Grandma and Grandpa need help

Discussion in 'Software' started by keywest928, Feb 12, 2008.

  1. keywest928

    keywest928 Private E-2

    A little over a week ago my desktop computer (Lenovo XP Pro SP2) got infected with what we believe was either a trojan or spyware. Our best guess is the infection occurred when we briefly went to a game website to print out some instructions. It was our first experience with malware and a painful lesson was learned.

    We're not experts with computers; we know the basics, and that's pretty much it. We worked with a MajorGeeks Admin in the Malware forum to get rid of the infection and our best guess is it is now gone. However, we've since noticed some features no longer work like they used to.

    The two that we've noticed right away are:
    1) We can access Power Options, but they no longer seem to work. In other words, the monitor will not turn off and the computer won't enter Standby or Hibernate mode after the specified time limits. We've tried changing the settings in Power Options, but it makes no difference.
    2) The Autoplay feature (when you pop in a CD or insert a device via a USB port) no longer works. Before the infection, a pop-up window would ask what action we wanted to take immediately after we would insert a CD or USB device. Now, that pop-up window doesn't appear. We can work around this issue by clicking Start > My Computer > the applicable drive or device.

    We can't help wondering what else may have been affected by the malware that we haven't yet discovered. Lenovo has a Rescue and Recovery feature where a hidden partition (presumably immune from malware) on the hard drive stores the factory settings. So we're wondering if perhaps the right thing to do is to bite the bullet and reformat the drive and start from scratch again. Our important files are backed up on an external drive. Most are music and Word and Excel files and, per a recent scan, they don't seem to have been infected.

    Would appreciate opinions. If possible, try to use simple computer lingo. We're newbies at this, but we're learning.
     
  2. musksnipe

    musksnipe Guest

    Myself, I would start by running the System File Checker (SFC). What this does is scan the Windows files in your PC against the ones in your recovery partition. It replaces any missing or corrupted ones with the originals. It will not harm any of your applications, music, or pictures. You will need to make sure all your Windows updates are all back up date again, after running this.
    (You must be logged on as an Administrator)
    You can run SFC by going to Start>Run and then typing cmd.exe
    Then press Enter.
    A command window will open.
    Type sfc /SCANNOW (there is a space between sfc and /SCANNOW)
    Press Enter.

    Once done running SFC and re-updating Windows, you will at least know that your windows files are intact and not the cause of your problem.
    After that check into your services to make sure the ones that pertain to those options are turned on.
     
  3. keywest928

    keywest928 Private E-2

    Thank you Musksnipe.

    Couple of questions if I may:

    1) I'm not sure I completely understand the following comment in your response: "You will need to make sure all your Windows updates are all back up date again, after running this". Can you clarify?

    2) I've never used the sfc /SCANNOW command. It sounds like it might be a good first step. But it was my understanding that it prompts you to insert your Windows CD. I never got one since Windows was preloaded on my computer and, as mentioned, is stored in a hidden partition. So if I run sfc /SCANNOW, will it automatically refer to the hidden partition versus prompting for the Windows CD?

    Thanks again. I appreciate your help.
     
  4. baklogic

    baklogic The Tinkerer

    Have you tried System Restore?
    Find it by: Start, Accessories, System Tools, System Restore.
    YOU WOULD NEED TO CHOOSE A DATE BEFORE YOU GOT INFECTED.
     
  5. baklogic

    baklogic The Tinkerer

    Quote: "We can't help wondering what else may have been affected by the malware that we haven't yet discovered. Lenovo has a Rescue and Recovery feature where a hidden partition (presumably immune from malware) on the hard drive stores the factory settings. So we're wondering if perhaps the right thing to do is to bite the bullet and reformat the drive and start from scratch again. Our important files are backed up on an external drive. Most are music and Word and Excel files and, per a recent scan, they don't seem to have been infected." End quote.

    To access the hidden partition, press F11 on startup.

    Later versions-
    The new method is to select IBM Recovery Program from the operating system Boot Menu
     
  6. baklogic

    baklogic The Tinkerer

  7. musksnipe

    musksnipe Guest

    With a recovery partition, the command will automatically use that, instead of asking for the disc. (At least it works like that on my PC)
    All you will have to do is go to the Windows Update site and have it scan your PC for updates. It will find the ones you need. SFC will actually change the Windows files back to an exact copy of how they were when you first turned on your PC. So, any updates that you've received since then will need to be re-installed.
    And once again, SFC will not change any of your personal data.
    I have never used the Rescue and Recovery set-up on my PC, so I am not sure exactly how it would interact with personal things like music, pictures, and documents. I know you can repair drivers, software, and do a full system recovery, but I don't know if you can just repair your operating system with it, without losing your personal stuff, which includes programs you may have added and already configured. That is sometimes the worst part of a full system recovery.

    EDIT: also if you don't know exactly when the infection occurred, you could re-introduce it with a system restore. It would be best to wipe them all and start with fresh restore points after setting your OS right.
     
  8. baklogic

    baklogic The Tinkerer

    It is possible to direct the sfc /scannow to the folder of the necessary files, already on your computer, but as novices, it might be more than you want to do.
    Guide for systems with pre-installed Windows
    http://www.howtohaven.com/system/createwindowssetupdisk.shtml

    Good luck, let us know, how you progress.
     
  9. baklogic

    baklogic The Tinkerer

    As Musksnipe says, you are better not to use system restore unless you know when you were infected, as those created afterwards would be infected, and definitely delete all, and create a new restore point, when your system is up and running correctly.
    Also, the reason that I used your quote was that you said everything is saved elsewhere that you value.
     
  10. keywest928

    keywest928 Private E-2

    Musksnipe, Baklogic:

    Great advice and much thanks.

    When we were working with the MajorGeek Admin trying to clean out the infection, one of the last steps involved purging my system restore points because there were indications that they got infected too. System restore is turned back on now, but as you've pointed out, using it won't fix my current problems.

    Thanks for the explanation about SFC and Windows Update. I do use Windows Update (and Lenovo/ThinkVantage Update). I have the settings set to notify me when new updates are available to download. So if the only thing I have to remember after running sfc /SCANNOW is to run a new Windows Update, it sounds like it should be fairly simple and the best next step to take.

    Just double-checking: My understanding is that if I run sfc /SCANNOW, then all my current settings, and documents, and music files, and programs (those that were preinstalled like WinDVD and those that I installed like CCleaner, ESET Nod32 antivirus, Spybot, wireless keyboard, iTunes, etc. etc. etc.), will remain unaffected. sfc /SCANNOW will only correct any missing or corrupt Windows files and remove the updates. Is this correct?

    Thanks again for your patience. It's been quite a learning process!
     
  11. baklogic

    baklogic The Tinkerer

    Yes, sfc /scannow will only replace damaged files in Windows, and nothing else.
    I think it's a tool that fixes many problems, and should be written on the CD cover for all to know and use - saves a lot of problems, particularly after uninstalling some problem programs.
    As Musksnipe said, to ensure that any files have not been replaced by a Microsoft update, just go to Windows Update, and let it scan your system, after using it.
     
  12. keywest928

    keywest928 Private E-2

    We ran sfc /scannow last night. Pretty simple to do. But, I don't think it fixed the problems I mentioned in an earlier post of this thread (Autoplay and Power Options not working correctly).

    I'm assuming sfc /scannow ran properly. A progress bar appeared while it was running and it took about 20 minutes to complete. There was no message upon completion telling me anything. In addition, I checked for Windows updates immediately afterwards and none were needed (not too sure what to make of that since my understanding was the existing Windows updates would be cleared out as a result of sfc /scannow).

    Anyway, I did some more testing in Power Options and discovered if I lower the monitor turn off setting from 15 minutes to less than 5 minutes, then the monitor does turn off and the hibernate function (currently set at 1 hour) works as well. But if I change the monitor turn off setting to anything longer than 5 minutes, then none of the settings (including hibernate) will work. Very frustrating.

    As stated in my first post, the computer got infected a couple of weeks ago with some malware that we believe has been removed after working with MajorGeeks in the Malware forum section. None of the malware symptoms that we were experiencing are occurring (they included intermittent shutdowns of Internet Explorer and a.doginhispen, b.skitodayplease, and 88.80.7.66 mysteriously showing up in our IE7 history listing). In addition, our AV program (Eset Nod32) seemed to finally identify the malware and quarantine over 20 infected files several days after the initial infection. But I can't help feeling a little paranoid that maybe some bad stuff is still on our system evidenced by the Autoplay and Power Options problems we're having.

    One more thing...I removed two programs as a result of the infection: Sonic RecordNow and Sonic DLA. I didn't need RecordNow since we use Windows Media Player. And I'm not sure what Sonic DLA was all about; could that have a connection with my Power Options or Autoplay issues?

    Any opinions / suggestions are welcomed.
     
  13. musksnipe

    musksnipe Guest

    SFC does leave a log (not sure exactly where at the moment) but they are kind of complicated to read.
    The important thing is now you can be sure your Windows files are intact and complete. If you have your automatic updates turned on, it will find any you may need. It's possible I got a hold of wrong info about SFC and the way it treats updates. Not to worry though.
    Here's a link that may help you with your power problems. (Something I noticed right away was, if you have a 3-D screensaver, that will affect your power settings, as will setting it over 45 minutes.)
    http://www.kellys-korner-xp.com/xp_standby.htm

    Hope this helps.
     
  14. keywest928

    keywest928 Private E-2

    Musksnipe and Steve_East9:

    Thanks for your responses and suggestions. Here's the latest.

    Power options: Last night I decided to activate my screen saver. After doing so, I noticed that my monitor did turn off and my system did go into hibernate mode. Not too sure if it's a fluke or not, and if/why there's a relationship between power options working and screen saver being activated. I didn't have time to delve deeper into it last night and will have to test it out more over the next few days.

    Autoplay: I tried all the ideas so far without success. Autoplay won't turn on. Checked the settings...including in the registry (always careful messing around in there)...and everything looks correct. But, keep in mind I'm not too skilled with pc's and could very well be overlooking something. For now, I'll keep fiddling with it (and try not to mess anything else up).

    Thanks again and let me know if you have any other ideas.
     
  15. musksnipe

    musksnipe Guest

    Here's a setting to check for restoring autoplay:

    Go to Control Panel>Administrative Tools>Services>Shell Hardware Detection
    Highlight the service, right-click, and choose Properties.
    Set this service to Automatic.
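
The service check in the post above can also be done from the same cmd.exe window used for sfc. This is an added example, not part of the original thread: a read-only batch file that reports the Shell Hardware Detection service's startup type and state and prints the command that would correct each. `ShellHWDetection` is that service's short name; the `NoDriveTypeAutoRun` policy value it also reads is not mentioned anywhere in the thread and is included as an assumption about what else commonly leaves Autoplay switched off after a cleanup.

```bat
@echo off
rem Added example, not from the thread. Read-only: it changes nothing and
rem only prints the fix commands so they can be reviewed before being run.
setlocal
set SVC=ShellHWDetection

echo == Service %SVC% (Shell Hardware Detection) ==
sc qc %SVC% | find /i "START_TYPE"
sc query %SVC% | find /i "STATE"

rem The startup type should be Automatic, as described in the post above.
sc qc %SVC% | find /i "AUTO_START" >nul
if errorlevel 1 (
    echo [!] Startup type is not Automatic.
    echo     Fix: sc config %SVC% start= auto
) else (
    echo [ok] Startup type is Automatic.
)

rem The service must also be running for the Autoplay prompt to appear.
sc query %SVC% | find /i "RUNNING" >nul
if errorlevel 1 (
    echo [!] Service is not running.
    echo     Fix: net start %SVC%
) else (
    echo [ok] Service is running.
)

rem Assumption, not from the thread: the NoDriveTypeAutoRun policy value.
rem A value of 0xff turns Autorun off for every drive type.
echo == Autorun policy values ==
for %%K in (HKLM HKCU) do (
    reg query "%%K\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun 2>nul
    if errorlevel 1 echo %%K: NoDriveTypeAutoRun is not set
)
endlocal
```

Save it as a `.bat` file and run it while logged on as an Administrator.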
     
  16. keywest928

    keywest928 Private E-2

    I'll check it out, Musksnipe, and let you know. Thanks!
     
  17. baklogic

    baklogic The Tinkerer

  18. keywest928

    keywest928 Private E-2

    Maybe success?

    Musksnipe and Baklogic:

    I made several attempts this evening to try to fix Autoplay and the last one may have worked. Baklogic referred to an Autoplay Repair Wizard on Microsoft's web site (I've pasted the link at the end of this post). I also saw the same repair wizard mentioned on www.watchingthenet.com. I tried it and voila...it seems to have worked. The wizard identified a problem with both drives (presumably in my registry) and apparently corrected them. I kept the text files as a reference. Anyway, I have since inserted some audio, picture, and data cd's and Autoplay pops up.

    I'm cautiously optimistic. It seems like you can get your hopes up and then be disappointed again. But, so far so good. Thanks so much for your help! MajorGeeks is great and so are you.

    If I may, I'd like to pick your brains a little more on two topics.

    First, I'm still worried that my pc infection caused more damage than I've discovered. It seems to be running fine; as mentioned in a few posts down I haven't noticed any more malware symptoms. And boot up time is now around 55 seconds...which is better than it has been. But I always have a nagging worry that something still lingers inside. So my first set of questions are, how do you know for sure all is well...and when do you decide to reformat your drive versus trying to work through the malware?

    Second, I now have Spybot and SuperAntispyware on my system, in addition to Eset Nod32 antivirus. The Eset AV is a paid program, so I'm going to stick with that for now. Spybot and SuperAntispyware are free (you probably know that). I know that the most important thing you can do to stay out of malware trouble is to avoid questionable web sites...and we don't knowingly surf anywhere that's not safe. But, it's impossible to be certain that every web site you go to is completely clean. Do you think Spybot and SuperAntispyware are good programs to help protect against spyware?

    Again, thanks much.

    (Link to Microsoft's web site for the Autoplay fix)
    http://www.microsoft.com/downloads/...b6-e8fa-45c4-a171-1b389cfacdad&displaylang=en
     
  19. musksnipe

    musksnipe Guest

    The guys in malware are very good. When they gave you a clean bill of health, you can be sure there was nothing still lingering.
    Malware and its removal can be tough on an OS. But, the effects can usually be repaired without reformatting and reinstalling your OS.
    If you don't have many applications, have all your important personal stuff backed up on another HDD or discs, and have the time to sit and wait out a reinstall, then it's not really a problem. But if you have a lot of applications, (I have over 70 plus the Windows apps), lots of music and photos, (I have over 10GB), and no extra HDD to back up to, (10GB+ would take several DVD's or lots of CD's), then it becomes easier to NOT reformat and reinstall.
    Not only do you have the long period of the reformat and install but then you have to reinstall and configure all your apps, replace all your personal data, and that takes a lot of time and becomes frustrating and mind numbing. Oh yeah, and then there's the Windows updates, another long period of downloads and installs.
    So, it is really just a matter of choice, lots of work compared to what may be a simple fix.

    I have used and like Spybot for a few years and have just started using its Tea Timer function. It seems to do a very good job. I have never used the other app and don't know anything about it. I have 3 or 4 other apps that I run on occasion because no one application will catch everything. The best malware protection is you.
    I don't know if this Read Me was pointed out to you, but it has some good tips.
    http://forums.majorgeeks.com/showthread.php?t=44525
    Also visit the Anti-Spyware downloads and browse through it. You may find something that fits you perfectly. The freeware ones work as well as the pay-for ones. (Those usually have a few more features)
    http://www.majorgeeks.com/downloads31.html
     
  20. keywest928

    keywest928 Private E-2

    All,

    Thanks for your responses. Our pc seems to be relatively stable now...so I'll end this thread. If we have more questions, we'll chime back in.

    Regards.
     
