Topic: Has my PC been infected.

[Tony]

Right A friend of mine had probs with his PC, mouse all over the place, Active Desktop would not load. And before you could attempt to solve any thing or attempt to go into safe mode, Windows would just close down.

Anyway in the course of things I was going to restore a saved image of C: Drive, which ment putting his Hard Drive in my PC. Anyway, could not do for some reason, and nor would his hard drive, after reformatting, install a clean W2K. Anyway it was running late and as it was an old 5400rpm 8MB hard drive, I let him have my stand by 40GB hard drive, so as to get him up and running.

Anyway since then, my PC has been acting funny, like sometimes when closing down, a box comes up saying Outlook is running, even if I have not had it open. Plus some times when I try to open Outlook it will not load unless I reboot.

Also whilst browsing, sometimes hearing the 'shutting door' sound made by instant messager programs even though I do not use such programs or have any installed.

And when I look in the 'Computer Management' tab under 'Shared Folders' there are three folders listed as:

'Shares' containing "ADMINS$ C:\ WINNT [under properties tab/ comment, it says, Remote Admin]

also C$ C:\ [under properties tab/ comment, it says, Default Share]

IPC$    [under properties tab/ comment, it says, Remote Admin]

Also under "Shared Folders" it has two more folders named "Sessions" and "Open Files" [both of which are empty]

Does this mean my C:Drive is wide open
 
Now I have not enabled file sharing, and if I try to stop sharing. A message box comes up saying : "This share was created for Administrative purposes only. The share will reappear when the Server service is stopped and restarted or the computer is rebooted.

As I have not enabled File sharing, I'm sure that Folder should be empty, Right ?

I have run my Anti Virus program [Symantec] found nothing.

Also I have run the following "fix it tools"

Trojan.Qhosts
W32.Swen.A@mm
W32.Sobig.F@mm
W32.Dumaru@mm
W32.Welchia.Worm
W32.Blaster.Worm
Backdoor. Winshell.50

All said, non were found on my PC, but the Trogan. Qhosts said this:

The value "HostName" of the registry key
"SYSTEM\CurrentControlSet\Services\VxD\MSTCP"
is set to "Administrator".
The folder "C:\System Volume Information" was not scanned.
Trojan.Qhosts has not been found on your computer.
 
The Fix Swen tool came upo with this message:

The default value of the registry key
"SOFTWARE\Classes\scrfile\shell\config\command"
is set to ""%1" %*".
The folder "C:\System Volume Information" was not scanned.
W32.Swen.A@mm has not been found on your computer.

Right anybody got any thoughts on the above.


 

[Tony]

Oh, whilst I remember, on sending emails, I noticed the little box " Symantec scanning" was not coming up.

So I went into Symantec and notice "Auto Protect" and "Email Scanning" had been switched off!!!!!!! and I could not enable them with out rebooting.

[Clive]

That is usually a classic symptom of a virus isn't it?  I hope someone can help.

[Sandra]

Have you tried running a scan in safe mode Tony, I think 2K has system restore too so disable that before you scan.
It does sound like you have caught something off your friends drive even though it wouldnt allow you to copy it across.
I had that recently when putting another PCs drive in mine as a slave to copy its data and fortunately Norton found and quarantined 2 viruses (virii ?) before any harm was done.

The moral of the story is that unless you are certain that the other PC is not infected do not put its drive in your main PC if at all possible. I wanted to put it in my no 2 PC but that will only take a 65 gig drive and it was an 80 gig drive that I was saving data from  

[Sandra]

So I went into Symantec and notice "Auto Protect" and "Email Scanning" had been switched off!!!!!!! and I could not enable them with out rebooting.

Prior to doing what I have just suggested Tony, uninstall and reinstall Norton, it sounds like something has switched the auto protect feature off and may have corrupted your current Norton installation  

[Simon]

Sounds nasty, Tony.  I'm not going to try to offer any advice, as this is way over my head, but best of luck, mate!  

[Michelle]

I had some new info sent from ntl today .... well sometime but I only looked at it today. I doubt its news to you but you might wanna have a look anyway.

I think clive has already posted on these things but just in case .

http://homepage.ntlworld.com/virus.outbreak/

[Sandra]

I wonder why the XP version in that information didnt say anything about turning off system restore as I am sure that the original fixblast removal tool info suggested that as well as running it in safe mode  

[Simon]

Here are the instructions for the Norton FixBlast tool:

   1. Download the FixBlast.exe file from:

      http://securityresponse.symantec.com/avcenter/FixBlast.exe


   2. Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).
   3. To check the authenticity of the digital signature, refer to the section, "Digital signature."
   4. Close all the running programs before running the tool.
   5. If you are running Windows XP, then disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for additional details.

      CAUTION: If you are running Windows XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.
   6. Double-click the FixBlast.exe file to start the removal tool.
   7. Click Start to begin the process, and then allow the tool to run.

      Note: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and then run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."
   8. Restart the computer.
   9. Run the removal tool again to ensure that the system is clean.
  10. If you are running Windows XP, then re-enable System Restore.
  11. Run LiveUpdate to make sure that you are using the most current virus definitions.


When the tool has finished running, you will see a message indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:

    * Total number of the scanned files
    * Number of deleted files
    * Number of terminated viral processes
    * Number of fixed registry entries

[Tony]

W2K does not have system restore Sandra, but I do have Goback, but I uninstalled it before running the Fix It tools. I also run a scan as you suggested in Safe Mode, but still nothing. At the time I did not think my mates PC was infected Sandra, but that is the last time I put somebody elses HDD in my PC. >

Can anybody out there who has not enabled "File Sharing" confirm that there is no files in the "Share Files" folder under  the "Manage" tab in "My Computer" on their PC.

Thanks for your input guy's and gal's, but if I cannot find anything, and given all the unusual events with my PC since I put my mates HDD in my machine, I'm minded to do a reformat and reinstall. It's just the thought of the frigging hours of security downloads that p** me off   > Roll on Broadband.  

I'll wait and see what Adept or Dack have to say on the matter first though.

[Sandra]

I have shared folders on mine Tony but I think that the only ones that go in there are the ones you put in yourself, so if you havent shared any it should be empty  

[Clive]

I've just checked mine too Tony and there are no files there which I haven't put in myself.

[Tony]

I have shared folders on mine Tony but I think that the only ones that go in there are the ones you put in yourself, so if you havent shared any it should be empty  

Yes that's what I think Sandra, I can prove it either way, by doing a reformat and clean install, but it means hours of program installs an updating to prove it. As you an Clive do use File Sharing, I would have prefered somebody not File Sharing, just having a look on their PC and posting if that "Shared Folders" folder was empty or not, it's only a 3 second job.

It's times like these you get to know who your real friends are
   

[Adept]

It does sound suspicious Tony

But before you go wiping your drive, tell me something, do you still have a spare drive available, or even another PC?

Personally, I would remove the current drive from your PC, install the spare one and install W2K on it with up-to-date AV. Then re-install the "infected" drive as a slave or the secondary master and give it a good going over with your av program.

If it doesn't find anything, it ism't infected and you need to look elsewhere for the source of the problem. If it is infected, your av software should sort it out, allowing you to re-install the newly cleaned drive. Don't forget to re-install and update your av software once the PC is back to normal.

Hope this helps

[Tony]

Cheers Adept,

No I have not got a spare drive [gave it to my mate] But I'm hoping a replacement will arrive tomorrow some time. So I reckon I'll wait til it comes and do as you say. And as soon as I install W2K on that new drive, I'll be able to see if that " Shared Folder" is empty.

Thanks mate