January 11th, 2012, 07:23 AM
Infected PC - Full rebuild failed to resolve
I have an ongoing problem with my home PC which has been driving me crazy for a couple of months.
The PC is an HP desktop running Windows XP SP3 and it was protected by Windows Defender and the free version of Zone Alarm. Internet connection is a wired connection to a BT Home Hub 1.0. It has worked perfectly for 2 years.
Two months ago I received an email from BT saying that we'd exceeded our 10GB monthly download limit which I knew was not me. I suspected someone had hacked the BT Hub and was using our wireless connection. This was possible as it was using WEP which I've read can be hacked using brute-force!?
I then got a virus/malware which created loads of pop-ups in IE8 and kept re-directing the browser to dodgy sites. Google was affected too - it produced different results from the same search and the hyperlinks in the results didn't go to the right site. A full system scan by ZoneAlarm and Windows Defender reported nothing. Tried running MalwareBytes - it too found nothing.
Rather than downloading lots of free tools and risk making the situation worse I decided to archive all my files from the desktop PC to external disk and do a full re-install of Windows. I read up on securing the BT Home Hub and have disabled the wireless capability, switched from WEP to WPA2 and created a strong password so hopefully nobody can hack into the Hub now.
I also purchased and installed ZoneAlarm Extreme Security for £30. The only other software I installed on the new clean build was MS Office 2003 from my external disk. After doing a Windows Update and installing approx 100 updates everything seemed fine. A couple of weeks later the same thing happened.
Rebuilt again, same thing happened.
I've now rebuilt the PC 4 times and each time it seems OK for a week and then odd things start happening. Last night I tried to send an email from my hotmail account and it froze. Tried navigating away from the page and got a pop-up message:
Windows Internet Explorer
Are you sure you want to navigate away from this page? Can you wait a little longer? If you leave before your connexion is restored, the last action you took might not happen.
Press OK to continue or Cancel to stay on the current page.
Note the mis-spelling of 'connection' with an 'x' instead of a 't' in the popup.
Alarm bells started ringing again. I killed the iexplore.exe process in Task Manager and from that point on we lost all internet access and the PC wouldn't recognise the BT Home Hub.
Clearly there is something malicious working away in the background in IE and I'm worried that our activity is being monitored by a hacker. I've checked the IE settings and all seems fine - no dodgy looking add-ins and the security level looks OK.
What I can't understand is how these viruses/malware/trojans or whatever are getting onto my PC? It is connected to the internet over a wired connection with ZoneAlarm acting as the Firewall. I update the ZoneAlarm definitions daily and carry out a deep scan every day and it always reports no problems. I also perform a Windows update daily and keep the PC disconnected from the internet when not in use. I've installed no software apart from MS Office. How can it keep getting infected? Could it be that the external disk is infected and the install of MS Office is installing some kind of malware each time?
If so, how do I get rid of it? I've carried out a ZoneAlarm full scan of the external disk and it reports nothing. It's driving me mad and I'm actually starting to lose sleep over this now as I need the PC for work.
I've now purchased Norton Internet Security 2012 and I'm in the process of rebuilding the PC again.
Can anybody please advise what I can do to stop this happening? Any advice greatly appreciated.
Many thanks in advance.
January 11th, 2012, 12:02 PM
It sounds like it very well could be that external hard drive that's infected. If you have access to another computer, you could also try the Kaspersky Rescue Disk (Google it).
January 11th, 2012, 12:18 PM
> This was possible as it was using WEP which I've read can be hacked using brute-force!?
Have you also changed the default password for the router admin account?
> I then got a virus/malware which created loads of pop-ups in IE8
Personally, I would suggest either Firefox (with say the NoScript add-on) or Chrome.
You white-list what really matters to you and the rest of the crud can be left behind.
Setting yourself up in Windows with an "administrator" account and a "user" account (which does NOT have administrator rights) would be a big help as well. Surfing the net in "god" mode is just asking for trouble. Even if some malware manages to hijack IE, it will have restricted privileges, so the damage will be far more localised.
Blocking Unwanted Parasites with a Hosts File
Blocks over 15,000 of the rather more dubious sites.
Since reinstalling windows doesn't clean everything from the disk, I would suggest you begin with http://www.dban.org/
Just in case some malware is hiding in the places windows cannot reach.
> Could it be that the external disk is infected and the install of MS Office is installing some kind of malware each time?
This is entirely possible.
Don't you have the original CDs for Office?
You could otherwise try http://www.libreoffice.org/download/ , which will read MS-Office documents, and is perfectly adequate (for $0) for any home use of MS-Office.
January 18th, 2012, 08:33 AM
Thanks for the advice - very helpful.
I've made the following changes and the system has been stable so far:
1. Installed Norton Internet Security 2012. Update daily and run full system scan.
2. Created a new 'user' account rather than logging in as admin
3. Installed Firefox with the NoScript add-in
4. Replaced the hosts file with the one from the winhelp2002 web site
5. I'd already changed the default password on the router admin account to a strong password
6. Followed the instructions in the posting if-you-have-infection-issues-start-here-first-519852.html in this forum. This involves installing and running:
- CCleaner - no problems found
- SUPERAntiSpyware - 10 tracking cookies found and removed
- BitDefender - no problems found
Couldn't install ATF Cleaner. When trying to download the installer it navigated to an empty web page which reported 'This ID doesn't exist'.
7. Generally keep the PC off the web when not in use.
8. Disabled wireless on the Home Hub.
A few questions:
1. Is there an alternative place where I can download ATF Cleaner? Is it worth installing?
2. Should I still download and run HijackThis?
3. How often should I update the hosts file from the winhelp2002 web site?
4. When running a Google search the results at the top of the list which are sponsored links/adverts don't work when clicked. I'm guessing this is correct behaviour due to the hosts file resolving the ad server to 127.0.0.1? Can anyone confirm?
5. To keep the PC off the web when not in use I go to the back of the PC and pull the network cable out. I'm slightly paranoid at the moment and may be using a sledgehammer to crack a nut but it's the only way to be sure! I'd prefer a switchable box on the desk that enables me to toggle the connection on/off without messing about round the back of the PC. What's a nice cheap way of doing this? PC World has a little router for £17. Would this be the way to go? The alternative is to pull the power cable out of the Home Hub but it's needed for BT Vision and takes ages to start up.
Any help much appreciated...
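The hosts-file advice in the second reply and question 4 in the follow-up post (whether sponsored links stop working because the ad server now resolves to 127.0.0.1) both come down to the same thing: which names the hosts file blackholes, and whether a given link's hostname is one of them. The script below is an added example written for this page, not something posted in the thread or taken from the winhelp2002 list. It parses a hosts file in the format Windows uses (on XP the live file is %SystemRoot%\system32\drivers\etc\hosts), lists the blackholed names, and checks a URL against them. The sample hosts content is constructed for the example. Two caveats a practitioner should know are built in: hosts-file matching is exact, so an entry for `ads.example.net` does nothing for `www.ads.example.net`, and both `127.0.0.1` and `0.0.0.0` (which the big block lists also use) count as blackholes.

```python
"""Parse a Windows-style hosts file and check which hostnames it blackholes.

Added example for this thread; the sample below is constructed, not the
winhelp2002 list. On Windows XP the real file lives at
%SystemRoot%\\system32\\drivers\\etc\\hosts.
"""
import os
from urllib.parse import urlsplit

# Constructed sample in the style of a blocking hosts file: '#' comments,
# blank lines, several hostnames on one line, odd spacing and tabs.
SAMPLE_HOSTS = """\
# Constructed sample, not the real winhelp2002 file
127.0.0.1       localhost
127.0.0.1  ads.example.net   # an ad server
0.0.0.0    tracker.example.org   metrics.example.org

127.0.0.1\t\tclick.example.com
192.168.1.254   homehub.local
"""

# Addresses that blocking hosts files point unwanted names at.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment entry in hosts-file text.

    A line is '<ip> <name> [<name> ...]' with optional trailing '# comment'.
    Hostnames are case-insensitive, so keys are lower-cased.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. inline ones
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def _is_blackholed(host, mapping):
    # 'localhost' legitimately maps to 127.0.0.1, so it never counts as blocked.
    return host != "localhost" and mapping.get(host) in BLACKHOLE_ADDRESSES


def blocked_hosts(mapping):
    """Sorted list of hostnames the file points at a blackhole address."""
    return sorted(h for h in mapping if _is_blackholed(h, mapping))


def is_blocked(url_or_host, mapping):
    """True if the URL's hostname (or a bare 'host' / 'host:port') is blackholed.

    Matching is exact, like the resolver's own hosts lookup: there are no
    wildcards, so 'www.ads.example.net' is NOT covered by an 'ads.example.net'
    entry. That is why a block list can miss an ad server on a new subdomain.
    """
    if "://" in url_or_host:
        host = urlsplit(url_or_host).hostname or ""
    else:
        host = url_or_host.split("/", 1)[0].split(":", 1)[0]
    return _is_blackholed(host.lower().rstrip("."), mapping)


def load_hosts_file(path=None):
    """Parse the live hosts file; path defaults to the Windows location."""
    if path is None:
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(root, "system32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_hosts(fh.read())


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blackholed:", blocked_hosts(hosts))
    for link in ("http://ads.example.net/banner?id=1",
                 "https://www.ads.example.net/",   # subdomain: not matched
                 "homehub.local"):
        print(f"{link:40} blocked={is_blocked(link, hosts)}")
```

Run it against the real file with `print(len(blocked_hosts(load_hosts_file())))` to see how many names the installed list actually blackholes; a sponsored link whose hostname is in that set will fail exactly as described in question 4, while one on a subdomain the list does not name will still load.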