slowly-spreading, but very annoying problem

Thread starter: Ken
Please Help!



I am seeing what appears to be a slowly-spreading, but very annoying
problem. Over the past three weeks, I have had three separate groups of
people (including myself) describe a problem they're experiencing with their
Windows XP systems. There are several similarities in the symptoms being
reported.



All affected computers -

- are running Windows XP
- have plenty of processor, memory and disk capacity
- have High-Speed cable network connection
- have been running efficiently until now
- only one user can login, others cannot
- detected large number (230-12000) of spyware-related files
- have NOT detected any viruses using Norton Anti Virus
- have had their TEMP directories cleaned and are now empty
- are now protected with anti-spyware, antivirus and firewall software
- are STILL running poorly and experiencing the same problems



Can anyone offer any guidance (please) on how we can regain control and
performance over my computers?



Thank you.



//Ken
 
1. Format your hard disk.
2. Reinstall Windows XP.
3. Stop using P2P file sharing programs and browsing dodgy websites.
 
A firewall only blocks what wasn't asked for, file sharing
P2P opens the door. Never invite a vampire in your house
and don't invite hackers in with P2P.


 
The thing is that once a system is corrupted, cleaning out the spyware or
viruses does not undo the corruption. You could try and do a repair install
with the xp disk.
 
I appreciate your responses. However, I DO NOT use P2P (i.e., Kazaa, etc.)
or any other file-sharing software.

Next.
 
Handsome said:
The thing is that once a system is corrupted, cleaning out the spyware
or viruses does not undo the corruption. You could try and do a repair
install with the xp disk.

The thing is that without actually seeing the computers to which you are
referring, no one can give you a complete definitive answer. The fact
that other people have experienced similar symptoms is a non-issue: you
are all running Windows machines, which are vulnerable to spyware and
viruses. In addition, there are lots of other factors contributing to a
system's speed and overall health. That's why the troubleshooting steps
you get from a newsgroup are mostly *general* - when someone has the
sort of symptoms you describe, you always say OK, clean off any
viruses, spyware, empty the TIF files, minimize programs and services
running in the background, etc. That's always the first step. And then
if someone says the machine is still running poorly, it could be a lot
of other things: 1) person could be infected with something like one of
the newer Bagle variants and it was picked up by his av or it broke his
av; 2) person could have failing hardware; 3) person could have 12 usb
devices all powered off his computer which he neglected to mention; 4)
person could have installed all sorts of beta software that has
interacted badly with the core system files. And so on. You see?

So the guidance to having control over your computer is to install
cleanly and only what you need. To do regular software and hardware
maintenance. To run av and a firewall. To not open attachments. To keep
whatever operating system you're running patched with security updates
in a timely fashion. Etc. There's no magic bullet.

HTH,

Malke
 
It really depends on what your definition of 'plenty of' (memory, disk space
etc.) means. Some people think 256 MB is sufficient RAM for XP (it isn't);
it depends on what you have running in the background, or foreground for that
matter. Depends on your CPU too. AND, if you have Winamp, for example, and
some graphics-intensive or memory-intensive apps running all at once, plus
lots of little icons in your systray etc. etc., your PC may be slow. It isn't
Windows XP, it's whatever you have running or have installed on your HD that
might be running, though not on the desktop so to speak.
 
> Please Help!

OK, let's make a deal: I'll help you (from here in security_admin) if
you cut down the number of ngs you send this to :-)

Only kidding - I'll help you anyway - but machine-gunning multiple
newsgroups is Bad. You'd alienate some good frontals that way.

> I am seeing what appears to be a slowly-spreading, but very annoying
> problem. Over the past three weeks, I have had three separate groups of
> people (including myself) describe a problem they're experiencing with their
> Windows XP systems. There are several similarities in the symptoms being
> reported.
> All affected computers -
> .are running Windows XP

On FATxx or NTFS? Both can get shot to pieces by malware, but NTFS
can pose obstacles in cleaning this up.

> .have plenty of processor, memory and disk capacity
> .have High-Speed cable network connection

OK; a significant risk surface, that. Now I'm waiting to see the
words "firewall" and/or "router" :-)

> .have been running efficiently until now
> .only one user can login, others cannot

Is that by design, or an effect of the problem? Sounds like something
needed system-wide is patched in only through the user startup axis or
similar runpoints. Smells like commercial malware; something like a
namespace extender a la NewDotNet.

> .detected large number (230-12000) of spyware related files

OK. How did you manage these, and did things go sour before or after
you whacked 'em? Hopefully you logged what was found and done, as you
never know when you may need to "go manual" in cleaning up the mess.

That's when a Googleable name is a Good Thing To Have.

> .have NOT detected any viruses using Norton Anti Virus

<shrug> Well, it's active, ergo it got past Norton. Why does it not
surprise me that active malware missed by Norton can maintain "air
superiority" and keep itself hidden from Norton thereafter? If NAV
was still working OK, a new update could help it detect the malware.

But the malware's active, so Norton may no longer be working OK.

> .have had their TEMP directories cleaned and are now empty

Interesting, that.

> .are now protected with Anti Spy and Virus, and Firewall software

"now", eh? Hmm.

> .are STILL running poorly and experiencing the same problems

Yup.

> Can anyone offer any guidance (please) on how we can regain control and
> performance over my computers?

0) Isolate the PCs from LAN and WAN
- pull cables
- wireless devices; [x] Disable in this profile (DeviceManager)

1) Do a formal virus check
- run NO code off HD in the process
- scan all files
- first, look don't clean; save log
- then read up what you find (www.f-secure.com/v-descs etc.)
- then if no caveats, clean the malware
- if can't clean, no caveats; rename away so reversibly inactive
- www.f-prot.com, www.nod32.com, www.sophos.com for free tools

That NTFS may make (1) difficult or impossible makes it no less the
bottom line here. Users don't get to pick only the easy, solvable
problems; the problems pick you! If an NTFS victim, read up on
bootable CDRs such as Knoppix (Linux) or Bart's PE Builder (XP) and
start hunting for av that will run from these.

2) Manually clean up any residue; startup axis etc.

3) Informally scan and manage commercial malware
- Ad-Aware, Spybot etc.; use more than one
- keep logs, remember which order you ran them in
- once again, read up on what you find
- Spybot in particular may wave things best ignored

4) Apply risk management
- decide what you don't need; wall it out
- any file sharing over WAN
- full shares of startup axis, including hidden admin shares
- autorunning scripts in email "messages"
- support for WSH, "remote desktop" etc.
- only you know what's on this list
- kill 'em all, but do so reversibly
- also; close broken-code autorun holes via patches
- decide what some ppl need; pwd-protect it
- goes about user permissions, good pwds etc.
- a poor substitute for the above, where above applies
- what may be risked, evaluate
- build user skills to make that evaluation
- ensure system doesn't "do it for the user" automatically
- ensure system offers required info, e.g. show extensions
- what is risked, screen first
- firewall as doorman of last resort
- antivirus as goalkeeper of last resort

5) Purge hidden malware stashes
- System Restore (if cabbed, may be undetectable)
- email apps that hide attachments in mailboxes

6) When all systems clean, reconnect LAN

7) When all systems patched and 'walled, reconnect WAN

8) When (if ever?) you know wireless is secure, enable wireless

Sorry such a generic answer, but it's a generically common problem!


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
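Step 1 above says "rename away so reversibly inactive" and step 3 says "keep logs"; the following script is an added example of doing exactly that, and is not cquirke's own tool or anything posted in this thread. It renames each suspect file to a non-executable name, records the original path, a SHA-256, size and timestamp in a JSON manifest, and can undo the renames only if the files are unchanged. The ".vir" suffix, the manifest name and the file names in the self-check are assumptions; the script also assumes the malware is not running (a boot CD, as the post recommends), because Windows will refuse to rename a file that is in use.

```python
"""Reversible "rename away" quarantine with an audit manifest (added example,
not the poster's tooling). Assumed: the malware is not executing (boot CD, or
the files are at least not in use) and ".vir" has no file association."""
import hashlib, json, os, tempfile, time
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"                  # assumed non-executable suffix
MANIFEST_NAME = "quarantine-manifest.json"  # the log the thread insists on


def sha256_of(path: Path) -> str:
    """Stream the file; quarantined binaries can be large."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _load(manifest: Path) -> list:
    return json.loads(manifest.read_text()) if manifest.exists() else []


def _save(manifest: Path, entries: list) -> None:
    tmp = manifest.with_suffix(".tmp")   # write-then-replace: no truncated log
    tmp.write_text(json.dumps(entries, indent=2))
    os.replace(tmp, manifest)


def quarantine(paths, manifest: Path) -> list:
    """Rename each regular file to <name>.vir; record hash, size and time.
    Directories, symlinks and missing paths are skipped, not guessed at."""
    added = []
    for original in map(Path, paths):
        if original.is_symlink() or not original.is_file():
            continue
        target = original.with_name(original.name + QUARANTINE_SUFFIX)
        if target.exists():
            raise FileExistsError(f"quarantine name already in use: {target}")
        added.append({
            "original": str(original), "quarantined": str(target),
            "sha256": sha256_of(original), "size": original.stat().st_size,
            "when": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        })
        original.rename(target)  # the only change made to the file system
    _save(manifest, _load(manifest) + added)
    return added


def restore(manifest: Path, verify: bool = True) -> list:
    """Undo the renames, newest first; refuse any file altered in quarantine."""
    restored = []
    for entry in reversed(_load(manifest)):
        q, o = Path(entry["quarantined"]), Path(entry["original"])
        if not q.exists():  # e.g. already deleted by a later scanner
            continue
        if verify and sha256_of(q) != entry["sha256"]:
            raise ValueError(f"{q} changed since quarantine; not restoring")
        if o.exists():
            raise FileExistsError(f"original path reappeared: {o}")
        q.rename(o)
        restored.append(o.name)
    return restored


def self_check() -> dict:
    """Constructed scenario in a temp dir: quarantine, restore, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        a, b = d / "svchost32.exe", d / "nd_hook.dll"  # constructed names
        a.write_bytes(b"MZ" + b"\x00" * 62)
        b.write_bytes(b"MZ" + b"\x90" * 30)
        manifest = d / MANIFEST_NAME
        added = quarantine([a, b, d / "absent.exe"], manifest)
        after = sorted(p.name for p in d.iterdir() if p != manifest)
        restored = restore(manifest)
        manifest.unlink()            # round two: quarantine, then tamper
        quarantine([a, b], manifest)
        with (d / (b.name + QUARANTINE_SUFFIX)).open("ab") as fh:
            fh.write(b"!")
        try:
            restore(manifest)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"quarantined": len(added), "after_quarantine": after,
                "restored": restored, "tamper_detected": tamper_detected,
                "stopped_before_a": not a.exists()}  # b fails first, a stays put
```

Keeping the original file name inside the quarantine name (`svchost32.exe.vir`) preserves the "Googleable name" for later research, and the hash in the manifest is what makes the rename safely reversible: if a scanner or the malware itself touches the quarantined copy, `restore()` refuses rather than putting an unknown file back on the startup axis.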
 
Man, that was an outstanding answer!
May take longer than reformatting, but no data loss (hopefully).
Kudos

 
cquirke -

I really appreciate your well articulated and very informative response. You
certainly appear to know your stuff! Great job!



Regarding the "machine-gunning multiple newsgroups", point taken, thanks for
the tip. I was told in the past that instead of posting to each list
individually, cross-post. It covers more ground, enables more people to
learn and contribute and it avoids folks from having to respond to each
list. However, I understand your point.



I will follow your guidance closely. Interestingly enough, yesterday, my
system on its own (not sure why) ran Scan Disk. It ran for about an hour
before it completed. When it was done and the system was rebooted, the
entire system began functioning (a whole lot) better and quicker. Not to
imply this has solved my problem.



I will certainly share the results of the fix, after execution of all the
great advice you and others have provided.



Thank you.



//Ken



 
Ken,
All I can say to cquirke is ----------What ?
Obviously his reply sailed right over my uninformed head. He lost me when he
said something about alienating some good frontals. Wouldn't want to
alienate any frontals, especially good ones.
The one thing I did get, I think, is that you may have parasites.
http://www.spywareinfo.com/forums/index.php?act=idx
Use the link above to receive one on one assistance in removing parasites
from your PC.

Mad Max

 
> cquirke -
> I really appreciate your well articulated and very informative response.
> Thanks!
>
> Regarding the "machine-gunning multiple newsgroups", point taken, thanks for
> the tip. I was told in the past that instead of posting to each list
> individually, cross-post. It covers more ground, enables more people to
> learn and contribute and it avoids folks from having to respond to each
> list. However, I understand your point.

Yes, cross-posting is preferable to multiple separate posts; the
latter is hell! It actually dilutes your replies and
cross-fertilization of ideas.

I read a few "general" groups rather than niche groups, due to time
constraints (xp.general alone can eat you alive). My general rule is,
if I don't read an ng, I don't post there - but with cross-posts, if I
trim the groups I don't read, someone else may lose out.

> I will follow your guidance closely. Interestingly enough, yesterday, my
> system on its own (not sure why) ran Scan Disk. It ran for about an hour
> before it completed. When it was done and the system was rebooted, the
> entire system began functioning (a whole lot) better and quicker. Not to
> imply this has solved my problem.

Was this on startup? The only way I'd expect Scandisk to start by
itself otherwise would be if it had been set as a Task.

But if this is XP, there's no Scandisk - only the older and far less
flexible ChkDsk. If your file system is NTFS, it does some on-the-fly
repairs - which is a bit controversial as it's outside your control,
may throw away partial data you'd have rather kept, and can sweep "for
immediate action!!" items under the carpet (too late for warranty?).

For example, if your hard drive started to die, developing new bad
sectors, you want that alerted in huge red letters, not so? Instead,
NTFS relocates failing sectors on the fly (just as Scandisk surface
does when you ask it to, and just as modern HDs' internal defect
management does whether you want it to or not).


-------------------- ----- ---- --- -- - - - -
Trsut me, I won't make a mistake!
 