Topic: virus?

[mackbig]

I have never had a pc virus. 

I run CA antivirus, all my windows updates have been done. 

Today my IE 6 started crashing  for no apparent reason.   I could pretty much do a google, then soon after clicking a link it would dr watson.   So I cleared cash and cookies etc...  Did not help.

So I downloaded FF.   FF worked fine till a few minutes ago.   Searching for norton av returned proper sites, but clicking took me to fake sites.

Also my CA updater was stuck earlier, I tried manually running, and it could not connect.  According to the AV software, my definitions are from yesterday.

Anyone got a quick workaround or ideas about this.  I have a mac downstairs, I can dump files onto my file server, but I assume even if I download another virus checker, if I have a smart virus, it will block installation.

I am running CA antivirus scan right now, but I assume it is just going through the motions.

Andrew

[wxkpt]

Have you tried to run the virus scanner in safe mode? sometimes that works

[mackbig]

Its pretty much non responsive.  I have a ghosted image from 3 months ago.  it is uninfected.  So I am updating the antivirus on it.  Then I will slave the other drive, and scan it. Hope that works.

Thanks
Andrew

[jmcmurry]

Here's a link I saw on another forum that supposedly will let you know if it's Cornficker.

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

- Jim

[Mark / Ohio]

Might see if you get this program downloaded and to scan..

http://www.malwarebytes.org/index.php

[mackbig]

thanks I will try.

here is a question.   I have the old drive loading now.  Its clean.   Both drives are bootable.  How do I fire up the pc, so that the bad drive loads as secondary drive?   Back in the IDE days, I knew how to do this...

I tried just plugging the sata cable into it, but it does not show up in windows... 

Andrew

[mackbig]

Well 2 hours and 15 minutes and 641367 files scanned. ca av running on good drive, with bad drive as drive F, found nothing.

I rebooted with just the bad drive, and used safe mode for win xp

I could see all the logos on the eye chart.  I was pretty sure it was not conficker due to having all the updates.  Of course I also thought my CA aV would have also protected me against other stuff.

I was somehow able to download malwarebytes without ff crashing.  Of course it would not update its definitions files due to the site blocking.   Luckily I was able to install the programs on my work laptop, download the def's, send the def file to my mac by email then form mac to pc via nas... wow that was long.

Anyway it found three on its first pass with old defs
rogue.installer
rogue.drivecleaner
adware.mywebsearch

It found 1 more after def's updated in registry, and 2 in file system.  Using quickscan.
Trojan.Daonol
Torjan.Agent
Trojan.Agent

Thanks a billion Mark .  Even if this is not the end.... way further ahead than with CA. (and jim for the conficker test, and wxflint for the safe mode, forgot all about that... oscar speech anyone)

Other than wasting a few hours of my life, this pisses me off.  Missed a few hours of weather data... and I had my strikestar uptime 99.8% of something, but now I will drop below 99, and just be very good rather then excellent.


Andrew

[Mark / Ohio]

Glad to hear your on the road to recovery.    

I heard about Malwarebytes from a computer repair guy on a tractor forum of all places.  Plus some other people there and other places have said good things about it.  I added it to my arsenal a couple months back and keep it updated regularly along with Lavasoft's Adaware and Spybot Search and Destroy.  I've heard some rumblings about those latter two that I've used for ages not being as good as they once where and Malwarebytes working better for some now.  Very seldom I ever have any problems but i still keep them all loaded and ready just in case.  This new stuff floating around now some they say are written by professional criminals worries me more then the older antics by kids with nothing better to do.  For better or worse I'm doing more financial work on line now then I used to as well which has added to my paranoia.     Currently I'm using Avast free version for my AV on all 3 of my computers after having some operational issues with my old standby of AVG free version.  So far so good with it.

[mackbig]

Thanks again Mark.  Wish I had tried it 3 hours ago.  Must have been a pretty fresh virus since the April 6th defs did not catch it.  And for whatever reason the april 16-17th CA definitions did not catch the deploy or upon scan.  Gotta love when a free piece of software trumps something I have paid a fair price for over the years.  Pretty much a whole night and part of an afternoon wasted.  I just thought IE was messed up till the new install of FF started doing the same thing.  Luckily did not do any finances today.  I was going to be finishing my taxes today, but chose to focus on the IE issues.... My bank has mfa, anyway so even if they got my passwords, they would not have had the backup up questions. 

Andrew

[Mark / Ohio]

I did some googling on what you found and looks like the Trojan.Daonol is/was probably the real problem.  Looks like some people are having trouble getting rid of it and it showing back up on additional scans.  Keep an eye on it.    

[SlowModem]

You don't have to answer this if you don't want to, but how do you think you got it?  An attachment to an email, or visiting a bad web site or what?

[mackbig]

Greg,
Dont mind answering.  I have to assume it was email payload based on descriptions.  I dont use my pc for email but my wife does (did....)   I am going to toss outlook.  All our email is accessible via webclients, and she can use the mac email client downstairs if she really has to.

Andrew

You don't have to answer this if you don't want to, but how do you think you got it?  An attachment to an email, or visiting a bad web site or what?

[mackbig]

well Mark, like you said it tends to come back, but like the million dollar man, he is bigger and stronger....and so far undetectable aside from the symptoms.

same symptoms. wife reported that IE started crashing yesterday morning.   She could however still download new virus defs for malwarebytes. a couple of scans nothing. 

by the time I got home it was blocking updates to malwarebytes and ca antivirus, and redirecting some virus related google searches... then ff stopped working consistently (it works hit and miss)

I did my virus def workaround for malwarebytes last night and this morning (amazing how many new defs they add every few hours, and they all seem to be trojan related, but no luck.  about 8 scans now and nothing... hmmm   I even tried SAS....

between scans last night I deleted everything in ..\temp directory and deleted temporary internet files again...

Perhaps the defs created today will find something.  Any other ideas.

Andrew

[sam2004gp]

MackBig, the only way to get rid of it, is copy your data off only, format the hard drive and reinstall windows or your system recovery disk from a know good clean source.  If you had an image backup of your machine before you got the virus, you can format the hard drive and blast the image back on.

Once you have the machine virus clean, make sure you ALWAYS do windows updates, install Firefox as your default browser; with the Adblocker plus and NoScript extensions, install anti-virus software (I don't recommend Mcafee or Norton, they are resource hogs) and then most importantly set up the wife a "restricted user account" in windows.  The "restricted user account" will slow down anything if it gets past any of your other defenses.

The viruses are too tough to remove and once you get one on they invite others on your machine.  It is not worth the trouble "trying" to get rid of it, when another variant will be back the next day. 

[mackbig]

thanks Sam.  I am going to keep fighting it for a bit.  I do have an image that is clean, but its 4 months old.  I used it on saturday for a bit.  Gotta clean up the website stuff, it was pre new site, so for a while my page went back to really old format, I think vws was still doing my ftp'ing, and all my lightning stuff striketar and wasp had not been installed yet.  I have all my data backed up daily as well.  So I can rebuild.   I am just pissed that all my windows updates were good, and I thought I had a good and daily updated virus checker installed, and still got infected.

Last resort I will start from the old image.  I kept meaning to go get some cheap HD's from tiger, but something always came up, would really rather use a month old image, then 4 months, if I have to go that route.

Wife "restricted" profile wont work, its actually the weather pc, so I need it to boot right into main profile so all the weather stuff starts auto.  I will just ban her from it, we have a mac to play on (lots of news on mac's being targetted now but only with respect to pirated software), and she has a laptop for work, there is no reason for her to use my pc.

Andrew

[sam2004gp]

Sounds like you got a good handle on it there Mack.  Let us know what happens, good luck.

[mackbig]

I think the answer to this will probably be NO.  What about going back to a "xp restore point"  then doing a scan.  Would this reset the "blocking properties" that the trojan has placed xp internet connectivty on seeing av sites?

Andrew

Sounds like you got a good handle on it there Mack.  Let us know what happens, good luck.

[andro700]

Have you tried Spybot Search and Destroy and or Superanitspyware. I had a computer that I had to use those two plus AVG anti-virus and run them for a total of 6 times before I got them cleaned of the the computer. It was not my computer, it was a friends. Never hurts to uses more than one Spyware program, especially in this case. Sorry if I came in to late.

Good luck with this.  Hopefully you can get rid of it without reformatting. Is is not letting you update or install any spyware or anti-virus programs.

Chuck

[mackbig]

Thanks for your thoughts Chuck,
Yes I was able to install Superantispyware last night. And update the definitions.  ran a "quick scan" before bed, and a full scan overnight.

it is blocking updates on Malwarebytes and CA Antivirus.  I have a workaround for malwarebytes to get the new rules.ref onto the affected pc.

I will try spybot search and destroy tonight, if it lets me.

Anyone have comments about "restore point"  Someone at work unsolicity said to try that....   I know the bad file would still be there, but perhaps if windows has not processed it yet....???

Andrew

Have you tried Spybot Search and Destroy and or Superanitspyware. I had a computer that I had to use those two plus AVG anti-virus and run them for a total of 6 times before I got them cleaned of the the computer. It was not my computer, it was a friends. Never hurts to uses more than one Spyware program, especially in this case. Sorry if I came in to late.

Good luck with this.  Hopefully you can get rid of it without reformatting. Is is not letting you update or install any spyware or anti-virus programs.

Chuck

[andro700]

I have never heard of doing a restore point. I use AVG and have never got a virus on any of my computers. I know it is a long shot maybe if you have time and it would let you install AVG and run it. You might have to uninstall CA because there might be a conflict between the two. I seen earlier in the thread someone mentioned using safe mode. I was wondering if you tried using the safe mode. Sorry if I am asking to many questions.

Chuck

[mackbig]

Chuck,
No such thing as too many questions.

I will also try AVG tonight.  I was ready to toss CA anyway as it obviously failed me hard on this one.

I did try Safe mode upon Mark's suggestion.  It was from within safe mode that Malwarebytes found and the removed the original trojan.  Last night I tried both safe and regular modes.

Oddly enough I found on a forum (i know everyone has an opinion) "never use safe mode, virus might not be active in safe mode as not all drivers load"  of course just as many hits say  "use safe mode".  One of them is probably correct, sometimes, maybe sort of kind of....

Andrew

I have never heard of doing a restore point. I use AVG and have never got a virus on any of my computers. I know it is a long shot maybe if you have time and it would let you install AVG and run it. You might have to uninstall CA because there might be a conflict between the two. I seen earlier in the thread someone mentioned using safe mode. I was wondering if you tried using the safe mode. Sorry if I am asking to many questions.

Chuck

[andro700]

I had a buddies computer he gave me and he told me it full of crap. It took me 8 runs total to get rid of all of the crap in his computer, that was with the three programs I mentioned before. I know spybot if it detects spyware, sometimes it will tell you to restart the computer and will run on next start up before everything gets loaded sort of like safe mode since none of the apps are loaded.

Chuck

[sam2004gp]

Again, you can try a "restore point" but many viruses also disable that to keep you from going backwards.  A Clean install is the only 100% fix.  One of the side benefits is you get a faster machine, because you don't have any of that "install and use only once programs" that you accumulate over time on your machine.

[mackbig]

Clean is good.  Finding my xp cd in the basement from my move a year ago is another issue.  restoring all my weather stuff.... as I said, will if I have to....

Andrew

Again, you can try a "restore point" but many viruses also disable that to keep you from going backwards.  A Clean install is the only 100% fix.  One of the side benefits is you get a faster machine, because you don't have any of that "install and use only once programs" that you accumulate over time on your machine.

[ironton]

I have battled a few virus/trojans in the past and have also thought I had them erased only to find they reinstalled themselves the next day. 
I discovered in some cases the AV software will remove the virus but the computer also has a start up command that finds a file buried on the hard drive that re-installs the virus.  Often these commands are in the registry. 

A program I've used with some success is called hijackthis (trendmicro) and it is a free download.  Their webpage says hijackthis - "quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan. 
It does not determine what is good or bad. and warns you "Do not make any changes to your computer settings unless you are an expert computer user."
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

With that said, I have used the reports to search google for clues on what is good or bad.  There are also tech support forums where you can post the hijackthis log for others with experience to review and give advice.

The trend micro web site also has a free on-line virus scan.  If you are blocked from that site by the virus, I could D/L the hijackthis file and place it on my server for you to grab.
Good Luck - hope you can avoid the reformat!