bad virus

Xray

(e-mail address removed) (David Kaye) wrote in
I think your computer can be saved without reinstalling Windows. It
doesn't sound like that bad an infection, just annoying as hell.

If you feel comfortable monkeying around in the registry, look at HKLM,
Software, Microsoft, Windows, CurrentVersion, Run and look at the first
key. It should say (default) and (value not set). If it doesn't say
(value not set) and instead is blank, delete that entry. I see this a
lot -- it's a RUN entry that is masked by delete characters, making it
invisible. These infections that disable anti-malware tools and disable
certain Control Panel functions often hide themselves this way. I've
seen it a LOT.

Also, while you're looking at the RUN section, see what else runs at
startup. Are there any programs with random characters in the file
name? Do they reside in the user's localsettings/temp directory rather
than in Windows System32? Nothing legitimate should be starting up from
any temp or local settings directory.

Some ideas for you...


Finally, some words of optimism, that's what I like to hear.
It is annoying as hell, and insidious, but not unbeatable.

I have no problem mucking around the registry, been doing that since the
Windows 95 days.
But can you run that key string again? Everything starts with HKEY not
HKLM, and there's a bunch of software/microsoft folders.

I did have a bunch of temp files that I was unable to delete because they
were in use, very suspicious.
I used a handy little app called temporary file cleaner, which called for a
reboot to clean out the running temp files, so that helped.

Right now one of my main problems seems to be fraud windowsprotectionsuite,
which I believe is a trojan. Spybot detects it but is unable to kill it.
As far as viruses, not sure what I have as I have no functional virus app
right now.
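The Run-key checks David Kaye describes above (a (default) value that holds data instead of "(value not set)", entry names masked by delete characters, random-looking file names, anything starting from a temp or Local Settings directory) as an added Python example, not code from the thread: it parses a constructed `reg export` of the Run key so the review can be done offline on a clean machine. The sample entries, paths and the "random name" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample `reg export` of the Run key; every name and path is made up.
# <DEL> placeholders become real 0x7F "delete" characters, the masked name the thread describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svc.exe"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"<DEL><DEL><DEL>"="C:\\WINDOWS\\system32\\hidden.exe"
"x8f2k1qz"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\x8f2k1qz.exe"
'''.replace("<DEL>", "\x7f")

ENTRY_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')  # @=... is the (default) value

def parse_run_key(reg_text):
    """Return (name, command) pairs from a .reg export; name '' is the (default) value."""
    entries = []
    for m in filter(None, map(ENTRY_RE.match, reg_text.splitlines())):  # skips header/key lines
        name = '' if m.group(1) == '@' else re.sub(r'\\(.)', r'\1', m.group(2))
        raw = m.group(3).strip()
        if raw.startswith('"'):  # string value: strip quotes, undo .reg escaping
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        entries.append((name, raw))
    return entries

def looks_random(stem):
    """Crude heuristic for 'random characters in the file name' (an assumption, not a rule)."""
    s = stem.lower()
    mixed = len(s) >= 8 and any(c.isdigit() for c in s) and any(c.isalpha() for c in s)
    no_vowels = len(s) >= 6 and s.isalpha() and not any(c in 'aeiou' for c in s)
    return mixed or no_vowels

def audit_run_entries(entries):
    """Apply the thread's checks; return (name, command, reasons) for each suspect entry."""
    findings = []
    for name, cmd in entries:
        reasons = []
        if name == '':
            reasons.append('(default) has data; a clean Run key shows "(value not set)"')
        elif not name.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
            reasons.append('entry name is blank or masked with control/delete characters')
        if any(d in cmd.lower() for d in ('\\local settings\\', '\\temp\\')):
            reasons.append('starts from a temp / Local Settings directory, not System32')
        exe = re.search(r'([^"]+?)\.exe', cmd, re.I)
        stem = exe.group(1).rsplit('\\', 1)[-1] if exe else ''
        if looks_random(stem):
            reasons.append(f'file name {stem!r} looks randomly generated')
        if reasons:
            findings.append((name, cmd, reasons))
    return findings
```

Run it against a real export with `audit_run_entries(parse_run_key(open('run.reg', encoding='utf-16').read()))`; `reg export` writes UTF-16 by default.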
 

Xray

You can also look at it this way. You have a problem with a program that
you downloaded and executed, contact the person that you got the program
from for help. If you cannot contact that person, you shouldn't have
trusted the file. Continuing to operate in this manner, it is only a
matter of time before you get something that the AV won't even
recognize.

Don't beat yourself up over ignoring the AV's warning - beat yourself up
over even allowing your AV to scan that program.

I can't say I will never download a usenet binary again, life's too short to
get all tied up in knots about little things like that.

Up to date anti virus, heed its warnings, you should be fine 99% of the time.

The one caution I may take is not to download certain binaries the day they are
posted, in case they contain new infections not yet in the AV database.
 

Xray

(e-mail address removed) (David Kaye) wrote in
I've seen this a lot; the malware appears to look at the size of the
file. There are some older tools I can use, such as a copy of
SpySweeper from about 3 years ago that most malware won't shut down,
though they'll shut down more recent versions.

But try installing it in safe mode and you might have better success.
Also, try rolling back the registry manually (copy and paste) to at
least a week before the infection was first noticed.


How can that be done ?

I usually have a reg copy handy, but this drive is only a couple months old,
after my old drive died a natural death after 3.5 years, and didn't get
around to backing the registry up yet.
 

Dustin Cook

Xray said:
@news.eternal-september.org:
[...]

Usenet binaries are FULL of injected trojans.
Either the binary is the trojan, a legitimate
application is repackaged with a trojan or some
other method but Usenet binaries can NOT be
trusted -- EVER.

[...]

There's a lot of crap out there, to be sure.
To say that every single one is infected is clearly ludicrous.

No-one is saying that.

Saying "Usenet binaries can NOT be trusted -- EVER." comes pretty
close.

Usenet binaries can only be trusted if you are *looking* for malware.
The fact that malware is often dispensed through that channel makes
the entire channel untrustworthy. There is no accountability for
posters posting programs, and even many viruses are first injected as
germ files (mainly trojans) posted to usenet.

Yes.. that's true. Usenet is still the best route to take if you want to
make the wildlist... You find some warez, crack, patch or whatnot; add
your own little gift, repost it.. and wait...

Eventually, someone (usually lots of someones) will come along and take
the tainted candy. You just sit back and watch the fallout.
 

Dustin Cook

Xray said:
As per the OP, I was trying to download a game that I already owned on
DVD, not sure where you're getting the freeware angle from.
The DVD had become unreadable, so my options were:
* Don't play the game ever

Crummy option...
* Buy a used copy on ebay

Another crummy option...
* Download an image from the usenet, and use my legit serial number

Technically illegal option.

Perhaps contacting the games publisher, and inquiring about a new dvd?
 

David W. Hodgins

I did have a bunch of temp files that I was unable to delete because they
were in use, very suspicious.

Another option to try, that I haven't seen mentioned so far.
http://www.gmer.net/

If the system can boot from a cd/dvd, you could try a linux
live cd, or a bart pe cd. Since you're not booting from the
infected hard disk, none of those files would be in use.

May take a little while to set up, and learn to use, but it's
useful.

You could also take the hd, and install it as a slave in a
second system, so you can delete those files.

Regards, Dave Hodgins
 

Dustin Cook

Xray said:
Lets hope.
I often do things I regret, and know as I'm doing them I very well
might regret it.
Somewhat of a risk taker, I guess you'd say.


Apparently. :)
But I must say, ignoring the warning of anti virus software, disabling
it, then clicking on the exe file, crosses the line from risk taking
into another realm.
Suffice it to say that I won't do that again.

I do enjoy your sense of humour... I had you pegged as a lowly pirate who
got bit and was going to trash on you accordingly, but.. I was just so
off with my analysis of you; you're not some little irritating pirate, you're
just a fellow who tried to save a little cash... :)
 

Dustin Cook

From: "Xray" <[email protected]>

< snip >

| True, though my anti virus program is hosed, so I don't know what I
| have in the way of a virus.

| Here is what I seem to have, at least this is what spybot is
| detecting. A total of 21 infected files, spybot locks up with an
| error "cannot create file c/windows/system32/drivers/ect/hosts access
| is denied" when trying to delete any of these.
| Malwarebytes is unable to install, so they are known and located,
| removing them is the problem.


< snip >

Please stop using the term virus. It has specific implications on its
abilities to spread. You are infected with malware and it is highly probable
it is ONLY of type trojan.

As for Malwarebytes' Anti Malware.

First...

Kill as many running programs as possible then...

Download the 'mbam-setup.exe' and rename it to something like;
xray.com Then run; xray.com

Don't allow it to update or run.
Then go to; "C:\Program Files\Malwarebytes' Anti-Malware"

Find; "mbam.exe" and then COPY it to something like; xray.com and
then run; xray.com .

Perform an update and then run a scan on your PC.

Side note.. Make sure Internet Explorer (even if you don't use it) is not
set to work in offline mode. Mbam will generate error 732 if it is when
you try to update.
 

David W. Hodgins

Regarding the original problem, with the unreadable dvd, have
you tried polishing it?
http://www.wikihow.com/Fix-a-Scratched-CD

The scratches on the bottom of the cd/dvd can sometimes be
polished out, allowing the data (on the top layer, usually
protected by the label), to be read.

I've succeeded polishing an old install cd this way, in the
past.

Regards, Dave Hodgins
 

Dustin Cook

Computer functions OK, but god knows what's going on behind the scenes.
My ISP already stopped my ability to send email, it detected the virus
like behavior. Can still receive at least.
Can't connect to google, it also detected the shenanigans of the
virus. Pressing ctrl/alt/delete doesn't bring up the process box
anymore, other than that things seem normal.

Your PC is actually in danger at this point of assisting in infecting
other machines or possibly being a zombie box if it's not already.

At this point, I'd have to go with David Lipman's suggestion. Seriously,
it's time to wipe and reload. If you hadn't taken such ... drastic, if
you will, steps to try and stop this, it might not have taken much real
effort to fix; but at this point, I can't trust the machine at all.

Really man, you're not just putting your information in danger, you're being
a very irresponsible netizen by allowing that computer to continue with
an internet connection in its current state. If your ISP has already
blocked outbound email, it should just be a matter of time before your
connection is disabled until you verify the machine is clean.

At least, that's what happens in this area. When your ISP turns you off,
you have to have a licensed technician contact them and claim it's clean
and is okay. And if it's not, it falls back on the tech who did the work.
Fines, etc are possible here.

Several years ago when I worked for an ISP, I'd start by turning your
email off, and then I'd give you 24 hours. If your machine was still
spewing trojans and mass mailing worms; your connection was terminated
until you cleaned up your mess or took your business to a less
responsible ISP.
 

Dustin Cook

(e-mail address removed) (David Kaye) wrote in
I've seen this a lot; the malware appears to look at the size of the
file. There are some older tools I can use, such as a copy of
SpySweeper from about 3 years ago that most malware won't shut down,
though they'll shut down more recent versions.

But try installing it in safe mode and you might have better success.
Also, try rolling back the registry manually (copy and paste) to at
least a week before the infection was first noticed.

You did notice he has a running (as in, live, functional; it sets the
rules everyone else has to play by) TDSS rootkit right? They aren't viral
mind you, but they aren't a joke either. If you don't deal with it first,
everything else you do is a wasted effort. Rootkits hook at the kernel/OS
levels.
 

Xray

Regarding the original problem, with the unreadable dvd, have
you tried polishing it?
http://www.wikihow.com/Fix-a-Scratched-CD

The scratches on the bottom of the cd/dvd can sometimes be
polished out, allowing the data (on the top layer, usually
protected by the label), to be read.

I've succeeded polishing an old install cd this way, in the
past.

Regards, Dave Hodgins

Yeah, I have a top of the line cd polisher, motor driven.
No joy, if it had worked this never would have happened.
 

David H. Lipman

From: "Xray" <[email protected]>


| Yeah, I have a top of the line cd polisher, motor driven.
| No joy, if it had worked this never would have happened.


Does it ever work ?
 

Xray

Crummy option...


Another crummy option...


Technically illegal option.

Perhaps contacting the games publisher, and inquiring about a new dvd?

eBay's a good option, and in fact about the only one for a lot of these older
games - besides downloading an image from the usenet.
Only downside is you have to wait a while for it, obviously.

Highly unlikely any game publisher would feel obliged to send another copy,
and in fact probably do not even stock them.
 

Xray

Apparently. :)


I do enjoy your sense of humour... I had you pegged as a lowly pirate who
got bit and was going to trash on you accordingly, but.. I was just so
off with my analysis of you; you're not some little irritating pirate, you're
just a fellow who tried to save a little cash... :)

Well, I used to dl a lot back in the day, almost just because I could.
Loads of apps and games, most I never even used.
I gave that all up, and pretty much pay as I go - plus, with most of these games
it's impossible to play online without a legit copy; pirated copies & serial
numbers used more than once are flagged and blacklisted and banned from the
server.

I didn't feel too guilty about dl'ing something I already owned.
True, it's not their fault the DVD got messed up, then again all it has ever
done is just sit there, not like my kids were playing frisbee with it.
I got it, installed the game, and there it sat in its case and DVD cover
until I needed it again.
I have no idea how it got messed up.
 

Xray

Your PC is actually in danger at this point of assisting in infecting
other machines or possibly being a zombie box if it's not already.

At this point, I'd have to go with David Lipman's suggestion. Seriously,
it's time to wipe and reload. If you hadn't taken such ... drastic, if
you will, steps to try and stop this, it might not have taken much real
effort to fix; but at this point, I can't trust the machine at all.

Really man, you're not just putting your information in danger, you're being
a very irresponsible netizen by allowing that computer to continue with
an internet connection in its current state. If your ISP has already
blocked outbound email, it should just be a matter of time before your
connection is disabled until you verify the machine is clean.

At least, that's what happens in this area. When your ISP turns you off,
you have to have a licensed technician contact them and claim it's clean
and is okay. And if it's not, it falls back on the tech who did the work.
Fines, etc are possible here.

Several years ago when I worked for an ISP, I'd start by turning your
email off, and then I'd give you 24 hours. If your machine was still
spewing trojans and mass mailing worms; your connection was terminated
until you cleaned up your mess or took your business to a less
responsible ISP.

You seem to have contradicted yourself.
You said you'd start by turning off email, and if it's still spewing mass
mailing worms 24 hrs later, the connection is terminated.

How is it going to be spewing mass mailing worms if the ability to send
email is terminated?
How is anyone else in danger of being infected, since this machine can't
email?
 

gufus

From: gufus
Subj: Re: bad virus
Sun, 21 Mar 2010 14:45:27 -0600

From: David H. Lipman
To: Xray
Subj: Re: bad virus
Sat, 20 Mar 2010 22:25:56 -0400

Hello, David!

You wrote on Sat, 20 Mar 2010 22:25:56 -0400:

|> Looks like I'm looking at a fresh OS reinstall about now, this thing
|> is insidious and is always one step ahead.

DHL> ** At this point, my advice is now to WIPE and RE-INSTALL the OS.

Can you suggest a /good/ wipe app?

Kev
 

David H. Lipman

From: "David W. Hodgins" <[email protected]>


| Yes, although it can take several days of polishing, when
| done by hand.

The most I have ever done is warm water and dish detergent.
 

David H. Lipman

From: "Xray" <[email protected]>


| You seem to have contradicted yourself.
| You said you'd start by turning off email, and if it's still spewing mass
| mailing worms 24 hrs later, the connection is terminated.

| How is it going to be spewing mass mailing worms if the ability to send
| email is terminated?
| How is anyone else in danger of being infected, since this machine can't
| email?

If it has its own email engine and connects to a third party SMTP server.
 