ElanaAhova

Unable to remove trojan, my PC is now super slow... can't run Elemental or Impulse.

Beginning disinfection:
C:\WINDOWS\system32\ttux.qqo
[DETECTION] Is the TR/Inject.CM Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell> was removed successfully.
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] An ARK library instance is already running.
[NOTE] The file is scheduled for deleting after reboot.
The repair notes were written to the file 'C:\avrescue\rescue.avp'.

Anyone dealt with this? Experienced suggestions? Appreciate it.

151,450 views 109 replies
Reply #76

And another thread near this one is titled "if you're not running windows 7 get it soon.". Not trolling, but wouldn't it be better to browse your facebook with linux?

Reply #77

It does sound like trolling, doesn't it? This problem didn't originate with Facebook.com. It was probably an ordinary trojan that was delivered in an email which seemed like a genuine communication from Facebook.

A Linux user WOULD have been safer because (1) most Linux distros nag you or prevent you from running as root, and Linux true-believers will taunt you (or worse) if they discover that you do run as root; and (2) there are fewer Linux users than Windows users, and many variations on the Linux theme, which means lots of original work with relatively little return. WinXP appears to have been vulnerable here because the user was working in an administrator account (i.e., as root) when the trojan was executed.

Linux isn't immune to hackers, my friend. That's why deliverables are signed.

Reply #78

Quoting Dr, reply 71
It will not always work since many of the bugs will not allow you to run any EXE, but for those that do, that seems like a quick way to get to repair mode and disable the sucker!
End of Dr's quote

I'm not sure we're on the same page here, Dr Guy. You can't use these keys to run an arbitrary program, unless of course you append your command to the command to start the shell, like the trojan did. I don't really know what will happen if HKEY_Current_User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell is defined but doesn't start a shell. Windows may try to start the default shell, but more likely the active account will run without a shell at all. (If you're curious, add a standard user account and try it - you can always log into an administrator account and remove the key again if it borks the account.)

It only seemed useful in this case because the trojan is being started with the default shell, and seems to have repaired Avira's registry edit before the computer restarted. If the author of the trojan understood what s/he was doing, then s/he'll also be monitoring changes to the user key that starts a custom shell. I'm hopeful though that s/he didn't - this is a very noisy infestation, which suggests that the author wasn't very skillful.
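The Winlogon Shell check pfk2 describes, as an added example (not code from the thread): a Python audit of `reg query` output for the Shell value under the HKLM and HKCU Winlogon keys, flagging a replaced shell, a command appended after explorer.exe (the trick the trojan used), and a per-user override that a default XP install does not set. The sample output below is constructed; the key paths are the ones named in the thread.

```python
import re

DEFAULT_SHELL = "explorer.exe"
HKLM_WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_WINLOGON = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg query <key> /v Shell` output, one run per hive.
# The HKLM value mirrors the infection in the thread: explorer.exe kept,
# trojan command appended after a comma.
SAMPLE_REG_OUTPUT = "\n".join([
    HKLM_WINLOGON,
    r"    Shell    REG_SZ    Explorer.exe, C:\WINDOWS\system32\ttux.qqo",
    "",
    HKCU_WINLOGON,
    r"    Shell    REG_SZ    explorer.exe",
])

_VALUE_LINE = re.compile(r"^\s*Shell\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.IGNORECASE)


def parse_shell_values(reg_output):
    """Map each Winlogon key in the reg query output to its Shell value."""
    values = {}
    current_key = None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key:
            values[current_key] = m.group(1)
    return values


def audit_shell(values):
    """Return (key, value, reason) for every Shell value a defender should review."""
    findings = []
    for key, value in values.items():
        # Winlogon runs each comma-separated program, so examine them one by one.
        programs = [p.strip() for p in value.split(",") if p.strip()]
        if not programs or programs[0].lower() != DEFAULT_SHELL:
            findings.append((key, value, "default shell replaced"))
        if len(programs) > 1:
            findings.append((key, value, "extra command appended to shell: " + "; ".join(programs[1:])))
        if key.upper().startswith("HKEY_CURRENT_USER"):
            findings.append((key, value, "per-user Shell override is set (absent on a default XP install)"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_shell(parse_shell_values(SAMPLE_REG_OUTPUT)):
        print(f"{reason}\n  {key}\n  Shell = {value}")
```

On a live machine the same parser can be fed the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` and its HKCU counterpart.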

Reply #79

Quoting ElanaAhova, reply 72
Would I get rid of this if I reinstalled, or repaired windows from my XP home edition CD?
End of ElanaAhova's quote

Sorry, I overlooked this earlier. Yes, the trojan would be gone, but you'd have an unpatched 2002 WinXP operating system and no applications installed. You'd have to update XP with the service packs and security patches, then re-install your applications. The worst of it would be the lack of a functional Wireless Zero Configuration for your wireless card (it wasn't really very good until SP2), but all it really takes is time and patience.

If what you have is a rescue CD from the computer maker and not a WinXP installation disk from Microsoft, then you'll have to proceed cautiously. Some rescue CDs are just MS installation disks with a script for unattended installation. If so, you need only rename the directories that you want to keep to prevent them from being overwritten. If you have a rescue DVD, though, there's a good chance that it contains a sector by sector image of the HDD as it was shipped. If so, it will overwrite everything on the disk.

Reply #80

Hi Doc, Yrag, et al.

I have the XP Home Edition 2002. No rescue disk. I will begin reinstall of Windows XP, and then go from there. I don't have the service packs burned on CD, as a friend suggested.

Any suggestions, wisdom, on the order I do all the things to get back some of my system?

I will probably be offline for a few days as I do all this.

Be well, thanks for everything, all of you... elana

Reply #81

Start with XP and update all the service packs 1, 2 and 3. Then, I'd suggest putting some protection in place and making a rescue disk. Then, your software that you really need and use. After that, get rid of any bloatware, defragment the disk and clone the disk to an external hard drive so that if in the future you get in trouble, all you have to do is format and transfer the clone back onto the original hard drive.

Reply #82

Quoting ElanaAhova, reply 80
Hi Doc, Yrag, et al.

I have the XP Home Edition 2002. No rescue disk. I will begin reinstall of Windows XP, and then go from there. I don't have the service packs burned on CD, as a friend suggested.
End of ElanaAhova's quote

Do you have a brand name computer? Or a white box? If brand name, they often hide the recovery on the hard disk and you have to press a special key combination at boot up (before Windows starts loading) to access it. A white box (generic computer from a small vendor) can also have that, but you would have to talk to the maker to find out what the key stroke is.

Quoting pfk2, reply 78

I'm not sure we're on the same page here, Dr Guy.
End of pfk2's quote

We are. I understand a shell has to run. But I had never thought of your trick (changing that registry entry). The problem with some of these bugs is they do not let you run any EXE programs, so even regedit will not run.

Reply #83

Quoting DrJBHL, reply 81
Start with XP and update all the service packs 1, 2 and 3. Then, I'd suggest putting some protection in place and making a rescue disk. Then, your software that you really need and use. After that, get rid of any bloatware, defragment the disk and clone the disk to an external hard drive so that if in the future you get in trouble, all you have to do is format and transfer the clone back onto the original hard drive.
End of DrJBHL's quote

A big addition to the Doctor's recommendation - do it behind a hardware firewall! If you connect an unpatched computer directly to the internet, it will be infected before you can patch or load anything on it.

Reply #84

A big addition to the Doctor's recommendation - do it behind a hardware firewall! If you connect an unpatched computer directly to the internet, it will be infected before you can patch or load anything on it.
End of quote

Not entirely true. If all he does is visit Microsoft's update site, chances are very low that an infection will occur.

Reply #85

kona, I'm a girl, so please, no "he." (Thanks - I know you didn't know...) "e" is fine.

All: Can I get a friend to download the service packs from MS on their PC, and burn them onto a CD, then bring the CD to my PC, to "update" my Windows XP, before trying to get on the Internet etc.? Will the MS police let me / them do this?

How can I use a hardware firewall with a stand alone PC, and broadband internet access?

Dr. Guy, my PC is from a kit. Guess that's a white box? The assembler became a bible thumper (Christian version) so we don't talk anymore. I won't convert, and "g-d told him I must or he can't see me," LOL. So I cannot ask the guy who put it together. I do have all manufacturers' disks, and nothing like people describe here is among them. So, late tonight (Thanksgiving eve - lower web traffic) I will begin re-installing Windows, and then the broadband inherent - from a proprietary flash drive (clever way to do it). Then all the rest.

So, I guess the next question is, what can I do to establish the PC in a better way than I did before. One thing I would like to try is a disk that boots the PC to a non-Windows OS, so I can both scan and elim bugs in the future, and go to the web using a non-XP OS. Assuming my broadband will allow me to...

Reply #86

rescue disk... OK

Reply #87

You will be fine downloading the service packs without getting a virus. By the way reloading XP takes about an hour. Downloading the updates is the time killer.

Reply #88

The issue regarding the SP downloading is the SIZE of the offline versions, e.g. SP1 is about 200 MB, SP2 is 272 MB and SP3 is 324 MB.

harpo

Reply #89

I used the Bit Defender Live CD for issues I cannot solve in Windows by booting into safe mode or other methods. However, there are more nasty viruses out there that prevent Live CDs from working altogether.

Reply #90

The issue regarding the SP downloading is the SIZE of the offline versions, e.g. SP1 is about 200 MB, SP2 is 272 MB and SP3 is 324 MB.
End of quote

You really don't need to download anything but SP3. If I remember correctly it includes all the previous fixes that SP1 and SP2 had.

Reply #91

Quoting ElanaAhova, reply 80
Any suggestions, wisdom, on the order I do all the things to get back some of my system?
End of ElanaAhova's quote

I'm sorry that the registry hack didn't succeed. Don't worry about the service packs - Microsoft will deliver them via its Automatic Updates service once WinXP is installed and online again. Just be sure you have the Windows product key available.

I recommend that you

Reinstall WinXP without reformatting the HDD

(1) Disconnect the computer from the network. Unplug the Ethernet cable, or turn the WiFi radio off, as appropriate.

(2) Boot the WinXP setup disk and perform a repair installation. NOT a clean installation, and not a repair using the recovery console. Follow the instructions for "Method 2: Repair install of Windows XP by starting your computer from the Windows XP CD" (http://support.microsoft.com/kb/978788). When asked, overwrite newer system files with older system files from the CD.

(3) Disable Automatic Updates. Connect to the network just long enough to download SP2 (http://support.microsoft.com/kb/322389).

(4) Install SP2, then start the Windows Firewall. (It wasn't available until SP2, was it?)

(5) Reconnect to the network just long enough to download SP3 (http://support.microsoft.com/kb/322389). Disconnect and install SP3.

(6) Turn Automatic Updates back on, but DON'T set it to Automatic. (Otherwise IE7 too will be downloaded and installed automatically.)

Restore your old user account

(7) Rename your old user profile folder. If your account name was, say, ElanaAhova, then the corresponding profile folder was C:\Documents and Settings\ElanaAhova. Rename it to, hmm, C:\Documents and Settings\ElanaAhova_old.

(8) Create a new administrator account with the original account name (here ElanaAhova).

(9) Log out of the Temp account, and log into the new ElanaAhova account. (This creates a user profile for the new account.)

(10) Log out of ElanaAhova, and log back into Temp. Copy ALL the files and folders from the old user profile (C:\Documents and Settings\ElanaAhova_old) to the profile for the account you just created (C:\Documents and Settings\ElanaAhova).

Add a second, limited user account.

(11) Create a new administrator account and give it a new name, say, SuperElanaAhova. This will be your new administrative account, used only for installing programs and other work that involves fiddling with the OS. Give it a password, even if you don't intend to password-protect your everyday account.

(12) Log out of ElanaAhova and log into SuperElanaAhova. Change the ElanaAhova account from an administrator account to a limited account. (Backward, yes, but otherwise new limited ElanaAhova would be denied access to old administrator ElanaAhova's files.)

(13) Delete the Temp account. Password-protected SuperElanaAhova is the only administrator account now.

Scan the disk for trojans and viruses.

(14) Connect to the network. Download a fresh copy of Avira AV (http://www.avira.com/en/avira-free-antivirus) and install it.

(15) Log out of SuperElanaAhova, and log into (limited) ElanaAhova. (Since this is your new work account, you may as well get used to working in it.) Start a complete AV scan of all disks. (Yes, including that missing E: drive).

(16) When Avira is finished, log out of ElanaAhova and log into SuperElanaAhova. Download and install the security patches that Automatic Updates found.

I can explain my reasons, but I'm pressed for time just now. Let me know which bits you didn't understand, and I'll try to clarify them for you.

Reply #92

Quoting kona0197, reply 90
You really don't need to download anything but SP3. If I remember correctly it includes all the previous fixes that SP1 and SP2 had.
End of kona0197's quote

"Windows XP Service Pack 2 (SP2) or Windows XP Service Pack 1a (SP1a) must be preinstalled before you install Windows XP Service Pack 3 (SP3)."

How to obtain the latest Windows XP service pack ( http://support.microsoft.com/kb/322389 )

Reply #93

I'm sorry that the registry hack didn't succeed. Don't worry about the service packs - Microsoft will deliver them via its Automatic Updates service once WinXP is installed and online again. Just be sure you have the Windows product key available.
End of quote

Actually turning off Automatic Updates is always a good idea. Otherwise the PC has a bad habit of restarting when it feels like it among other issues.

"Windows XP Service Pack 2 (SP2) or Windows XP Service Pack 1a (SP1a) must be preinstalled before you install Windows XP Service Pack 3 (SP3)."
End of quote

I'll bet the CD she is using already has SP2 included. Most of them did.

Reply #94

Quoting kona0197, reply 93
Actually turning off Automatic Updates is always a good idea.
End of kona0197's quote

Agreed! It was only meant to assure her that shuttling service packs on a CD was unnecessary.

ElanaAhova has a 2002 installation CD. I think SP2 was released in mid-2004. Of course, I also recall that Windows Firewall wasn't available until it was released with SP2, but I could be wrong about that, too.

Reply #95

Quoting kona0197, reply 84

A big addition to the Doctor's recommendation - do it behind a hardware firewall! If you connect an unpatched computer directly to the internet, it will be infected before you can patch or load anything on it.
Not entirely true. If all he does is visit Microsoft's update site, chances are very low that an infection will occur.
End of kona0197's quote

Uh, no, that is what worms do. I made the mistake of trying to patch my Aunt's computer over a dialup connection. She was infected within 10 minutes of connecting to the Internet.

Reply #96

How can I use a hardware firewall with a stand alone PC, and broadband internet access?
End of quote

With a router.

Uh, no, that is what worms do. I made the mistake of trying to patch my Aunt's computer over a dialup connection. She was infected within 10 minutes of connecting to the Internet.
End of quote

If you're really worried, then install security software, and update it as well as the XP on the net through a wireless router.

Reply #97

Quoting DrJBHL, reply 96

If you're really worried, then install security software, and update it as well as the XP on the net through a wireless router.
End of DrJBHL's quote

Most "Wireless Routers" contain a crude but very effective firewall (you can go out, but bugs cannot come in unless invited). That was my original suggestion - do it behind a hardware firewall/gateway.

Reply #98

^ And I agree.

Reply #99

Uh, no, that is what worms do. I made the mistake of trying to patch my Aunt's computer over a dialup connection. She was infected within 10 minutes of connecting to the Internet.
End of quote

I've never encountered an infection on a fresh Windows install while just getting updates.

Reply #100

Quoting kona0197, reply 99

I've never encountered an infection on a fresh Windows install while just getting updates.
End of kona0197's quote

Consider yourself lucky - and forewarned. Worms do not rely on a user's actions. They actively seek out unpatched systems and infect them.