• Welcome! The TrekBBS is the number one place to chat about Star Trek with like-minded fans.
    If you are not already a member then please register an account and join in the discussion!

GAAAH! VIRUS NASTIES!

Australis

Writer - Australis
Admiral
So, I downloaded a couple of apps on Friday night, a mkv to avi converter, and a YT download toolbar. One of them, not sure which, think the toolbar, dl'd something nasty, to wit, a bunch of stuff including W32/Blaster. After 3 days of struggle, I've cleared everything bar one thing.

I used FFox, and it would randomly start up, even when closed, and display a page from something that had a name like splendidsearchsystem.com, admirablesearchsystem.com, and similar grandiose names. I deleted FFox... and now it does it with IE. So obviously it wasn't hiding inside the FF files.

Anyone got any suggestions as to where it's hiding and what I need to hit AND HIT HARD?!

Yeah, I'm a little frustrated.

Also: still amazed Blaster is still around, but there are good tools for getting rid of it, and a System Restore works well too.
 
STEP ONE:

Download MalwareBytes Anti-Malware: http://www.malwarebytes.org/products/malwarebytes_free
Download rkill (It's free): http://www.technibble.com/rkill-repa...l-of-the-week/
Download Spybot Search & Destroy: http://www.safer-networking.org/index2.html


STEP TWO:

Startup in Safe Mode. [Press F8 before the Windows boot up screen starts and select "Safe Mode"]
Run rkill (you'll see a window pop up for a brief second and disappear)
Install MalwareBytes AntiMalware
Run a deep scan
If it finds something, let MBAM get rid of it.
Install Spybot S&D
Run a scan.
If it finds something, let SS&D get rid of it.
Enable Tea Timer from the options menu in Spybot S&D
Delete your HOSTS file: C:\Windows\System32\Drivers\etc\HOSTS
Replace it with this one (whichever OS you have):
Windows XP HOSTS File
Windows Vista HOSTS File
Windows 7 HOSTS File


Restart your computer in normal mode.
 
Thanks, I'll check it out now.

I was hoping Spybot would pick it up (I had that) but apparently not.
 
You're welcome! As much as I love Spybot, the more recent malware is just getting too much for SS&D to catch all of it on its own.
 
And I'm back. Seems to have worked, though I had to install Malwarebytes twice to get it to work.

Curious thing about the HOSTS file. I had a look at the old one, and it had this:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com

5100 entries like that. Are they really part of Spybot?

Anyway, thanks again. :)
 
They're the modified HOST file addresses that the malware created, that Spybot blocks (it's kind of a blacklist). As for the rest, you're welcome. Glad I could help. :)
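The Spybot entries in the HOSTS file quoted above are worth being able to audit, because the HOSTS file overrides DNS for every program on the machine. As an added example that is not from this thread or from Spybot, here is a small Python script that parses a HOSTS file, counts the lines inside Spybot's inserted block, and lists only the entries that send a hostname somewhere other than the local machine, which is the pattern a hijacked HOSTS file shows (a loopback entry merely blocks a host; a non-loopback entry redirects it). The sample text is constructed from the lines quoted above plus one invented redirect entry using a documentation-only IP and a placeholder hostname; the end-of-block marker string is assumed, since the thread only shows the start marker.

```python
"""Classify entries in a Windows HOSTS file (added example, not from the thread).

A HOSTS line maps a hostname to an IP address and takes precedence over DNS.
Tools such as Spybot S&D add many '127.0.0.1 <host>' lines so that known-bad
hosts resolve to the local machine (a block list). Malware does the opposite:
it maps a legitimate name to an address it controls. This script separates
the two so a reviewer only has to read the risky lines.
"""
import ipaddress
import sys
from dataclasses import dataclass, field

# Start marker as quoted in the thread; the end marker is an assumption.
SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"

# Constructed sample: the lines quoted in the thread plus one invented hijack
# entry (203.0.113.5 is a documentation-only address, the hostname a placeholder).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.5 update.example-av-vendor.invalid   # constructed hijack line
"""


@dataclass
class HostEntry:
    ip: str
    hostnames: list = field(default_factory=list)
    in_spybot_block: bool = False
    kind: str = "invalid"  # "local", "redirect" or "invalid"


def classify_ip(ip_text):
    """Loopback/unspecified addresses keep traffic on the machine; anything
    else sends the hostname to a real network destination."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    return "redirect"


def parse_hosts(text):
    """Parse HOSTS text into HostEntry objects, tracking the Spybot block."""
    entries = []
    in_block = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped == SPYBOT_START:
            in_block = True
            continue
        if stripped == SPYBOT_END:
            in_block = False
            continue
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        entries.append(HostEntry(parts[0], parts[1:], in_block, classify_ip(parts[0])))
    return entries


def suspicious_entries(entries):
    """Entries that send a name anywhere other than the local machine."""
    return [e for e in entries if e.kind != "local"]


def summarize(text):
    """Counts plus the list of (ip, hostnames) pairs that deserve a look."""
    entries = parse_hosts(text)
    return {
        "total": len(entries),
        "spybot_block": sum(e.in_spybot_block for e in entries),
        "local": sum(e.kind == "local" for e in entries),
        "suspicious": [(e.ip, e.hostnames) for e in suspicious_entries(entries)],
    }


if __name__ == "__main__":
    # Usage: python hosts_audit.py C:\Windows\System32\drivers\etc\hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    report = summarize(text)
    print(f"{report['total']} entries, {report['spybot_block']} inside the Spybot block, "
          f"{report['local']} point at the local machine")
    for ip, names in report["suspicious"]:
        print(f"REVIEW: {ip} -> {' '.join(names)}")
```

Run without an argument it audits the constructed sample; with a path it audits a real file. A file where every non-comment line points at 127.0.0.1 or 0.0.0.0 contains only block-list entries; any line the script marks REVIEW sends a name to a remote address and should be explained before it is kept.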
 
Spybot wouldn't be my 'weapon of choice'.
I've found it to be inadequate for years now.

First off... which AV (antivirus) are you using (if you are using any at all)?
If you are interested in free solutions that are just as good as paid ones, consider ONE of the following:
MSE, Avast, Avira or Panda.
All of them are light, free and do not slow down the computer in any way.

If you use McAfee or AVG... I'd recommend you immediately replace them with one of the above.
McAfee is more of a virus than an anti-virus, and AVG is not the most reliable software (plus it's overly bloated).

I use MSE (Microsoft Security essentials) for active protection and Malwarebytes (free) as an on-demand scanner.
In the case of Malwarebytes, you should install and update it.
Make sure MSE (or your pick of the AV) is also updated with latest definitions.
Restart the computer in Safe Mode and scan it in full from there with both MSE and MBAM.

One other piece of advice would be not to download various tool-bars (always pick 'custom' options during install of programs and opt out of installing a tool-bar or any addition that might be a useless one).
They have a tendency to do more damage than good.
If you must use something akin to it, simply use FireFox extensions (there are more than a few to pick from that will do the job - but don't overdo it).

Also... make sure to scan your downloaded files with your AV of choice.
 
Yeah, Malwarebytes seems to be doing the job.

And yeah, McAfee is more virus than antivirus. :)
 
I like Spybot, but the golden rule of malware combat is: Never, ever, rely on just one anti-malware program. Always use at least two, because that way if you've got a malware designed to spoof one lot of AV, there's a chance it's vulnerable to the other.

Sort of, get it in a crossfire, kind of strategy.
 
Two more issues have arisen. Trying to run an exe, I get:
'windows cannot access the specified device path or file'

A rummage around on the net said I need to go in as Administrator and check a box allowing permissions under the security tab, which, even though I have admin privileges under my account name... I can't see.

Didn't work. I go back to Admin in Safe Mode... and it does.

Another msg I got at the same time:
'the instruction at 0x0 referenced memory could not be read'

I suspect it's MalwareBytes keeping a tight leash on things (antivirus was suggested as a possible blocker). Any thoughts?
 
What 'exe' are you trying to run?
 
nero.

To explain it a little better, a site suggested I needed to take control of a folder... uhhhh... this one:
http://support.microsoft.com/?kbid=308421

So I went into Safe Mode (which was the only way I could log on as Admin), and that also meant when you looked at a folder's properties, the Security tab appears (doesn't otherwise). As it says in the article, I selected the Replace owner on subcontainers and objects check box. This works. But only for Admin, and only that session. I log in as myself, can't run file. Log back in as Admin, still can't do it, have to set permissions again. I was able to burn the disks I wanted, but it was awkward.

So it seems the permissions get reset at the login session's end, and I'm yet to find a way to make them permanent.

O woe is me!

Or is that woe mule WHOOAAA!
 
I actually have a similar problem, because on my home computer (which is shared between all residents, most of whom wouldn't know a virus if it was labeled) I've managed to catch the AV Security virus. Except now my computer won't even start up. It's Vista.

It loads up the Dell screen, and after that it goes to a black screen with a flashing cursor in the top-left. If I put the System Recovery CD in, sometimes it'll ask if I want to boot from the CD. I've already tried using a restore point but that apparently hasn't helped. I can get to a kind of boot menu sort of thing from the Dell screen when it's still loading, but so far I have yet to see an option for safe mode, unless I'm missing something.
 
Uhm... wait a minute.
How are you running your standard Windows?
With limited privileges or as an Administrator?
Your lack of administrative access in Windows suggests you are running it with limited privileges.
May I suggest you create 2 accounts?
One that has administrator privileges enabled for sparse use with programs that need those privileges... and the second limited privileges account which you would use on a regular basis?
 
Well, that's one of the weird things. My regular account appears as an Admin a/c, that's what it says on the label, but when you open a file's properties, the security tab is missing. And logging out (in Normal mode) doesn't show the Admin a/c at all. I have to restart in Safe Mode, choose Admin there, and then change file etc, then burn, then log out, because trying to run a monitor in Safe Mode is crapulent. And whatever changes I make don't stick, whether as Admin or regular (w/Admin privileges).

I can see a reinstall coming. One of my least favourite things. :(

Spinnerlys, I'll keep an eye out for those thanks. :techman:
 