July 5, 2009

Here's What I Do When My Computer Gets a Virus

[UPDATE:] Below you will see the steps I took in trying to rid my computer of some powerful viruses that had slowed it to a crawl. Unfortunately, those steps led to a meltdown of my computer, after which I lost all of the data I had stored on it over the last three or four years.

The lesson I've learned is to back up my hard drive somewhere else before I start messing with the innards of my computer by trial and error.

Having suffered a complete meltdown, I formatted the hard drive and reinstalled all of the programs from scratch. Even then, a virus managed to infect my computer.

I am happy to report that by using HijackThis to see what was running on my computer, and then Googling one of the suspicious entries from the HijackThis log (printout), I found out that a removal tool called ComboFix could get rid of the virus. I used ComboFix following the instructions (download ComboFix to the desktop, close all other programs and disable the antivirus programs, and let ComboFix do its work).

I was initially afraid to let the free ComboFix tool install the Windows Recovery Console, which it offers to do on XP, but I did let it install the Recovery Console and it didn't cause any problems.

(I am a fervently self-taught person and I would generally prefer to make a mistake myself than pay someone else to make a mistake for me. And yet, there are people online who will analyze your HijackThis printout for you for free, and then tell you exactly what virus(es) your computer has and what you must do to remove them. Here's an example, but it's in Portuguese. The same kind of thing is available in English.)

Now my computer works much better. I only wish I had backed up all of my data on a different computer, or on a DVD, before taking the steps that you can see below.

Tags: antivirus, do it yourself, computer, windows, xp, virus, downloader, spybot, Online Armor, Average, AVG, hardware, software, format

Keep antivirus programs in a separate "Antivirus Folder", so you can find them quickly in an emergency.

I have known for a couple of weeks that my computer has some viruses in it because:

  • it suddenly locks up when I'm using the Internet;
  • Task Manager tells me that my browser (Firefox) is using practically all of the RAM that my computer has available.

Before I describe what I'm doing about it, I have to explain my philosophy of computer maintenance: I do not like to format my computer because (a) I have a lot of photographs and other documents on my hard drive that I don't want to lose; (b) it's monotonous to reinstall all of the programs that I regularly use; and (c) I learn a lot more about viruses and computer maintenance by identifying and removing viruses than I would by formatting my computer every time it gives me a problem.

If I paid someone else to format my computer, that would be even less cost-effective, because a technician earns his money when my computer gets gummed up again and I have to come back for another format. Few computer technicians will take the time to explain how to use antivirus programs effectively so that you avoid getting the same or other viruses again.

I know how to format my computer myself (completely clearing out everything on the hard drive and then putting back the operating system and programs one step at a time), but I just don't want to do that. To me, formatting a computer is like getting a lung transplant because you have a cold. It's a lot less work and less intrusive to just clear out the cold than to replace or nuke your whole respiratory system.

Anyway, a lung transplant won't prevent you from getting a cold again. Instead, I want to figure out exactly what virus I have and then find out what medicine will kill or remove that virus.

(Windows XP has a "System Restore" function, but it's actually dangerous to try to use it to remove a virus. System Restore takes snapshots of system files and the registry automatically, so once a machine is infected, the newer restore points usually contain copies of the malware and of its startup entries. Antivirus scanners cannot clean inside the System Volume Information folder where those snapshots live, so rolling back to a recent restore point can put the infection right back, and it undoes whatever cleanup you have done in the meantime. It's like a bank-account hacker who sets your computer to send him more money every time you use the "report fraud" function.

I would say NEVER to rely on "System Restore" to fix a computer that starts acting strangely, because there will probably be new and even more devastating surprises waiting for you. This is especially so because restoring the system requires rebooting the computer, and many viruses install themselves to run at every boot, so the reboot is when they take hold. Once the computer is clean, turn System Restore off and back on again to purge the old, infected restore points.)

So, here's another tip: If your computer starts acting strangely, do not reboot it until you have identified the problem and removed it. A reboot gives every startup entry the virus has planted (Run keys, services, Winlogon hooks) a chance to fire, and it wipes out the picture of what is running right now, which is exactly what you need for diagnosis. Rebooting might actually make the problem worse, like turning on the self-cleaning function on your stove because your stove is on fire.

Usually, I can avoid getting viruses, or remove them, by using free software available online. The first piece is a "firewall" that stands as a sentry between my computer and the Internet, controlling both incoming and outgoing traffic and blocking anything I haven't approved. Mine is called "Online Armor".

I also use a "registry protector" that watches the parts of the registry where programs register themselves to start automatically (the DNA of my computer's brain) and stops changes to them unless I give permission. The program I use for this is also free: "Spybot Search & Destroy" (most people just call it "Spybot"), whose TeaTimer component does the watching. It supervises those registry keys constantly, but note that it only guards the keys it knows about, not everything that happens on the computer.

If you haven't installed protective programs like these before your computer goes crazy, it will probably be too late when you discover that your computer is full of viruses. The viruses can take over the computer completely, blocking access to the Internet or to security websites, so you won't be able to download the programs and tools that you need to get rid of them. Like the human body, you have to have at least SOME antibodies and white blood cells, some immune system, in place beforehand, or ANY little virus will put you in the intensive care unit.

Even with these two programs (Spybot and Online Armor), sometimes a virus gets past my defenses and I need to find a way to remove it so that I won't have to format my computer. Spybot tells you that something is trying to change your computer and lets you make a choice, "yes" or "no". If you make the wrong choice, you let in a virus from which Spybot was designed to protect you. Spybot makes threats knock on your door, but YOU still have to decide whether there is a threat and whether to let it in or not.

If all of the above doesn't keep a virus out of my computer, I have another program called "HijackThis" that lists what is running on my computer and, more importantly, every place where a program has hooked itself into Windows (startup entries, browser add-ons, services, Winlogon hooks, DNS settings). HijackThis doesn't decide which entries are viruses; it gives me the list, and I have to figure out which ones are causing my computer to be slow or useless.

None of these programs will help you unless they are already loaded on your computer and saved in a place where you can easily find them when you need them. What good is a fire extinguisher if it's hidden among mounds of other crap in your attic or garage?

That's why I have a folder on my hard drive called "Software" and, within that folder, another folder called "Antivirus Software" (see graphic above). Whenever I think I have a virus, I go to that antivirus folder and I know all of the tools I have are there to help me work through the problem.

Unfortunately, new and sneaky viruses are created every day, so there are often viruses that my standard programs won't identify or kill. That's when I need HijackThis, which scans the computer's running programs and hook points and saves a detailed log on my desktop.

Now's where the "fun" begins, because viruses are often disguised to hide in seemingly innocuous folders, or under names that the average computer user will not recognize as a virus. So, what I do is Google the name of each process that is running, together with its folder (the same file name is legitimate in one place and suspicious in another), and see whether the expert volunteer computer forums online have identified it as a virus and, if so, what steps I need to take and what programs I need to use to remove it.

Now I have run HijackThis, by pushing the button that says "Do a system scan and save a logfile" (it saves to the desktop). Here is the program census that HijackThis has provided to me, and to the untrained eye the census seems almost as complex as the computer itself. But don't get scared. By Googling the items in the list, you can discover exactly what they are, whether they're safe and necessary or not, and what to do if one of them indicates a virus. (I don't usually try to read an entire forum post, but only the description of the problem and then, down at the bottom, whether the "experts" say a running process is a problem and, if so, what to do about it.)

Next to each running process below, I'm going to put a link to a forum that tells me what it is and whether it's a problem or not. But I know some forums are just sneaky hacker sites that tempt the unwise into downloading viruses they didn't already have, so I only use advice from sites I recognize, and I'm very leery about downloading "free" software. If they recommend a certain well-known virus removal tool, I go directly to that tool's main site and download it from there.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:12:00, on 6/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

The smss.exe that is in C:\WINDOWS\System32\ is legitimate, but if it appears somewhere else it may be a virus, says Forum Hardware Club. (The same rule applies to every core Windows process in this list: check the folder, not just the file name.)

C:\WINDOWS\system32\csrss.exe

Spybot Forums says the above "appears not to be [a virus], however to be certain we would need to see a log" (like the log we're examining right now). (Now it's back to Google to see what I can learn about the next process below.)

C:\WINDOWS\system32\winlogon.exe

Kaspersky.com's antivirus forum says, "Winlogon.exe, in system32 is the "Windows NT Logon Application". It's a vital component."

C:\WINDOWS\system32\services.exe

TechSupportGuy.com advises downloading ComboFix to the desktop and running it to discover viruses. I'm going to try that. (A caveat: ComboFix is not just a scanner that reports what it finds; it deletes files and registry entries on its own, and its authors intend it to be run only when a helper on a malware-removal forum has looked at your log and asked for it, so back up your data first.) I find there's a questionable file called dbi.exe on my computer and I've never seen it before. A couple of sites say that dbi.exe is a Trojan horse, but that Kaspersky Online can remove it.

Although most antivirus and virus removal tools are in the same profession, they do not all use the same techniques or produce the same results. Some antivirus programs kill or remove virus "A" but don't identify or remove virus "B", and vice versa. So, depending upon the virus the computer has, skilled online virus removers (there are free message boards for this purpose) will recommend one tool for one virus and a different tool for another. Therefore it's possible to have ten antivirus tools saved in your Antivirus Folder and still have to download one more in order to get rid of a specific virus. Remember, too, that the signature databases of these tools have to be constantly updated, or they become like dishwashing sponges with no soap or hot water.

Now I'm downloading Kaspersky Online to see if it can identify AND remove the virus I have found, dbi.exe. But Kaspersky Online finds no viruses. (A clean result from one scanner is not proof that the file is harmless; it only means that scanner has no signature for it.)

C:\WINDOWS\system32\lsass.exe

Neuber.com says:

"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. This is performed by using authentication packages such as the default, Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token.

Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

My lsass.exe is in C:\Windows\System32, so I guess it's OK. (The folder check is only a first filter: a file with the right name in the right folder can still have been replaced. To go further, compare its size and version information with a known-good copy, or run Windows' File Signature Verification tool, sigverif.)

C:\ARQUIV~1\GbPlugin\GbpSv.exe



C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\system32\RunDll32.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\Arquivos de programas\Tall Emu\Online Armor\oaui.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\ARQUIV~1\AVG\AVG8\avgnsx.exe

C:\Arquivos de programas\Nonoh.net\Nonoh\Nonoh.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\winmine.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Arquivos de programas\Tall Emu\Online Armor\oaui.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Nonoh] "C:\Arquivos de programas\Nonoh.net\Nonoh\Nonoh.exe" -nosplash -minimized

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{AB499F3F-BB05-43DD-B2B8-41C82A69D7EC}: NameServer = 200.225.197.34 200.225.197.37

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Arquivos de programas\Tall Emu\Online Armor\oasrv.exe

--

End of file - 3946 bytes
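As an added example (it is not part of the original post, and it is not HijackThis's own code), here is a small Python script that does the first pass of the triage described above automatically: it reads a HijackThis 2.x log, checks that core Windows processes run from the folder they belong in (the smss.exe and lsass.exe rule from the forums), and flags the entry types a forum helper looks at first: startup (O4) entries with no full path, services (O23) whose binary carries no publisher, Winlogon Notify (O20) entries with no DLL name, DNS servers (O17) outside an allowlist, and IE policy restrictions (O6). The sample log embedded in it is an abbreviated excerpt of the log above with one constructed rogue process line (C:\WINDOWS\system\svchost.exe) added so the process check has something to find; the DNS allowlist is an assumption you must fill in with your own ISP's servers. A finding means "verify this", never "this is a virus".

```python
"""First-pass triage of a HijackThis 2.x log (added example, not HijackThis code)."""
import re
import sys

# Core Windows XP processes and the only folder each legitimately runs from.
# The same name in another folder is the "may be a virus" case the forums describe.
CORE_LOCATIONS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Abbreviated excerpt of the log on this page, plus one CONSTRUCTED rogue line
# (C:\WINDOWS\system\svchost.exe) so that the process check has something to find.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\svchost.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB499F3F-BB05-43DD-B2B8-41C82A69D7EC}: NameServer = 200.225.197.34 200.225.197.37
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Arquivos de programas\Tall Emu\Online Armor\oasrv.exe
--
End of file - 3946 bytes
"""


def parse_hjt_log(text):
    """Split a log into the 'Running processes' list and the coded (R0/O4/O23...) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the first coded entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def split_path(path):
    """'C:\\WINDOWS\\System32\\smss.exe' -> ('c:\\windows\\system32', 'smss.exe')."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()


def triage(parsed, dns_allowlist=()):
    """Return (kind, log line, reason) tuples; each one means 'verify', not 'virus'."""
    findings = []
    for proc in parsed["processes"]:
        folder, name = split_path(proc)
        expected = CORE_LOCATIONS.get(name)
        if expected and folder != expected:
            findings.append(("process", proc, f"{name} should run from {expected}"))
    for code, rest in parsed["entries"]:
        if code == "O4":
            # "[Name] command": a bare file name is resolved through Windows' search
            # order, so the log does not tell you which copy of it actually runs.
            command = rest.split("] ", 1)[-1].strip()
            exe = command.split()[0].strip('"') if command else ""
            if "\\" not in exe:
                findings.append((code, rest, "startup entry has no full path; locate the file yourself"))
        elif code == "O23" and " - - " in rest:
            # "Service: name - company - path"; an empty company field means the
            # binary carries no publisher in its version information.
            findings.append((code, rest, "service binary has no publisher; verify it"))
        elif code == "O17":
            servers = re.search(r"NameServer = (.*)$", rest)
            for ip in (re.split(r"[,\s]+", servers.group(1)) if servers else []):
                if ip and ip not in dns_allowlist:
                    findings.append((code, rest, f"DNS server {ip} is not on the allowlist"))
        elif code == "O20" and rest.rsplit(" - ", 1)[-1].strip().endswith("\\"):
            findings.append((code, rest, "Winlogon Notify entry has no DLL file name"))
        elif code == "O6":
            findings.append((code, rest, "IE policy restrictions present; confirm who set them"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    # ASSUMPTION: replace these with the DNS servers your own ISP hands out.
    for kind, line, reason in triage(parse_hjt_log(text), dns_allowlist=("200.225.197.34", "200.225.197.37")):
        print(f"[{kind}] {reason}\n    {line}")
```

Run it as `python hjt_triage.py hijackthis.log` (without an argument it triages the embedded sample). On the sample it reports the rogue svchost.exe, the path-less PCTVOICE startup entry, the publisher-less GbpSv service, the truncated avgrsstarter Winlogon entry and the IE restrictions; every one of those still needs the Googling step described above, because legitimate software (a bank plugin, a sound-card helper, Spybot's own immunization) produces the same shapes.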