got rid of the worm. or did I? help! devastation and treachery

  • Thread starter Johannes Enstad

Johannes Enstad

hello.

I recently found out I was infected with the Korgo.R worm. I got the
McAfee Stinger tool, I turned off System Restore, I rebooted in Safe
mode, I ran the Stinger, which identified the infected files and deleted
them, and I rebooted again.

But the problems are still here, even though my virus progs say my
system is clean - System Restore won't work (I just get a blank window,
or it doesn't start), Search Companion won't work (blank/grey window),
Help/Support function won't work, Windows Update won't work .....

Now I really don't know what to do. And I don't especially feel like
formatting right now.

I use XP, by the way.

Anyone able to help?

Thanks,

Johannes from Norway
 

null

hello.

I recently found out I was infected with the Korgo.R worm. I got the
McAfee Stinger tool, I turned off System Restore, I rebooted in Safe
mode, I ran the Stinger, which identified the infected files and deleted
them, and I rebooted again.

But the problems are still here, even though my virus progs say my
system is clean - System Restore won't work (I just get a blank window,
or it doesn't start), Search Companion won't work (blank/grey window),
Help/Support function won't work, Windows Update won't work .....

Now I really don't know what to do. And I don't especially feel like
formatting right now.

I use XP, by the way.

Anyone able to help?

Have you read some descriptions?:

http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.r.html
http://spyblocker-software.com/IPB/...39c7ba63671b7e&showtopic=1244&st=0&#entry6433

As you can see, Korgo.R alters the registry in a destructive way to
many Windows functions. Seems to me that even if you had purposely
created a backup of the registry before getting hit, you could not now
restore it since you need access to System Restore. If you're brave
and knowledgeable enough, you might take a stab at manually rebuilding
that part of the registry before throwing up your hands and doing a
reformat/reinstall. But a reinstall may be your only realistic
alternative. I dunno if Symantec's utility for cleaning Korgo.R can or
will do the registry repair any more than Stinger apparently was able
to do.

BTW, this kind of malware really illustrates the value of using _real_
backups such as the use of a spare hard drive on a removable tray.
Much better to restore Windows from backup than reinstall it,
especially if you've put much work into hardening and patching it.

I hope you're familiar with XP survival guides and safe hex before you
go on line with a clean XP:

http://www.claymania.com/safe-hex.html


Art
http://www.epix.net/~artnpeg
 

GSV Three Minds in a Can

Bitstring <[email protected]>, from the
wonderful person (e-mail address removed) said
Have you read some descriptions?:

http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.r.html
http://spyblocker-software.com/IPB/index.php?s=09704b4a9de2aefd7639c7ba63671b7e&showtopic=1244&st=0&#entry6433

As you can see, Korgo.R alters the registry in a destructive way to
many Windows functions. Seems to me that even if you had purposely
created a backup of the registry before getting hit, you could not now
restore it since you need access to System Restore. If you're brave
and knowledgeable enough, you might take a stab at manually rebuilding
that part of the registry before throwing up your hands and doing a
reformat/reinstall. But a reinstall may be your only realistic
alternative. I dunno if Symantec's utility for cleaning Korgo.R can or
will do the registry repair any more than Stinger apparently was able
to do.

BTW, this kind of malware really illustrates the value of using _real_
backups such as the use of a spare hard drive on a removable tray.
Much better to restore Windows from backup than reinstall it,
especially if you've put much work into hardening and patching it.

Any time you run NTBackup (or only if you backup the system state?),
ISTR that a copy of the registry hives is made under c:\windows\repair
(not that anyone ever tells you that). Details of how you get those put
back to replace damaged ones can be found at the MS site. If you didn't
run NTBackup recently, the registry backups will be the ones made just
after the system was first installed, thus pretty useless.

Spybot S&D resident extra supposedly protects the registry from evil
changes, but safe hex is probably a better bet.
 

Johannes Enstad

I wonder what goes on in the mind of a person who finds joy in using his
computer skills to create programs such as this Korgo.R, designed
only to make life hard for other people. Hmm...

Well, I'm not all that brave and knowledgeable; were I to go around
rebuilding the registry, I would need some proper guidance.

I've tried Symantec's utility too, it did nothing to fix registry problems.

Well, it seems I must do a format c: ... But you are suggesting
reinstallation - that is - reinstalling XP on top of the old one - will
that replace registry/system files and the like? Is it recommendable?
That way at least I won't lose all of my music, programs, patches, etc?

Thanks,

Johannes
 

null

Any time you run NTBackup (or only if you backup the system state?),
ISTR that a copy of the registry hives is made under c:\windows\repair
(not that anyone ever tells you that). Details of how you get those put
back to replace damaged ones can be found at the MS site. If you didn't
run NTBackup recently, the registry backups will be the ones made just
after the system was first installed, thus pretty useless.

Spybot S&D resident extra supposedly protects the registry from evil
changes, but safe hex is probably a better bet.

Safe hex is without doubt the best bet. Along with _real_ backups on
removable media, just in case. The trick is to know that you're not
backing up malware. Backups must be done _very_ cautiously and
carefully. And that's where average users will have difficulty, since
both scanning and generic tests should be done.


Art
http://www.epix.net/~artnpeg
 

null

I wonder what goes on in the mind of a person who finds joy in using his
computer skills to create programs such as this Korgo.R, designed
only to make life hard for other people. Hmm...

Well, I'm not all that brave and knowledgeable; were I to go around
rebuilding the registry, I would need some proper guidance.

I've tried Symantec's utility too, it did nothing to fix registry problems.

Well, it seems I must do a format c: ... But you are suggesting
reinstallation - that is - reinstalling XP on top of the old one - will
that replace registry/system files and the like? Is it recommendable?
That way at least I won't lose all of my music, programs, patches, etc?

Sorry Johannes, I'm neither an XP user nor a repair technician. Hopefully
someone expert with XP will post recommendations as to how to best
proceed. Otherwise, I suggest posting to a MS XP newsgroup.

In any event, as a precaution, I'd back up all my data one way or
another.


Art
http://www.epix.net/~artnpeg
 

Bart Bailey

That way at least I won't lose all of my music, programs, patches, etc?

Sorry, I haven't been following this thread, but did notice that line.

Burn the entire programs folder and start menu (program links) to a CD
so you can copy it back later, also the system32 or whichever folder has
all the DLLs*, so you can get whatever you need as your reclaimed
programs error for them. Try to save the INIs too, so you won't have as
much re-configuring to do. The music and patches can likewise be burned
to CD. Best bet with an XP system is to unplug the thing from the net
until you get everything running right, the patches re-installed and the
firewall enabled. If you need anything from the net, get it with another
machine.

*You are probably safe to copy the programs and start folder into the
new installation, but better just save the DLLs separate to pick from,
because one of them might be your culprit. It would be a good idea to
run an AV scanner through all your saved stuff before copying any of it
into the new installation.
 

zyggy foist

hello.

I recently found out I was infected with the Korgo.R worm. I got the
McAfee Stinger tool, I turned off System Restore, I rebooted in Safe
mode, I ran the Stinger, which identified the infected files and deleted
them, and I rebooted again.

But the problems are still here, even though my virus progs say my
system is clean - System Restore won't work (I just get a blank window,
or it doesn't start), Search Companion won't work (blank/grey window),
Help/Support function won't work, Windows Update won't work .....

Now I really don't know what to do. And I don't especially feel like
formatting right now.

I use XP, by the way.

Anyone able to help?

Thanks,

Johannes from Norway

Avast picked up the "W32/korgo.worm.t" virus in my
windows\system32\config\systemprofile\Local Settings\Temporary
Internet Files\Content.IE5*.*. I tried to delete it with Avast, Fprot
and Stinger to no avail. Now I'm getting concerned; however, as a last
ditch attempt I pointed Adware at it and voila!...it showed up and I
was able to get rid of it. Don't ask me how...I didn't think Adware
dealt with viruses. Go figure. Hope this is of some help.

ZyggyATmyrealboxDOTcom
 
