Caught a virus.
June 19, 2006 3:01 PM

Seeking help trying to find a virus.

I'm pretty sure I've got a virus on my computer. Funny thing is that the only program that has identified it is AOL Spyzapper, and it identifies it simply as 'infostealer'. I've run Norton AV and AOL AV, and neither of them find the virus/location. Any suggestions on what to try? I'm running XP SP2, and I do apologize if I'm repeating a previous question (but I couldn't find anything speaking of 'infostealer'). Thanks.
posted by astorias to Computers & Internet (7 answers total)
 
Download Adaware or Spybot search and Destroy, run it and see what they show.

Adaware is included as part of the google pack set of add-ons.
posted by iamabot at 3:06 PM on June 19, 2006


Actually, I should clarify more, I think... I have run Ad Aware as well (which did not find the bug either).
posted by astorias at 3:26 PM on June 19, 2006


According to Symantec (makers of Norton AV), this page lists the variants of the infostealer virus and how to remove each one. It looks like you will have to disable the System Restore function, then download all current updates for your software, then run the scan. The scan should identify the infected file(s) and prompt you for quarantine and removal.

Also, once you have run the virus scan (and also Ad-Aware after), make sure you set new passwords (use good ones, such as letter/number/symbol combinations).

If you can't view the link above, let me know and I can send you the plain text version.

Good luck.
posted by galimatias at 4:40 PM on June 19, 2006


galimatias--thx, I did see this link on symantec and did follow their lead (and no virus found). What I didn't do is try running the virus scan in safe mode. Perhaps that will work.
posted by astorias at 4:46 PM on June 19, 2006


Also try the online scanner from Trend Micro; it usually does well.
posted by gemmy at 4:58 PM on June 19, 2006


RootkitRevealer

Yes, it happens more often than we would hope.
posted by adzm at 7:30 PM on June 19, 2006


Have your Windows XP cd? The best way to get around spyware that hooks into your operating system is to not run the OS while removing it. Unfortunately, I've had to do this a lot more recently due to the underhanded tactics spyware developers are using. Here are the steps, which require a little bit of DOS know-how:

In Windows:

1. Open "My Computer" and click on Tools/Folder Options. Under the View tab ensure that file extensions aren't hidden and that "hide protected/system files" is unchecked.

2. Navigate to your windows\system32 folder. Sort the view by date.

3. Scroll to the most recent files/changes. This will give you an idea of what's been added recently (they don't always end up in system32, but it's where I find 99% of 'em).

4. Right click on recent DLLs and EXEs and choose Properties. Generally your bad DLLs will have weird information under the Version tab (or no Version tab at all, compared to good DLLs/EXEs). Cross-reference the files with the list that galimatias posted.

(Alternatively, before you reboot, grab a copy of SysInternals' procexp to see if you can find the DLLs and take them out of memory. If you succeed, then you can delete or rename them while in Windows.)

Reboot with xp CD:

1. Boot off of your Windows XP cd and enter the recovery console

2. Log into your Windows partition

3. Once at a C:\ prompt type "cd \windows\system32"

4. Type "del (dll or exe)" where you're substituting the name of the DLL or EXE. You could also type "move example.dll example.bak", which will keep the file but break the program so it doesn't load when you boot Windows. If all else fails, you could then return here and rename it back to a .dll.


It's an ugly way to approach it, but it's getting more and more like this for me as it's taking anti-spyware companies longer to script removal methods for the increasing number of spyware variants popping up. Good luck!
posted by samsara at 6:35 AM on June 20, 2006
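Steps 2 through 4 of samsara's in-Windows triage (sort system32 by date, look at the newest DLLs/EXEs, and treat binaries with no Version tab as suspect) can be automated. The script below is an added example written for this thread, not code from any poster or vendor. It walks a directory, keeps only `.dll`/`.exe`/`.sys` files modified within a chosen window, and flags those that start with the `MZ` executable header but contain no `VS_VERSION_INFO` resource string (the structure behind the Version tab). The directory, file names, cut-off window and the fake PE contents in `build_sample_directory` are all constructed for the demonstration; the version-info check is a cheap byte-scan heuristic, not a full PE parser, so a hit is a lead to examine, not a verdict.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# UTF-16LE form of the key that opens a PE file's VS_VERSIONINFO resource.
# Its presence is a cheap proxy for "this binary would show a Version tab".
VERSION_INFO_MARKER = "VS_VERSION_INFO".encode("utf-16-le")

# Extensions that the thread's procedure is concerned with (assumption).
BINARY_EXTENSIONS = (".dll", ".exe", ".sys")


@dataclass
class Finding:
    name: str            # base file name, e.g. "example.dll"
    path: str            # full path on disk
    modified: float      # mtime as a Unix timestamp
    is_pe: bool          # file begins with the "MZ" DOS/PE header
    has_version_info: bool  # VS_VERSION_INFO key found anywhere in the file


def inspect_binary(path: str) -> Finding:
    """Read one file and record the two cheap indicators used for triage."""
    with open(path, "rb") as fh:
        data = fh.read()
    return Finding(
        name=os.path.basename(path),
        path=path,
        modified=os.path.getmtime(path),
        is_pe=data[:2] == b"MZ",
        has_version_info=VERSION_INFO_MARKER in data,
    )


def triage_directory(directory: str, newer_than_days: float = 7.0,
                     now: Optional[float] = None) -> List[Finding]:
    """Step 2/3 of the procedure: recently modified binaries, newest first."""
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    findings: List[Finding] = []
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if not name.lower().endswith(BINARY_EXTENSIONS):
            continue
        if not os.path.isfile(full) or os.path.getmtime(full) < cutoff:
            continue
        findings.append(inspect_binary(full))
    findings.sort(key=lambda f: f.modified, reverse=True)
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Step 4 of the procedure: executables that carry no version resource."""
    return [f for f in findings if f.is_pe and not f.has_version_info]


def build_sample_directory() -> str:
    """Constructed stand-in for windows\\system32 so the example runs offline.

    The "PE" files are fakes: just an MZ header, padding and (for one of
    them) the version-info key. They are not loadable binaries.
    """
    directory = tempfile.mkdtemp(prefix="fake_system32_")
    now = time.time()
    samples = {
        # name: (contents, age in seconds)
        "good.dll": (b"MZ" + b"\x00" * 64 + VERSION_INFO_MARKER + b"\x00" * 16, 86400),
        "odd.dll": (b"MZ" + b"\x00" * 64, 3600),           # new, no version info
        "old.dll": (b"MZ" + b"\x00" * 64, 60 * 86400),     # no version info but old
        "notes.txt": (b"not a binary at all", 60),         # wrong extension, ignored
    }
    for name, (contents, age) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(contents)
        os.utime(path, (now - age, now - age))
    return directory


if __name__ == "__main__":
    target = build_sample_directory()
    recent = triage_directory(target, newer_than_days=7.0)
    for f in recent:
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(f.modified))
        print(f"{stamp}  {f.name:12}  PE={f.is_pe}  version_info={f.has_version_info}")
    print("worth a closer look:", [f.name for f in suspicious(recent)])
```

To run it against a real machine, replace `build_sample_directory()` with the path of the folder to inspect and read the output the way the post describes: the newest entries first, and anything without version information cross-referenced against the vendor's file list before deciding to rename or delete it from the Recovery Console. A missing version resource is only one weak signal; checking the file's digital signature and hash against a known-good copy is the stronger follow-up.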

