Need help with BAD infection

ghoti

Member
Apr 12, 2004
106
0
0
I am in desperate need of help. Although I can occasionally reach my desktop (WinXP Pro SP3) -- most of the time, the computer shows a perpetual hourglass before I reach the desktop. Even when I do reach the desktop, I can do nothing from there. The machine simply shows a perpetual hourglass no matter what I try to do.

I am occasionally able to boot up in Safe Mode and have run scans with Avira AntiVir (freeware) and SpyBot, finding Trojans and other nasties, which I have quarantined. Nonetheless, the machine has gotten worse in how quickly it becomes useless.

I thought I might try SuperAntiSpyware which John recommends in this Security thread, but John seems to say that it must be installed on the machine to be scanned (I cannot run it from a CD). I am dubious of my chances of installing it on my infected machine. Is this something I might be able to do in Safe Mode?

If I MUST reformat my hard drive, there are some files I would like to save first (assuming I can then get them back onto the reformatted computer). Where is the 'favorites' info (showing favorite web sites) stored (what is the file name)? I run Outlook 2000 which I use for e-mail. Where are the address book and previously received (not archived) e-mail messages stored? Can I simply copy those files onto a disk from Safe Mode and then copy them back onto the computer after I have done a clean install of WinXP? Will I be able to run Roxio in Safe Mode so as to burn a CD with these files, or must I run out and get a flash drive (with its very limited capacity)?

I confess my ignorance. Like certain famous literary figures, I must "rely upon the kindness of strangers." Your help will be greatly appreciated!

ghoti

Thanks Law.

Sorry, but I do not know about HJT -- I'm gonna take a guess: Hijack This? Even if that's right, I don't really know about it (where to find it, how to use it, etc.).

I guess I had the naive hope that there was one (perhaps two) pieces of software I could run in safe mode (e.g., Malwarebytes and/or SuperAntiSpyware) that would purge the malware.

BTW, I found that I was able (just now) to boot up in Safe Mode w/ Networking, despite the earlier 'refusal' of my machine to do so. So, I guess I will be able to download Malwarebytes free version, update, and then run it (all in Safe Mode + Networking).

Thanks again in anticipation of your further input and help.

ghoti

Interesting! The infected computer will not allow me to connect to either of the sites to which you posted links. This clean computer will connect to both sites and the infected computer will connect to other sites (e.g., Google). I guess the malware is preventing the connections to these sites?

I can download the programs to the desktop of the clean computer, burn a CD with the downloaded files, then use the CD to install the programs on the infected computer (unless the malware prevents that, also, which seems a real possibility judging from John's guide posted in this Security thread), BUT even if all that works, how am I going to get to the malwarebytes site to update the definitions on the infected computer?

Is there any software I can use (download to the clean computer) and run from a CD?

Thanks again Law.

ghoti

Law,

Nope, mbam-setup.exe will not run off the CD in the infected computer. It will run on this clean computer.

MAN, this d#*n malware is TOUGH!

I'll try HijackThis -- though I doubt I'll get any further than I have with mbam.

Salud!

ghoti

Well, I was able to run HijackThis.exe from CD on the infected machine. (I could not install HijackThis on the infected machine). I posted the log to pitstop. (I hope that is the right place to post in order to get the best advice.)

I could not reach housecall.trendmicro from the infected computer.

Thanks.

law9933

Senior member
Sep 11, 2006
394
0
0
Great!!!!
You are now in good hands, they give great/friendly advice, but there are other very good HJT sites.
Only post at one, your turn for help will come. You gave them a great description of the problem.
They will probably have you install MBytes when you can or do install it later, it is a good program.

You can post & check your HJT log here, but do nothing; it is not really safe! One extreme nasty, there could be more.

http://www.hijackthis.de/en


Chapbass

Diamond Member
May 31, 2004
3,148
89
91
Grab a copy of BartPE, boot into it and do manual removals from a remote OS? BPE also has some built-in scanners as well.

Usually a good start if you can't get into safe mode.

law9933

ghoti,
It looks like the adviser has you running again. It took 40+ posts from you two, I did not say it was easy, only that they are good. He would not give up when you thought you wanted to. I saw that another great adviser was watching the progress (may have assisted Aflac). I am not allowed to post in their HJT forum. Job well done!!!

ghoti

Amen to that, Law! I was impressed.

I do still have some residuals (you can see from my last post), but I am hopeful I'll soon (with help) have them cleared. And the machine is running normally again (at least at the moment).

Thanks again for your recommendations! I'm going over to TrendMicro Housecall now to see what it finds.