the system is clean.
10. If you are running Windows XP, then re-enable System Restore.
11. Run LiveUpdate to make sure that you are using the most current virus definitions.

When the tool has finished running, you will see a message indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:

* Total number of the scanned files
* Number of deleted files
* Number of terminated viral processes
* Number of fixed registry entries
Title: Re:Has my PC been infected.
Post by: Tony on October 07, 2003, 19:04
W2K does not have system restore Sandra, but I do have GoBack, but I uninstalled it before running the Fix It tools. I also ran a scan as you suggested in Safe Mode, but still nothing. At the time I did not think my mate's PC was infected Sandra, but that is the last time I put somebody else's HDD in my PC. >:(

Can anybody out there who has not enabled "File Sharing" confirm that there are no files in the "Shared Folders" folder under the "Manage" tab in "My Computer" on their PC.

Thanks for your input guys and gals, but if I cannot find anything, and given all the unusual events with my PC since I put my mate's HDD in my machine, I'm minded to do a reformat and reinstall. It's just the thought of the frigging hours of security downloads that p** me off   >:( Roll on Broadband.

I'll wait and see what Adept or Dack have to say on the matter first though.
Title: Re:Has my PC been infected.
Post by: Sandra on October 07, 2003, 19:16
I have shared folders on mine Tony, but I think that the only ones that go in there are the ones you put in yourself, so if you haven't shared any it should be empty  :)
Title: Re:Has my PC been infected.
Post by: Clive on October 07, 2003, 19:40
I've just checked mine too Tony and there are no files there which I haven't put in myself.
Title: Re:Has my PC been infected.
Post by: Tony on October 07, 2003, 20:19
> I have shared folders on mine Tony, but I think that the only ones that go in there are the ones you put in yourself, so if you haven't shared any it should be empty  :)

Yes that's what I think Sandra. I can prove it either way by doing a reformat and clean install, but it means hours of program installs and updating to prove it. As you and Clive do use File Sharing, I would have preferred somebody not File Sharing just having a look on their PC and posting if that "Shared Folders" folder was empty or not, it's only a 3 second job.

It's times like these you get to know who your real friends are
 ::)  ;)
Title: Re:Has my PC been infected.
Post by: Adept on October 07, 2003, 20:38
It does sound suspicious Tony :(

But before you go wiping your drive, tell me something, do you still have a spare drive available, or even another PC?

Personally, I would remove the current drive from your PC, install the spare one and install W2K on it with up-to-date AV. Then re-install the "infected" drive as a slave or the secondary master and give it a good going over with your av program.

If it doesn't find anything, it isn't infected and you need to look elsewhere for the source of the problem. If it is infected, your av software should sort it out, allowing you to re-install the newly cleaned drive. Don't forget to re-install and update your av software once the PC is back to normal.

Hope this helps :)

Title: Re:Has my PC been infected.
Post by: Tony on October 07, 2003, 20:54
Cheers Adept,

No I have not got a spare drive [gave it to my mate] But I'm hoping a replacement will arrive tomorrow some time. So I reckon I'll wait til it comes and do as you say. And as soon as I install W2K on that new drive, I'll be able to see if that " Shared Folder" is empty.

Thanks mate

Title: Re:Has my PC been infected.
Post by: joudi on October 07, 2003, 21:36
Hi Tony,

Sorry if I misunderstand what you are asking for, but I like to help if I can.

I have not enabled file sharing, and I have Windows XP. "Files Sharing" has the sign "+" beside it, and when I click on + it opens three files inside it (I'll translate from French). They are:

- Shared
- Sessions
- Open Files

Only the first one has something in it. It has a file in the form of a drive called "IPC$" which shows nothing when I click on it. It's described as follows:

Sharing File:  IPC$
Type:    Windows
Nb. of client connections:   0
Comments:   IPC distant

Sorry, I'm not sure that that will help, but I tried to answer your need as I could understand it. Hope it helps.
Title: Re:Has my PC been infected.
Post by: Tony on October 07, 2003, 21:48
That was very helpful joudi, as I have three files in mine thank you.

Title: Re:Has my PC been infected.
Post by: Simon on October 07, 2003, 22:00
This is mine, Tony, and I have never enabled File Sharing to my knowledge.  I think this is the same as Joudi has.
Title: Re:Has my PC been infected.
Post by: Tony on October 07, 2003, 23:26
Cheers Simon,

Well then, I, like joudi and Simon, have not enabled "File Sharing", yet my corresponding file looks like this. It would appear as if my PC is compromised, so that's it, I'm reformatting and doing a clean install.

[Image: screenshot of the Shared Folders view in Computer Management, http://www.tonysugrue.co.uk/management.jpg]

Title: Re:Has my PC been infected.
Post by: Tony on October 08, 2003, 18:43
Hey Simon,

My replacement standby HDD [40GB Samsung with a 3 year warranty] arrived this morning sometime between 7.30 and 8.00am. Not really sure exactly, as it, along with my ADSL modem   ;D was on the kitchen worktop when I got up [I have decided to go with either NDO or PlusNet for my broadband]. By the way they were ordered Monday afternoon from your mates at CCL
 ;D

Anyway, as soon as I installed W2K on the new drive, I looked in shared files, and bugger me, it showed the same file arrangement as I have on my existing drive!!!! So I have fully loaded it, and created a backup partition where I saved an image file of the new set up.

And even though I could find nothing in the way of worms or viruses on my existing drive, I copied an image of the new drive over on to my existing drive, so they are both nice and new. Mind you I'm going onto that "Shields Up" site to find out how to disable the shared file option, like Chorley Dave has done, just to be on the safe side.

Plus I'm going to start using Mozilla email instead of Outlook, lets see it start up incognetoe now ;D  so I best go and download the "spellchecker" I suppose  ::)
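What Tony was asking everyone to eyeball in Computer Management can also be read off `net share` at a command prompt. The following is an added example, not something anyone posted in the thread: a small Python script that parses `net share` output (the sample output is constructed here to match the three entries Tony listed, plus two made-up non-default ones, and the fixed-width column layout is assumed from the header line) and separates the administrative shares Windows 2000 creates on its own from anything that somebody, or something, added.

```python
import re

# Constructed sample of `net share` output from a Windows 2000 box. The first
# three rows are the entries Tony listed (ADMIN$, C$, IPC$); the last two are
# made up here to show what a share Windows did NOT create looks like.
_ROWS = [
    ("ADMIN$", "C:\\WINNT", "Remote Admin"),
    ("C$", "C:\\", "Default share"),
    ("IPC$", "", "Remote IPC"),
    ("D$", "C:\\Stuff", ""),               # looks administrative, points elsewhere
    ("TOOLS", "C:\\WINNT\\System32", ""),  # plain user-created share
]
SAMPLE_NET_SHARE = "\n".join(
    [f"{'Share name':<13}{'Resource':<32}Remark", "", "-" * 79]
    + [f"{name:<13}{res:<32}{remark}" for name, res, remark in _ROWS]
    + ["The command completed successfully."]
)

DRIVE_SHARE = re.compile(r"^([A-Z])\$$")


def parse_net_share(text):
    """Return (name, resource, remark) tuples by slicing each row at the
    header's column offsets, so an empty Resource (as for IPC$) does not shift."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Share name"))
    res_col, rem_col = header.index("Resource"), header.index("Remark")
    shares = []
    for line in lines:
        if not line.strip() or line == header or line.startswith(("---", "The command")):
            continue
        shares.append((line[:res_col].strip(),
                       line[res_col:rem_col].strip(),
                       line[rem_col:].strip()))
    return shares


def is_default_admin_share(name, resource):
    """True only for shares Windows 2000/XP creates itself: ADMIN$ on the
    system root, IPC$ with no path, and X$ on the root of drive X."""
    if name == "IPC$":
        return resource == ""
    if name == "ADMIN$":
        return resource.upper().endswith(("\\WINNT", "\\WINDOWS"))
    m = DRIVE_SHARE.match(name)
    return bool(m) and resource.upper() == f"{m.group(1)}:\\"


def classify_shares(text):
    """Split `net share` output into expected default shares and everything else."""
    defaults, others = [], []
    for name, resource, _remark in parse_net_share(text):
        (defaults if is_default_admin_share(name, resource) else others).append(name)
    return defaults, others
```

On a machine where file sharing was never turned on, the first list is exactly what the thread ended up confirming you should see, and it is the second list that deserves a closer look.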
Title: Re:Has my PC been infected.
Post by: Simon on October 08, 2003, 20:28
You'll need the UK English plug-in as well, Tony, or the spell checker will default to US spellings.  You can get the UK dictionary here. (http://www.mozcafe.com/download/)

As for CCL   ::)  I thought I'd give them another chance, as they were still the cheapest, so I ordered a case (the one you recommended they don't do anymore), a Maxtor 40gb HDD, and a cheap Floppy Disc Drive.  Delivery arrived within two days, but they had sent a monitor, yes, a 15" monitor instead of the case!

I contemplated keeping it out of spite, and trying to flog it on, but my conscience got the better of me, so I rang them, and spoke to a really helpful lady who had just spoken to another person asking where his monitor was!  Anyway, they swapped it the next day, and I got a better case than I ordered, so they have redeemed themselves to some extent.

Tip for MozMail: If you want the same colour background as we both had in Outlook, you need to type about:config in the browser address bar, then scroll down to msgcompose.background_color and change the value to #ffffee.  You have to do it that way, because although you can select default fonts and background in Edit > Preferences > Mail & Newsgroups > Composition, that particular colour is not one of the ones available to set as default by that method, so you have to go in the back door.   ;)
Title: Re:Has my PC been infected.
Post by: Tony on October 08, 2003, 23:20
Cheers Simon,

Don't you have some fun on the ordering and delivering front  ;D,

I've PM'd you mate, regards Moz mail.