Chkdisk

Mullenkamp · January 6, 2008, 10:30am

You guys, I know ya’ll don’t know me all that well but if you can help me out here you don’t know how much it would mean to me.

My McAffee stuff expired and I was cool with it because I’m usually able to determine what would lead to spyware…except that myspace comment saying that someone had died. -__-

Long story short, even when I got McAffee to work for a second somehow and it uninstalled about 20 programs that had been forcefed on my computer nothing changed. I keep getting this weird message that says Explorer.exe is essentially corrupted and to run this chkdisk thing. Turns out that running it doesn’t change much.

I’ve got a backup harddrive and I guess I could learn how to do a system restore deal, but if anyone knows a program or the like that could make it easier on me that would be a big help.

Cless_Alvein · January 6, 2008, 12:18pm

If you already ran the executable, the easiest way around it is to back up all your data, bookmarks, and passwords, and then do a reformat on your OS partition. Then get <a href = “http://www.avast.com/eng/download-avast-home.html”>Avast</a>.

Khalbrae · January 9, 2008, 4:39am

Back up all of your data before doing any of this anyway.

Spyware problem...

Usually there will be another program in memory that will do so, but that program will be well hidden due to the registry, as you have said.

For that, there are 3 tools.

Hijackthis:
http://tinyurl.com/2vhrjo

Autoruns:
http://tinyurl.com/rnl5p

Process explorer:
http://tinyurl.com/y6nw5d

You must run Combofix and Smitfraudfix BEFORE running these programs mind you.

There are some nasty malware variants that disable the copying and pasting of file on any profile and will nuke the profile you’re working in.

So, you use Autoruns to determine which processes (roughly) have files running in them. In autoruns, once it finishes its first scan, click options up on the top, than click “Verify Code Signatures” and “Hide signed Microsoft entries.” You can now browse by section to see what starts up when the PC runs (Logon = standard startups in msconfig, Winlogon = in winlogon, LSA = Lsass, ect) You should also doublecheck with Hijackthis.

Don’t fix ANYTHING until you have used process explorer.

If Process explorer hit CTRL + F to bring up a find menu. Search for the suspicious files (example: ohnoes.dll <- Yes, that exists). Find out which processes they are running in (Most likely are explorer.exe, iexplore.exe, lsass.exe, winlogon.exe and svchost.exe). Programs and files that run in process explorer that are a deep purple are usually bad files (Packed files). Just make sure they’re not one of your virus/spyware scanners.

Regardless, keep Hijackthis open while you perform these steps. In process explorer, right click on the program that is infected with the file. Left click on properties. Finally, click on “threads”. From there you should look for all signs of your suspicious file. Left click on them, than click on “suspend” down below. That will keep it in stasis as long as too many of its friends aren’t running. Hunt down all malicious processes you can in this manner. If a ctrl-f search says a file is in a program but it’s not in threads view, that is not something to worry about.

Once everything is suspended. KILL THOSE MOTHER BUGGERS in Hijackthis.

Kill all the suspended threads in the processes in Process Explorer.

If ones are in autoruns that are not in hijackthis, right click on them and delete them there. Use a program like NotMyFault to cause a bluescreen, than shut your PC down. Load windows back up and check for signs of infection to be sure. If there are none, reboot twice more to see if any symptoms come back. If not, you’re in the clear.

If iexplore.exe itself if corrupted beyond the point of no return. Pop in your windows CD, open a command prompt box and type into it “sfc /scannow” and that should verify the file integrity.

One last thing to note. chkdsk /r should be run in the recovery console. You need to boot into the windows CD (when the PC starts, before it loads windows) and press “r” when prompted. Type “1” and enter. Than type in the administrator password (usually nothing, so just press enter).

Best of luck! Backup your data first anyway to be safe. But if you can learn the tools I provided you here today you can actually consider yourself nearly an expert on the subject as you will be better at removing malware than 90% of Geek Squad. (which often resorts to full reinstall of the operating system, Some managers appearantly joke “they should have bought a Data backup with that”)

Mullenkamp · January 11, 2008, 3:57pm

Thanks dudes! I’m going to try to fix it tonight and I have a heck of a better chance thanks to the both of ya’ll!

Mullenkamp · January 15, 2008, 1:10am

Double post, I know, but I have to say how awesome Khalbrae and Cless are. I’ve only just finished using Combofix and the swath of ads is already gone. That stuff is like alcohol on an open sore; except without all the nasty pain. I’m still going to go through that whole process that was posted just in case, but I’m already enjoying the results; my internet isn’t running as slow as molasses and that stupid lovercalculator isn’t popping up whenever I try to go on to another link.

I’m downloading avast right aferwards of course. Again, ya’ll are the bomb.

Khalbrae · January 15, 2008, 4:13am

Glad to be of service.

I hope my instructions were clear enough.

Especially look for programs trying to execute in places the shouldn’t be (like the root of C:\ or C:\Windows\Fonts)

Also, suspect files will have very strange names like jhhkkd.dll. Best of luck!