Father-in-law's computer has a virus - advice needed

Jon Beckett

Hi all,

My father-in-law's new computer (XP Pro) has a virus on it, and it
appears to have had a real go at the operating system - meaning they
cannot boot up (it gets as far as the user profile selection screen,
then reboots when you choose a profile).

I haven't been able to visit them yet, but I have talked the most
tech-savvy member of the house through trying to manually remove any
worm-type virus - unsuccessfully so far. For informational purposes, they
had AVG Antivirus and ZoneAlarm installed, with a Speedtouch ADSL
modem.

Before the reboot issue started happening, they did manage to run AVG
and it reported the existence of a variant of the "AGOBOT" virus.

I talked them through getting into safe mode, but unfortunately AVG
Antivirus will not run (either it's been attacked or will not run in
safe mode). I then got them to take me through the contents of the
"windows/currentversion/run" branch in the registry - and removed
anything that sounded suspicious.

The machine is still not getting any further than the profile
selection screen - so I'm guessing the virus has hijacked one of the
other programs on the machine.

The catch-22 they face at the moment is that they cannot download a
fix until they can get back into "normal" Windows.

I'm wondering if the easiest way to solve this one is to burn a copy
of F-PROT to disk and take it round with me... and
remove/clean/re-install AVG - then find out what they might have done
that opened the doors to the AGOBOT virus...

Anybody else got any further ideas?

Jonathan

Jonathan Beckett ([email protected])
working on : http://www.pluggedout.com/penpals
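A defender-side check that automates what Jon was doing by hand over the phone, as an added example that is not from the thread or any of its posters: it lists the Run/RunOnce entries plus the Winlogon Shell/Userinit values and flags any whose executable is missing or lives outside the Windows and Program Files directories. Assumes PowerShell 3 or later on the suspect machine; the key paths are the standard ones and the flagging heuristics are mine, so flagged entries are for review rather than automatic deletion.

```powershell
# Added example (not from the thread): audit the Run keys Jon was reading out over
# the phone, plus the Winlogon Shell/Userinit values bots often repoint.
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') { "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub" }
}
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$trusted  = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
function Get-ImagePath([string]$cmd) {
    # Executable from a command line: quoted path, unquoted path with spaces
    # (longest existing prefix wins), or a bare name resolved under SystemRoot.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if (-not $cmd) { return '' }
    if ($cmd[0] -eq '"' -and $cmd.IndexOf('"', 1) -gt 1) { $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    else {
        $parts = $cmd -split ' '
        $exe = $parts[0]
        for ($i = $parts.Length; $i -gt 1; $i--) {
            $try = $parts[0..($i - 1)] -join ' '
            if (Test-Path -LiteralPath $try -PathType Leaf) { $exe = $try; break }
        }
    }
    if (-not [IO.Path]::IsPathRooted($exe)) {
        foreach ($dir in $env:SystemRoot, "$env:SystemRoot\system32") {
            if (Test-Path -LiteralPath (Join-Path $dir $exe) -PathType Leaf) { return (Join-Path $dir $exe) }
        }
    }
    return $exe
}
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($p.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
})
# Winlogon values are comma separated: Shell should be just explorer.exe and Userinit just
# "<SystemRoot>\system32\userinit.exe,"; any extra element is an added start-up program.
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in 'Shell', 'Userinit') {
    foreach ($cmd in ([string]$wl.$name) -split ',') {
        if ($cmd.Trim()) { $entries += [pscustomobject]@{ Key = $winlogon; Name = $name; Command = $cmd } }
    }
}
$report = foreach ($e in $entries) {
    $exe  = Get-ImagePath $e.Command
    $flag = if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { 'MISSING-FILE' }
            elseif (-not ($trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) { 'OUTSIDE-SYSTEM-DIRS' }
            else { '' }
    [pscustomobject]@{ Flag = $flag; Location = "$($e.Key)\$($e.Name)"; Image = $exe }
}
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A rundll32 entry is reported by its host executable only, so its DLL argument still has to be checked by eye.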

Juergen Nieveler

Jon Beckett said:
Anybody else got any further ideas?

Build a boot-CD with PEBuilder, including the McAfee package and the
latest DAT-Files (or alternatively the Stinger-Plugin), boot from that
CD and clean the machine...

Juergen Nieveler

Jules

Juergen Nieveler said:
Build a boot-CD with PEBuilder, including the McAfee package and the
latest DAT-Files (or alternatively the Stinger-Plugin), boot from that
CD and clean the machine...

Juergen Nieveler
Hi Juergen Nieveler,
Yeah, good idea. I'd also recommend, if you can get the PC to boot, loading
Trojan Hunter, which can be downloaded from
http://www.misec.net/trojanhunter.jsp. Install it, then go into C:\Program
Files\Trojan Hunter and rename the Trojan Hunter exe to something else, as
it appears to me that the virus is picking up any trojan-removing programs;
therefore if you rename the exe to something like Rabbits it will let you run
and scan the system and remove the virus.
Jules

Jules

Jon Beckett said:
Hi all,

My father-in-law's new computer (XP Pro) has a virus on it, and it
appears to have had a real go at the operating system - meaning they
cannot boot up (it gets as far as the user profile selection screen,
then reboots when you choose a profile).

Hi Jonathan,
Yeah, good idea. I'd also recommend, if you can get the PC to boot, loading
Trojan Hunter, which can be downloaded from
http://www.misec.net/trojanhunter.jsp. Install it, then go into C:\Program
Files\Trojan Hunter and rename the Trojan Hunter exe to something else, as
it appears to me that the virus is picking up any trojan-removing programs;
therefore if you rename the exe to something like Rabbits it will let you run
and scan the system and remove the virus.
Jules

Jonathan Beckett

Build a boot-CD with PEBuilder, including the McAfee package and the
latest DAT-Files (or alternatively the Stinger-Plugin), boot from that
CD and clean the machine...

Juergen Nieveler

Thanks for that - I had not heard of PEBuilder before.

I've burned a PEBuilder ISO with McAfee and Stinger on it - hopefully
that will be enough to get rid of the main infection.

Something I didn't mention is that I suspect the virus has also
changed the administrator password; when they went to try and run the
repair wizard from the original XP CD it asked for an administrator
password... they don't have one.

I guess when I go to visit next weekend all will become clear.

Shane

Jonathan Beckett said:
Thanks for that - I had not heard of PEBuilder before.

I've burned a PEBuilder ISO with McAfee and Stinger on it - hopefully
that will be enough to get rid of the main infection.

Something I didn't mention is that I suspect the virus has also
changed the administrator password; when they went to try and run the
repair wizard from the original XP CD it asked for an administrator
password... they don't have one.

You mean the Recovery Console? The Admin password is blank. You just hit the
Enter key.


Shane

Gabriele Neukam

On that special day, Jonathan Beckett, ([email protected])
said...
Something I didn't mention is that I suspect the virus has also
changed the administrator password; when they went to try and run the
repair wizard from the original XP CD it asked for an administrator
password... they don't have one.

Time to apply Pnordahl's tool:

http://home.eunet.no/~pnordahl/ntpasswd/

Download the diskette image, copy it onto a floppy disk using rawrite,
and boot the affected computer with this disk. Reset the admin password.


Gabriele Neukam

(e-mail address removed)