InfectedComputer
New member
Follow-ups on tasks; questions
Hi pskelley,
OK, some follow-ups on the tasks you requested. Sorry for the length of the post.
1) MDAC. I tried the custom Windows update, but there was nothing for MDAC in the list. I found the following information on the Windows “MDAC Utility: Component Checker” page:
“MDAC is installed with numerous Microsoft products and can also be redistributed using the redistribution program (mdac_typ.exe) that you can download from … Windows XP SP2 or later versions of Windows also install MDAC as an ‘out of box’ system component of the Windows operating system. Since MDAC in Windows XP SP2 or later is newer than the version (MDAC 2.8 SP1) in the last MDAC redistribution program, mdac_typ.exe no longer installs MDAC on Windows XP SP2 and later versions.”
On my computer there is a version of MSADOX.DLL located in “[Drive letter]:\Program Files\Common Files\System\ado” and it has a file modified date of 4/18/2008, which I don’t understand because I installed SP2 for Windows XP in 4/2009. So I installed the MDAC Utility Component Checker (wasn’t easy to find and install), ran it, and it said I have MDAC 2.8 SP1 on Windows XP SP3. MDAC 2.8 SP1 is the most current version.
The version of MSADOX.DLL in C:\I386 dates back to the original installation of Windows XP that came with my computer – the modified date is 8/18/2001 and the creation date is 5/19/2002. PSI is not complaining about the version of MSADOX.DLL in “C:\Program Files\Common Files\System\ado”. PSI says if the installation path is not “[Drive letter]:\Program Files\Common Files\System\ado” but rather is in a backup area like c:\I386, then the user should use the Ignore Directories & Paths option so that PSI does not look in that location. PSI lists the Installation Path as c:\I386\MSADOX.DLL. Having said that, do you think I should tell PSI to ignore the version in c:\I386, or that I should back it up and delete it like I did for the Shockwave files in c:\I386, or talk to Microsoft Support?
2) c:\I386\SWFLASH.OCX – I deleted the file as you instructed, after backing it up to CD.
3) c:\I386\SwInit.exe – I deleted the file as you instructed, after backing it up to CD.
4) McAfee. Regarding the 3 items in the Security Center, the first one (firewall) is green/on. The second one (automatic updates) is yellow/check settings. That’s because I prefer to have the updates downloaded but then I decide when I want to install them. The third one (virus protection) comes up red when I restart, but turns green some minutes after I re-enable McAfee manually using a right-click option on the McAfee icon in the systray. [As soon as I re-enable McAfee manually, it starts scanning – it takes a while for the Security Center to recognize it.] Please note that this behavior was not happening with McAfee before the infection. I believe McAfee was disabled entirely by the infection. It came back sometime after we ran ComboFix. I only noticed this behavior after we ran MBAM, so I don’t know whether this behavior started right after ComboFix, or later. This might be a moot question because I need to get a new antivirus program anyway?
Do I need a new antivirus program in place before doing the other steps, or can I make do for now by re-enabling McAfee manually?
As an aside, did I read somewhere that some malware can impersonate the Security Center?
5) Zofaziba – I deleted it and it has not regenerated itself (like it did with the first infection whenever I would try to delete it).
Before I start uninstalling ComboFix, run MBAM, etc., since it seems like we’re near the end, let me get some questions in while I can:
6) Related to deleting and reactivating the Windows restore, I also have Recovery Commander checkpoints as part of my Fix-It Utilities program. I don’t think those are protected storage, so I assume I don’t have to delete those?
7) Do I plug in and check my external HDs and flash drive after I get a clean MBAM report? Do I use MBAM and a virus scan to check them?
8) What about other user accounts? With the first infection in early April, after we had finished the forum thread, I discovered that there were still some stray startup entries in some user accounts. These were pointing toward malware files that we had removed, so when logging in to those accounts a popup would appear saying that the file they were pointing to couldn’t be found. Clicking “OK” would remove the pop-up. I have 2 administrative logins (plus “Administrator” in safe mode which I can’t get into because I lost the original password somehow), and 5 regular user accounts. How do we make sure there aren’t any remnants in other accounts?
9) Is the Windows Firewall sufficient or do I need something better? [If it’s just fancier feature options rather than stronger protection, it might not help me because I don’t even understand the features in Windows Firewall, I just use the defaults, I think.]
10) In addition to a real-time virus scanner, do I also need a real-time Malware scanner, such as is contained in the purchase version of MBAM or Ad-Aware? Do those clash with the real-time virus scanning? Are there combination products that scan in real time for all threats simultaneously?
11) Given the nature of this infection, will I need to change Windows user account passwords, online passwords (banking, PayPal, etc.), other passwords (for the ISP connection, email server, etc.)?
Regards,
InfectedComputer
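The stray startup entries described in item 8 (per-user Run keys still pointing at malware files that have already been removed) can be enumerated rather than discovered one logon at a time. The following PowerShell script is an added example for readers of this thread; it is not something posted by either participant. It walks every user hive currently loaded under HKEY_USERS, reads the Run and RunOnce values, extracts the program path from each command line, and reports the entries whose target file no longer exists. The `Get-TargetPath` helper and the key list are the example’s own; it assumes an administrative PowerShell prompt and that the accounts to be checked have been logged in at least once since boot (or their NTUSER.DAT loaded), because only loaded hives appear under HKEY_USERS.

```powershell
# Added example: report per-user autostart entries whose target no longer exists.
# Orphaned Run/RunOnce values are what produce the "file could not be found"
# popup at logon after a malicious file has been deleted. Run as administrator.
# Caveat: only hives currently loaded under HKEY_USERS are visible, and
# %USERPROFILE%-style variables expand to the *current* user's values.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry provider metadata that Get-ItemProperty attaches to every result;
# these are not autostart values and must be skipped.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the launched program's path out of a Run value command line.
# Handles both "C:\Program Files\x.exe" /arg and C:\Dir\x.exe arg forms.
# (Helper written for this example; not a built-in cmdlet.)
function Get-TargetPath {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: shortest leading prefix ending in an executable extension,
    # so paths containing spaces (C:\Program Files\...) are kept whole.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr|pif|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$results = @()
$hives = Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $hives) {
    foreach ($rel in $runKeys) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$rel"
        if (-not (Test-Path $keyPath)) { continue }
        $props = Get-ItemProperty -Path $keyPath
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $target   = Get-TargetPath ([string]$p.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($target)
            $results += New-Object PSObject -Property @{
                User    = $hive.PSChildName   # SID of the account
                Key     = $rel
                Name    = $p.Name
                Command = $p.Value
                Exists  = (Test-Path -LiteralPath $expanded)
            }
        }
    }
}

# Entries whose program is gone are the orphans worth reviewing and removing.
$results | Where-Object { -not $_.Exists } | Format-Table User, Key, Name, Command -AutoSize
```

The script only reports; removing an orphaned value is a separate, deliberate step once you have confirmed the entry refers to a file that was cleaned up. It also does not catch launchers whose host program exists but whose argument points at a removed file (for example a `rundll32.exe` entry loading a deleted DLL), so entries that use a shared host process still deserve a manual look at their arguments.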