ReallyReallyStuck! said:
Used one of the virus scanners, found 5 instances of the Sasser Worm.
Disinfected them. Problem still there. Any more ideas? Thanks for the
help, Tom
Hi, Tom. You certainly haven't given us much information. Your computer
is undoubtedly still infected, probably with one or more of the Gaobot
Agobot family. To clean up your computer:
1) Take the infected machine off the Internet and any LAN immediately.
2) From a different, clean machine download Stinger
(http://vil.nai.com/vil/stinger/) and run it in Safe Mode. Stinger is a
limited virus checker, but its advantage is that it is standalone and
doesn't need to be installed.
3) Hope that Stinger cleans up the machine enough to be able to
reinstall your av or install a new, current one. Update its definitions
and do a full scan.
4) Continue the cleaning process by removing any spyware with Spybot
Search & Destroy (http://www.safer-networking.org) and Ad-aware
(http://www.lavasoftusa.com). Be sure to update these programs before
running them. These programs are free, so run them both since they
complement each other. You may also want to run the latest CWShredder
from http://www.spywareinfo.com/~merijn/index.html. Always read the
instructions before running a spyware removal tool. It is best to run
antivirus and spyware removal tools in Safe Mode.
5) After you've installed your full-featured av, update its
definitions and run a full system scan.
6) Make sure you are running a firewall.
You may also need to fix your hosts files. Here's how:
1. In XP's Search preferences, set the files and folders handling to
Advanced, and then check the box that will make Search look in hidden
files/folders.
2. Now enter the search term "hosts" without the quotes.
3. You will get several hosts and lmhosts files. Double-click each one
to open it. When you do this, you'll get a Windows dialog box saying
that Windows cannot open this file, do you want to use the web or
select from a list to find the proper program. Choose "select from a
list" and highlight Notepad. Make sure the box to always use this
program to open this type of file is not checked.
4. Now carefully examine the file. Lines that begin with a # are
comments and don't count. Leave them alone. Unless you know you use a
proxy server to get to the Internet or you added entries yourself, the
only uncommented entry that should be there is:
127.0.0.1 localhost
If you see any other entries, delete them and Save the file. Make sure
you scroll all the way down to the bottom of the window if there is a
scrollbar. Do this for each file you found.
Malke
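The hosts-file inspection from step 4 of Malke's reply, as an added Python example that is not part of the original thread: it skips comment lines, reports every active mapping other than `127.0.0.1 localhost`, and produces a cleaned copy with only comments, blank lines and the expected entry. The sample file content is constructed; the `%SystemRoot%\system32\drivers\etc\hosts` path in the comment is the usual Windows location and is not taken from the thread.

```python
"""Audit a Windows hosts file the way the thread describes: lines starting
with '#' are comments and are ignored; the only active entry expected on a
machine without a proxy or hand-added entries is '127.0.0.1 localhost'.
On Windows the live file is normally %SystemRoot%\\system32\\drivers\\etc\\hosts;
read it with open(path).read() and pass the text to the functions below."""

# Constructed sample hosts file (not captured from any real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # redirects AV updates to loopback
0.0.0.0         updates.example.test
"""

# The one mapping the thread says should be present.
EXPECTED = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active line.

    Whole-line and trailing '#' comments and blank lines are skipped;
    a line with several hostnames yields one pair per hostname."""
    entries = []
    for raw in text.splitlines():
        active = raw.split("#", 1)[0].strip()
        if not active:
            continue
        fields = active.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname maps nothing
        ip, names = fields[0], fields[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_unexpected(text, allowed=EXPECTED):
    """Active mappings a user should review, in file order."""
    return [entry for entry in parse_hosts(text) if entry not in allowed]


def clean_hosts(text, allowed=EXPECTED):
    """Rebuild the file keeping comments, blank lines and allowed entries only."""
    kept = []
    for raw in text.splitlines():
        active = raw.split("#", 1)[0].strip()
        fields = active.split()
        names = [n.lower() for n in fields[1:]]
        # Comment-only/blank lines, and lines whose every mapping is allowed, survive.
        if not active or (names and all((fields[0], n) in allowed for n in names)):
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

Run `find_unexpected` before editing and `clean_hosts` to produce the file to save back; the two flagged sample entries are exactly the kind of redirections the step tells Tom to delete.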