Nasties ID'd - no Task Mgr. - no idea what's wrong

[stargazer777]

Hi all, thanks ahead of time for reading and possibly helping.

My situation in chrono outline form:

1. I'd had some 'slowness' probs recently, but nothing indicating an (obvious) infection.
2. My CA e-zTrust AV had run out, so I installed a trial version of Kaspersky, which on TopTenReviews.com came in 2nd only to Bit Defender. I did an update search as soon as it fired up.
3. As soon as I began scanning, it found a keystroke logger, ID'd as 'itchfltr' (can't remember the extension type). It told me it was in WINDOWS\system32; I located it, deleted it, then deleted from Recycle Bin. The file did not reappear in that location, but apparently it was still running.
4. I went to START > Run > msconfig and turned off all startup items, then rebooted.
5. At this point, Kaspersky AV began finding more things, and I got a warning message about a trojan (I'll return later and post its name).
6. In summary, my screen/mouse pointer would freeze in about 3 minutes. The really nasty thing about this is, things even freeze in SAFE MODE !!! How can I work with anything to solve this situation when things are equally whacked in Safe Mode ??!?
7. Worse yet, CTL-ALT-DELETE wouldn't even do anything, so I had no access to Task Manager .... I couldn't even shut down, I had to just do a hard power-off.
8. At this point, I don't even know where to start. The entire problem is aggravated by the fact that everything freezes in a couple of minutes (not to mention Safe Mode is useless). I don't have time in which I can fuss with my AV, or any other bug-finding app.
>>> Where do I go from here ?
Thanks,
Dave G. in Virginia, USA

P.S. My system and basic software profile is shown below (remember, my AV is now Kaspersky -- I'll change that in my sig later). I will happily provide (if possible) any info I've overlooked, if you ask me in your post. Thanks again!

[fink]

Do have enough time to run hijackthis before it freezes? (installing it and running it should take no more than a minute or so.)

instructions here...

http://discussions.virtualdr.com/sho...d.php?t=167915


You could save some time by downloading it on another computer and burning it to a cd to transfer over to the infected one.

If it refuses to run on the infected computer try changing the name of the program, after installed, from hijackthis.exe to scanner.com in case it's one of those trojans that recognizes it and tries to stop it from running.

[stargazer777]

Thank you, Fink, for your reply - I appreciate it.

I hate to disrupt the normal system of following suggested approaches to fix problems such as this, thereby helping others with similar problems. However, I was desperate to have my PC working ASAP, due to work I had to do for Monday AM.

Perhaps what I did do will help others as an alternative. I remembered I had a spare 30GB HDD:

1.) I disconnected my Maxtor 160GB, and connected the Maxtor 30GB as the sole HDD.
2.) I booted with the WinXP Pro SP2 (slipstream) CD, and completely "wiped" the drive clean. Then I deleted the old partition (it only had one), created a new one, and installed Windows XP Pro.
3.) I did not create multiple partitions since I will be using the 160GB HDD as my main disk for data, photo and music files. Also, it is my policy and preference to install major apps on a drive other than the C: drive.
It's a daunting, frustrating thing to have to wipe out installed (major) apps when deleting the C: partition to reinstall Windows. However, I was forced to (re)install MS Office onto my C: drive, since I didn't want to attach my previously-infected (160GB) drive until I know the best way to do it. Which brings me to another question, below:

NEW QUESTION:
***What is the safest procedure for re-installing the 160GB HDD, assuming it has some latent "nasties" floating around on it somewhere?
Now - I know a firewall keeps new (bad) stuff from coming in over the Internet, and Antivirus software finds and helps purge existing nasties that have already made it onto a HDD. But - I now have a supposedly clean, uninfected C: drive. What about internal existing viruses, etc. on the larger drive I'm reinstalling? Is all I can do scan the drive and hope to delete anything on it before it (possibly) "migrates" (by command) to my C: drive?

Thanks again, Fink. I appreciate your help and wisdom . . .

- Dave in Virginia, USA

[fink]

Install the drive as a slave and then format it unless you want to keep anything that's on it. Even just installing it as a slave initially will prevent any malware from infecting the main drive C: but dragging any infected files over could be a problem.

If you need to keep anything on the slave drive limit it to files that are non-infectable like multimedia (pics/movies/etc) for eg. If you really need to keep an executable or runable file first scan it/them here..

http://virusscan.jotti.org/

You can format the drive using windows computer management (control panel>admin tools>computer mgm't)

http://vlaurie.com/computers2/Articles/harddrive2.htm

[stargazer777]

Thanks again, Fink.

My objective for the 160GB HDD (which I wish to re-install) is to retain:

1.) All data files, including types such as MS Word docs, Acrobat/PDF files, Excel files, etc.
2.) Graphics and photo files such as BMP, GIF and JPG files
3.) Music and other sound files, such as WAV, mp3 and others

I wouldn't mind getting rid of installed apps and reinstalling them, but I'd want to be able to view them and make a small list of what I need to reinstall.

I really hate the thought of wiping the drive clean and reformatting. This is not only a terrible task in itself, but backing up the existing files (which I mentioned above) would be a tremendous job. My initial thought is to somehow put this off until I can buy a large (500GB?) USB HDD for archiving.

Just my $0.02 . . .

Thanks again,
Dave

[fink]

Scan it with your current a/v and let it delete or quarantine anything it finds then do a couple of online scans ...

http://www.pandasecurity.com/homeuse...s/activescan/?

http://www.ca.com/us/securityadvisor...info/scan.aspx

http://www.windowsecurity.com/trojanscan/

There have been some issues lately with the new housecall scan..

http://housecall.trendmicro.com/

I'd probably avoid this one.

I'm reasonably sure you can selectively scan a slave drive with these scanners.

So long as the slave drive isn't booted or any programs on it are run then no malware on it can do any damage on its own. A virus/trojan/etc would need to be activated by reinstalling it on the C drive or somehow be manually integrated into a running program.

Simply viewing the files on the slave drive is safe to do. Just don't open any executable files (exe, dll, com, pif, scr etc)

EDIT- doc and xls files can be risky too. Definately multi scan those at Jotti if you want to keep any.