Help fixing aftermath of invasion
This occurred about three hours ago. My Norton Anti-Virus and Internet Security were showing as up to date and running. I also had Ad Muncher (registered) running.
Steps of what happened:
1. I was on Yahoo! Answers, looking at the question on this URL (http://answers.yahoo.c_m/question/index;_ylt=AmZzt6y9cidlEEVTFnZeZu7sy6IX;_ylv=3?qid=20080814042844AAFAcYC), about web proxies. I clicked on several of the answerers' links to see what a web proxy site was, and I believe that's when the invasion happened, but I'm not sure which of the links it came from.
2. The first alert I had was a pop-up saying NAV was trying to access a DNS server. It never tells you why, you know? I clicked "Block this instance" before I realized it was talking about the anti-virus program. (Question 1. Why does the AV try to access a server when an attack is happening?)
3. Right after that, I got another pop-up from Norton saying it had successfully blocked Trojan.Blusod. I realized at that point, I should get offline and run a virus check, but I stupidly read a couple of emails first, then logged off.
4. When I closed my browser (IE 6.0.2900.5512.xpsp.080413-2111), my desktop wallpaper had disappeared and the background was white. I think it was at this point that I disconnected my cable modem so nothing more could get to the web.
5. I ran a quick scan, and it turned up Adware.CWSIEFeats. I clicked Fix. (I got this even though I had Ad Muncher running.)
(Question 2. How did it get past Ad Muncher?
Question 3. Was Fix the right thing to choose? My only other option was Exclude, which sounded like it would exclude it from being mentioned in future virus scans.) I turned off Ad Muncher around this time.
6. I aborted the scan, reopened my browser, and erased the cookies, history and temporary Internet files, including the offline ones.
7. I re-ran the quick scan, and nothing else showed up.
8. Then I realized I should run a full system scan. About 1/4 of the way through that, it suddenly stopped and went to the Welcome screen, which I have set up as password protected.
9. I clicked shut down instead, fearing something would record my password and hoping the cold reboot would wipe that. I got a message saying, "Other people are logged on to this computer" (I was logged on as HP_Administrator, it wasn't connected to the Internet, and it's not networked to anything but my printer) and that shutting down would close that. !!!! I continued the shutdown, then rebooted.
10. The screen before the Welcome screen was the normal shade of blue for my XP Home OS. The Welcome screen was normal. The desktop loaded with a royal blue background, but that didn't stay. It turned white by the time the boot finished.
11. I ran the full system scan again, and the same thing happened, only this time when I went to shut down, the message said there were two user accounts running for HP_Administrator.
12. I continued the shutdown, waited 2 minutes, then rebooted. This time, the desktop stayed that royal blue color, no white. I went to My Computer/Control Panel/User Accounts. The only ones showing were HP_Administrator, Guest (offline) and a SQLDebugger account. These all seem valid. (Question 4. What do you think?)
13. I decided to uncheck the Fast Switching check box, which had been checked. I'm the only user of this computer, and I don't know if this was a default setting or something the invading program did. (Question 5. Anyone know?)
14. I reran the full system scan, and this time, it ran completely. It didn't find anything more.
15. I shut down, to see what would happen with the change in fast switching. Some program shutter window flashed by, then it shut down. On reboot, everything looked normal except for my desktop.
16. I right-clicked on the desktop and selected Properties to put back my wallpaper. Three tabs are still there (Themes, Appearance and Settings), but the ones for my wallpaper and screensaver are missing. (Question 6. How do I get them baaaaaack?)
17. I went back to My Computer/Control Panel/User Accounts to test whether adding back Fast Switch would cause the "other user account" to show again. A message came up saying, "Fast switching cannot be used because Offline Files is currently enabled." I clicked OK and the Offline Files tab appeared. I checked My Computer and My Network Files for any shared offline files, but there weren't any. I de-selected the offline files box. (Question 7. If there's no virus or trojan, why are these changes happening?)
18. Then I re-selected Fast Switching, re-ran the Full System Scan, got the same interruption and move to the Welcome screen, and the same message about 2 HP_Administrator accounts running. I did the cold boot, unchecked Fast Switching, and came here hoping for help.
The big questions:
a. Could I still have some kind of infection, even though NAV says no?
b. If so, what is going on here? What to do? Could this be progressive? I do not want to wipe my system and reinstall everything if I can avoid it.
c. How do I get the 2 user accounts thing to go away? I assume there's some code doing this.
d. How do I get my two desktop Properties tabs to come back?
e. Anything else I should know?
Please help - I'm really freaked out. Thanks.
[edit: broke link, to prevent accidental clicking.]
Message Edited by Allen_K on 09-24-2008 12:24 AM
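An added check, not part of the original post, for the symptom in step 16: the Desktop and Screen Saver tabs of the XP Display Properties dialog are hidden when the policy values NoDispBackgroundPage and NoDispScrSavPage are set under the Policies\System key, so this hypothetical PowerShell helper lists any such restriction values found per user and per machine and removes them only when run with -Remove. It assumes no such policy should exist on a single-user home machine; run it only after the scans are clean, because it corrects the symptom, not whatever set the values.

```powershell
# Added example (not from the original post): report, and optionally remove,
# the policy values that hide tabs in the XP Display Properties dialog.
param([switch]$Remove)

# Per-user and per-machine policy keys consulted by the Display applet.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# NoDispBackgroundPage hides the Desktop (wallpaper) tab, NoDispScrSavPage the
# Screen Saver tab; the others hide the remaining tabs or the whole applet.
$tabValues = @('NoDispBackgroundPage', 'NoDispScrSavPage',
               'NoDispAppearancePage', 'NoDispSettingsPage', 'NoDispCPL')

$found = @()
foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in $tabValues) {
        $prop = $props.PSObject.Properties[$name]
        # A nonzero value is an active restriction; record where it lives.
        if ($prop -ne $null -and $prop.Value -ne 0) {
            $found += New-Object PSObject -Property @{
                Path = $path; Name = $name; Value = $prop.Value
            }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No Display Properties restriction values are set.'
} else {
    $found | Format-Table Path, Name, Value -AutoSize
    if ($Remove) {
        foreach ($f in $found) {
            Remove-ItemProperty -Path $f.Path -Name $f.Name
            Write-Output "Removed $($f.Name) from $($f.Path)"
        }
        Write-Output 'Log off and back on for the tabs to reappear.'
    }
}
```

If the values return after a reboot, something on the machine is re-applying them, which is the answer to question a and points back to the scans rather than to this script.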