The Mudcat Cafe



Tech: Re my: Help! Serious Virus Plea.

Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 02 Feb 10 - 04:35 AM

Just for clarification!

I start up and get the Windows XP screen with the blue bar running to signify loading, then it goes to the "We apologise for the inconvenience" screen with options to start normally or last good config, or safe mode, safe mode with networking, or safe mode with command prompt.

If I do normal or last known, it starts the same sequence over again and ends up back at the same screen. If I do safe mode, it goes to a black screen with loads of lines of text and then stops completely.

I haven't dared try safe with networking or safe with command prompt yet as I don't know if I will do more damage.

If I do nothing, it just keeps trying to restart and repeating the sequence over and over.

I tried booting from the Windows disc and had the option of reinstall or repair, chose repair and got a screen that said type exit, so I did and ended up back where I started again.

John


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Mick Pearce (MCP)
Date: 01 Feb 10 - 05:46 PM

willy - how big are your disc drives? Stage 4 can take a long time with large disc drives.

Can you start the system in Safe Mode; if you can, do so. Otherwise see if you can start from disc.

Open a command window (Start/Run/cmd) and type the following command:

  >fsutil dirty query C:   (or whichever drive failed the check).

If this reports drive C DIRTY then chkdsk will always try to run at startup.

You can prevent chkdsk from running with the command:

  >chkntfs /x C:   (or C: D: .. if you have more)

This prevents the disk being checked on startup, even if chkdsk should run on it.

Then you can try running a quick chkdsk from the command line to try and clear the flag:

  >chkdsk /i C:

This only checks the file indexes (and not thoroughly) and doesn't do the stage 4 and 5 checks. Hopefully this will clear the dirty setting and stop chkdsk running on restart.

We still have to sort out your missing disc space! Did your drives show the full capacity or not?

(If you want to take this off the thread or want more info on these commands PM me; I should be online for a while).

Mick



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 01 Feb 10 - 02:51 PM

Here I go again. Doing a disc check and it got to 4 out of 5 then froze. I had to switch off to get out, nothing else worked.
When I reboot it comes up with the apology for incorrect start etc. and the choice of Start Normally or Last Good Configuration; trouble is, whichever one I try it starts on the normal startup screen then goes back to the same one, Start Normally or Last Config etc.

Just keeps going round in circles. How the hell do I get out of this?

I think I'm on the verge of giving up computers full stop, for the benefit of my health and all those around me!

Very Weary John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 01 Feb 10 - 01:17 PM

John in Kansas
outstanding comment my friend



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: JohnInKansas
Date: 01 Feb 10 - 01:06 PM

Posted in Another Thread so I won't repeat it here, but some extracts from Symantec's White Paper on threats found in 2008 might be of interest. (There's a link at that post where you can look at the entire PDF report).

That report doesn't go into relative performance of AV suites, but knowing what might be attacking you is of some importance in defending yourself.

Separately, scattered sources are reporting an increased incidence of attacks via "third party programs", exploiting vulnerabilities in programs you install (not part of the OS or of "big name" productivity suites). Major vulnerabilities have been found in Adobe PDF readers, Flash, various multimedia programs, etc., and most of the suppliers of these "extras" have rather poor records on patching vulnerabilities quickly when they are found.

The absolutely worst thing you can do to expose yourself to infection appears to be careless use of FTP file sharing, with IM (instant messaging) and IRC (chat) systems growing to nearly the same frequency of infection.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 01 Feb 10 - 12:15 PM

I don't want to go on and on but this is important. My wife's friend Diane got a bad one. She didn't want to bother me so she hired a girl to come to her house (cost her 150 bucks); her machine was protected by AVG. 2 days later the virus was back. I went over and fixed it. This virus was attaching itself to Adobe Updater, skated right through AVG. I loaded McAfee after I cleaned it and repaired all the files. 2 days later McAfee caught it trying to come in again and took care of it. I hate AVG, I don't think it protects much of anything and I have a pile of examples. But like I said, others may disagree, but the act speaks for itself I think.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 01 Feb 10 - 12:14 PM

Dan, I was perfectly happy with Microsoft Essentials, it was great, but for some reason it wouldn't download again. I even tried to download a trial McAfee and that just froze halfway through.

However I've yet to try it since I became "clean" as it were, but I will definitely end up buying something other than AVG.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 01 Feb 10 - 12:04 PM

John
Just my personal thoughts: I took off several viruses last week from my friends' PCs, all protected by AVG. I know people will disagree with me but AVG doesn't work IMHO. Please bite the bullet and buy McAfee. Every corp I work with uses it, I used it for years and I don't have virus issues and it has protected me from a host of them. Just my opinion. If you still insist on a free one, that Panda Cloud is getting some good press but I never used it.

Dan



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 01 Feb 10 - 09:47 AM

GREAT IDEA CHRISTINA!!



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Mick Pearce (MCP)
Date: 01 Feb 10 - 05:54 AM

willy - having several ControlSet keys in the registry is normal (the CurrentControlSet is just a pointer to which one is currently in use and is set at system startup). They contain only configuration information and should not be responsible for a 50% loss of free space on your system.

There are several possibilities:
1) You have a lot of things as temp files or files waiting to be deleted.
2) You have lost some disc space - i.e. the system has lost track of it.
3) The system thinks your discs are smaller than they are or the disc partitioning is not correct.

For 1) You can use a utility like SpaceSniffer, which BillD linked recently here: Tech: Where are your files? What takes space?. You can download and install that, run it for your disc and you'll see where your space is going.

For 2) Right click on the disc letter in Explorer, select Properties/Tools and Error Checking. That should sort out any space that has been lost from the system records.

For 3) You should probably have a look at this first and just check that your disc is showing at the size it should be: Select the disc letter in Explorer, right click and select Properties and see what the Capacity is. If it's what you expect that's OK. If not, then the disc partitioning may be wrong and you may have to adjust it to get the rest of the space on the disc (info on this later if needed).

Have a look at these things and see where the problem lies - probably in the reverse order that I gave them!

(One final thought - your new install didn't install a separate system somewhere other than the default location, did it?)


Mick



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 01 Feb 10 - 04:24 AM

I've just noticed that my HD free space has gone from about 75% down to 27% since I did what I did.

I looked in regedit under HKEY_LOCAL_MACHINE\SYSTEM, and it shows ControlSet002, ControlSet003 and CurrentControlSet, and they all seem to contain the same things.

Do I need all three, or could this be where I have lost all my free space? Can I delete two of them?

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 01 Feb 10 - 02:13 AM

I am a little wary of celebrating yet (after the last episode) but I THINK it's finally back to normal, and thanks to you all for the pride and satisfaction I now feel. Just the fact that I managed to follow the "idiot proof" instructions and arrive at a satisfactory conclusion is great, BUT....

Please don't ask how it's ended up here.

It has taken about two solid days of heartache, hair pulling, (not that I've got much to start with) and highly strung nerves.

I finally started by trying to do a repair after booting from disk, which all seemed fine until it looked like it was doing a complete reinstallation and I couldn't stop it. Anyway, it said it would take about three hours, so I left it to get on with it. When I returned about three hours later it had got to about ten minutes, then asked what language I wanted and had waited for me to click English, so then I was feeling sick for the next two and three quarter hours thinking I had lost virtually everything and was going to end up with a new clean PC to start from scratch.

When it had finished and rebooted it looked normal, everything was still there. The only difference was that the virus protection was turned off and a message saying computer at risk, no virus protection. No problem, I thought, just download Microsoft Essentials again. No go, it kept coming up with an error code, unable to load. Investigated that, no luck; tried other progs, no joy, none of them would install; tried OneCare scans, still no joy. Eventually tried my old AVG Free which was still on there and it loaded, got rid of another infected file, took about an hour to update. Then I got 59 updates from Microsoft, then the XP3 pack, and after two days have now hopefully got back to normal, making sure that I have now backed up the whole thing onto my external drive and will do regular backups in future.

Still have absolutely no idea how I got here but I just hope it lasts a bit longer than last time now.

Grateful thanks to all,

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 31 Jan 10 - 08:21 AM

No kidding, for a normal home user Ubuntu Linux... no more viruses. I switched my doctor buddy and he is hooked now, along with my mom and sister. If it were not for my clients I would never use Windows.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 31 Jan 10 - 08:17 AM



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: GUEST,Jim Martin
Date: 31 Jan 10 - 06:46 AM

I would say most of all this hi-tech jargon is beyond most of us who are average computer users, and in a similar situation we will get an "expert" to fix the problem - I did this and finished up having to buy a new computer. It's all one big scam!



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 31 Jan 10 - 12:27 AM

I hope you are OK now and it all works again.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: JohnInKansas
Date: 30 Jan 10 - 02:12 PM

If your AV has quarantined the threat file, it should not be able to run the next time you reboot.

The most probable reason why the AV could not remove an infected file is that the file was open/running. Most AV programs, however, as a "standard practice" do NOT delete files, but instead put them in quarantine so that, if necessary, you can restore them.

Once the file is quarantined, if you just reboot normally you should be able to delete it from the quarantine file just by opening your AV program.

Microsoft gives a specific "information" for the malware indicated at VirTool:Win32/Obfuscator.HW that may be of interest, but indicates that up to date AV should be able to remove it, and gives no other instructions.

By putting the file in quarantine your AV has "removed" it. If you reboot and run a new AV scan, and the file is found again, it probably means that it's being reinstalled by a Registry entry or by a boot sector infection.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 30 Jan 10 - 09:51 AM

John
Go into your computer's setup, that is usually F1 or F2 when it starts to boot. Here you see things like hard drives and other technical options; look for boot sequence, change the sequence to CD first then hard drive, hit Esc and save.
It will reboot but will look for the CD first.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 30 Jan 10 - 08:26 AM

I just did another scan with Microsoft Essentials and it came up with this "serious threat", VirTool:Win32/Obfuscator.HW, which it says it cannot remove but has quarantined.

I think I now have to try Villan's method, but cannot seem to work out how to boot from disc.

HEEEEEEEEElp!


John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 30 Jan 10 - 07:53 AM

El Thicko here again, how do I "boot from the windows cd". I put the disc in and went to "my computer" then double clicked on D drive and got the menu then looked at instructions which said restart with the disc in, which I did.

It just started as normal, I can't find the repair option!

I am obviously missing something.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Rasener
Date: 29 Jan 10 - 08:26 PM

OK, I understand Dan. Nevertheless it's worth him checking.

However, it's worth everybody keeping those instructions for future reference. It doesn't take long to do and it will save lots of time and effort trying this and that and pulling your hair out etc. :-)

You also won't lose any of your data.

Les



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 29 Jan 10 - 08:03 PM

Les, those are great instructions. But I am pretty sure he got rid of the virus from the OneCare scan; what I think is the virus corrupted the boot files and they are broken even though it is gone. If it is XP he should just boot from the install CD and do the repair, which will copy over the files with the proper ones leaving everything intact.

Your instructions for manually removing the virus are very good indeed, especially for those that did not do the OneCare scan.

good job
Dan



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Rasener
Date: 29 Jan 10 - 07:43 PM

OK, this is the way to remove the files that are causing the rootkit virus. I did this and it worked. When you have done this, you still need to use your virus checkers to make sure there aren't any other viruses left on the machine. Please take the time to read it properly first and print it out so you have it by your side as you carry out each instruction.

UACd.sys Trojan / Winpc Virus Removal
It does require a level of skill. This is not recommended for beginners and requires an advanced set of technical skills.
Symptoms:
- Programs like Spybot, Malwarebytes, Superantispyware, Windows Defender, etc. won't run or install. You double click, it looks like it is trying to open, but nothing ever happens.
- Every time you try to search something on Google and click on the link of a result, it will redirect you to a site with the URL of gwww.windowsclick.com or something similar.
- Your computer will be slow and will freeze.

Removal:
Instead of playing around and trying to get programs to work and to remove it, use this trick instead.

1. First you will need a copy of your Windows CD.
2. Boot your computer to the Windows CD. Let it boot to a blue screen and it will ask you if you want to repair your computer by pressing R. Press R on the keyboard.
3. It will ask you what Windows installation you want to log onto, select the appropriate one. (Most likely 1.)
4. If it asks for an Administrator password, enter it in. If you don't know the password, chances are it is blank so just press enter. If that still doesn't work, you will have to change or remove your administrator password.

5. You will see a black window and if you are successfully logged in, you should see C:\Windows> in white text. Type the text after the word Type and then press ENTER.

C:\Windows> Type cd system32

C:\Windows\system32> Type dir

(Now you will see a long list of a bunch of files. Scroll down to the U's. If you are indeed infected with the UACd.sys Trojan, you should see files named UAC*random characters*.dll. Write down on a piece of paper all of the files that begin with UAC, including guacinit.dll. Make sure you write them down exactly as they are (take your time on this and get it right). Now you can scroll to the bottom and you will be back at the C:\Windows\system32> prompt.)

You are now going to delete each item you have written down, so remember to tick each one off on your list as you successfully delete them.

So for your first one you carry out the instructions after the word Type.

C:\Windows\system32> Type del UAC*random characters*.fileextension (If the file is named UACdsferskwufy.dll that is what you type in.)

If it is successful, it will just go to a new line with C:\Windows\system32> as the prompt.

Repeat the del process with the rest of the files that you wrote down. Once you have deleted all of them, run the dir command again and scroll to the U's and see if there are any UAC files left. If you have done everything correctly, there shouldn't be.

Once that is done, you will be back at a C:\Windows\system32> prompt. Follow these commands.

C:\Windows\system32> Type cd drivers

C:\Windows\system32\drivers> Type dir

Browse through the list till you come to UACd.sys. Write this down so you don't forget it. Now browse to the end of the list and you will be back at the prompt.

C:\Windows\system32\drivers> Type del UACd.sys

If it is successful, it will go to a new line. You can then restart your computer by holding the power button or typing in exit. (Make sure to remove the CD so it doesn't boot to it again.)

Let it boot into Windows.

Once you are back into Windows, download Avenger from here

http://www.downloadrage.com/avenger-antivirus-download.aspx

Scroll to the bottom of the page to find the download link.

Extract the file and run the Avenger program.

In the white text box, enter and run the following.

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\wJQs.exe

It may ask to reboot, let it reboot your computer.

Now run the usual spyware/virus removal tools to take care of the rest.

I hope that helps


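As an added example (not part of Les's post or of any tool he names), here is a Python script that automates the "write them down" step of the procedure above: it scans an offline copy of the infected Windows folder (the drive attached as a slave to a clean machine, as Bernard suggests, or an image mounted read-only) and lists the UAC* files, guacinit.dll, UACd.sys and wJQs.exe named in the post with sizes and SHA-256 hashes. The name patterns come from the post; the E:\Windows path is an assumed example, and the script only reports, leaving deletion to the operator after review.

```python
"""Report the file-name indicators from the UACd.sys removal procedure.

Scans an OFFLINE copy of a Windows folder (an infected drive attached as a
slave to a clean machine, or an image mounted read-only) and lists the files
the procedure says to write down. It changes nothing on disk: review the
report, then remove the files by hand as the procedure describes.
"""
import fnmatch
import hashlib
from pathlib import Path

# Name patterns taken from the procedure (matched case-insensitively, as NTFS
# does): files beginning with UAC plus guacinit.dll in system32, UACd.sys in
# system32\drivers, and the wJQs.exe path given for the Avenger step.
INDICATORS = {
    "system32": ["uac*", "guacinit.dll", "wjqs.exe"],
    "system32/drivers": ["uacd.sys"],
}


def sha256_of(path: Path) -> str:
    """Hash the file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def find_uac_indicators(windows_root):
    """Return a sorted list of (relative_path, size, sha256) for matching files.

    windows_root is the offline Windows folder, e.g. E:\\Windows when the
    infected disk is mounted as E: (assumed example path). Only regular files
    are reported. Every hit is a candidate for review, not a verdict: a
    legitimate file could share the UAC prefix, which is why the procedure
    has you check the list by hand.
    """
    root = Path(windows_root)
    hits = []
    for subdir, patterns in INDICATORS.items():
        folder = root / subdir
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if not entry.is_file():
                continue
            name = entry.name.lower()
            if any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns):
                rel = entry.relative_to(root).as_posix()
                hits.append((rel, entry.stat().st_size, sha256_of(entry)))
    return sorted(hits)


def format_report(hits):
    """Render the hits as the tick-off checklist the procedure asks you to keep."""
    if not hits:
        return "No UAC* / guacinit.dll / UACd.sys / wJQs.exe indicators found."
    lines = ["Files to review and tick off as you delete them:"]
    for rel, size, digest in hits:
        lines.append(f"[ ] {rel}  ({size} bytes, sha256 {digest})")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys

    # Assumed example: the infected disk is mounted as E: on a clean machine.
    target = sys.argv[1] if len(sys.argv) > 1 else r"E:\Windows"
    print(format_report(find_uac_indicators(target)))
```

Keep the report with the hashes: it records what was removed if the machine later needs a second look, and lets a reputable scanner confirm the files afterwards.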

Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Rasener
Date: 29 Jan 10 - 06:44 PM

Bernard
Getting rid of a rootkit virus is possible. I know I did it for my wife about 9 months ago and I haven't had any problems since.
All her data was retained.

I actually talked with PC World first and they said, you will have to reformat etc, etc. Fortunately I didn't listen to them.

I will have a look and see if I can find what I did.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: JohnInKansas
Date: 29 Jan 10 - 04:47 PM

wilby et al.

Until you get fixed, it's not really certain what you've got; but according to The Red Tape Chronicles there are worse things out there than what we think you've got.

GIVE ME YOUR MONEY, OR YOUR COMPUTER GETS IT

Posted: Friday, January 29 2010 at 06:00 am CT by Bob Sullivan

Could be worth a look, just to keep up on what the thieves are doing these days.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Stilly River Sage
Date: 29 Jan 10 - 03:31 PM

That sounds like a good option, Dan.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 29 Jan 10 - 11:44 AM

I bow to your superior knowledge people,it's great having you around.

Mick is absolutely right about my expertise or lack of it and I fully expect to have to eventually take it somewhere, but in the meantime I am enjoying the experience of trying the simpler things and who knows, one of them might work.

I know I keep saying thank you, but I really appreciate the time and advice given.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 29 Jan 10 - 09:45 AM

OK, everyone is correct here. Try this now: you got rid of 4 of them from the scan, probably all of them, but the boot sector is messed up. Get your Windows CD and boot from it, then choose repair instead of full install; do the repair portion of the installation, this should repair corrupted files.

Then you should be alright I think.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Mick Pearce (MCP)
Date: 29 Jan 10 - 09:35 AM

Bernard - not all rootkits replace the boot sector, most just subvert operating system files. While replacing the boot sector would typically require booting from some other device - some kind of recovery CD-ROM as you say - that may not be necessary. The same behaviour willyhillbilly described after infection removal could easily be caused by malware installing Run or RunOnce keys in the registry to reinstall themselves on startup.

If it was me I'd do the malware scan and removal, followed by a HijackThis (or one of the other registry scanners) to check the Run keys in the registry and delete those if needed, followed by sfc to recheck the operating system files. If I was still getting problems then I might try creating one of the scan and recovery discs (there are links and instructions for downloading ISOs and creating discs on the reputable antimalware sites - make sure it's one of the recognised reputable sites!). But as willy has said above, his level of technical expertise might not let him feel confident with some of these, so it may be better to bite the bullet and take it in to a store. (Stress that you want the system cleaned, not the disc wiped and O/S reinstalled from scratch, or you need your data recovered if they do that.)

Mick



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Bernard
Date: 29 Jan 10 - 09:01 AM

Let's be clear about this... a 'rootkit' is not a fix, it is a particularly pernicious form of malware that replaces the system drive's boot sector. It is therefore capable of circumventing any attempt to remove it, even in Safe Mode.

The only sure way to get rid of it is by booting from another device (usually CD-ROM) and replacing the boot sector with a clean version. This could also be achieved by connecting the drive as a slave or external drive on another machine which is adequately nailed down.

I repeat - disable autorun (autoplay) to prevent infected drives from installing their rootkit payload. If you have a network, they will spread like wildfire to any machine that has mapped drives with autoplay enabled.

I've been there...



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 29 Jan 10 - 03:03 AM

Did the safety scanner bit, took 4 hours for complete service scan and it found 3 serious infections and got rid, as well as other stuff.

Restarted and then up came that blasted shutdown window again, so, onto the next bit....

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 28 Jan 10 - 04:06 AM

More brilliant advice, thanks all, I will take time now to run through and digest it, then give them a try. Thanks again.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Stilly River Sage
Date: 27 Jan 10 - 03:44 PM

I forgot to mention that I would never willingly turn off System Restore. It doesn't always work the way I want it to, but it has saved my bacon a couple of times.

SRS



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Mick Pearce (MCP)
Date: 27 Jan 10 - 03:28 PM

The utility JiK is pointing you to is the System File Checker. This can check system files and replace them if they are not the correct version. The command:

  sfc /scannow

will do this - you can type it into the Run box of the start menu.

(Of course, if malware is clever enough to rewrite the cache of correct files, this will not do anything useful.)

Mick



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 27 Jan 10 - 02:27 PM

Forget Spy Sweeper, rootkits etc., do the Safety Scanner in safe mode. The virus I took off my buddy's PC skated through everything. Safety Scanner nailed it, removed it, fixed all the files and took about 3 hours of run time. Now here is the problem: if you don't have a high speed line like a DSL or cable modem, I have no idea how long it will take.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: olddude
Date: 27 Jan 10 - 02:20 PM

Boot to safe mode (F8), use the free Microsoft OneCare Safety Scanner. My friend had a bad, bad virus yesterday. I tried a lot of things and finally nailed it with this one and it worked slick.

Microsoft's Safety Scanner



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: JohnInKansas
Date: 27 Jan 10 - 02:05 PM

It was suggested in a previous post that turning off System Restore might be a good thing to do.

It's not clear that it's widely understood why this may help, or just how System Restore works.

If System Restore is turned on, each time the computer is shut down or rebooted, if anything in the setup has changed the System saves the configuration in a separate encrypted and inaccessible folder. This folder can hold about a half-dozen "restore points" but when a new one appears the oldest previous one is "pushed out" and gets discarded.

Malware that gets on the system may make changes in the Registry before the original "infection" is removed. When your AV deletes the original infecting file, it may not delete entries made in the Registry, and some malware may copy the original infecting file under a "scrambled name" that's unlikely to be found by the AV.

When the computer is rebooted, with System Restore on, the system looks at the last previous restore point, and if anything that "looks useful" is missing System Restore may automatically (and invisibly) put the Registry entry back into the system. The registry can "call for" the aliased/renamed original infecting file, and the infection reinstalls itself each time you reboot.

Once you have rebooted a half-dozen times, with changes each time while you have tried to remove the infection, it becomes unlikely that System Restore contains a restore point that does not contain the instruction to reinstall the infection, so there is no harm in removing all the restore points. You remove them by turning off System Restore (which dumps them all).

This does not remove the reinstall instruction from the Registry for the current configuration, but booting in Safe Mode lets Windows restart without reading all the Registry instructions, so the malware might not be put back. The KB article linked up above does give you somewhat more control over what starts, and what doesn't, in WinXP Safe Mode, which may be helpful in getting the computer up without turning on the infecting file(s).

If all copies of the original infecting file can be removed by your AV while running in safe mode, but the Registry is not cleaned, the next normal boot should give a different error message when the registry attempts to open a file that doesn't exist. The new error message should give the name of the file that wasn't found, and you can then (sometimes) look in the registry to find the line that calls for that file, so that the Registry entry can be deleted. If you're not comfortable with working with the Registry, it should be fairly easy to find advice once the filename is identified. The only caution here is that you don't want to edit out the Registry line that calls for a file that is needed but is just missing.

In the present case, where Windows Explorer fails repeatedly, it is possible that the malware has modified or replaced a file used by Explorer. The modification/replacement may have just corrupted the file so that it doesn't work, or your AV might have removed it because it was infected.

My recollection is that WinXP usually includes a "Repair Windows" option in Control Panel, at the Add or Remove Programs location. If you don't find it there, it may come up if you boot from original installation disk (or a "Repair Disk" as some OEMs call them). In Vista, an OEM installer can have included the Repair module in the installation; but usually you have to boot from an original installation disk to get to it.

If you can run the System Repair utility, it will theoretically look at all the necessary Windows files and will replace any that are missing or corrupted. Since the file(s) will be replaced with an "original" version, it may not incorporate patches issued after your computer was built, so Windows update should be run as soon as possible after any "Repair" that goes back to your original installation disk. (Even if you don't have to use the installation disk, the check will be against "CAB files" copied to your hard drive at the time of first installation, so you should still check for updates.)

John


Post - Top - Home - Printer Friendly - Translate
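The check John describes (an autostart entry still calling for a file the AV has already removed), as an added example that is not part of the thread. It lists the usual autostart Registry values, works out which file each one launches and reports the ones whose file is missing. Nothing is deleted: each key is exported with reg.exe first, because, as John says, an entry for a file that is merely missing but still needed must not be edited out. It assumes Windows XP or later with PowerShell 2.0 or newer, run from an elevated prompt; the key list and the %TEMP% backup folder are my choices, not something from the posts.

```powershell
# Added example, not code from the thread: report autostart Registry values
# whose target file no longer exists. Assumes PowerShell 2.0+, elevated prompt.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit
)
$BackupDir = Join-Path $env:TEMP 'autostart-backup'   # assumed location for the .reg backups
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Pull the program path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    C:\WINDOWS\system32\bar.exe -x    Explorer.exe
# Unquoted paths containing spaces are ambiguous (Windows tries each prefix); this
# takes the first token, which is good enough to spot a missing file.
function Get-TargetPath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        if ($close -gt 1) { return $cmd.Substring(1, $close - 1) }
    }
    $exe = ($cmd -split '\s+')[0]
    if ($exe -match '[\\/]') { return $exe }
    # Bare names (Winlogon\Shell is normally just "Explorer.exe") are looked up
    # in %SystemRoot% and then system32, the places Winlogon itself looks.
    foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))) {
        $candidate = Join-Path $dir $exe
        if ([IO.File]::Exists($candidate)) { return $candidate }
    }
    return $exe
}

$report = @()
foreach ($key in $AutostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $regPath = $key -replace '^(HKLM|HKCU):\\', '$1\'          # form reg.exe expects
    $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
    Remove-Item $file -ErrorAction SilentlyContinue             # avoid reg.exe's overwrite prompt
    & reg.exe export $regPath $file | Out-Null

    $values = Get-ItemProperty -Path $key
    $isWinlogon = $key -like '*\Winlogon'
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }               # provider metadata, not a value
        if ($isWinlogon -and (@('Shell', 'Userinit') -notcontains $prop.Name)) { continue }
        # Winlogon values are comma-separated lists, e.g. userinit.exe,C:\extra.exe
        $commands = if ($isWinlogon) { "$($prop.Value)" -split ',' } else { @("$($prop.Value)") }
        foreach ($cmd in $commands) {
            if (-not $cmd.Trim()) { continue }
            $target = Get-TargetPath $cmd
            $report += New-Object PSObject -Property @{
                Key     = $regPath
                Value   = $prop.Name
                Command = $cmd.Trim()
                Target  = $target
                Exists  = [IO.File]::Exists($target)
            }
        }
    }
}

# Missing targets sort first. Decide by hand what each one is before touching the Registry.
$report | Sort-Object Exists | Format-Table -AutoSize Exists, Value, Target, Key
Write-Host "Registry backups written to $BackupDir"
```

An entry that shows Exists = False is exactly the file name the boot-time error dialog complains about. Check what the file was (the Value name and the folder it lived in are usually enough) before deleting the Registry value; if you do delete it and something else breaks, double-clicking the matching .reg file in the backup folder puts the key back.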

Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Bernard
Date: 27 Jan 10 - 01:56 PM

Yes, Mick - except that a rootkit can be capable of cloaking itself so that neither Malwarebytes nor Combofix can spot it unless the PC is booted from an alternative device, such as CDRom. That way the boot sector doesn't trigger the rootkit. If you boot from the infected device the 'fix' has already failed.

The buggers are getting too flamin' clever!



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Mick Pearce (MCP)
Date: 27 Jan 10 - 12:27 PM

willy - the tracking cookies your scan is finding shouldn't be the cause of your troubles: they're just small information files that websites you visit put on your computer. The tracking cookies saved on your machine can be read by the same/other websites and used to target adverts to you. In themselves they can't harm your machine and you can set your browser up to ignore them (i.e. not save them) or ask if you want to save them or not.

For the symptoms you're getting I'd use malwarebytes rather than Spybot and if that doesn't work I'd try combofix (although that involves a bit more work to use, though the instructions are pretty clear).

Mick



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 27 Jan 10 - 11:49 AM

That's if you dare!!

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Stilly River Sage
Date: 27 Jan 10 - 09:56 AM

IDE and SATA connections

SATA connections and cables

General instructions to install a SATA drive

I have a couple of drive enclosures holding one backup drive I've used for a while and the previous hard drive for this computer from a rebuild last year. When I was first dealing with a SATA drive I realized, in poking around the mother board, that I had three free slots there that I'd never thought about using. It's really pretty amazing what you can find when you get under the hood.

SRS



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Bernard
Date: 27 Jan 10 - 09:54 AM

It's a minefield, innit?!

Do you have a set of 'System Restore' CDs that came with the PC? It's not that difficult to replace the hard drive and reinstate it 'as new'.

As for the apparently complicated terminology, it's not really so obscure, honest!

A 'caddy' is a box you can put a hard drive into, then you can plug it into your PC (after disabling 'autorun', of course!) and use it as if it's an internal drive.

PATA is the old IDE connection with the wide ribbon cable, SATA is the modern connection with a small (sometimes locking) plug.

ISO means an image file (cd_image.iso for example) that most CD burning software can use to make a CD - and is an easy way of producing a bootable CD.

As for disabling 'autorun', you only need to open 'My Computer'... right click on the drive icon, select 'properties' and you'll see an 'AutoPlay' tab.

Click that tab and you'll see a few options. All you do is click the 'radio button' on 'Select an action to perform', scroll down to 'Take no action', make sure it's highlighted and click 'apply'.

You DO NOT want to be prompted each time for an action, as this means the autorun.ini file will have already run...

However, if the choices are greyed out, you're too late - the malware has beaten you to it!

As yet I'm not sure about this shutting down business... I'll try to find out more, as it's a new one on me. Clearly it's the malware doing it, but why?! Okay, I know... 'because it can!'



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 27 Jan 10 - 09:41 AM

I've just done another scan with Spybot and it's come up with more files, but they all seem to be "tracking cookies" and relate to progs I didn't even know were there, all of a similar nature i.e. Adviva, Doubleclick, Mediaplex, Rightmedia, Tradedoubler.

Am I right in thinking these things must be "generating from within" as it were, because I'm sure they weren't there on the last scan, although there were similar (tracking cookies).

AAAAAAAAAAAArrrrrrrrgh.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 27 Jan 10 - 08:32 AM

Thanks Bernard, but I'm afraid this talk of Sata Iso Caddy etc is a foreign language to me.

It's looking like I will have to take it to the "experts" to try and get them to do it.

The thing is still trying to shutdown after 30 mins each time I power up, but at least it only does it once now as I took the advice from Mick Pearce and can abort the shutdown and it seems to then carry on indefinitely, (until I switch off then on again).

Weary John.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Bernard
Date: 26 Jan 10 - 12:38 PM

Okay, back from a job... to add to what Bobad said:

Buy a new hard drive and a caddy (making sure it matches what you already have - don't buy a SATA drive and caddy if you're still on a PATA drive).

Rebuild the PC on the new drive, and all your old stuff will still be available via the caddy. As long as you've got adequate malware protection the rootkit can't transfer itself (you did remember to disable 'autorun', didn't you?!!), and you may even be able to clean the old installation that way if you prefer to revert to it.

Another word of warning - if you use USB fobs or other removable drives, it's just possible they may have been infected with an 'autorun' rootkit. As long as autorun is disabled, they won't work - but you need to delete (and empty the trash) the autorun.ini file AFTER you've opened it with Notepad to see what it loads - delete that folder and its contents, too.


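The two things Bernard does by hand in his posts above (turning off AutoPlay through the drive's Properties tab, and opening the autorun file in Notepad to see what it would load), as an added example that is not part of the thread. The file Windows actually reads from the root of a drive is autorun.inf (the posts call it autorun.ini). The first part sets the NoDriveTypeAutoRun policy to 0xFF, which disables Autorun for every drive type rather than one drive at a time, and prints the previous value so you can see whether something had already set it; the second part parses any autorun.inf found on the attached drives and reports the commands it names, without running anything. It assumes Windows XP or later with PowerShell 2.0 or newer, run from an elevated prompt.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0+, elevated prompt.

# 1. NoDriveTypeAutoRun is a bit mask of drive types for which Autorun is ignored;
#    0xFF covers all of them. The policy exists per user and machine-wide; set both.
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $PolicyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $before = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $shown = if ($before -eq $null) { 'unset' } else { '0x{0:X}' -f $before }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Write-Host ("{0}: NoDriveTypeAutoRun was {1}, now 0xFF" -f $key, $shown)
}

# 2. Read an autorun.inf the way Explorer interprets it: only the [autorun] section
#    matters, and the keys that name a program are open=, shellexecute=,
#    shell\<verb>\command= and shell= (which picks the default verb).
#    This only parses the file; nothing here executes the target.
function Get-AutorunCommands([string]$Root) {
    $inf = Join-Path $Root 'autorun.inf'
    if (-not [IO.File]::Exists($inf)) { return @() }   # Exists() sees hidden/system files too
    $found = @()
    $section = ''
    foreach ($line in [IO.File]::ReadAllLines($inf)) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        if ($line -match '^(open|shellexecute|shell\\[^=]+\\command|shell)\s*=\s*(.+)$') {
            $found += New-Object PSObject -Property @{
                Drive = $Root; Key = $matches[1]; Command = $matches[2].Trim()
            }
        }
    }
    return $found
}

$hits = @()
foreach ($drive in [IO.DriveInfo]::GetDrives()) {
    if (-not $drive.IsReady) { continue }                 # empty CD/card reader slots
    $hits += Get-AutorunCommands $drive.RootDirectory.FullName
}
if ($hits.Count -eq 0) { Write-Host 'No autorun.inf found on any ready drive.' }
else { $hits | Format-Table -AutoSize Drive, Key, Command }
```

Whatever appears in the Command column is the thing Bernard tells you to look at before deleting the autorun file: it is usually a hidden executable in a folder on the same drive, and that folder goes too. One caveat for XP users: XP only honours NoDriveTypeAutoRun reliably once the 2009 Autorun update from Microsoft (KB967715) is installed, which is one more reason to get Windows Update working again before trusting the setting.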

Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Bernard
Date: 26 Jan 10 - 09:59 AM

Yes, what Bobad said! Often a much quicker answer!



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: Bernard
Date: 26 Jan 10 - 09:58 AM

Unfortunately, it could be a 'rootkit' infection, which cannot easily be cleared after the system has booted, even in Safe Mode. You may need to either use a solution that boots from a CDRom, or put your drive in a caddy and 'clean' it on someone else's machine which isn't infected and has every known protection available.

A 'rootkit' infects the boot sector of the system drive, and often transfers itself to any other drives on the system via the 'autorun' feature. Turning off autorun on all drives before you've been infected is good protection, though not infallible.

When you boot a system with a rootkit in its boot sector, the malware is able to 'cloak' itself so that even the best antivirus or antispyware cannot detect it - and is often disabled by it.

Other clues can be the inability of the AV software to update, and even Windoze updates can be compromised. System Restore can also be disabled, and accessing Safe Mode itself may be blocked.

There is no cover-all cure for these things - first you have to find out what you're dealing with, which is often the longest part of the cure. In my experience the symptoms one system has may be similar to another system, but they are often not caused by the same thing... so be careful about grabbing the nearest solution and expecting a miracle!

One very handy tool is available from Trinity Rescue Kit, which involves downloading an ISO image from which you burn a bootable CDRom. However, information changes on their website alarmingly frequently, which shows how the malware threats are modifying to try to keep ahead of the cures... so make sure you read up as much as you can before attempting any 'cure'... each time you visit the site you may find they've changed their approach yet again!


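A check that follows from Bernard's point about cloaking, as an added example that is not part of the thread: a rootkit in the boot sector that hides itself from a running Windows has to lie about the first sector of the disk, so hash that sector from inside Windows, then hash the same sector from a rescue CD (or with the drive in a caddy on a clean machine) and compare. Matching hashes prove nothing on their own; different hashes mean the running system is not showing you the real disk, and only the offline copy can be believed. .NET's FileStream refuses to open device paths directly, so the script opens \\.\PhysicalDrive0 through CreateFile. It assumes PowerShell 2.0 or newer, an elevated prompt, and that disk 0 is the system disk; the output file name in %TEMP% is my choice.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0+, elevated prompt.
Add-Type -Namespace Win32 -Name Disk -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Get-BootSector([int]$DiskNumber = 0) {
    $path = "\\.\PhysicalDrive$DiskNumber"
    # GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING
    $handle = [Win32.Disk]::CreateFile($path, [uint32]0x80000000, 3, [IntPtr]::Zero, 3, 0, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        throw "CreateFile($path) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $stream = New-Object IO.FileStream($handle, [IO.FileAccess]::Read)
    try {
        $sector = New-Object byte[] 512
        if ($stream.Read($sector, 0, 512) -ne 512) { throw "short read from $path" }
        return $sector
    } finally { $stream.Close() }
}

function Get-BootSectorSummary([byte[]]$Sector) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $toHex = { ($args[0] | ForEach-Object { '{0:x2}' -f $_ }) -join '' }
    # Layout: bytes 0-445 boot code (plus disk signature at 440-443), 446-509 the
    # four 16-byte partition entries, 510-511 the 0x55 0xAA signature.
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $e = 446 + 16 * $i
        if ($Sector[$e + 4] -ne 0) {
            $parts += ('type=0x{0:X2} active={1} startLBA={2} sectors={3}' -f $Sector[$e + 4],
                ($Sector[$e] -eq 0x80), [BitConverter]::ToUInt32($Sector, $e + 8),
                [BitConverter]::ToUInt32($Sector, $e + 12))
        }
    }
    New-Object PSObject -Property @{
        Sha256         = & $toHex $sha.ComputeHash($Sector)
        BootCodeSha256 = & $toHex $sha.ComputeHash($Sector, 0, 440)   # code only, no disk signature
        SignatureOk    = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        Partitions     = $parts
    }
}

$sector = Get-BootSector 0
Get-BootSectorSummary $sector | Format-List
# Keep the raw bytes as well, so the offline copy can be compared byte for byte.
$out = Join-Path $env:TEMP 'mbr-from-windows.bin'
[IO.File]::WriteAllBytes($out, $sector)
Write-Host "Sector 0 saved to $out"
```

From a Linux rescue CD such as the Trinity Rescue Kit Bernard mentions, the offline side of the comparison is a single command against the disk device (typically /dev/sda): dd if=/dev/sda bs=512 count=1 2>/dev/null | sha256sum. If that hash differs from the Sha256 printed inside Windows, something in the running system is intercepting disk reads, which is the cloaking Bernard describes, and the rest of the clean-up has to happen from the rescue CD.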

Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: bobad
Date: 26 Jan 10 - 09:15 AM

If all else fails do, or have done by professionals, a wipe of your hard disc, after backing up all the files you don't want to lose.

I recently experienced problems with my computer, the cause of which was never found either by me or the staff at a very good computer repair shop. They finally did a wipe for me and my computer hasn't worked this fast and well since it was new. Hard drives tend to become bloated with useless junk and files get corrupted over time, regular wipes are recommended. Mine had never been wiped in six years.



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: wilbyhillbilly
Date: 26 Jan 10 - 08:40 AM

Thanks to all. Hopefully I will find the cure shortly.

John



Subject: RE: Tech: Re my: Help! Serious Virus Plea.
From: JohnInKansas
Date: 25 Jan 10 - 07:01 PM

Note that removing the check from the System Restore box Deletes ALL prior restore points IMMEDIATELY. This does mean that you will not be able to use System Restore to go back to a previous configuration once the box has been unchecked.

You can save a Registry configuration manually, by recalling a config using System Restore and exporting the Registry from regedit, but it does require manually accessing the registry, and it's easy to confuse where you are with the configurations.

John


All original material is copyright © 2022 by the Mudcat Café Music Foundation. All photos, music, images, etc. are copyright © by their rightful owners. Every effort is taken to attribute appropriate copyright to images, content, music, etc. We are not a copyright resource.