bad virus

Xray

David said:
From: "Xray"<[email protected]>


| You seem to have contradicted yourself.
| You said you'd start by turning off email, and if it's still spewing mass
| mailing worms 24 hrs later, the connection is terminated.

| How is it going to be spewing mass mailing worms if the ability to send
| email is terminated ?
| How is anyone else in danger of being infected, since this machine can't
| email ?

If it has its own email engine and connects to a third party SMTP server.

Well, all I can say is I use my connection basically to dl apps trying
to get rid of this thing, and post here.
I then pull the plug.
Looks like my NNTP connection was terminated, Xnews no longer works.

Sucks too, I was just about to send in my tax return via turbotax, I
think I should put that off until I get this cleared up
 
Xray

Beauregard said:
Not at all.


If 'twas me, I'd not even wait the 24 hours, 'cause ya know it's not
going to stop until something drastic is done.


You're showing your lack of knowledge on how these things work. Mass
mailers have their own SMTP engine and do not use your email client. And
it doesn't even need email (that's what the spammers do though). Your
trojan could also be pinging sequential IP addresses, looking for PCs
without firewalls.

Well, if I had such great knowledge of how these things work, I guess I
wouldn't be posting here, now would I ?
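The point made in the replies above, that a mass mailer carries its own SMTP engine and talks to third-party mail servers directly, is what a network-side check keys on. This is an added example, not part of the original thread; the log format, addresses, relay address and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: "time src_ip dst_ip dst_port" per line (hypothetical log format).
SAMPLE_LOG = """\
03:01:10 192.0.2.10 198.51.100.25 25
03:01:11 192.0.2.10 203.0.113.7 25
03:01:11 192.0.2.10 203.0.113.8 25
03:01:12 192.0.2.10 203.0.113.9 25
03:01:13 192.0.2.10 203.0.113.9 25
03:02:00 192.0.2.11 198.51.100.25 25
03:02:05 192.0.2.11 203.0.113.50 443
03:02:09 192.0.2.12 203.0.113.7 25
"""

ISP_RELAYS = {"198.51.100.25"}   # assumed: the provider's own SMTP relay
SMTP_PORT = 25
THRESHOLD = 3                    # assumed: distinct foreign mail servers before flagging


def direct_smtp_targets(log_text, relays=ISP_RELAYS):
    """Map each source host to the set of non-relay servers it reached on port 25."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed lines rather than guess
        _, src, dst, port = fields
        if int(port) == SMTP_PORT and dst not in relays:
            targets[src].add(dst)
    return dict(targets)


def suspected_mass_mailers(log_text, threshold=THRESHOLD):
    """Hosts talking SMTP directly to at least `threshold` distinct third-party servers."""
    return sorted(src for src, dsts in direct_smtp_targets(log_text).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for host in suspected_mass_mailers(SAMPLE_LOG):
        print(host, "contacts many third-party SMTP servers directly")
```

A host that only ever uses the provider's relay never appears in the result, which is why disabling the mail account alone does not change what this check sees.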
 
Xray

Dave said:
After reading dozens of replies and giving up on reading all of them
here is my take.
1. Make image backups of the os and sleep better for all sorts of reasons.
2. If you insist on downloading from a questionable source, run a multi
boot system where each os is completely isolated from each other.
BootIt NG from TeraByte Unlimited will let you make such a system where
the partition table is only loaded with partitions you specify. That way
you can keep a throwaway copy of your main os.
3. If you go to the trouble of running AV software then at least pay
some attention to its warnings.

I've never had a virus in years of computing, but I've accidentally lost
files and seen hd's go bad.

Well, we can all say a bunch of things from hindsight, obviously.
I'm gonna try asking at the Kaspersky forums and see what they have to
say, I guess this topic has run its course now.

Will update when I have anything worth posting - And if I ask about gay
sex or something, remember, it's the virus talking, not me !
 
David H. Lipman

From: "Xray" <[email protected]>


| Well, we can all say a bunch of things from hindsight, obviously.
| I'm gonna try asking at the Kaspersky forums and see what they have to
| say, I guess this topic has run its course now.

| Will update when I have anything worth posting - And if I ask about gay
| sex or something, remember, it's the virus talking, not me !

:)
 
FromTheRafters

David H. Lipman said:
From: "FromTheRafters" <[email protected]>



| I have successfully used steel wool.


ROFLOL

I worked on optical media players for years (Laserdisc, CD) and
sometimes a scratch or scratches in the right direction prevents wild
swings in the "tracking" signal from causing skips. Information is
sometimes not lost behind the scratch because of Cross Interleaved
Reed-Solomon code (CIRC) and other error tolerance schemes providing
placement diversity.

Sometimes test discs with natural flaws (like cleaning them with steel
wool) work even better than the ones with the intentionally fabricated
flaws especially when troubleshooting sled or lens (tracking and focus
signal) problems.
 
FromTheRafters

Will update when I have anything worth posting - And if I ask about
gay sex or something, remember, it's the virus talking, not me !

Ah, the old "plausible deniability" virus. :oD
 
David H. Lipman

From: "FromTheRafters" <[email protected]>


| I worked on optical media players for years (Laserdisc, CD) and
| sometimes a scratch or scratches in the right direction prevents wild
| swings in the "tracking" signal from causing skips. Information is
| sometimes not lost behind the scratch because of Cross Interleaved
| Reed-Solomon code (CIRC) and other error tolerance schemes providing
| placement diversity.

| Sometimes test discs with natural flaws (like cleaning them with steel
| wool) work even better than the ones with the intentionally fabricated
| flaws especially when troubleshooting sled or lens (tracking and focus
| signal) problems.


You mean -- You weren't joking ?

ROFLOL ^2
 
Dustin Cook

I worked on optical media players for years (Laserdisc, CD) and
sometimes a scratch or scratches in the right direction prevents wild
swings in the "tracking" signal from causing skips. Information is
sometimes not lost behind the scratch because of Cross Interleaved
Reed-Solomon code (CIRC) and other error tolerance schemes providing
placement diversity.

Sometimes test discs with natural flaws (like cleaning them with steel
wool) work even better than the ones with the intentionally fabricated
flaws especially when troubleshooting sled or lens (tracking and focus
signal) problems.

I knew it! You *are* an electronics geek!
 
Xray

So any advice to get rid of this thing ?
Edit - Did it again, all of those problems above, spybot is unable to
get rid of.
Oh, and tried system restore, virus has got that covered too.
Only 1 restore point, and that's today - Got this virus about 3am this
morning.

Edit - Booted into safe mode successfully, spybot found the infections
again, and deleted all but 1, which was apparently running.
1 is in a folder c/windows/system32/lowsec
I could see the actual files in safe mode, tried to manually delete them
but I couldn't.
In normal mode they aren't visible.

I may have the fix, Kaspersky moderators wrote up a custom script for my
system that is supposed to nuke all the baddies, will post back [if able].
Either this will work, or I will reinstall windows after complete format.

As a side note, I noticed spybot has a process viewer, which is nice since
the windows process view no longer functions.
The 1st 4 processes looked suspicious to me.

* System - No path
* csrss.exe - \??\c\windows\system32
* smss.exe - \systemroot\system32
* winlogon.exe - \??\c\windows\system32

I tried terminating csrss and winlogon, got immediate fatal errors and
shutdown on each one.
The ?? in their path, I would think, would mark them as bogus.
Can anyone confirm or deny these as valid processes ?
 
Dustin Cook

Xray said:
So any advice to get rid of this thing ?
Edit - Did it again, all of those problems above, spybot is unable to
get rid of.
Oh, and tried system restore, virus has got that covered too.
Only 1 restore point, and that's today - Got this virus about 3am this
morning.

Edit - Booted into safe mode successfully, spybot found the infections
again, and deleted all but 1, which was apparently running.
1 is in a folder c/windows/system32/lowsec
I could see the actual files in safe mode, tried to manually delete
them but I couldn't.
In normal mode they aren't visible.

I may have the fix, Kaspersky moderators wrote up a custom script for
my system that is supposed to nuke all the baddies, will post back [if
able]. Either this will work, or I will reinstall windows after
complete format.

As a side note, I noticed spybot has a process viewer, which is nice
since the windows process view no longer functions.
The 1st 4 processes looked suspicious to me.

* System - No path
* csrss.exe - \??\c\windows\system32
* smss.exe - \systemroot\system32
* winlogon.exe - \??\c\windows\system32

I tried terminating csrss and winlogon, got immediate fatal errors and
shutdown on each one.
The ?? in their path, I would think, would mark them as bogus.
Can anyone confirm or deny these as valid processes ?

Those are indeed valid processes. If the Kaspersky thing doesn't work
out, I'd suggest you reformat and reload the system. If in the future you
run across something like this again, you can try the forums at
Malwarebytes (I'm only recommending this site because I have personal
experience there and feel safe vouching for the help you would receive by
qualified individuals). Post in the forums asking for help and follow the
instructions provided. Many other reputable sites offer pretty much the
same thing, I just don't have the urls memorized so I can't offer them up
right off ..
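The `\??\` and `\SystemRoot\` prefixes in the listing above are ordinary NT-namespace forms of a normal path, so the useful check is where the path points once those prefixes are resolved. This is an added example, not part of the original thread; the install directory `C:\WINDOWS`, the function names and the sample listing (including the look-alike entry) are constructed assumptions.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"   # assumed install directory for this example
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe"}


def normalize_nt_path(raw, system_root=SYSTEM_ROOT):
    r"""Turn an NT-namespace image path into an ordinary drive-letter path.

    \??\ is the object manager's DOS-devices prefix and \SystemRoot is a
    symbolic link to the Windows directory; neither indicates tampering.
    """
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    elif raw.lower().startswith("\\systemroot\\"):
        raw = system_root + raw[len("\\systemroot"):]
    return ntpath.normpath(raw)   # also collapses any ".." segments


def classify(name, raw_path, system_root=SYSTEM_ROOT):
    """Return 'kernel', 'expected', 'unexpected-location' or 'not-core'."""
    if name.lower() == "system" and not raw_path:
        return "kernel"            # the System process has no image file
    if name.lower() not in CORE_PROCESSES:
        return "not-core"
    full = normalize_nt_path(raw_path, system_root)
    expected = ntpath.join(system_root, "system32", name)
    # Windows paths are case-insensitive, so compare case-folded forms.
    return "expected" if full.lower() == expected.lower() else "unexpected-location"


# Constructed process listing in the style of the one posted above.
SAMPLE = [
    ("System", ""),
    ("csrss.exe", r"\??\C:\WINDOWS\system32\csrss.exe"),
    ("smss.exe", r"\SystemRoot\System32\smss.exe"),
    ("winlogon.exe", r"\??\C:\WINDOWS\system32\winlogon.exe"),
    ("csrss.exe", r"C:\Users\Public\csrss.exe"),   # constructed look-alike
]

if __name__ == "__main__":
    for name, path in SAMPLE:
        print(f"{name:14} {path or '(no path)':45} {classify(name, path)}")
```

A matching location only rules out a same-named file running from somewhere else; it says nothing about whether the file in `system32` has itself been replaced.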
 
FromTheRafters

Dustin Cook said:
@news.eternal-september.org:


I knew it! You *are* an electronics geek!

Busted! :oD

I once had the "guts" of a CD player (made from parts of junkers)
hanging from a ceiling hook (like a "mobile"), and working. Quite a
conversation piece. I eventually "found" a suitable cabinet for it. When
I was young, my mom was afraid to enter my bedroom with all the projects
involving tubes and wires in there.
 
David H. Lipman

From: "FromTheRafters" <[email protected]>


| Busted! :oD

| I once had the "guts" of a CD player (made from parts of junkers)
| hanging from a ceiling hook (like a "mobile"), and working. Quite a
| conversation piece. I eventually "found" a suitable cabinet for it. When
| I was young, my mom was afraid to enter my bedroom with all the projects
| involving tubes and wires in there.


I built push-pull power amps via 6L6's and my favourite tube was the 4CX1000K.

Additionally I built Zenith/Heathkits. A 5MHz oscilloscope and a Colour Dot and Bar
Generator (to adjust colour convergence on TV sets).
 
FromTheRafters

I built push-pull power amps via 6L6's and my favourite tube was the
4CX1000K.

I never thought of a favorite tube - but I guess the reflex klystron,
the magnetron, and the travelling wave tube (radar and microwave). I
like the way circuits start to resemble tin cans and echo chambers in
the microwave region.

Additionally I built Zenith/Heathkits. A 5MHz oscilloscope and a
Colour Dot and Bar
Generator (to adjust colour convergence on TV sets).

Nice. Heathkits are cool - and useful.
 
Leythos

I never thought of a favorite tube - but I guess the reflex klystron,
the magnetron, and the travelling wave tube (radar and microwave). I
like the way circuits start to resemble tin cans and echo chambers in
the microwave region.


Nice. Heathkits are cool - and useful.

Do you remember the "Magic Eye" tubes used in AV hardware to show signal
levels (like recording levels)?

I built a lot of Heathkit Z-89 computers
 
David H. Lipman

From: "FromTheRafters" <[email protected]>


| I never thought of a favorite tube - but I guess the reflex klystron,
| the magnetron, and the travelling wave tube (radar and microwave). I
| like the way circuits start to resemble tin cans and echo chambers in
| the microwave region.

| Nice. Heathkits are cool - and useful.


I thought the 4CX1000K was "neat" to say the least. It even looked cool.
If I remember correctly it was a 1KW ceramic tetrode transmitter tube with copper fins for
forced air cooling for up to 120MHz (?).

I used to love to rummage through an electronics store's old crap they had in the attic.
They had lots of phun tubes I used to play with and study. Much Army surplus from US Army
CECOM.

I played with and studied many tubes but I never played with GHz Klystrons & Magnetrons.

HeathKits were phun. Learned a lot by actually building electronic test equipment. Even
tried my hand at etching my own copper circuit boards.
 
David H. Lipman

From: "Leythos" <[email protected]>


| Do you remember the "Magic Eye" tubes used in AV hardware to show signal
| levels (like recording levels)?

| I built a lot of Heathkit Z-89 computers

I do :)

I used them in capacitance checkers that used a bridge tuning circuit. The "Magic Eye"
would show a green phosphorous glow at 270 degrees and as you rotated the dial and "tuned"
the bridge the "Magic Eye" would go to 360 degrees. When it did, you read the value on
the dial, used the multiplier, and that was the Capacitance value.

G-d, I miss that Zenith/HeathKit store. :-(
 
Leythos

From: "Leythos" <[email protected]>


| Do you remember the "Magic Eye" tubes used in AV hardware to show signal
| levels (like recording levels)?

| I built a lot of Heathkit Z-89 computers

I do :)

I used them in capacitance checkers that used a bridge tuning circuit. The "Magic Eye"
would show a green phosphorous glow at 270 degrees and as you rotated the dial and "tuned"
the bridge the "Magic Eye" would go to 360 degrees. When it did, you read the value on
the dial, used the multiplier, and that was the Capacitance value.

G-d, I miss that Zenith/HeathKit store. :-(

We had an ATT salvage yard around here when I was growing up - they would
dump entire switching stations, in entire cabinets, meters, cards,
relays, etc... Other companies would dump their hardware there too - a
few years later they would not let us salvage anything.... it was great
while it lasted.

My first gig in the Navy was setting up CPM machines that no-one else
knew how to use, had been sitting for a year+, and to think I used to
build them from scratch - Here I was, an E2 working in an E6 position
all because I could build and program computers.
 
FromTheRafters

Do you remember the "Magic Eye" tubes used in AV hardware to show
signal
levels (like recording levels)?

Both the eye wedge style (on tuners for signal strength) and the linear
(mostly on magnetic tape recorders for audio level).

Okay, I've seen some awesome indicator tubes - some of my first computer
experiences involved "Nixie tubes", and I worked for years replacing
display tubes on high-end tuners (Sansui). Displays have come a long
way. I guess you notice that sort of thing more when you start out
interacting with a computer via an IBM teletype.
 
FromTheRafters

I thought the 4CX1000K was "neat" to say the least. It even looked
cool.
If I remember correctly it was a 1KW ceramic tetrode transmitter tube
with copper fins for
forced air cooling for up to 120MHz (?).

I worked for a time at the Naval Radio Transmitting Facility in Dixon
Ca. - next door was the Voice Of America transmitter site. My roommate
(the one I helped with his Altair) and I went for a tour there. This was
using some very old (eyecatching) mercury rectifier tubes to supply a
walk-in FPA stage. 250 kilowatts into a 17db gain curtain antenna.

I'm sure that you would have enjoyed such a trip. :o)

I used to love to rummage through an electronics store's old crap they
had in the attic.
They had lots of phun tubes I used to play with and study. Much Army
surplus from US Army
CECOM.

I once had a laser transmitter tube (Siemens), but never hooked it up.
Good thing, I probably would have hurt myself with that one.
 
Leythos

Both the eye wedge style (on tuners for signal strength) and the linear
(mostly on magnetic tape recorders for audio level).

Okay, I've seen some awesome indicator tubes - some of my first computer
experiences involved "Nixie tubes", and I worked for years replacing
display tubes on high-end tuners (Sansui). Displays have come a long
way. I guess you notice that sort of thing more when you start out
interacting with a computer via an IBM teletype.

LOL, I still have a box of Nixie tubes, they still work (or they did the
last time I checked). Do you remember the old 5x7 dot LED displays from
the HP 98437 "calculator" - had one with BASIC and math, thermal
printer, even a card reader and plotter....

After I got out of the service I had a 3B1 computer, while in the
service I had an Osborne 1, had a Commodore PET 2001 in the late 70's and
then an SX64 while I was in the Navy on a ship, the B128 prototype
directly from Commodore - still having wire-wrap sockets....

Man, those were the days, what we could do with 4K of RAM!
 
