Re: HELP!

From: Malke (malke_at_nospoonnotreally.com)
Date: 07/13/04


Date: Mon, 12 Jul 2004 15:50:54 -0700

sophie wrote:

> My computer seems to be infected with a worm (sasser?) or
> virus. It runs extremely slow, and I can't connect to
> windows update or symantec. I can use my yahoo e-mail
> account (again, very slow). How can I get rid of a worm or
> virus if I can't download the latest virus updates? I
> haven't even run windows update for months. Any help
> appreciated--thanks.

The first thing you do is take the infected machine OFF the Internet.
Then you either a) go to a clean machine and download what you need and
burn to a CD-R; or b) take the machine to a good local repair shop for
cleaning. If you decide you want to try and fix this yourself, here are
some steps you can take:

a) For Sasser:
To stop the rebooting, go to Start>Run and type "shutdown -a" without
the quotes. For information about the worm, go here:

http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

Get the worm off your system and then immediately patch XP:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx -
TechNet bulletin with download links
http://windowsupdate.microsoft.com

b) You may have a virus that immediately breaks any av installed. This
could happen if you had an older antivirus version, weren't updating
its definitions or didn't renew your subscription. The usual way to
deal with this is to:

1) Take the infected machine off the Internet and any LAN immediately.
2) From a different, clean machine download Stinger
(http://vil.nai.com/vil/stinger/) and run it in Safe Mode. Stinger is a
limited virus checker, but its advantage is that it is standalone and
doesn't need to be installed.
3) Hope that Stinger cleans up the machine enough to be able to
reinstall your av or install a new, current one. Update its definitions
and do a full scan.
4) Continue the cleaning process by removing any spyware. Always read
the instructions before running a spyware removal tool. It is best to
run antivirus and spyware removal tools in Safe Mode.
5) After you've installed your full-featured av, update its definitions
and run a full system scan.
6) Make sure you are running a firewall.
7) Go to Windows Update and apply all security patches for your
operating system. Do not install drivers from Windows Update.

c) Your hosts files may be compromised so you can't get to antivirus
sites, etc. Check the hosts files as follows:

1. I'm assuming you have XP since while they can be carriers of the
virus, Win9x/ME are not affected by the virus. In XP's Search
preferences, set the files and folders handling to Advanced, and then
check the box that will make Search look in hidden files/folders.
2. Now enter the search term "hosts" without the quotes.
3. You will get several hosts and lmhosts files. Double-click each one
to open it. When you do this, you'll get a Windows dialog box saying
that Windows cannot open this file, do you want to use the web or
select from a list to find the proper program. Choose "select from a
list" and highlight Notepad. Make sure the box to always use this
program to open this type of file is not checked.
4. Now carefully examine the file. Lines that begin with a # are
comments and don't count. Leave them alone. Unless you know you use a
proxy server to get to the Internet or you added entries yourself, the
only uncommented entry that should be there is:

127.0.0.1 localhost

If you see any other entries, delete them and Save the file. Make sure
you scroll all the way down to the bottom of the window if there is a
scrollbar. Do this for each file you found. Now you should be able to
get to antivirus and spyware-fighting websites. Continue your cleanup
by removing spyware with Spybot Search & Destroy from
www.safer-networking.org and Ad-aware from www.lavasoftusa.com. Be sure
to update these programs before running them. These programs are free,
so run them both since they complement each other. You may also want to
run the latest CWShredder and HijackThis from
http://www.spywareinfo.com/~merijn/index.html. Although CWShredder is
no longer being updated, it will kill earlier variants of the malware.
Always read the instructions before running a spyware removal tool. It
is best to run antivirus and spyware removal tools in Safe Mode.

HTH,

Malke

-- 
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
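The hosts-file check in step c) can be automated so that nothing is missed at the bottom of a long file. The following is an added example, not code from the post: it parses a hosts file the way Windows reads it (blank lines, full-line comments and anything after an inline `#` are ignored) and reports every active entry other than `127.0.0.1 localhost`, with an allow-list for proxy or user-added entries the owner knows about. The sample file contents and the redirected hostnames in it are constructed for illustration.

```python
from typing import List, Set, Tuple

# Constructed sample of a tampered XP hosts file (not from the original post).
# Lines 5-7 mimic what the post describes: update and antivirus sites pointed
# back at the machine itself (or nowhere), so they can never be reached.
SAMPLE_HOSTS = """\
# Constructed header comment, as found at the top of a hosts file.
#
# Full-line comments like these are ignored by Windows.
127.0.0.1       localhost
127.0.0.1  windowsupdate.microsoft.com
127.0.0.1\tliveupdate.symantec.com  # inline comment after the entry
0.0.0.0   www.sarc.com
"""

# The only uncommented entry the post says should be present on a clean box.
DEFAULT_ALLOWED: Set[Tuple[str, str]] = {("127.0.0.1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, [hostnames]) for every active hosts entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Strip an inline comment, then surrounding whitespace (tabs included).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank line or full-line comment
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname resolves nothing
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def audit_hosts(text: str, allowed: Set[Tuple[str, str]] = DEFAULT_ALLOWED
                ) -> List[Tuple[int, str]]:
    """Flag every active (ip, hostname) pair that is not on the allow-list.

    `allowed` holds pairs the owner knows about (e.g. a proxy entry they added
    themselves); everything else is reported with its line number so it can be
    deleted in Notepad, including entries far down past the scrollbar.
    """
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if (ip, host) not in allowed:
                findings.append((lineno, f"{ip} {host}"))
    return findings


if __name__ == "__main__":
    for lineno, entry in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: unexpected entry -> {entry}")
```

On a real XP machine the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts` (the standard location, not stated in the post); any reported line should be removed before reinstalling or updating the antivirus.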

