Re: help! nasty virus that wont let me run antivirus software!!
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 07/03/04
Date: Sat, 03 Jul 2004 06:11:08 +0200
On Wed, 30 Jun 2004 05:54:55 -0700, Malke <malke@nospoonnotreally.com> wrote:
>seehar wrote:
>> Hey i think i have a really nasty virus because i cant run any anti
>> virus software or open any antivirus websites, they just close
>> themselves! even if i type in "virus" on google it closes :( anyone
>> know what i can do?
>> BTW, ive got windows XP but my antivirus software (avast) has run out
>> coz i didnt register it (duh!)
Malke's advice will be pretty much best-case if you are on NTFS, but
if you are on FATxx, you can do better (as annotated along the way).
>The usual way to deal with this is to:
> 1) Take the infected machine off the Internet and any lan immediately.
If FATxx, at this point you should do a formal virus check as per
http://cquirke.mvps.org/9x/virtest.htm using a Win98xx boot diskette
and free DOS-based av from www.f-prot.com, www.nod32.com and/or
www.sophos.com - the last two are free for evaluation and won't offer
updates; the first is free with free updates, which you should
download at the same time.
If NTFS, then it's a lot harder to do a formal virus check because MS
denies you access to the only native maintenance OS NTFS has. See
http://cquirke.mvps.org/whatos.htm for your much-reduced options, or,
as Dirty Harry says, "Do you feel lucky?", you can skip the formal av.
A limitation of most, if not all, formal av methods on XP will be an
inability to clean up registry references. For this reason, and
others, it's imperative that you save logs of everything the av
scanner finds and does.
There's a case to be made for doing the formal scan in "report only"
mode, or as an automatic rename so that changes can be undone (e.g. if
you need to put the malware back to ward off a face-hugger dependency).
At this point, you hopefully have a list of malware that you know you
are after. Use the same clean PC you used to download the av,
Stinger, etc. to read up on the malware you found at reference sites such
as http://www.f-secure.com/v-descs etc. You do this in case there are
caveats in cleaning the malware, and to see what additional settings need
fixing or patches need installing to close holes the malware exploited.
> 2) From a different, clean machine download Stinger
>(http://vil.nai.com/vil/stinger/) and run it in Safe Mode. Stinger is a limited
>virus checker, but its advantage is that it is standalone and doesn't
>need to be installed.
> 3) Hope that Stinger cleans up the machine enough to be able to
>reinstall your av or install a new, current one. Update its definitions
>and do a full scan.
Hope that any active malware doesn't strike back as soon as your av
tries to come after it. Safe Mode Command Prompt Only is the option
least likely to run active malware, but even that can run active
malware that resides within existing code or is patched in through
methods other than those Safe Mode bypasses.
> 4) Continue the cleaning process by removing any spyware with Spybot
>Search & Destroy (http://www.safer-networking.org) and Ad-aware
>(http://www.lavasoftusa.com). Be sure to update these programs before
>running them. These programs are free, so run them both since they
>complement each other. You may also want to run the latest CWShredder
>from http://www.spywareinfo.com/~merijn/index.html. Always read the
>instructions before running a spyware removal tool. It is best to run
>antivirus and spyware removal tools in Safe Mode.
> 5) After you've installed your full-featured av, updated its
>definitions and run a full system scan.
> 6) Make sure you are running a firewall.
Also, make sure you don't have File and Print Sharing bound to your
Internet connection, and that you are not full-sharing the whole of C:
(even on the LAN). Consider killing XP's hidden admin shares.
Only at this point do you reconnect to the 'net.
> 7) Go to Windows Update and apply all security patches for your
>operating system. Do not install drivers from Windows Update.
>You may also need to check your hosts files, as follows:
> 1. In XP's Search preferences, set the files and folders handling to
>Advanced, and then check the box that will make Search look in hidden
>files/folders.
> 2. Now enter the search term "hosts" without the quotes.
I'd say, with the quotes - else Search may find things like HOSTS.SAM,
LMHOSTS.* and other things you don't want to pick a fight with.
> 3. You will get several hosts and lmhosts files. Double-click each one
>to open it. When you do this, you'll get a Windows dialog box saying
>that Windows cannot open this file, do you want to use the web or
>select from a list to find the proper program. Choose "select from a
>list" and highlight Notepad. Make sure the box to always use this
>program to open this type of file is not checked.
What is LMHosts, anyway?
> 4. Now carefully examine the file. Lines that begin with a # are
>comments and don't count. Leave them alone. Unless you know you use a
>proxy server to get to the Internet or you added entries yourself, the
>only uncommented entry that should be there is:
> 127.0.0.1 localhost
> If you see any other entries, delete them and Save the file. Make sure
>you scroll all the way down to the bottom of the window if there is a
>scrollbar. Do this for each file you found. Now you should be able to
>get to antivirus and spyware-fighting websites.
>And renew your antivirus subscription and this won't happen again.
Correction: This *may* not happen again.
>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
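The hosts-file check quoted above (comment lines start with #, the only expected uncommented entry is 127.0.0.1 localhost, anything else gets reviewed) is easy to get wrong by hand when a hijacked file has hundreds of lines. The following is an added example, not code from either poster, that does the same review mechanically: it parses a constructed sample of a hijacked hosts file, flags every entry that is not the localhost line (or on an optional allow-list for a proxy you added yourself), and produces a copy with the flagged lines commented out rather than deleted so the change can be undone. The sample hostnames and the "::1 localhost" entry for newer Windows versions are assumptions, not taken from the thread.

```python
from typing import Iterable, List, Tuple

# Constructed sample of a Windows hosts file as a hijacked one might look:
# the normal localhost line plus redirections that would make security
# vendors' sites unreachable (hostnames chosen for illustration only).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1       www.f-secure.com
127.0.0.1   www.sophos.com   # hijack entry with a trailing comment
    # indented comment line
10.0.0.5        intranet-proxy.example   # assumed entry the user added
"""

# Entries expected in a default hosts file. The post lists only
# "127.0.0.1 localhost"; "::1 localhost" ships with newer Windows versions
# and is included here as an assumption beyond the post.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, [hostnames]) for every uncommented entry.

    Lines whose first non-blank character is '#' are comments and are
    skipped, as are blank lines. A trailing '# ...' on a data line is
    stripped before the fields are read.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, whole or inline
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def suspicious_entries(text: str, allowed: Iterable[Tuple[str, str]] = ()):
    """Return (line_number, ip, [hostnames]) for every mapping a user should
    review: anything not in EXPECTED or the caller's allow-list of
    (ip, hostname) pairs such as a known local proxy."""
    permitted = EXPECTED | set(allowed)
    flagged = []
    for lineno, ip, names in parse_hosts(text):
        unexpected = [n for n in names if (ip, n) not in permitted]
        if unexpected:
            flagged.append((lineno, ip, unexpected))
    return flagged


def cleaned_hosts(text: str, allowed: Iterable[Tuple[str, str]] = ()) -> str:
    """Return a copy of the file with flagged lines commented out (prefixed
    '# REMOVED: ') instead of deleted, so the edit is reviewable and reversible."""
    flagged_lines = {lineno for lineno, _, _ in suspicious_entries(text, allowed)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        out.append("# REMOVED: " + raw if lineno in flagged_lines else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {', '.join(names)}")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

Run it against a real file by reading C:\Windows\System32\drivers\etc\hosts into `suspicious_entries` instead of SAMPLE_HOSTS; pass your own proxy mapping in `allowed` so it is not flagged, and write the output of `cleaned_hosts` to a new file for review before replacing the original.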