Author Topic: [Inactive] Infected With TDSS Rootkit  (Read 19753 times)


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22701
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #60 on: June 06, 2011, 08:53:11 AM »
You are right, with the free versions you have to run manual scans, but the AV and Firewall will start with windows and protect you in real time, and it will protect you from bad e-mail attachments as well. As for malware scanning, Malwarebytes' Anti-Malware Pro will do the trick but the free version does not run in the background. If you cannot afford the pro version, then I suggest adding Spybot Search and Destroy. Between the immunize feature and the Teatimer portion of Spybot, you will be protected real time as well.

And yes you need to download the programs that you are going to use first, then disconnect, uninstall, then run the McAfee removal tool, then install the new software.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #61 on: June 06, 2011, 03:35:17 PM »
Considering my options...

Are we still waiting to clean up my desktop or should that be done at this point?

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #62 on: June 06, 2011, 04:57:36 PM »
We can do all the cleanup right now. When I give out the cleanup instructions, I also give references and other advice to help users from getting into this kind of situation again.

Now there are a few things you need to do to fully clean your system and keep it secure.


Uninstall Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTC
Download OTC to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go thru the Internet Options in the windows Control Panel. There are several programs that also do the job better than windows does it, in my opinion. There is System Security Suite, EasyCleaner, Ccleaner. Also, sometimes other programs do it as well as what you originally got them for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

Disable and Enable System Restore.
I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.
For Vista use these instructions, Windows Vista Restore Guide
For XP use these instructions, Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above
Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall). There are some good basic instructions for that here.

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox.
It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, AdAware, and Malwarebytes' Anti-Malware.

Always use a firewall.
Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.
 
Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.


Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.


MOST IMPORTANT: Windows and IE, and whatever other software that you have that connects to the net, needs to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with the Rogue/Suspect Spyware List and Rogue Applications List. That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior.

We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

Let me know if you want to keep pressing on with the slow running.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #63 on: June 07, 2011, 01:53:08 PM »
Uninstalled ComboFix, ran OTC and deleted logs. What about HijackThis?


Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #64 on: June 07, 2011, 01:56:45 PM »
You can delete it or keep it, dealers choice.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #65 on: June 10, 2011, 03:13:26 PM »
Hi Hoov,

Continued with cleanup. Ran Ccleaner and set Restore.

Uninstalled McAfee. Installed Online Armor Free, Avast Free and Spybot Free. Already had Malwarebytes Free. Everybody seems to want to play nice together, so far.

Ran msconfig and got same admin box... but end program box is gone.

Computer runs better (pages load faster and no hesitation scrolling). Boot time is still slow and I can amend my description after rebooting so many times:
 
As for the boot time, I want to say there are two areas that are considerably longer.
a) The black Win XP screen with the progress bar.
    (This is long from the start of this screen, all the way through the blank, black screen following, all the way to the welcome screen)
b) After I log on at the welcome screen and it's loading my settings. (Still takes forever but I want to say the crunching at the end is less.)

If it's OK, I would like to start deleting old programs. It's my understanding that the priority is start>programs (if there is an uninstaller there) then add/remove if not? (Is Ccleaner better or regular add/remove?)

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #66 on: June 10, 2011, 05:04:20 PM »
The regular remove is better, then thru the add/remove. If neither one of them can do the trick, then use a third party tool. I would like you to try one thing before starting to remove programs. Logoff your user account (just logoff, not restart or shutdown) and see if a new user named Administrator shows up. If it does, try logging on to there and see if you can do the msconfig thru there.

There is something I just found. Apparently it has to do with some HP printers. If you still can't do the above, see if this will work. But read over it and go thru the steps to make sure you can do it, before you do it. If you don't understand something, ask first.

   1. Click on Start, Run
   2. Type REGEDIT and Press Enter or Click OK
   3. Click on the Pluses (+) next to the following items in the left column of the Registry Editor
          * HKEY_LOCAL_MACHINE
          * System
          * CurrentControlSet
          * Services
          * PML Driver HPZ12
   4. In the right-hand column find the key named Start and double-click on it
   5. Change the value in decimal to one of the following

      2 for Automatic
      3 for Manual - Use this one.
      4 for Disabled

   6. Click on OK
   7. Close the Registry Editor
   8. Reboot your computer

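The regedit steps above change one DWORD, Start, under HKLM\SYSTEM\CurrentControlSet\Services\<service name>. The script below is an added example, not part of Hoov's post, that does the same change from PowerShell with the two checks you would want before touching a service key: that the key actually exists (the next reply reports it did not), and what the current value is before overwriting it. It assumes Windows PowerShell 2.0 or later and an administrator prompt; the service name "PML Driver HPZ12" is the one named in the post.

```powershell
# Added example (not from the original post): inspect and change a service's
# Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, the same
# key the numbered regedit steps above edit by hand.
# Assumes Windows PowerShell 2.0+ and an elevated (administrator) prompt.

# Same value table as the post (0 and 1 are driver start types, shown for completeness).
$StartValues = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartValue {
    param([Parameter(Mandatory=$true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        # This is the case reported later in the thread: the key is simply not there.
        return $null
    }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $start = $props.Start
    $label = if ($start -ne $null -and $StartValues.ContainsKey([int]$start)) { $StartValues[[int]$start] } else { 'Unknown' }
    New-Object PSObject -Property @{
        Name      = $Name
        Start     = $start
        StartName = $label
        ImagePath = [string]$props.ImagePath
    }
}

function Set-ServiceStartValue {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        # Only 2, 3, 4 are offered, matching the choices given in the post.
        [Parameter(Mandatory=$true)][ValidateRange(2,4)][int]$Value
    )
    $current = Get-ServiceStartValue -Name $Name
    if ($current -eq $null) {
        Write-Warning "Service key '$Name' does not exist; nothing changed."
        return
    }
    if ($current.Start -eq $Value) {
        Write-Host "$Name is already set to $Value ($($StartValues[$Value]))."
        return
    }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $what = "set Start from $($current.Start) ($($current.StartName)) to $Value ($($StartValues[$Value]))"
    if ($PSCmdlet.ShouldProcess($Name, $what)) {
        Set-ItemProperty -LiteralPath $key -Name Start -Value $Value -Type DWord
        Write-Host "$Name : $what. Reboot for the change to take effect."
    }
}

# Usage: look first, then set Manual (3) as the post recommends.
# -WhatIf only reports what would change; drop it to apply.
Get-ServiceStartValue -Name 'PML Driver HPZ12' | Format-List
Set-ServiceStartValue -Name 'PML Driver HPZ12' -Value 3 -WhatIf
```

Run it once with -WhatIf to confirm the key exists and see the current value; if Get-ServiceStartValue returns nothing, the service is not installed and there is nothing to change, which is exactly the outcome soupman reports in the next reply.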

Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #67 on: June 12, 2011, 04:54:16 PM »
Tried logging off as you requested. No luck. I have read numerous times that the only way to access the Administrator user in XP Home is in safe mode.

The item "PML Driver HPZ12" does not exist under "Services".

Found something strange regarding the HP printer. In start>programs>Hewlett-Packard I have v3.4 AND v4.3. There are uninstall features in both.
In add/remove I have "hp deskjet 940c series (Remove Only)" or "HP Driver Diagnostics"

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #68 on: June 12, 2011, 05:36:31 PM »
If you have the discs for your printer, try uninstalling all the HP software that is installed. Let me know if there is something from HP left over.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #69 on: June 13, 2011, 04:57:18 PM »
Uninstalled the four items I mentioned in my last post. Program files still has two HP folders (there used to be three).
One is Hewlett-Packard>HPZ>Glue>(lots of stuff).
One is hp deskjet 940c series>(a little less stuff).

Should I be looking anywhere else?

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #70 on: June 13, 2011, 06:31:45 PM »
Download Windows Install Clean Up and then install it. Run the program and then scroll down the list and select any HP entry and then click Remove. Do that until all HP entries are gone. Then see if you can run the msconfig changes.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #71 on: June 14, 2011, 01:51:27 PM »
There are no HP entries. Would it help you to know what the "stuff" is in the folders in program files?

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #72 on: June 14, 2011, 03:35:01 PM »
Nope. If there is nothing in the list, and nothing in the uninstall list, go ahead and delete those folders. They are probably remnants from older programs. Try going thru the msconfig steps. Let me know how it goes.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #73 on: June 14, 2011, 04:55:45 PM »
Deleted folders, restarted and no luck.

Hp website now has an Install Software for XP (my disks are old versions that don't support XP). Should I use it to get my printer back up?

As I've reviewed all these old programs I've mentioned, one stands out to me. My original digital camera reader software was a Fuji Finepix piece of work that was a problem out of the box. I haven't used it for years but the software is still installed. My gut tells me that if we're looking for a problem child, this might be it.

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #74 on: June 14, 2011, 07:38:25 PM »
Go ahead and uninstall the software. And download the software from the HP website and install it. Try msconfig again, if it doesn't work, we are going to try something else. Download Autoruns and unzip it to a folder and run the program autoruns.exe. When it is done running a scan, go up to Options and make sure that only the Hide Windows entries is checked. If the Hide Microsoft and Windows Entries is checked, uncheck it. If you have to change either option, then go to file and click refresh.

Then go to the services tab and uncheck everything. Then go to the logon tab and uncheck everything. Close the window and reboot the computer. See how the computer reboots and runs, then start Autoruns again and recheck everything in both tabs, then close it and reboot. Let me know how it went.

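Unticking every Services and Logon entry in Autoruns is a bisection: if boot gets fast with everything off, something in those two lists is the culprit, and you re-enable entries until it slows down again. The script below is an added example, not Hoov's code or part of Autoruns, that records the same two classes of entry (the Run/RunOnce keys Autoruns shows on its Logon tab, and services whose Start value is 2, Automatic) to a CSV before you change anything, so you have a list to work from and can diff it against a later snapshot. It assumes Windows PowerShell 2.0 or later; the output file name and the helper names are mine.

```powershell
# Added example (not from the original post): snapshot the auto-start entries
# that Autoruns' Logon and Services tabs show, before unticking them, so the
# bisection can be undone one entry at a time. Read-only; changes nothing.
# Assumes Windows PowerShell 2.0+. Running elevated lets it read every service key.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata properties Get-ItemProperty adds to every result; not real registry values.
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-LogonEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($props -eq $null) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            New-Object PSObject -Property @{
                Kind = 'Logon'; Location = $key; Name = $p.Name; Command = [string]$p.Value
            }
        }
    }
}

function Get-AutoStartServices {
    # Start=2 is Automatic, the same value table as the regedit steps earlier in the thread.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        if ($props -eq $null -or $props.Start -ne 2) { continue }
        New-Object PSObject -Property @{
            Kind = 'Service'; Location = $base; Name = $svc.PSChildName; Command = [string]$props.ImagePath
        }
    }
}

function Save-AutostartSnapshot {
    # Default file name is an assumption; pass -Path to put it elsewhere.
    param([string]$Path = "$env:USERPROFILE\Desktop\autostart-before.csv")
    $entries = @(Get-LogonEntries) + @(Get-AutoStartServices)
    $entries | Sort-Object Kind, Name | Export-Csv -LiteralPath $Path -NoTypeInformation
    Write-Host "Saved $($entries.Count) entries to $Path"
    $entries
}

function Compare-AutostartSnapshot {
    # Entries present in only one of the two files are what changed between snapshots.
    param([Parameter(Mandatory=$true)][string]$Before, [Parameter(Mandatory=$true)][string]$After)
    Compare-Object (Import-Csv -LiteralPath $Before) (Import-Csv -LiteralPath $After) -Property Kind, Name, Command
}

# Usage: run once before touching Autoruns, and again after re-checking everything.
Save-AutostartSnapshot | Format-Table Kind, Name, Command -AutoSize
# Compare-AutostartSnapshot -Before "$env:USERPROFILE\Desktop\autostart-before.csv" -After "$env:USERPROFILE\Desktop\autostart-after.csv"
```

The CSV is the reference list while you re-enable entries in halves; anything whose Command points into the deleted HP folders or the old camera software mentioned earlier in the thread is a natural first thing to leave unticked. Autoruns also covers start-up locations this script does not (scheduled tasks, Winlogon, Explorer shell extensions, drivers), so treat the snapshot as a record of the two tabs the post tells you to change, not as a full autostart inventory.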