This Super Virus is Mean


nilesnormore

I was asked to help a friend with his computer. He said it was slow. I
noticed it was running with all kinds of pop-ups and was running slowly. I
tried to Google for Spybot Search and Destroy. But the second I hit Enter in
Google the browser vanishes. I can search other words but not for anything
that is related to antivirus, anti-adware, anti-spyware. It's as if the
computer is watching me. I said OK, let's try the CD backup of Spybot S&D. I
put the CD in and tried Explorer to view the folders on the CD. I had a
lot of software burned on the CD. I could explore all the folders I wanted,
but the second I tried to click on the folder with Spybot in it the
window vanished. I can look at what I want but just not anything related to
antivirus or registry editing either. I tried to drag the folder to the
background screen and I could do that. I just could not open the folder. It
would just instantly disappear. I tried renaming the folder to temp and then
I could enter the folder to access the installer for Spybot. I ran the
installer and it was instantly terminated. I'm baffled. I was not allowed to
access the Task Manager either, or the Security Center. The computer had
Norton AV installed but it also was not allowed to operate. Anyway, I
tried a program called Ultimate Troubleshooter and I was able to access the
Task Manager. I tried to terminate various tasks and was eventually allowed
to access those folders, and then installed Spybot S&D, Ad-Aware SE and
Registry Mechanic. I scanned the computer with each of these and removed
hundreds of pieces of spyware. I rebooted the computer and the weird thing is it
automatically did a scandisk and said it had a dirty partition. It did its
thing and rebooted. Anyway, the thing is back in force and none of the
installed antivirus or spyware programs work anymore. What kind of super
virus is capable of doing all this? Does anyone have any idea what kind of
virus this is?

Niles



---------------------------------------------------------------------
"Are you still wasting your time with spam?...
There is a solution!"

Protected by GIANT Company's Spam Inspector
The most powerful anti-spam software available.
http://www.giantcompany.com
 

David H. Lipman

From: "nilesnormore" <[email protected]>

Virus?

You indicated you ran anti-spyware/adware software.

I didn't see that you ran *any* antivirus software, only that NAV was disabled/crippled.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend, Kaspersky and McAfee Anti-Virus command-line
scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall to allow it to download the needed AV vendor-related files.

* * * Please report back your results * * *
 

The Outsider

I don't know but once a PC is compromised it's better, and quicker, to
just do a format and reinstall the OS. I would do a secure wipe of the
HDD first too.
 

tim

I don't know but once a PC is compromised it's better, and quicker, to
just do a format and reinstall the OS. I would do a secure wipe of the
HDD first too.

I don't know about you, but a format and reinstall is by no means
quicker for me to do than a thorough cleaning.
Usually a computer I work on has no backups done, hasn't had recovery
disks made and any number of other things that make formatting more
troublesome.
Cleaning out spyware/adware, viruses or trojans takes a little reading
and patience while some software does its job. Add some judicious
registry cleaning and it is quite a bit faster than formatting and
reinstalling the OS and all the Apps.

tim
 

The Outsider

I don't know about you, but a format and reinstall is by no means
quicker for me to do than a thorough cleaning.
Usually a computer I work on has no backups done, hasn't had recovery
disks made and any number of other things that make formatting more
troublesome.
Cleaning out spyware/adware, viruses or trojans takes a little reading
and patience while some software does its job. Add some judicious
registry cleaning and it is quite a bit faster than formatting and
reinstalling the OS and all the Apps.

tim

And how do you know your computer is *completely* clean of a virus?
Any security expert will tell you the only way to be sure you are rid
of a virus is to do a secure wipe of the HDD. But you do it your way
and I'll do it mine.
 

Roger Wilco

Any security expert will tell you the only way to be sure you are rid
of a virus is to do a secure wipe of the HDD.

I doubt that many security experts would agree with this statement -
unless they are unfamiliar with viruses. They will agree with that
statement if the virus involved also brings other security problems with
it such as a backdoor or downloader which could have sticky security
issues. With most viruses it is not necessary to go to that extreme.
 

The Outsider

I doubt that many security experts would agree with this statement -
unless they are unfamiliar with viruses. They will agree with that
statement if the virus involved also brings other security problems with
it such as a backdoor or downloader which could have sticky security
issues. With most viruses it is not necessary to go to that extreme.

Wish I could find the link from a security advisory site that states
exactly what I said but I've got better things to do. The state the
OP's computer is in needs a secure wipe. End of story.
 

Roger Wilco

The Outsider said:
Wish I could find the link from a security advisory site that states
exactly what I said but I've got better things to do.

I guess there are always better things to do than back up one's claims.

The state the OP's computer is in needs a secure wipe. End of story.

That's probably true, but what you said ... wasn't. Even if you found
that site, you would probably also find the author refers to
"compromise" in a more serious manner than just some annoying malware
that only does a known set of things.

End of story.
 

The Outsider

I guess there are always better things to do than back up one's claims.

No! The fact is I just can't remember the URL. It does happen, you
know?
That's probably true, but what you said ... wasn't. Even if you found
that site, you would probably also find the author refers to
"compromise" in a more serious manner than just some annoying malware
that only does a known set of things.

Go back and read the OP's post. He is pulling his hair out trying to
solve the issue. I say do a secure wipe and you recommend that he
spend the rest of his life trying to resolve the issues. Pffft!
 

Roger Wilco

The Outsider said:

No! The fact is I just can't remember the URL. It does happen, you
know?


Go back and read the OP's post. He is pulling his hair out trying to
solve the issue. I say do a secure wipe and you recommend that he
spend the rest of his life trying to resolve the issues. Pffft!

Fine, if you read back you will see that I didn't respond to the OP or
to your suggestion of using what is normally the last resort. I
responded to your assertion that "Any security expert will tell you the
only way to be sure you are rid
of a virus is to do a secure wipe of the HDD." which I don't believe to
be true at all. Most security experts will probably say that, but only
when the "problem" is more than just some annoying adware or virus which
can be removed without wiping.

Some time ago a poster had a problem with his browsers displaying porn
when he attempted to access legitimate sites. Suggestions were made for
downloading scanners of all sorts as well as LSP repair tools, new HOSTS
files, even IIRC a wipe and reformat of the hard drive. Luckily my
suggestion that he check his primary and secondary DNS settings in case
they were changed to point to a poisoned server was what he did -
problem solved. I suppose your 'security experts' would have had him
reinstall the OS and the ISP's settings onto a newly wiped and formatted
drive to achieve the same effect?

It's so much easier to change the DNS settings back IMO.
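Roger's DNS-settings check, written out as an added example (not code from the thread): the script parses a constructed `ipconfig /all` excerpt and a constructed hosts file, reports resolvers that are not the ones the ISP or the LAN's DHCP server is expected to hand out (the expected address is an assumption), and lists hosts-file entries that send a name to a real host rather than just blocking it, which is the other way a legitimate site ends up showing someone else's content. Python is used so it runs anywhere; on the affected machine the same comparison is done by hand against `ipconfig /all` and `%SystemRoot%\system32\drivers\etc\hosts`.

```python
"""DNS hijack check: added example, not code from the thread.

Inputs below are constructed samples; the expected resolver address is an
assumption standing in for whatever the ISP or the LAN's DHCP server hands out.
"""
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed excerpt of `ipconfig /all` output (sample data, not from the thread).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       198.51.100.12
"""

# Constructed hosts file: two legitimate blocking entries and one redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net       # ad blocking: harmless
198.51.100.12   www.google.com        # a real site sent to somebody else's host
"""

# Assumption: on this LAN the router (DHCP server) is the only expected resolver.
EXPECTED_DNS = {"192.168.1.1"}

_DNS_LINE = re.compile(r"DNS Servers[ .]*: *(\S+)")
_CONTINUATION = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(ipconfig_text: str) -> List[str]:
    """Return every resolver address listed in `ipconfig /all` output.

    The first address sits on the 'DNS Servers' line; extra resolvers follow on
    indented continuation lines that hold nothing but an address.
    """
    servers: List[str] = []
    collecting = False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            m = _CONTINUATION.match(line)
            if m:
                servers.append(m.group(1))
            else:
                collecting = False
    return servers


def unexpected_dns(ipconfig_text: str, expected: Set[str]) -> List[str]:
    """Resolvers the machine is using that are not in the expected set."""
    return [s for s in parse_dns_servers(ipconfig_text) if s not in expected]


def hijacked_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs that redirect a name to a real host.

    Loopback and 0.0.0.0 entries only block a name, which is the legitimate
    use of the file; any other address points the name at a host somebody
    else picked.
    """
    hits: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address: skip
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((parts[0], parts[1]))
    return hits


if __name__ == "__main__":
    print("resolvers in use:", parse_dns_servers(SAMPLE_IPCONFIG))
    print("unexpected:", unexpected_dns(SAMPLE_IPCONFIG, EXPECTED_DNS))
    print("hosts-file redirects:", hijacked_hosts_entries(SAMPLE_HOSTS))
```

Both checks are deliberately allowlist-based: a resolver is suspect because it is not the one you expect, not because it is on some blocklist, and the same goes for a hosts entry that resolves to anything but loopback. That is what makes the check quick to do by hand and what made Roger's suggestion work without any scanner.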
 

The Outsider

Fine, if you read back you will see that I didn't respond to the OP or
to your suggestion of using what is normally the last resort. I
responded to your assertion that "Any security expert will tell you the
only way to be sure you are rid
of a virus is to do a secure wipe of the HDD." which I don't believe to
be true at all. Most security experts will probably say that, but only
when the "problem" is more than just some annoying adware or virus which
can be removed without wiping.

Some time ago a poster had a problem with his browsers displaying porn
when he attempted to access legitimate sites. Suggestions were made for
downloading scanners of all sorts as well as LSP repair tools, new HOSTS
files, even IIRC a wipe and reformat of the hard drive. Luckily my
suggestion that he check his primary and secondary DNS settings in case
they were changed to point to a poisoned server was what he did -
problem solved. I suppose your 'security experts' would have had him
reinstall the OS and the ISP's settings onto a newly wiped and formatted
drive to achieve the same effect?

It's so much easier to change the DNS settings back IMO.

DNS is disabled on my PC so I wouldn't run into that problem anyway.
But obviously I am talking about a PC that is more messed up than just
adware.
 

nilesnormore

Well people, this is the original poster of this thread. I managed to
defeat this virus without any special formatting or anything like that. Since
I could not use CTRL-ALT-DEL I could not get to the Task Manager. And it
would not let me open antivirus software. I used a program called The
Altimate Troubleshooter. It was unknown enough that the virus did not know
about it. I analyzed all the processes and as it turned out it was the
msmbw.exe process that was responsible for not allowing me to run certain
software. I terminated that process immediately. I then Googled it and found
out it was associated with the W32/Croc.worm virus, or with the alias of the
Fatso.a worm. It came through MSN Messenger, so I uninstalled that. Then
I uninstalled the MSN Messenger and a bunch of other adware programs. I went
to the startups section of Altimate Troubleshooter and prevented all
associated programs from running at startup. I then ran AVG and found over
35 instances of viruses, mostly the Fatso worm, also the PSW.perflogger.ca
Trojan and the Swizzor.XW keylogger. I went to the folders where the
programs were located and manually deleted them. Also AVG got rid of many
more locations than I could possibly find. I then ran Ad-Aware again and it
needed to scan again on the next reboot to get a few more. All this was
possible because of The Ultimate Troubleshooter which allowed me to kill key
processes associated with these viruses. I was then able to run the software
necessary to clean the hard drive. And Norton Anti-Virus was useless so I
uninstalled it. I win again.


nilesnormore

And a second note about this: I then used the program Registry Mechanic to
clean up the mess in the registry. It fixed over 200 problems. I must say
that computer runs mighty smooth now.
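The startup-entry triage Niles describes (stop the worm's process, then keep its entries from running at boot) as an added example, not code from the thread or from The Ultimate Troubleshooter: the script parses a constructed `.reg` export of a Run key (the entries, names and paths are made up; the thread does not say where the worm's files lived), pulls the image path out of each command line, including the DLL behind a rundll32 entry, and flags images that run from a temp or profile directory, from outside Windows/Program Files, or via an unquoted path containing spaces. The trusted-directory prefixes are an assumption for a single-drive Windows XP layout.

```python
"""Startup-entry triage from a .reg export of a Run key.

Added example, not code from the thread or from The Ultimate Troubleshooter.
The export below is constructed; its entries, paths and names are made up,
and the trusted-directory prefixes assume a single-drive Windows XP layout.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed `reg export` output (sample data, not from the infected PC).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"MsgService"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\msgsvc32.exe /s"
"Updater"="C:\\Program Files\\Some Vendor\\upd.exe -q"
'''

# Assumed trusted locations; anything running from elsewhere deserves a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Directories a user-level infection typically drops into.
SUSPECT_FRAGMENTS = ("\\temp\\", "\\local settings\\", "\\application data\\")

_KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(value: str) -> str:
    """Undo .reg escaping: doubled backslashes and backslash-escaped quotes."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_keys(reg_text: str) -> Dict[str, str]:
    """Map value name -> command line for every entry under a Run/RunOnce key."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        k = _KEY_LINE.match(line)
        if k:
            in_run_key = k.group(1).lower().endswith(("\\run", "\\runonce"))
            continue
        v = _VALUE_LINE.match(line)
        if in_run_key and v:
            entries[_unescape(v.group(1))] = _unescape(v.group(2))
    return entries


def image_path(command: str) -> Tuple[str, bool]:
    """Split the executable path off a Run command line.

    Returns (path, was_quoted). A quoted path ends at the closing quote; an
    unquoted one is taken up to the first '.exe' followed by whitespace or the
    end of the string, so 'C:\\Program Files\\x\\y.exe -q' keeps its spaces.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]), False


def _rundll_target(command: str) -> str:
    """For 'rundll32.exe <dll>,<entry> ...' the DLL is what really runs."""
    rest = command.strip().split(None, 1)
    if len(rest) < 2:
        return command
    return rest[1].split(",", 1)[0].strip().strip('"')


def triage_startup_entries(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, image, reason) for entries worth checking by hand."""
    findings: List[Tuple[str, str, str]] = []
    for name, command in entries.items():
        path, quoted = image_path(command)
        if ntpath.basename(path).lower() == "rundll32.exe":
            path = _rundll_target(command)
        low = path.lower()
        if any(frag in low for frag in SUSPECT_FRAGMENTS):
            findings.append((name, path, "image in a temp/profile directory"))
        elif not low.startswith(TRUSTED_PREFIXES):
            findings.append((name, path, "image outside Windows/Program Files"))
        elif " " in path and not quoted:
            findings.append((name, path, "unquoted path containing spaces"))
    return findings


if __name__ == "__main__":
    for name, image, reason in triage_startup_entries(parse_run_keys(SAMPLE_REG_EXPORT)):
        print(f"{name}: {image} ({reason})")
```

On the machine itself the export comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, repeated for HKCU and the RunOnce keys; the thread does not say whether the worm also interfered with reg.exe, so if it does, take the export from Safe Mode as Dave suggests. The three reasons are hints for a human, not verdicts: a vendor's updater with an unquoted path is sloppy rather than malicious, but an executable launched from Local Settings\Temp at every boot is exactly the kind of entry Niles had to disable by hand.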


David H. Lipman

From: "nilesnormore" <[email protected]>

Thanks for explaining the steps you took, what was found on the PC and what you used. By
posting this valuable information, others can surely benefit from what you posted.
 

Ron Lopshire


Niles,

Just a few thoughts:

1) I assume that this is the Product that you used and are happy with:
The Ultimate Troubleshooter
(http://www.answersthatwork.com/TUT_pages/TUT_information.htm)
When posting, be careful not to misspell anti-malware app names, as
many rogue products take advantage of this:
(http://www.spywarewarrior.com/rogue_anti-spyware.htm)

2) It is almost impossible to get rid of NAV. Even the Symantec Web
Site admits that its removal procedures leave remnants in the Registry
and/or on the hard drive. Don Pelotas has put together a good routine
for getting rid of NAV such that it no longer interferes with another
AV app installation:
(http://forum.kaspersky.com/index.php?showtopic=5233)

3) As Dave mentioned, thanks for the follow-up.

Ron :)
 
