
Clean up infected computer


Name: Rimfire
Date: February 14, 2005 at 15:07:47 Pacific
OS: Win 98 se
CPU/Ram: XP2400+
Comment:

'Dad, I've got a virus and I can't get rid of it!'

I had him shut down and I looked at it later. On reboot, I found several messages of suspicious behavior. Some of these related to 'Wild Tangent' which I was able to take care of with Ad-Aware while in safe mode. I was also able to remove 'The virus he couldn't delete'. This was a collection of files in the root directory with names such as 'cool', 'picture of me and you', 'me drunk.jpg' and others which all linked to the same incomprehensible file.

In msconfig I removed 7 references to 'Isass'. Yes I know, Sasser worm, but on a Win98?

At this point, the computer is almost normal. There is no mouse in normal mode (fine in safe mode). Zone Alarm seems to be blocking nearly everything. Spybot cannot find any updates, despite being version 1.2. Avast reports its own updating as suspicious. I don't know if this is related, but Avast does not complete a scan in safe mode (can't run it in normal - no mouse). I've just tried again and it has been scanning Windows\temp\msgame.cab for at least ten minutes, keyboard and mouse frozen.

I'm thinking maybe I should put his hard drive in my computer and use up-to-date programs to scan it. Else bite the bullet and reformat.

Any ideas?




Response Number 1
Name: jboy
Date: February 14, 2005 at 15:58:16 Pacific
Reply:

From Symantec

W32.Sasser.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm will waste a lot of resources so that programs cannot properly run, including our removal tool.

If you can connect to the infected machine via NIC you can scan the disk using your 'good' AV program.

By chance, is some sort of IM installed on his computer?

I'm not insensitive, I just don't care.



Response Number 2
Name: Rimfire
Date: February 14, 2005 at 17:37:07 Pacific
Reply:

Thanks jboy,

"By chance, is some sort of IM installed on his computer?" You name it, he uses it! At least I've been able to keep him away from P2P.

We have a wireless lan. Zone Alarm has changed my status to forbidden. I've tried to access my shared folder (where I download all the useful tools to) and been blocked. I've tried to transfer from my computer and also been blocked. Actually this makes me feel a little safer.

Another hurdle: my version of Kaspersky won't scan network drives. Not even if the network drive is physically located on my C: drive.



Response Number 3
Name: jboy
Date: February 14, 2005 at 17:53:54 Pacific
Reply:

That's too bad - I wasn't aware that Kaspersky was limited in that way. Just a little easier (and possibly safer) method of scanning than slaving the drive.

I'd mentioned IM since there's an MSN worm making the rounds which dumps similar sounding 'sucker files' and possible reports of something from AIM as well.

I suppose an online scan may also be compromised?

I'm not insensitive, I just don't care.



Response Number 4
Name: buff nasty
Date: February 14, 2005 at 22:15:07 Pacific
Reply:

I wouldn't use MSconfig to configure the startup. Clean the startup properly by dumping the registry keys, otherwise the items are still on your computer. Dump the items out of the startup folder, and follow the instructions on the following link on how to properly fix your startup. Msconfig is not the right way to do it. Also, if you can't delete a file in safe mode you can use a program called killbox that is a free utility found at www.majorgeeks.com to delete the files during reboot. It's sort of an easy shortcut to having to manually do it in recovery console.

http://www.pacs-portal.co.uk/startup_content.php



Response Number 5
Name: Rimfire
Date: February 15, 2005 at 00:57:04 Pacific
Reply:

Thanks again jboy. The major infection does sound like a variant of the MSN worm. sexy.jpg was one of the files I deleted. Further questioning revealed that the file he ran was 'she's got such a big ass... .jpg'.

buff nasty, thanks for your input. Could you narrow down which part of that site you suggest I read? I suspect that you think I'm more of a noob than I really am. I don't see any problem with using msconfig to eliminate possibilities. I really feel that the sasser worm should not be permitted to run on any computer, let alone one in my own house. My aim is to re-establish enough services to allow me to run removal software. This is difficult to achieve when I do not have use of a mouse or network services.

I'd like to visit panda, but I can't.



Response Number 6
Name: JackG
Date: February 15, 2005 at 01:05:56 Pacific
Reply:

I hope that Spybot S&D 1.2 was a typo. That version has not had updates for a long time. Even version 1.3 is long overdue for replacement.

You may need to download some files and copy them onto a CD-ROM to transfer them to his system. Download Spybot S&D 1.3 at MajorGeeks and the latest offline Reference Update package. And Ad-Aware SE Personal at MajorGeeks and its reference file update.

Also download McAfee Stinger while you are at it. It is small enough to transfer on a diskette. While limited to a small number of viruses that it checks for, it does go after the ones that have been recently active.

Once on CD, copy them to a temp folder on his system and then boot it into Safe Mode so you can use the mouse to install them, and use the update packages. (If you have these versions of the programs already installed, you can still use the update packages on his system if it will not download updates.) Then run Ad-Aware SE in safe mode. Then go into normal mode and attempt to update both. (Spybot 1.3 needs to be updated on line once before it works correctly.)

When you get it cleaned up a little more you can boot into Safe Mode and go to Device Manager and locate the Mouse device and "Remove" it. With luck it will find and install itself again when you boot into normal mode.



Response Number 7
Name: JackG
Date: February 15, 2005 at 01:22:11 Pacific
Reply:

Re: using MSCONFIG to remove virus startup entries.

I think his concern may be expressed wrongly. One problem that people run into with MSCONFIG and removing programs is that their Registry entry is not gone, just moved to a different place.

But then later, if they use MSCONFIG's selective startup on some versions of Windows and then uncheck it, MSCONFIG restores these moved Registry entries, and the programs can become active again.

The point is that after using MSCONFIG to disable startup entries, you need to go into the Registry and locate these disabled entries under the RUN- entry and delete them from the system. Then locate the programs and make sure they are gone too.



Response Number 8
Name: Rimfire
Date: February 15, 2005 at 02:54:01 Pacific
Reply:

Thanks Jack! I don't believe that we have actually met before. I have seen your input around these forums and have no reason to suspect that it is not top notch.

I'll reread and try your suggestions in the morning when I can think without a teenage kid punctuating my thoughts. Miss I'm-14-and-always-right just got home after a trip to Canberra to see her favourite band, Good Charlotte.

Alas, Spybot 1.2 was not a typo. He really has kept everything up to date, like he assures me!



Response Number 9
Name: jboy
Date: February 15, 2005 at 10:25:13 Pacific
Reply:

Well, it really does sound as if there is more than one thing going on for sure.

It must be disconcerting to be deprived of the mouse, but (of course) you recall all your keyboard shortcuts ; )

Stinger sounds like it might be helpful - manually, you may have luck using HJT to strip out bogus reg entries, and also check win.ini for 'run' entries.

I'm not insensitive, I just don't care.



Response Number 10
Name: Rimfire
Date: February 15, 2005 at 11:47:06 Pacific
Reply:

Downloading now. I'll be burning a CD shortly.

Yes, it's quite a bummer not to be able to use a mouse. While most things can still be done via keyboard, a few things can't. Tab doesn't seem to work in Avast or ZA. If only I could find the blighter which disables it!

Jack, these reference updates, are they a cumulative update that will bring an old install up to date? Quite a bit smaller than I would have expected.



Response Number 11
Name: Rimfire
Date: February 15, 2005 at 15:30:39 Pacific
Reply:

Does anybody know any good plasterers?

I've been beating my head against the wall since I tried Scanreg /restore.

Currently downloading panda online scan.

McAfee Stinger found nothing.



Response Number 12
Name: buff nasty
Date: February 15, 2005 at 19:49:54 Pacific
Reply:

Sorry about the delay in responding, work has been absolutely overwhelming.

OK, regarding the msconfig startup issue, JackG hit the nail on the head essentially. The first thing I would do is reboot your computer into safe mode and delete as much spyware as possible, and for a good anti-virus program I would suggest the free version of antivir or AVG, as both have done extremely well in their definitions updating. I would then go to msconfig and select "normal startup" to reset all the items back into the startup - don't worry, reboot back into safe mode and then clean the startup the proper way by going to the following locations:

Startup folder in the programs list - delete everything that is absolutely unnecessary.

Registry:
the following locations are where you will find what programs are running at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Delete any unnecessary startup items listed in those two locations. You may also notice folders next to them called RunServices or RunOnce, etc. Clean those out as well.

Deleting the items from the startup registry locations is the surefire way to make sure that they are removed properly. I am currently writing a program (I think it is done) that will clean this out for you automatically. If you are interested, email me at dts@datatechpc.com and I can send you a beta version to run and test. Good luck. :)


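A small offline check of the point JackG makes in Response 7 and buff nasty in Response 12: MSCONFIG only parks an unticked item under a sibling key ending in "-" (Run-, RunServices-), so an export of the CurrentVersion start-up keys still shows it. This is an added example, not code from the thread or from anyone posting in it; the .reg text, its value names and every path in it are constructed for illustration.

```python
import re

# Constructed .reg export (REGEDIT4 is the Windows 9x export header). The value
# names echo items named in the thread; every path below is made up.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Avast"="C:\\PROGRA~1\\AVAST\\example_ashdisp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"WildTangent"="C:\\WINDOWS\\TEMP\\example_wt.exe"
"Isass"="C:\\WINDOWS\\example_isass.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msgame"="C:\\WINDOWS\\TEMP\\example_msgame.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export.
    Non-string values (hex:, dword:) are skipped; they cannot be a start-up command."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        value = STRING_VALUE_RE.match(line)
        if value and current is not None:
            # .reg files escape double quotes and backslashes inside string data
            data = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries[current][value.group(1)] = data
    return entries


def startup_entries(entries):
    """List every value under a Run* key together with how it reaches logon.
    A key whose leaf ends in "-" is where MSCONFIG parks unticked items; they are
    reported as parked rather than gone, because "Normal startup" restores them."""
    rows = []
    for key, values in entries.items():
        leaf = key.rsplit("\\", 1)[-1]
        if not leaf.lower().startswith("run"):
            continue
        state = "parked by MSCONFIG" if leaf.endswith("-") else "active"
        for name, command in values.items():
            # A start-up command launched from the TEMP directory deserves a look
            flag = " [runs from TEMP]" if "\\temp\\" in command.lower() else ""
            rows.append((key, name, command, state + flag))
    return rows


if __name__ == "__main__":
    for key, name, command, state in startup_entries(parse_reg(SAMPLE_REG)):
        print(f"{state:36} {name:12} {command}")
```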

Response Number 13
Name: Rimfire
Date: February 15, 2005 at 20:15:36 Pacific
Reply:

Thanks buff nasty,

That's the sort of advice I needed. I've just about got it sorted. Only a few oddities at startup. Avast complains about writing to 'pcandis3.vxd' 3 or 4 times; the other symptom is Avast complains about writing to 'setiface'. The timing, and when I have denied it, suggests that it is its own updating which upsets it.

Following your advice, I looked into local_machine~run- and found the entry 'wild tangent'. Guess it's time to try another reboot!

He'll be home from school in half an hour ready to download more trojans etc.



Response Number 14
Name: gw2
Date: February 25, 2005 at 00:13:25 Pacific
Reply:

If I may butt in here, what would you guys recommend as the best way to avoid getting infected? Have heavy grey box running XP pro and I would probably launch it through the window if I had these troubles!



Response Number 15
Name: Rimfire
Date: February 25, 2005 at 04:32:21 Pacific
Reply:

I've been thinking for days to remove this thread from my reminder list. The only thing that has stopped me is I am contemplating doing a beta test on buff nasty's software.

The best way to avoid infections is to inter the computer in an underground vault. Preferably guarded by a team of tea ladies (credit for this idea belongs to someone else, just I can't remember who).

If you want to connect the computer to the internet, you will need an up-to-date antivirus scanner, a configured firewall and anti-malware programs - I recommend Ad-Aware and Spybot Search & Destroy (both of these are in the useful links at the top of this forum). Not using Internet Explorer is helpful as it is commonly targeted. I use Mozilla but many recommend Mozilla Firefox.

Avoid many sites. The worst I have come across is Freeporn; it tried to install 13 viruses and even more spyware. File sharing and instant messaging are possibly worse. It was an instant messaging/chat site that infected my son's computer, albeit via an email received from a participant.

Keep everything up to date. The internet is a battleground. Ally yourself with the good guys and your system might survive.

Remember the golden rule. Your computer will be stuffed up at some stage, just make sure that you have adequate backups of anything important!

I'm still tracking this thread, if you need clarification post back here. If you have further questions, you might be better off posting your own thread.



Response Number 16
Name: gw2
Date: March 15, 2005 at 19:20:37 Pacific
Reply:

Rimfire: thanks very much for your response. My apologies for not responding sooner.

I've thus far avoided the entire hassle by surfing with an older computer running W95 and netscape browser, usually with java off, and being careful where I stick my mouse. No antivirus software, and no viruses. But I'm going to have to make the leap into the 21st century soon.

I will figure on Mozilla Firefox, Ad-Aware, Spybot, ZoneAlarm?? or NOD (mentioned on another thread). Not sure what to do about the firewall. I'll be connecting with ISDN since my rural area will probably never see DSL. Maybe I can use a Cisco ISDN router with integrated firewall.



Response Number 17
Name: Rimfire
Date: March 15, 2005 at 22:55:01 Pacific
Reply:

Zone Alarm is a software firewall and it is a freebie. I don't know if you would need a Cisco brand router in order to install a hardware firewall. Instead I would look at some of the cheaper offerings. A wireless router is available fairly cheap because of the demand. You can turn off the wireless side until such time as you might use it.

NOD is one of the lesser known commercial Antivirus packages. I don't know if there is much between the brands. I guess the better ones have solutions available a few minutes before the more mediocre ones. There are a couple of free AV products. One is AVG the other Avast. Both are reasonable. Their downside is that they are updated daily rather than every 4 hours like the big brands.

Firefox is becoming increasingly popular. When (and if) it becomes more popular than IE, it will be targeted by the malware authors. There has already been a flaw identified with its tabbed browsing - a message could come up from another tab which looks just like it's from the open tab. That is, a smutty site you had a glance at might send a message that you needed an update while you were looking at a Microsoft page.

ISDN might not be your best choice, even bidirectional satellite is cheaper and faster!



Response Number 18
Name: SkipCox
Date: March 20, 2005 at 17:56:20 Pacific
Reply:

Rimfire,

You're not the only one fighting to clean up machines running 9x OS's. A relative brought me two PII450 machines last Friday that were among the worst I've seen. One would post and the other would boot to safe mode...that's all.

After about 70 hours during the week, I was able to clean the machines and repair the user induced errors. I found literally thousands of virii, worms, trojans, hijackers and other assorted malware and that was the easy part.

Seems as the machines started to go to hell that the owners began banging keys...making back-ups to numerous folders, associating files with about any extension imaginable, creating new users, password protecting anything and everything, and likely some "fixes" I can't begin to imagine.

Correcting that part of the mess ate up the most time.

Installing Win98 updates, ZoneAlarm, AVG, AdAware, Spybot and Spyblaster and a few other tweaks completed the process and both machines are happily running for their new owners.

I know it would have been much easier to pave the road and reinstall everything but I haven't done a lot of serious problem solving on Win98 lately; it was a learning experience. I imagine your experience was an eye opener too.

I'm also amazed they even had the time to get all this stuff on the machines; they were on dial up!

I removed about 5,000 malware files from an unprotected XP machine connected to cable last year and was surprised at the amount of crap I found. That kind of infection on a 98 dial-up machine just floored me.

Amazing that it could all have been avoided with five free programs and an hour per week spent updating and scanning.

You did good; I hope your son learned something too.


Skip



Response Number 19
Name: Rimfire
Date: March 21, 2005 at 11:35:20 Pacific
Reply:

Sounds like you had a bit of fun with those computers Skip!

As a rule, I like to do a full rebuild on any second hand computer that comes my way. That way I know exactly where I stand. It avoids a lot of problems including relics of long uninstalled programs and corrupted files. I also don't like the idea of pirated software that I am unaware of.

I only spent a day on my son's computer. Once I had the mouse back (scanreg /restore), I was able to update Ad-Aware and Spybot S&D and get rid of the problems. I never was able to get Panda to run. Apart from that, his computer is behaving in an acceptable manner. Mind you, he complained last night that his new video card I installed a week ago is causing crashes.

Nice to bump into you again, even if here in the catacombs of long forgotten threads!



Response Number 20
Name: SkipCox
Date: March 22, 2005 at 12:12:49 Pacific
Reply:

Hi Rimfire,

Actually, I was watching this thread to see how you made out.

I received a 233 and a 300 from the same person yesterday. They also came from the same owners and were in about the same condition. Unbelievably, they both came with all the CDs in pristine condition and they both received an fdisk/format and clean install of 98 and Office 97.

Now, everyone in the house has their own machine and couldn't be happier.

The original owners of the 4 machines bought 2 brand new rigs...wonder how long it'll take them to destroy the new ones?

"he complained last night that his new video card I installed a week ago is causing crashes."

:)

Skip



Response Number 21
Name: Rimfire
Date: March 22, 2005 at 12:41:23 Pacific
Reply:

Hi Skip, I considered the original purpose of this thread to be finalised five weeks ago. I just haven't removed it from my tracking list yet. As you have been following the saga, I feel I should let you know that jboy and I exchanged some advice via PM (he was facing some tricky networking problems at the same time).

I haven't looked at the video card problem yet, I spent a good part of yesterday sorting out a new computer for my daughter. The rest of the day was spent at the pub!



Response Number 22
Name: SkipCox
Date: March 22, 2005 at 21:29:14 Pacific
Reply:

"The rest of the day was spent at the pub!"

Yep, my price for the two PII450's was 2 liters of brandy.


Skip



Response Number 23
Name: Rimfire
Date: March 22, 2005 at 22:19:41 Pacific
Reply:

I hope you meant you drank that much sorting out the problems. If not, are you interested in some 486s at a six-pack apiece?



Response Number 24
Name: SkipCox
Date: March 23, 2005 at 09:05:44 Pacific
Reply:

That's what I meant...not the kind of job you want to do sober.

Sure don't need any more 486 machines either. I have 3 DX4-100's in the garage waiting to be built...ran out of AT cases.

Skip

