Infections Gone, but Problems Persist

By EXCellR8 ยท 14 replies
Aug 27, 2009
  1. So my dad somehow managed to allow his computer to become highly infected with malware again. How he does this is beyond me, but that's for another time. Anyways, I quarantined about 60 infected files w/ Avira AntiVir and the detections have stopped since. They seemed relatively harmless until I tried fixing his theme/wallpaper...

    It seems as if the malware has removed the themes and the window where you can select a wallpaper image is not interactive; it's grayed-out. The registry editor was also disabled but i ran some scripts and that's perfectly fine now. I can't figure out which entries control this stuff, but I found similar entries before when his tabs were missing from the Display Properties window as well.

    So, I don't really know what to do for him as of now. The good thing is that he doesn't really care that he can't apply a desktop background, but it's not right and i would like to fix it. Is there any way I can reset the Display Properties? Computer is running XP Home service pack 3. Thanks in advance.
  2. captaincranky

    captaincranky TechSpot Addict Posts: 13,005   +2,532

    Why wouldn't doing a repair install of Windows be an option?
    Um porn maybe? Well hey, it is legal for grownups ya know. Or a more innocent explanation might be accidentally clicking on one of those, "your order is ready" emails. Or possibly porn. No wait, I said that already.
  3. EXCellR8

    EXCellR8 The Conservative Topic Starter Posts: 1,835

    well it wouldn't surprise me if he was on some adult site and clicked on some bogus ad, but i thought he was smarter than that... i've told him time and time again not to click on ads, but i guess it just goes in one ear and out the other.

    I was hoping I wouldn't need to run a repair install, but it's looking like I might have no choice at this point. I did run the Windows File Protection scan and nothing came up, which was weird to me but I suppose that doesn't correct any registry issues. If I can't figure anything out by the end of the day, I will run the repair install, but only if he wants me to because the computer is running fine as it is.
  4. strategic

    strategic TechSpot Paladin Posts: 1,020

    If you don't have a problem losing anything on the PC, do a repair, otherwise, have you tried the 8-step?
  5. EXCellR8

    EXCellR8 The Conservative Topic Starter Posts: 1,835

    honestly, it isn't worth going through the 8-step at this point. i figured i could restore the Display Properties settings via the registry after the infections were removed, but i can't figure out how. all of the entries hold correct values, so i can't really do anything. it's easy enough to perform the repair install but i just reformatted the computer less than 6 months ago... i think he needs someone to watch him at all times lol, so this doesn't keep happening.

    EDIT: so i guess the infection isn't completely gone after all, Avira keeps picking up malicious .htm files in:

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files

    If I leave this directory open, a bunch of files/cookies will start to appear without any internet browsers running. I can delete them but then they come back in a matter of minutes. It doesn't seem like this HTML script virus is dangerous, but it's very annoying. I'm going to run CCleaner and see if I can stop the files from being copied. If I could find a hidden process that would be ideal, but everything looks normal, even in Process Explorer...
  6. strategic

    strategic TechSpot Paladin Posts: 1,020

    Actually, (I know Captain will back me up on this too) when you reinstall / repair the O/S, install Firefox as the default browser and install the 'no script' add-on. If you do that, it won't matter if you click on those inks, they won't work (until your dad figures out how to "allow" the links to work.
  7. captaincranky

    captaincranky TechSpot Addict Posts: 13,005   +2,532

    Yes I agree, Firefox and "NoScript".

    As a testimonial to this, I currently have 8 scripts blocked, and this site works just dandy. It's mostly from people and places that want to know your business, like "Google Analytics".

    Assuming a reasonable attention and maintenance to security software, I could link up to some "photo sites" that don't seem to be harmful to computers and other living things.

    Although actually, there is as good a chance of catching an infection on Facebook.

    Oh, and f*** "stun", set the Email spam filters on "Kill". Anybody not in dad's contact list will have to learn how to take a joke.

    As I recall, a repair install doesn't even effect the updates. So, it's relatively painless. However, for this very reason, it is a tad hit or miss, with respect to results
  8. EXCellR8

    EXCellR8 The Conservative Topic Starter Posts: 1,835

    Going to have to remember that no-script thing for Firefox, which he uses as the def browser. He does download and install a whole bunch of non-sense for it, like themes, buttons, and other little tidbits of wasted space, so i wonder if something got in that way.

    The detections seemed to quiet down after I ran CCleaner, but when I went to explore C:\ there was a trojan sitting right there in the root, named "djos.exe." i have no idea how bad it is, but I quarantined it immediately upon finding it. no idea if that was responsible for all the .htm detections, but i'm surprised it wasn't picked up on earlier during the scan.
  9. strategic

    strategic TechSpot Paladin Posts: 1,020

    Another thing I'm experimenting with is the Windows HOSTS file.
    It may not apply but hope to learn more about it soon.
  10. captaincranky

    captaincranky TechSpot Addict Posts: 13,005   +2,532

    I think that the "Advanced System Care" program has some entries for the hosts files, above and beyond those in the Spybot SD hosts entries. It's on a different button than the clean function.
  11. strategic

    strategic TechSpot Paladin Posts: 1,020

    Hey Captain, call me a ******** but I don't think I understand what you're telling me.:confused:
    I actually broke down and installed the HOSTS file just after I posted my other reply, I don't think I ever had Spybot ever since I upgraded the PC to XP Pro, but I have installed the Advanced System Care (once again, it works really well, thanks a lot), but the original hosts file was basically empty. I put in the hosts file I ran across on this site before ( It's too soon to say but I think I'm not seeing the ads I used to see.
  12. captaincranky

    captaincranky TechSpot Addict Posts: 13,005   +2,532

    Use Advanced System Care in the "Diagnose System" mode, (button on the right). Then scan the system with the "Security Defense" function. (I believe) The results it returns are destined to become entries in the "Hosts File". Assuming you take it's advice.

    Spybot S&D's immunize function is also tied to the hosts file, as Spybot puts hundreds of entries there to prevent access to known bad sites

    This is my best understanding ATM. In any event, the immunization that both Spybot and Advanced System Care apply, seems to valuable to ignore.
  13. EXCellR8

    EXCellR8 The Conservative Topic Starter Posts: 1,835

    Ugh, the registry editor has been disabled again and the command that worked before isn't working the second time around. Repair install imminent... this is ridiculous.
  14. captaincranky

    captaincranky TechSpot Addict Posts: 13,005   +2,532

    Don't shoot the messenger, but it's starting to sound like a reformat is imminent!

    If something is still in the machine, causing ongoing and escalating problems, I am too superstitious to believe that the computer can still be used for critical issues like banking.

    A reformat and a good stern talking to, may be what's called for here. Be firm but gentle, after all, a complete reformat is a punishment in itself. ;)
  15. gguerra

    gguerra TS Guru Posts: 319

    If you have constant problems with malware and you somehow keep getting infected I would recommend the following 2 part solution (using firefox). I do this at work and have installed it for several users here mainly the boss which kept getting infected much like your dad..
    Sandboxie. Read more here
    Web of Trust: a firefox add-on that will warn you of malicious sites.

    This has worked well to keep my system (and others) pretty clean. I've even done some virus scans with Avira and it picked up some malware but it was all confined to the isolated sandbox.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...