[JulianeB]

Hello, I've never posted here, that I remember anyway!

I need help. I have a Dell Dimension 4400 running XP SP2. I have Ashampoo Firewall, Avast AV, Spybot, Spyware Blaster, AVG AS and Ad-aware SE personal (unsupported now so not updated). All have been run and updated recently. Wired cable connection, Linksys router, 2 other computers networked.

Last night I was on the 'net as usual, checking a few forums, etc. All of a sudden, my internet connection disappeared. According to the computer and the router and modem, I *was* connected, but I could not run IE or get my email. Weird. I tried to pull up the Linksys network analyzer, and it ran and ran and never fully loaded. Weirder. I tried right-clicking on the Avast logo to check it out, no response. I got a little message box that said "Ashampoo Firewall - Out of Memory!" and that is REALLY weird b/c ashampoo is not memory intensive. When I clicked OK on that window, it just kept popping back up.

I did not want to shut down so I put the computer on standby and went to bed, hoping that it would improve miraculously overnight.

This morning things continued to go south...as I tried to open My Computer to back up my latest files, at first it worked, but after I connected a USB backup drive, I tried to use the "explore" function to drag and drop files, but I then lost all my desktop icons after some weird memory error box asked if I wanted to debug. I tried My Computer again, and all the disk names were "Local Disk," not even C: or D:

OK, that was enough for me - I got the start menu up, sort of, and managed to click on the right area for the shut down screen...tried reboot, nothing happened, tried shutdown, nothing happened. I did a hard shutdown and it's still off.

My questions: Does this sound like a virus and if so, should I try to reboot in safe mode? I still want to get files off the HD so if rebooting is likely to do permanent damage, I'd rather not. Should I try system restore, assuming it was enabled? Is that the least harmful approach at this point? Also, I have thought of removing the drive and hooking it up to this laptop to see if I can get the stuff off of it before wiping it, but if it sounds like a virus I don't want to infect the laptop. If I remove the HD, get a new system, and replace the D disk with this one, will I be able to see and retrieve all my files? What would you try first? Thanks for your help. I have a bad tendency to continue trying until the system is FUBAR.

Edited by JulianeB, 06 March 2008 - 02:08 PM.

[Advertisements]

To backup the system while minimizing the risk of infecting another computer I would do the following: Use the following link to download BartPE. Follow the instructions and create a bootable cd.

BartPE is a windows based, very small operating system that loads into the computer's RAM.

To backup your data boot the computer with the cd, click GO, click PROGRAMS and then click A43 FILE MANAGEMENT UTILITY. Windows explorer will open and you can copy the necessary data and save it to a storage device.

Be very selective of what you backup. Do not backup anything that might contain malware. Move the device in which you stored the data and connect to another computer on which antimalwre programs are installed. Go to My Computer and right-click the new device. Run Several antimalware programs (Avast and AVG antispyware, in your case).

It's not 100% safe but it reduce to a minimum the chance of infecting the other computer.

[The Skeptic]

To backup the system while minimizing the risk of infecting another computer I would do the following: Use the following link to download BartPE. Follow the instructions and create a bootable cd.

BartPE is a windows based, very small operating system that loads into the computer's RAM.

To backup your data boot the computer with the cd, click GO, click PROGRAMS and then click A43 FILE MANAGEMENT UTILITY. Windows explorer will open and you can copy the necessary data and save it to a storage device.

Be very selective of what you backup. Do not backup anything that might contain malware. Move the device in which you stored the data and connect to another computer on which antimalwre programs are installed. Go to My Computer and right-click the new device. Run Several antimalware programs (Avast and AVG antispyware, in your case).

It's not 100% safe but it reduce to a minimum the chance of infecting the other computer.

[JulianeB]

Thank you very much. I have a good external HD that I can back up on, and I don't think it has anything else on it right now. I just need my documents, photos, and then I can play with the broken Windows!

Do I put the BartPE CD in the CD drive before I power up, and what happens after that? Will the computer ask "Boot to CD?" Or will it just be automatic? His instructions on that page are not self-explanatory! How do I burn this program onto the CD in the first place? Just drag and drop or do I need a burner?

Have you ever heard of this cascade of events before, where you lose IE or your internet connection (I wonder if something came in through IE) and then things go from bad to worse? This HD is OLD and had been reformatted once before, but it wasn't making any noise or doing anything unusual before all this started.

Edited by JulianeB, 06 March 2008 - 01:35 PM.

[pyrocajun2707]

Thank you very much. I have a good external HD that I can back up on, and I don't think it has anything else on it right now. I just need my documents, photos, and then I can play with the broken Windows!

Do I put the BartPE CD in the CD drive before I power up, and what happens after that? Will the computer ask "Boot to CD?" Or will it just be automatic?

Have you ever heard of this cascade of events before, where you lose IE (I wonder if something came in through IE) and then things go from bad to worse? This HD is OLD and had been reformatted once before, but it wasn't making any noise or doing anything unusual before all this started.

You have to boot from the CD; it runs a bit like a Linux "Live CD." To burn the CD, though, you have to run the BartPE application, which uses necessary Windows system files to build the disk image. Your copy of BartPE will then take on the same Microsoft license key as your specific copy of Windows (or whatever copy of Windows is on the computer you make the disk with).

BartPE is not an OS in itself, but an extremely simplified version of the same copy of Windows you make the disk itself with, and it has a couple of additional diagnostic and recovery tools. It sounds weird, but it's a very useful tool. If you really think your HDD is dying (a very high probability), BartPE should give you ample tools to find out for sure.

Edited by pyrocajun2707, 06 March 2008 - 01:42 PM.

[JulianeB]

OK, I think I understand! Does it matter if this laptop has Vista and the desktop has XP?

P.S. I have never used anything Linux, so your analogy was lost on me! I guess I just make the CD on the laptop, put it into the desktop, and power up, huh? and go from there.

Edited by JulianeB, 06 March 2008 - 01:50 PM.

[The Skeptic]

To boot with the bootable CD load it into a the cd drive and reboot the computer. The cd drive should be set as first priority boot device in the BIOS.

To create the cd please follow the instructions from Getting Started. This explains everything. Of the download options (after "getting started") download the first option (PE Builder v3.1.10a - self-installing package (3.15MB) - if you are unsure what you need to download, get this!).

I am not sure about the cause of the problem. It looks like a complete collapse of the operating system. If you succeed with BartPE then this in itself will give us a strong indication that the problem is not of a hardware origin.

Try to boot into last known good configuration and see what happens. If no improvement then try to boot into safe mode, if possible, and run few scans with antimalware programs. If still no good I would go to clear format.

[JulianeB]

I thought I'd let you know what's been happening...We went and got a USB to IDE cable this afternoon. We took out the D drive which has been slaved (no problem with it) and hooked it up to son's laptop to capture any remaining files from it. Next we will re-install this D drive as a new C drive, and install XP on it as a new install. (I don't think I have to completely clean it off, right - the install will wipe it anyway, correct?) Then we plan to take the C drive which is the problem (Maxtor) and slave it to the new C (was D) so we can get all the files off and backed up.

Does that sound like a plan? If there is a virus on C, and it is turned into a slave, it won't be able to jump from one drive to the other...I don't think...and if I have a new install of XP I can download Avast and scan it, and get rid of stuff. It won't be booting up and re-introducing the virus (if any), so I think this is a good plan. It will still have the Windows files on it, though - will that confuse the computer? I assume not, as it will no longer recognize that drive as the go-to place for Windows. And then I can always wipe out the windows files once I can get to them.

What do you think? That IDE to USB cable is brilliant!

Update a few hours later: Everything went smoothly and the old D drive is now the new C drive, with a fresh install of XP Pro. The old C drive is slaved and is visible through the new Windows...we're doing a virus scan on it now but all seems to be fine. At least all the files are there and the data can be imported to the new XP install. Of course all this takes time...have to reinstall programs and tweak settings, but what the heck - at least no data was lost and the drive is not corrupted. Wish I knew what happened!!

Thanks for any feedback on anything I might have overlooked or done wrong...other than not backing up often enough...

Edited by JulianeB, 06 March 2008 - 08:59 PM.

[The Skeptic]

Well done. The whole idea about BatrPE was to minimize the risk of re-infection, answering your request in the first post. The idea was to backup with an OS that is not installed on the HD, on the infected computer, without connecting the infected disk to another computer. Your approach is done very often successfully. However, sometimes the infected disk can damage the host computer (your son's laptop in this case). About two weeks ago I took the same procedure that you took and my computer was instantly infected by the disk I meant to backup. A trojan named win32: .....gamez (I don't remember the full name) infected my computer in the first boot after I connected the other disk. It took me hours to clean this awfull infection of which there was nothing to read about on the internet (seems as if it was originated in eastern Europe). Since then I have second thoughts about how to backup drives that are suspected of containing malware.

Regarding BartPE: I strongly recommend creating and keeping the bootable cd. It's a wonderful tool.

[JulianeB]

Wow, that's a drag! I guess we were lucky, huh? This has opened up one more problem - I can't find the files for Outlook Express to import into the new OS. Do you know where I could look? I sure hope those messages got saved...Outlook is still loaded onto that drive, so I can't see how they would have disappeared, but I can't find them. I hate OE! Why does MS make it so hard to find and back up your stuff???

Thanks again. Now I'm a bit nervous about using this HD at all...guess I will get my documents and then unplug it...but it's probably already attacked the new OS, yes? Going to run ALL the malware scans on the laptop...Your worm - the AV program didn't pick it up...that's troubling...what did it do to your computer?

Edited by JulianeB, 07 March 2008 - 09:32 AM.

[The Skeptic]

Click on My Computer > tools > folder options > view. Check "show hidden files and folders". Apply.

To find the address book of outlook express:

Click: My Computer > X (the drive letter where the old operating system is) > Documents and Settings > User Name > Application Data > Microsoft > Address Book. Copy the folder and paste it in a convenient place.

To find outlook express messages:

Click My Computer > X (the drive letter where the old operating system is) > Documents and Settings > User Name > Local Settings > Application Data > Identities > { .............. } > microsoft > outlook express. Copy the folder and paste it in a convenient place.

To retrieve the data open outlook express. Click on Files > Import. Follow the instructions for importing the saved folder into outlook express.

Before you retrieve the data scan the two saved folders with antivirus and antispyware.

[JulianeB]

Oh, THANK YOU!!!! That doesn't look so difficult when YOU write it out! I will be sure to scan those files thoroughly. At least there isn't any way for the virus to get onto the new C drive...is there?