Infections Gone, but Problems Persist

Status
Not open for further replies.

EXCellR8

Posts: 1,797   +1
So my dad somehow managed to allow his computer to become highly infected with malware again. How he does this is beyond me, but that's for another time. Anyways, I quarantined about 60 infected files w/ Avira AntiVir and the detections have stopped since. They seemed relatively harmless until I tried fixing his theme/wallpaper...

It seems as if the malware has removed the themes, and the window where you can select a wallpaper image is not interactive; it's grayed out. The registry editor was also disabled, but I ran some scripts and that's perfectly fine now. I can't figure out which entries control this stuff, but I found similar entries before when his tabs were missing from the Display Properties window as well.

So, I don't really know what to do for him as of now. The good thing is that he doesn't really care that he can't apply a desktop background, but it's not right and I would like to fix it. Is there any way I can reset the Display Properties? The computer is running XP Home Service Pack 3. Thanks in advance.
 
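The grayed-out wallpaper picker, the missing Display Properties tabs and the disabled registry editor described above are all driven by per-user policy values under HKCU. The following script is an example added to this thread (not code from any participant): it lists the policy values that produce those symptoms, reports which ones are currently enforced, and prints the reg.exe commands that clear them. The value names are the standard Windows policy names; the effect descriptions are the editor's own wording. Reading the registry needs the winreg module, so that part only runs on Windows, while the audit logic itself is a plain function you can feed exported data.

```python
"""Audit the per-user policy values that malware commonly sets to gray out
Display Properties and disable regedit. Example code added to this thread,
not from any participant. find_restrictions() is a pure function over a
dict; read_policy_values() uses winreg and therefore only works on Windows."""
try:
    import winreg  # standard library, Windows only
except ImportError:  # not on Windows: reading is unavailable, auditing still works
    winreg = None

# HKCU subtree that holds per-user policy restrictions.
POLICY_ROOT = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# (subkey under POLICY_ROOT, value name, user-visible effect when set).
# A nonzero DWORD (or, for Wallpaper, a non-empty string) enforces the restriction.
POLICY_VALUES = [
    ("System", "DisableRegistryTools", "regedit.exe refuses to start"),
    ("System", "Wallpaper", "wallpaper forced by policy, picker grayed out"),
    ("Explorer", "NoDispCPL", "Display Properties cannot be opened"),
    ("Explorer", "NoDispBackgroundPage", "Desktop/background tab removed"),
    ("Explorer", "NoDispAppearancePage", "Appearance tab removed"),
    ("Explorer", "NoDispScrSavPage", "Screen Saver tab removed"),
    ("Explorer", "NoDispSettingsPage", "Settings tab removed"),
    ("Explorer", "NoThemesTab", "Themes tab removed"),
    ("Explorer", "NoActiveDesktopChanges", "Active Desktop settings locked"),
    ("ActiveDesktop", "NoChangingWallPaper", "wallpaper selection grayed out"),
]


def is_restricting(data):
    """True when the stored data actually enforces the policy."""
    if isinstance(data, int):
        return data != 0
    if isinstance(data, str):
        return data.strip() != ""
    return False


def find_restrictions(values):
    """values maps (subkey, value_name) -> data as read from the registry.
    Returns the (subkey, name, effect) triples that are currently enforced,
    in the order of POLICY_VALUES."""
    return [
        (subkey, name, effect)
        for subkey, name, effect in POLICY_VALUES
        if is_restricting(values.get((subkey, name)))
    ]


def read_policy_values():
    """Read every value listed in POLICY_VALUES from HKCU (Windows only).
    Keys or values that do not exist are simply absent from the result."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    found = {}
    for subkey, name, _effect in POLICY_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_ROOT + "\\" + subkey) as key:
                data, _type = winreg.QueryValueEx(key, name)
                found[(subkey, name)] = data
        except OSError:
            continue  # key or value missing: nothing enforced
    return found


def reg_delete_commands(findings):
    """reg.exe commands that remove the enforced values. DisableRegistryTools
    targets regedit.exe, so reg.exe from a command prompt still works."""
    return [
        'reg delete "HKCU\\%s\\%s" /v %s /f' % (POLICY_ROOT, subkey, name)
        for subkey, name, _effect in findings
    ]


if __name__ == "__main__":
    findings = find_restrictions(read_policy_values())
    if not findings:
        print("no policy restrictions found under HKCU")
    for subkey, name, effect in findings:
        print("%s\\%s is enforced (%s)" % (subkey, name, effect))
    for cmd in reg_delete_commands(findings):
        print(cmd)
```

The same value names can also be set machine-wide under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies, so check that tree too if HKCU comes back clean. If the values reappear after you delete them, something is still running and re-applying them, which is exactly what the later posts in this thread conclude.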
Why wouldn't doing a repair install of Windows be an option?
So my dad somehow managed to allow his computer to become highly infected with malware again. How he does this is beyond me, but that's for another time.
Um porn maybe? Well hey, it is legal for grownups ya know. Or a more innocent explanation might be accidentally clicking on one of those, "your order is ready" emails. Or possibly porn. No wait, I said that already.
 
Well, it wouldn't surprise me if he was on some adult site and clicked on some bogus ad, but I thought he was smarter than that... I've told him time and time again not to click on ads, but I guess it just goes in one ear and out the other.

I was hoping I wouldn't need to run a repair install, but it's looking like I might have no choice at this point. I did run the Windows File Protection scan and nothing came up, which was weird to me but I suppose that doesn't correct any registry issues. If I can't figure anything out by the end of the day, I will run the repair install, but only if he wants me to because the computer is running fine as it is.
 
If you don't have a problem losing anything on the PC, do a repair, otherwise, have you tried the 8-step?
 
Honestly, it isn't worth going through the 8-step at this point. I figured I could restore the Display Properties settings via the registry after the infections were removed, but I can't figure out how. All of the entries hold correct values, so I can't really do anything. It's easy enough to perform the repair install, but I just reformatted the computer less than 6 months ago... I think he needs someone to watch him at all times lol, so this doesn't keep happening.

EDIT: So I guess the infection isn't completely gone after all; Avira keeps picking up malicious .htm files in:

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files

If I leave this directory open, a bunch of files/cookies will start to appear without any internet browsers running. I can delete them but then they come back in a matter of minutes. It doesn't seem like this HTML script virus is dangerous, but it's very annoying. I'm going to run CCleaner and see if I can stop the files from being copied. If I could find a hidden process that would be ideal, but everything looks normal, even in Process Explorer...
 
Actually (I know Captain will back me up on this too), when you reinstall/repair the O/S, install Firefox as the default browser and install the 'NoScript' add-on. If you do that, it won't matter if you click on those links; they won't work (until your dad figures out how to "allow" the links to work).
 
Yes I agree, Firefox and "NoScript".

As a testimonial to this, I currently have 8 scripts blocked, and this site works just dandy. It's mostly from people and places that want to know your business, like "Google Analytics".

Assuming a reasonable attention and maintenance to security software, I could link up to some "photo sites" that don't seem to be harmful to computers and other living things.

Although actually, there is as good a chance of catching an infection on Facebook.

Oh, and f*** "stun", set the Email spam filters on "Kill". Anybody not in dad's contact list will have to learn how to take a joke.

As I recall, a repair install doesn't even affect the updates. So, it's relatively painless. However, for this very reason, it is a tad hit or miss with respect to results.
 
Going to have to remember that NoScript thing for Firefox, which he uses as the default browser. He does download and install a whole bunch of nonsense for it, like themes, buttons, and other little tidbits of wasted space, so I wonder if something got in that way.

The detections seemed to quiet down after I ran CCleaner, but when I went to explore C:\ there was a trojan sitting right there in the root, named "djos.exe." I have no idea how bad it is, but I quarantined it immediately upon finding it. No idea if that was responsible for all the .htm detections, but I'm surprised it wasn't picked up earlier during the scan.
 
Another thing I'm experimenting with is the Windows HOSTS file.
It may not apply but hope to learn more about it soon.
 
Another thing I'm experimenting with is the Windows HOSTS file.
It may not apply but hope to learn more about it soon.
I think that the "Advanced System Care" program has some entries for the hosts file, above and beyond those in the Spybot S&D hosts entries. It's on a different button than the clean function.
 
Hey Captain, call me a ******** but I don't think I understand what you're telling me.:confused:
I actually broke down and installed the HOSTS file just after I posted my other reply. I don't think I've had Spybot since I upgraded the PC to XP Pro, but I have installed Advanced System Care (once again, it works really well, thanks a lot), but the original hosts file was basically empty. I put in the hosts file I ran across on this site before (www.mvps.org). It's too soon to say, but I think I'm not seeing the ads I used to see.
 
Use Advanced System Care in the "Diagnose System" mode (button on the right). Then scan the system with the "Security Defense" function. (I believe) the results it returns are destined to become entries in the hosts file, assuming you take its advice.

Spybot S&D's immunize function is also tied to the hosts file, as Spybot puts hundreds of entries there to prevent access to known bad sites.

This is my best understanding ATM. In any event, the immunization that both Spybot and Advanced System Care apply seems too valuable to ignore.
 
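The hosts-file discussion above relies on one distinction: a block entry points a name at the local machine (what the MVPS list and Spybot's immunize function add), while an entry that points a name at some other address redirects it, which is a classic malware trick for cutting off security updates or impersonating a site. The following script is an example added to this thread (not code from any participant) that parses a hosts file and separates the two; the sample file embedded in it is constructed, with 203.0.113.5 taken from the documentation address range.

```python
"""Audit a Windows HOSTS file. Example code added to this thread, not from
any participant. Block entries (name -> local machine) are counted; entries
that send a name anywhere else are reported as suspicious."""
import ipaddress
import re

# Targets that block a name rather than redirect it.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample file for this example; 203.0.113.5 is a documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad.example.net   # blocked, MVPS style
127.0.0.1  tracker.example.org
203.0.113.5   update.security-vendor.example   # redirected elsewhere: hijack
203.0.113.5   www.bank.example
not an entry at all
"""


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for each syntactically valid entry.
    Comments and blank lines are skipped; malformed lines are ignored."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an address: not a hosts entry
        if len(parts) < 2:
            continue
        yield lineno, ip, parts[1:]


def audit_hosts(text):
    """Return {'blocked': n, 'suspicious': [(lineno, ip, hostname), ...]}.
    'localhost' mapped to loopback is normal and is not counted as a block."""
    blocked = 0
    suspicious = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip in BLOCK_TARGETS:
                if name.lower() != "localhost":
                    blocked += 1
            else:
                suspicious.append((lineno, ip, name))
    return {"blocked": blocked, "suspicious": suspicious}


if __name__ == "__main__":
    # On a real machine read %SystemRoot%\System32\drivers\etc\hosts instead.
    report = audit_hosts(SAMPLE_HOSTS)
    print("block entries:", report["blocked"])
    for lineno, ip, name in report["suspicious"]:
        print("line %d: %s -> %s (redirect, verify manually)" % (lineno, name, ip))
```

A freshly installed MVPS or Spybot hosts file should produce thousands of block entries and no suspicious ones; any redirect entry you did not add yourself, especially for an update or banking domain, deserves a look before trusting the machine again.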
Ugh, the registry editor has been disabled again and the command that worked before isn't working the second time around. Repair install imminent... this is ridiculous.
 
Ugh, the registry editor has been disabled again and the command that worked before isn't working the second time around. Repair install imminent... this is ridiculous.
Don't shoot the messenger, but it's starting to sound like a reformat is imminent!

If something is still in the machine, causing ongoing and escalating problems, I am too superstitious to believe that the computer can still be used for critical issues like banking.

A reformat and a good stern talking-to may be what's called for here. Be firm but gentle; after all, a complete reformat is a punishment in itself. ;)
 
If you have constant problems with malware and you somehow keep getting infected, I would recommend the following 2-part solution (using Firefox). I do this at work and have installed it for several users here, mainly the boss, who kept getting infected much like your dad.
Sandboxie. Read more here: http://www.sandboxie.com/
Web of Trust: a Firefox add-on that will warn you of malicious sites.

This has worked well to keep my system (and others) pretty clean. I've even done some virus scans with Avira and it picked up some malware but it was all confined to the isolated sandbox.
 