I have a virus. Can you help?
April 28, 2004 11:22 PM

Virus Question: I have something nasty. It closes any type of anti-virus application I install, closes regedit if I try to get in there, prevents access to anti-virus websites, and yes, there's [more inside].

A friend suggested I use an online anti-virus program, but unfortunately the virus blocked my access to antivirus.com. I eventually got McAfee 8.0 to install in safemode, but I can't liveupdate any of the anti-viral software I install because the virus is blocking access to those sites. Luckily, I got into McAfee's help site, and they had a way to download a file to update 8.0 manually. Unfortunately, that download didn't work because of this virus blocking their site. I searched google and found the file on some foreign site, so I was saved... McAfee found several versions of the Gaobot virus. This still hasn't cleaned everything, because I ran the Panda online virus scanner I found online, and that found 7 more things. Now, after a brief period of being able to access anti-viral sites like the Panda online scanner, it seems I can't access them anymore, and the virus has taken over again.

Symptoms include 3 DOS windows that pop up in succession and disappear too fast to read them, closing of antiviral software and regedit within a few seconds of opening them (or not allowing their liveupdates to work), not allowing access to anti-viral internet sites, and slowing my computer down so it runs terribly. If someone knows what I have, please let me know. I've never run into anything this good. They got me on this one.
posted by banished to Computers & Internet (14 answers total)
Have you tried AVG? www.grisoft.com
posted by PWA_BadBoy at 1:10 AM on April 29, 2004


Response by poster: Yes, I have actually; that seemed the most promising. Its live update worked, but it hasn't been able to clean my system successfully.
posted by banished at 1:23 AM on April 29, 2004


Are you running Windows ME/98/95? Are you running Windows XP/2K/NT with a FAT file system?

If so, you can clean all that crap up with F-Prot for DOS. It's free, too. Get it from ftp.datafellows.com

HTH. If you're running with NTFS, you're going to have to clean up the system in safe mode. If you can't access regedit, the virus has taken over the .exe definition. You'll need to replace the corrupt registry entries with good ones before things work again. I might be able to help more with more details.
posted by shepd at 1:24 AM on April 29, 2004


Oh, of course you'll need to run F-Prot for DOS from a DOS bootdisk to make it useful... :-)
posted by shepd at 1:25 AM on April 29, 2004


Something will be residing in memory that shouldn't be there. You should be able to Ctrl-Alt-Del and see what's running in Task Manager > Process List. You'll need to know what *should* be there and what *shouldn't* be there but if you use a site like www.liutilities.com, it will let you know what's good and what isn't. Once you've found the culprit(s), say 'End Process' to get rid of them. That will only delete them for this session, though, so then run your anti-virus software to kill them permanently.
posted by humuhumu at 2:47 AM on April 29, 2004


Check the HOSTS file and clear the entries blocking the anti-viral sites. I just read here the other day where someone was dealing with something similar.
posted by quonsar at 7:30 AM on April 29, 2004


Yep, that was me.

1. Find a file called "hosts" (no extension) and use notepad to clear everything inside the file.
2. Do what humuhumu said, but also block those same programs from starting up on boot. To do this, go to Start > Run and type "msconfig". Click on the Startup tab, and uncheck those nasty little hobbitses.
3. Now reboot. You will have disabled the worm by now, and you can run your virus scanner. Don't forget to run Adaware and Spybot too.
posted by PrinceValium at 9:00 AM on April 29, 2004
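A defender-side check for the HOSTS-file blocking that quonsar and PrinceValium describe, added here as an example (it is not code from the thread): it parses a constructed HOSTS file, flags every entry that sinkholes a non-localhost name to 127.0.0.1 or 0.0.0.0, and removes only those lines rather than blanking the whole file. Apart from antivirus.com, which the poster names, the host names in the sample are constructed placeholders.

```python
import ipaddress

# Constructed sample HOSTS file (not from the thread); the sinkhole lines send AV sites to loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.antivirus.com
127.0.0.1       antivirus.com
0.0.0.0         activescan.example-av.test   # constructed AV update host
192.168.1.10    intranet.example.test        # constructed legitimate mapping
"""

# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs; '#' comments and blank lines are skipped."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        for name in names:
            yield ip, name.lower()

def is_sinkhole(ip):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: not a sinkhole, but worth a look
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text):
    """Entries that sinkhole any hostname other than localhost itself."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if is_sinkhole(ip) and name not in LOCAL_NAMES]

def clean_hosts(text):
    """Drop only the sinkhole lines; comments, localhost and other mappings survive."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if body:
            ip, *names = body.split()
            if is_sinkhole(ip) and any(n.lower() not in LOCAL_NAMES for n in names):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"
```

On a real machine the file lives under the Windows system directory (the thread's step 1 tells you where to look); run the check on a copy first and compare the output before writing anything back.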


These worms are particularly nasty. It's probably gaobot.gen, phatbot, polybot, or whatever they're calling it this week. What I'm going to suggest below is fairly advanced, and you may not feel comfortable doing it because there is a risk that you could cause the system to melt into a pile of goo, but, you know, c'est la guerre.

My advice would be to reboot into safe mode and open up regedit. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and see if you notice anything weird. If you do, delete it. Also take a peek in ...\RunProcesses (or something like that). I'm recommending using regedit in safe mode as opposed to msconfig because I've only ever done it through regedit. Using msconfig to disable startup items seems less than permanent to me, for whatever reason.

Run McAfee (get Norton if you can), Ad-aware and Spybot in safe mode. Turn on the firewall for your internet connection, also. You can do this by opening the Control Panel, selecting Network Connections, right-clicking on your primary connection (i.e., not the FireWire port or whatever else you have going on; I'm assuming you're on some sort of broadband and not a modem), selecting Properties, going to the Advanced tab and checking the only box on that page. This prevents a large number of worm-type things from getting into your box.

At this point, depending on how efficacious the scans were, you can either reboot into normal mode or safe mode w/ networking. Run Windows Update and install all the critical fixes.

After all that, set your antivirus program to update definitions and scan every morning. Leave the firewall up and you should be fine, assuming you actually nixed all the infections. Also, make sure that all of your accounts on the computer are password protected and you don't have any printers or anything that are being openly shared. Gaobot can spread through open SMB shares with weak passwords.

If you have any problems feel free to email me, the address is in my profile. I'm also available on AIM as 'hotel one actual'. Good luck.
posted by mmcg at 9:56 AM on April 29, 2004


Response by poster: The virus will shut down msconfig, and if I opened msconfig in safe mode, wouldn't the virus not be set to start up anyway because I'm in safe mode?
posted by banished at 10:05 AM on April 29, 2004


Some programmes will re-insert themselves into the startup process even if you've deselected them using msconfig. I use a program called Startup Control Panel which can stop this happening. It might be worth a look.
posted by Blue Stone at 11:27 AM on April 29, 2004


I just got rid of the most innocuous yet troublesome little virus ever (Win.Parite32 B, which just randomly inserts four little characters, P I N F, into anything with an .exe attachment -- usually enough to BREAK the program in my case, as well as cause many unexpected system-failure-type things).

AVG didn't help and very nearly locked me out of my computer entirely, and online virus scans just restarted my computer over and over.

Here's what I used.

HijackThis - prints out logs of all running processes and registry entries. You can post this at places like security-forums or Lavasoft's Ad-aware forum, and experienced folks will diagnose you, like going to the doc's office. If you want to diagnose yourself, this tutorial will tell you what to look for in the log that HJT generates.

There are programs that are small and designed to attack one specific kind of virus/malware and its variants, like Antiparite (which gets Win.Parite32A-C, and saved my life), and CWS shredder. When you find out what you've got, search google and see if some security company has created a program that targets your specific problem. In my case, Antiparite cleaned things up to the point where I could use a virus scanner to do the rest.

Security Task Manager - some virii/malware love to hide from Windows' built-in Task Manager, don't ask -me- how they do it. Pretty insidious, huh? This gives you the inside skinny on what's *really* running. It also lets you delete stuff, but be careful with it. Really know what you're deleting.

Ad-aware, free version, lots of support, and works excellently. More info on Ad-aware at Lavasoft's web site.

Antivirus Of Your Choice - I suggest using an online scanner in safe mode w/ networking. Two good ones are Panda ActiveScan and Trend Micro's Housecall. I used the first, and afterward, I invested in Panda Titanium 2004. Lots of folks say Norton, and while it's probably indisputably the best, some of my friends with pretty fast systems say Norton slows 'em down. On my computer, it froze on start-up, and made things really, really, reaaaaaally slow.

Whatever you go with, it might be interesting to see if it passes the Eicar AntiVirus Test.

If you've got system restore running, turn it off! Windows won't let that part of your system be affected by virus scans, so all sorts of goodies can hide in there waiting to infect you again.

Get a firewall, if you don't have one. I chose Zone Alarm.

Get a pop-up blocker. Google toolbar, for example. Mmm, Google Toolbar.

Drink lots of Pepsi Blue(tm) while you're at it. --Oh, wait.

Hope that helps, and good luck!
posted by precocious at 3:36 PM on April 29, 2004


I have used stinger to good effect in the past, when normal anti-virus software is not up to the task.
posted by dg at 4:25 PM on April 29, 2004


I'm curious - how do people get these things? Honest question - you sound like smart people doing the same things I do (firewalls, scanners, etc.), yet I've never had one (I have both Linux and Windows machines, and currently do most of my own stuff on a laptop running W2K).
posted by andrew cooke at 5:07 PM on April 29, 2004


With me at least, sheer stupidity. I didn't do all of those safety things until AFTER I got the virus. Because I thought that as long as I didn't open e-mail attachments, I was safe.

I consider myself pretty smart, but that was the equivalent of not putting a condom on my computer before I went fucking around on the internet.
posted by precocious at 6:16 PM on April 29, 2004

