Viruses, please help.

Moose777

I just got back online. I was offline for close to 3 years. I have two computers. One, I surf the web with. The other, I do nothing but play games on (such as HL2, BF2...etc...).

The one I expect to pickup viruses (the internet surfing computer) is sitting pretty. Updated nicely, runs pretty well. And has been tied to the internet for a week now.

The other one, which 3 years ago NEVER saw the internet except to play games and has been on the internet for a total of 1 full day, is rife with viruses. This rig (same as the one in my sig) has always had a firewall, has always had anti-virus software, has always had Ad-Aware, has always had Spybot, whereas the other rig, the one that I surf the net on for most of its use, has none of those things.

I'm beginning to get incredibly pissed off and am nearing my breaking point with this. Either I find a way to repair it short of reformatting it (which I believe won't work either) or I put a sledgehammer through it.

The types of viruses I have are mostly Trojans.

Two of them that I can name off of the top of my head are:

Trojan:Win32/conhook.D and Trojan:win32/vundo.AY as well as Trojan:win32/vundo.Gen1 and a few others.

I've run Windows Defender and aVast! I've even managed to get Windows Update working, because it hadn't been, and I can't get any of these (insert colorful expletive here) to work.

Does anyone have any ideas?

I've been fkng around with this thing for 2 days now and I'm about to just reformat this thing, although, if I can avoid doing that I'd really like to.
 
Beyond running the usual adaware and spybot (full scan options) several times I don't know of much to do other than re-format or manually try to remove the nasty bits.
 
First of all, describe your network topology. Modem - Router/Switch - Computers, yes?

If that's the case, we need to identify how that computer got infected in the first place. Are you running any...questionable...software (cracks)? Those are often attack vectors. How about email? What browser do you have (I know you said you don't browse with this system, but that doesn't mean the computer doesn't)?

Once we nail down the HOW, we can focus on the fix. But honestly, a wipe and reload is in the cards for you.
 
http://safety.live.com would be my first stop.

However, XOR is correct, if we remove the malware, but your topology/habits on that machine stay the same, then all the removal in the world won't solve it.

I also advise getting some realtime protection on that machine after the scan.

(The safest way is a wipe and reload, but if you're trying to avoid that..)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
The modem is an Embarq 660. Probably means a whole lot of nothing to people who don't have Embarq.

The router is a Linksys Rangeplus Wireless from Cisco. It's locked so no one can access it without signing in. I've got two computers tied to it. One is a P4 and the other is in my sig.

The only surfing I do on the one in my sig is for updates; it has Internet Explorer. I don't generally run any cracks or hacks, but I am running a trainer for Diablo 1.

I am in the middle of performing a partial reinstall; I'm hoping it works, although I do think it'd be best for me to reinstall everything.

What do you guys suggest for protection?
 
Are you the only user? Thumbdrive brought over by a friend/family member?
 
Yes. I am the only user. My wife and step-son both know not to touch the gaming rig unless I'm around to log on.
 
As I've said on numerous threads, I prefer Microsoft Windows OneCare, but some might call me biased...

(I work on the Antimalware part of the product, signatures to be precise)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Sounds like one of the recent ZLob variants (which run under the name Smitfraud, Virtomonde, etc). They're the widely spread ones over the past several months...

No need to format and rebuild....plenty of tools out there now to fully clean your system, just takes a bit of your time.

The tools I reach for most of the time with these infections......(use all of them..the shotgun approach works best)

Run CCleaner first..gets rid of lots of temp files, added benefit is if you had a lot of temp files, deleting them shaves tons of time off of your scan times.

Disable system restore so as to minimize the chance of reinfecting the system each time you reboot

Spybot Search and Destroy 1.6, update, immunize, scan in safe mode

SuperAntiSpyware, update, reboot into safe mode...scan

MalwareBytes..same

Free trial of AntiVir

TCP Winsock repair utility
http://www.snapfiles.com/reviews/WinSock_XP_Fix/winsockxpfix.html

After scanning with S S&D, SAS, MB, and AntiVir...let another day or two go by..update again, scan again..if it comes up clean, uninstall all but S S&D

If your PC still seems infected...go for the big gun.... SDFIX.EXE (Google it and download from BleepingComputers)
 
Zlob has been used to download everything from file infectors, to Virtumonde, to TaterF. I respectfully disagree, depending on what got downloaded by zlob, a wipe and reload might be the best option.

(Probably a safety.live.com scan will remove all the threats, but I'm not guaranteeing it.)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I've have Avast on it. Frankly, I'm disappointed by it. I managed to get rid of the virus only to have it reappear a day later. I did a partial reinstall of XP and the damn thing came back.

I'm to the point with it that I don't want to be bothered with running all sorts of removal tools to get rid of it. Hardly seems worth it to me. Especially since I wasted last friday, saturday and sunday trying to get rid of it (which included a partial reinstall). I've decided to pick-up Windows Vista and just start over. I'm also going to buy an anti-virus/malware program. Just not sure which one to go with.
 
I know you gotta pimp your product highly....but we don't have the need to wipe and reinstall. I work with a group of small business network consultants...we see this trojan almost every single day, usually several times a day, across the many clients we have.

The above tools that I mentioned are the tools we've learned to use effectively. They are the tools that have consistently proven to be able to keep up with the several new ZLob variants per day...and remove it. Using a shotgun effect of those tools. We have to do the job effectively, and completely, else in a few days that same client on the same computer will be calling us again to clean it. We lose money if that happens; doing the job correctly in the first place is desired.

Running for the panic button...and spending the majority of the day saving all their data, wiping with a format, reinstall, latest driver hunt, installing their applications, restoring their data, catching up on the vast amount of windows and office and other software updates....bah....not needed when one develops the knowledge and toolset to clean it in an hour or two.
 
I agree with YeOldStonecat. The tools he mentions are very effective. If you decide you want to reformat the computer, use dban to wipe the drive. Google dban, download the iso and burn it to a disc. Then, reinstall a legitimate copy of Windows. Have the Avira installer on a thumb drive and install it onto the computer before you ever connect it to the internet.
 
I'm not pimping my tools, but I'm being honest. Zlob has been used to download everything from Reno variants, to Spyware, to File Infectors. If you remove Zlob, but don't remove what Zlob put there, you could be in a world of hurt. (File Infectors can be hard to clean without a minifilter to block reinfection while cleaning)

This is a board devoted to all sorts of people. For some, the easiest and safest way is a FFR (Fdisk, Format, Reinstall).

If you as a business consultant feel that you can guarantee that no rootkits were dropped, and no other threats were installed, feel free to make that guarantee. Without looking at his machine, I'm not willing to make that claim.

I still say that http://safety.live.com should do as well as all the other products you list, and if it doesn't, I would love to hear about it.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Speaking of guarantee...I notice your frequent last night in any posts about the "Live"

It requires running the scan in normal mode (not safe mode), right? It's well known that scanning/removal tools are most effective in safe mode. Plus an infested machine is usually quite useless in normal mode, as the infestations don't usually run in safe mode.

It requires opening your browser...Internet Exploader nonetheless...to run this scan. Heavily infested machines are practically as useless as tits on a nun when it comes to trying to do anything online with your browser...as your screen is quickly filled with exploading IE windows.

But one day, for the purpose of posting an answer to this question...I'll volunteer some time to try it. Have to say, running prior MS tools such as Defender, and its predecessor...Giant AS...weren't very effective in the past.
 
If you install Vista, keep UAC turned on (you will see it when installing SW, changing important settings etc., so it will be a nuisance for the first few days).

 
I'm not sure what your first sentence is saying.

It does require a web browser. Alas, that's the part of being a webpage in this world.

As to your Safe Mode concern, yes, safe mode can be more effective at removal, but malware authors have definitely figured out it was 3 registry keys to allow their drivers to start in safe mode. I have seen lots of malware autostart in safe mode no problem. (Virtumonde is one of them.)

If you have cleaning problems with these products, please let me know, as that is my area of ownership.


This posting is provided "AS IS" with no warranties, and confers no rights.
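
The point above about malware registering itself under the SafeBoot keys so that it also loads in Safe Mode is something a defender can check directly. The following is an added example, not code from this thread or from any of the products mentioned in it: it parses a .reg export of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot and lists the entries under Minimal and Network that are not in a known-good baseline. The baseline here is an abbreviated, constructed subset of stock Windows XP entries, the .reg text is constructed, and the names parse_safeboot_entries, find_unexpected and example_unknown.sys are my own.

```python
import re

# Root of the keys that control what is allowed to load in Safe Mode (real Windows key path).
SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Abbreviated baseline: a constructed subset of stock Windows XP SafeBoot entries.
# A real baseline should be exported from a known-clean machine of the same
# Windows version and service pack, not copied from here.
KNOWN_GOOD = {
    "Minimal": {
        "Base", "Boot Bus Extender", "Boot file system", "File system", "Filter",
        "PCI Configuration", "Primary disk", "SCSI Class", "System Bus Extender",
        "vga.sys", "vgasave.sys", "sr.sys", "SRService", "EventLog", "PlugPlay",
        "RpcSs", "WinMgmt", "dmboot.sys", "dmio.sys", "dmload.sys",
    },
    "Network": {
        "Base", "Boot Bus Extender", "Boot file system", "File system", "Filter",
        "NDIS Wrapper", "NetworkProvider", "PCI Configuration", "Primary disk",
        "SCSI Class", "System Bus Extender", "TDI", "vga.sys", "vgasave.sys",
        "sr.sys", "SRService", "EventLog", "PlugPlay", "RpcSs", "WinMgmt",
        "Tcpip", "NetBT", "Dhcp", "Dnscache", "AFD", "NDIS", "LanmanWorkstation",
    },
}

# A .reg key header looks like [HKEY_...\path]; a leading "-" marks a deletion.
_KEY_LINE = re.compile(r"^\[-?(?P<path>[^\]]+)\]\s*$")


def parse_safeboot_entries(reg_text):
    """Parse .reg text and return {mode: {subkey: {value_name: data}}} for the
    direct children of SafeBoot\\Minimal and SafeBoot\\Network.
    Keys outside the SafeBoot tree, and deeper nested keys, are ignored."""
    entries = {}
    current = None
    prefix = (SAFEBOOT_ROOT + "\\").lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = None
            path = key.group("path")
            if path.lower().startswith(prefix):
                parts = path[len(prefix):].split("\\")
                if len(parts) == 2:  # exactly SafeBoot\<mode>\<subkey>
                    mode, subkey = parts
                    current = entries.setdefault(mode, {}).setdefault(subkey, {})
            continue
        if current is not None and "=" in line:
            # Value line: "name"=data or @=data for the default value.
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            current[name] = data.strip().strip('"')
    return entries


def find_unexpected(entries, baseline=KNOWN_GOOD):
    """Return sorted (mode, subkey, default_value) tuples for SafeBoot entries
    that are absent from the baseline. Key names are compared case-insensitively
    because the registry itself is case-insensitive."""
    findings = []
    for mode, subkeys in entries.items():
        allowed = {name.lower() for name in baseline.get(mode, ())}
        for subkey, values in subkeys.items():
            if subkey.lower() not in allowed:
                findings.append((mode, subkey, values.get("@", "")))
    return sorted(findings)


# Constructed sample export: three stock entries plus one unknown driver
# registered for both Safe Mode variants.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\example_unknown.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\example_unknown.sys]
@="Driver"
"""

if __name__ == "__main__":
    for mode, subkey, kind in find_unexpected(parse_safeboot_entries(SAMPLE_REG)):
        print(f"not in baseline: SafeBoot\\{mode}\\{subkey} ({kind})")
```

To run this against a real machine, export the key first (`reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg`, or File > Export in regedit) and open the file with `encoding="utf-16"`, since regedit writes exports as UTF-16. An entry that is missing from the baseline is a review item, not proof of infection: third-party drivers and backup or encryption products legitimately register here, so check the service or driver file each flagged entry names against the scanner results before removing anything.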
 
Getting hot in here...:p

I've removed ZLob variants in the past also and have used the "shotgun" approach as well and have been successful. I usually hook the infected drive up to "virus removal" rig, take ownership of the drive, and do several scans with different programs..many of which Stonecat mentioned. Then I put the drive back into the original machine and run several more scans in safe mode, then eventually back into normal mode and rescan. It is time consuming but some clients are adamant about not having their OS FnR'd. Although if in my opinion it's really F'd up I talk them into backing up the data and FnR the biotch.
 
We give the client two options:

A. We format, reinstall, and reload data.

B. Sign a 2-page release form stating they understand we cannot and will not guarantee a clean or problem-free machine after cleaning. We are not responsible for any security breach of their information, bank accounts, passwords, etc. etc. etc. etc.


No one has chosen option B so far. :D
 