XP Pro with SP1 badly corrupted with suspected viruses

GBL

This is a 2-3 year old Compaq Presario standalone PC running XP Pro with
SP1 that connects to the internet using Juno via dialup.

The following symptoms have gotten progressively worse
since June 2004.
When shutting down, there are a number of applications
that hang, "failing to respond", and which have to be
closed using the "END NOW" button or using Task Manager,
such as WTOOLSA.exe, WUPDATER.exe, "Version", "TSM".
On boot up, there is something called "INSTALL" that gives
a message about not being able to reach a network
server and tries to install something. NONE of these behaviors
manifest themselves in SAFE MODE.

Steps taken:
Cleaned out the startup groups, now devoid of any apps at
startup, for each profile and for "all users".
Ran Disk Cleanup.
Manually cleaned out the c:\windows\temp folder, plus
the "TEMP" folder in each user profile.
De-installed superfluous 3rd party software that was never
going to be used.
Chkdsk resulted in "bad clusters for C:\windows\service~1
\i386\MSGSLANGS.DLL".
Ran DEFRAG.

Plus, what is the significance of the C:\Windows\prefetch
folder and its contents?
 
GBL said:
This is a 2-3 year old Compaq Presario standalone PC running XP Pro with
SP1 that connects to the internet using Juno via dialup.

Plus, what is the significance of the C:\Windows\prefetch
folder and its contents?

Juno is a source of many viruses, trojans, and malware. Anyone on
dialup needs an anti-virus app with updated virus defs, a firewall, and
either SpyBot or Ad-aware. Develop a routine disinfection program. At
this point, I believe that your safest course is to disconnect from the
Internet, format and reinstall your operating system. Then acquire
antivirus, updated virus definitions, free personal firewall, Spybot or
Ad-Aware from a *clean* third party, and install those, again before
reconnecting to the internet the first time.

Prefetch contains optimized startup files for your applications. You
can delete the *contents only* anytime you choose. Prefetch will then
be rebuilt as you use applications.

Q
 
GBL said:
When shutting down, there are a number of applications
that hang, "failing to respond", and which have to be
closed using the "END NOW" button or using Task Manager,
such as WTOOLSA.exe, WUPDATER.exe, "Version", "TSM".
On boot up, there is something called "INSTALL" that gives
a message about not being able to reach a network
server and tries to install something. NONE of these behaviors
manifest themselves in SAFE MODE.

Those are associated with malware. Run these programs to check for
spyware/malware. After installing, update them, then boot into safe mode
and run them. You should update and run them weekly.

Cwshredder
http://aumha.org/freeware/freeware.php#cwshred

Ad-aware SE
http://www.lavasoftusa.com

Spybot Search and Destroy
http://www.safer-networking.org

Bazooka Adware and Spyware Scanner
http://download.com.com/3000-2144-10247783.html

Pest Patrol Free Pest Scanner
http://www.pestscan.com/ScanOrTrial.asp

If you're still having problems after running these, then run HijackThis
and post the log to one of the specialty forums, _NOT_ this one.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

After your system is clean use these programs to help keep it clean:

Spywareblaster
www.javacoolsoftware.com/sbdownload.html

Spywareguard
http://www.javacoolsoftware.com/sgdownload.html

IE-SPYAD
http://www.staff.uiuc.edu/~ehowes/resource.htm

For viruses:

Online and Downloadable Virus Scanning:

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Bit Defender Online Virus Scan:
http://www.bitdefender.com/scan/license.php

Symantec Online Virus and Security Scan:
http://security.symantec.com/ssc/home.asp

TrendMicro:
http://housecall.trendmicro.com/housecall/start_corp.asp

McAfee Online Virus Scan:
http://www.mcafee.com/myapps/mfs/default.asp

RAV AntiVirus - Scan Online
http://www.ravantivirus.com/scan/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/

[Note: Stinger looks only for a limited number of specific viruses.
It’s not intended for full strength virus scanning and removal, but it
can help eliminate enough threats to allow you to install and scan with
a full featured AV program.]

Make sure you have a firewall active at all times. If nothing else, use
the one built into XP, but there are a variety of free third-party ones
from Sygate, Zone Alarm or Kerio that do a better job.

Sygate Personal Firewall
http://smb.sygate.com/products/spf_standard.htm

Zone Alarm
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?lid=staticcomp_za

Kerio Personal Firewall
http://www.kerio.com/kpf_download.html

Lastly, check your system for vulnerabilities. Make sure you have all
the latest security patches from Windows Update too.

Websites which will check for vulnerabilities:

Browser Security Tests:
http://www.jasons-toolbox.com/BrowserSecurity/

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/
www.pcpitstop.com
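
The poster emptied the Startup groups and the same programs still ran at logon, which is the usual sign that the launch point is a registry autostart key rather than a Startup folder; the scanners listed above (HijackThis in particular) report exactly those keys. The Python below, added here as an example and not code from the original reply or from any of those tools, triages a regedit export (.reg) of the Run/RunOnce and Winlogon keys. SAMPLE_REG, every path in it and the WATCHLIST names are constructed for the example, not taken from the poster's machine.

```python
"""Triage the registry autostart points that emptying the Startup folders does
not touch: Run/RunOnce for the machine and the user, plus the Winlogon
Shell/Userinit values. Input is the text of a regedit export of those keys;
SAMPLE_REG below is constructed for this example (names and paths made up)."""
import re

# Assumption: the process names the thread reports hanging at shutdown.
WATCHLIST = {"wtoolsa.exe", "wupdater.exe"}

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Values a clean XP install carries; anything appended to them runs at every logon.
WINLOGON_EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"c:\windows\system32\userinit.exe,",
}
# Commands launched from temp or profile directories deserve a closer look (assumption).
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\")

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if not (data.startswith('"') and data.endswith('"')):
                continue  # dword:/hex: values do not hold command lines
            name = "(default)" if name == "@" else name.strip('"')
            # regedit escapes backslashes and double quotes with a backslash
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys

def exe_basename(command):
    """Lower-cased file name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces; CreateProcess resolves them by
        # trying successive prefixes, so cut at the first ".exe" when present.
        cut = command.lower().find(".exe")
        exe = command[:cut + 4] if cut != -1 else command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()

def triage_autoruns(reg_text):
    """Return (key, value_name, command, reason) for each entry worth investigating."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key in AUTORUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            if exe_basename(cmd) in WATCHLIST:
                findings.append((key, name, cmd, "named in the reported symptoms"))
            elif any(d in cmd.lower() for d in SUSPECT_DIRS):
                findings.append((key, name, cmd, "launched from a temp/profile directory"))
    winlogon = keys.get(WINLOGON_KEY, {})
    for name, expected in WINLOGON_EXPECTED.items():
        # Only compare values the export actually contains
        if name in winlogon and winlogon[name].lower() != expected:
            findings.append((WINLOGON_KEY, name, winlogon[name],
                             "Winlogon value differs from the clean-install default"))
    return findings

# Constructed sample export: the WinTools name echoes the thread, the rest is invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"WinTools"="C:\\Program Files\\Common Files\\WinTools\\WToolsA.exe"
"Updater"="\"C:\\Documents and Settings\\GBL\\Local Settings\\Temp\\install.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\extra.exe"
'''

if __name__ == "__main__":
    for key, name, cmd, reason in triage_autoruns(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} = {cmd}")
```

To run it against a real XP box, export each key with `regedit /e out.reg "<key>"` and read the file with `open("out.reg", encoding="utf-16")`, since regedit 5.00 exports are UTF-16LE. The Userinit check is deliberately strict: a second program appended after `userinit.exe,` runs at every logon and never shows up in a Startup folder.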
 
GBL said:
Plus, what is the significance of the C:\Windows\prefetch
folder and its contents?

Separate from the other matters:

When a program is loaded, a record is put, or updated, in the
corresponding file in Prefetch, detailing what files it uses, in what
order. Boot of the system has such a record, too.

From that, two things happen.

One - when a load is started in the future, the system arranges to get the
expected files into RAM straight away, without waiting to be asked, and

Two - every three days, a sort of semi-defrag run is done in a quiet
period, which arranges files so that such sets will be able to load as a
smooth stream without needing to hunt around the disk for them. The boot
side of this speeds loading of the system: the Bootvis program does a
preliminary optimisation of their layout, but it will take place, and
better, through the automatic process. The details of the best layout
are kept in the layout.ini file, which is checked and updated each time
this optimisation runs, for the best overall performance. This can
alternatively be used for optimisation by some third party defrag programs,
e.g. Perfect Disk Pro.

Two points:

Contrary to what is said, it is *not* necessary to empty Prefetch. Any
program that does not get used for a week or so will have its file
dropped out anyway; ones that are rarely used get low priority in
optimisation.

and:
The optimisation at regular intervals is initiated by Task Scheduler, so
you need to have it running for this to work (also for System Restore
to make its daily restore point), even though no scheduled task appears
if you look in Control Panel - Scheduled Tasks. Check the Advanced menu
there, and if it says 'Start Using...' click that so it says 'Stop
Using...'. It then looks for a time when the system is quiescent (I
think it waits for 15 mins of no disk activity, but am not sure on
that). This is one reason for the query 'my hard disk goes chattering
when I am doing nothing'; the other being search engine indexing.
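
Both replies that answer the Prefetch question describe it as a loading optimisation, which it is; the same .pf files are also evidence when tracing what a process such as WTOOLSA.exe did, because each one records the executable name, how many times it ran, when it last ran and which files it mapped. The Python below is an added example, not part of either reply: it parses the XP (version 17) Prefetch layout at the documented offsets. The sample .pf is assembled inline by build_sample_pf() from made-up values (name, hash, time, paths), not captured from a real machine, and the "mapped from a temp or profile directory" check is an assumption about what is worth flagging. Later Windows versions use other layouts (and Windows 8+ compresses the files), which this parser refuses rather than misreads.

```python
"""Parse an XP-format (version 17) Prefetch file and report what an incident
responder wants from it: executable name, run count, last run time and the
files the loader mapped. SAMPLE_PF is built inline by build_sample_pf() from
made-up values (constructed test data, not a real .pf from the poster's PC)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_VERSION = 0x11       # format version used by Windows XP / Server 2003
XP_HEADER_LEN = 0x98    # 0x54-byte common header + 0x44-byte XP file information
TEMP_MARKERS = ("\\TEMP\\", "\\DOCUMENTS AND SETTINGS\\")  # assumption: worth a look

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_xp_prefetch(data):
    """Decode the fields at the documented XP offsets; refuse other versions."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a Prefetch file")
    if version != XP_VERSION:
        raise ValueError("only the XP layout (version 17) is handled here")
    # 0x10: executable name, UTF-16LE, up to 29 characters plus terminator
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)   # also in the .pf file name
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    # The strings section is a run of NUL-terminated UTF-16LE device paths
    blob = data[strings_off:strings_off + strings_len]
    loaded = [s for s in blob.decode("utf-16-le").split("\x00") if s]
    return {
        "exe_name": exe_name,
        "path_hash": path_hash,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft),
        "loaded_files": loaded,
    }

def name_matches_header(pf_filename, info):
    """A .pf is named EXE-HASH.pf; a mismatch means it was renamed or tampered with."""
    stem = pf_filename.replace("/", "\\").rsplit("\\", 1)[-1]
    if not stem.lower().endswith(".pf") or "-" not in stem:
        return False
    name, hex_hash = stem[:-3].rsplit("-", 1)
    try:
        return name.upper() == info["exe_name"].upper() and int(hex_hash, 16) == info["path_hash"]
    except ValueError:
        return False

def suspicious_loads(info, markers=TEMP_MARKERS):
    """Files mapped from temp or profile directories, unusual for a system component."""
    return [p for p in info["loaded_files"] if any(m in p.upper() for m in markers)]

def build_sample_pf(exe_name, path_hash, run_count, last_run, loaded_files):
    """Assemble a minimal version-17 image (only the fields parsed above are filled)."""
    strings = "".join(p + "\x00" for p in loaded_files).encode("utf-16-le")
    header = bytearray(XP_HEADER_LEN)
    struct.pack_into("<I4s", header, 0, XP_VERSION, b"SCCA")
    struct.pack_into("<I", header, 0x0C, XP_HEADER_LEN + len(strings))  # total file size
    name = exe_name.encode("utf-16-le")[:58]
    header[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", header, 0x4C, path_hash)
    struct.pack_into("<II", header, 0x64, XP_HEADER_LEN, len(strings))  # strings section
    struct.pack_into("<Q", header, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", header, 0x90, run_count)
    return bytes(header) + strings

# Constructed sample: the executable name echoes the thread, everything else is invented.
SAMPLE_LAST_RUN = datetime(2004, 9, 14, 7, 42, 5, tzinfo=timezone.utc)
SAMPLE_FILES = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\GBL\LOCAL SETTINGS\TEMP\HELPER.DLL",
]
SAMPLE_PF = build_sample_pf("WTOOLSA.EXE", 0x1A2B3C4D, 47, SAMPLE_LAST_RUN, SAMPLE_FILES)

if __name__ == "__main__":
    info = parse_xp_prefetch(SAMPLE_PF)
    print(f'{info["exe_name"]}: run {info["run_count"]} times, last {info["last_run"]:%Y-%m-%d %H:%M:%S} UTC')
    print("file name consistent with header:", name_matches_header("WTOOLSA.EXE-1A2B3C4D.pf", info))
    for path in suspicious_loads(info):
        print("mapped from temp/profile:", path)
```

This is also why deleting the Prefetch folder during a cleanup is a loss from the investigator's side: the run counts and last-run times of the offending executables go with it, so copy the folder off the machine before wiping anything.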
 
