Very tough virus when downloading compiler
Wakenaam
October 7th, 2008, 05:33 AM
My Friends: I picked up a virus when downloading a compiler to open a compressed movie. My desktop changed with "Virus Alert!" in the system tray, a red background, strange icons like Malware Defender, System Error Fixer and Protect my Privacy icons. Half my icons are gone. My start menu is missing items like Programs and Find. I could not get into Safe mode; it goes into a memory dump instead. I ran full scans via another computer with AVG and McAfee, then re-installed Windows XP SP2. Now I can get into Safe Mode but the other problems are still there when I boot normally. Can't connect to the Internet either. Any idea how to fix this? Reformatting is a very last resort. Thanks for any help.
w31n3r
October 7th, 2008, 06:12 AM
so you've formatted your primary drive before reinstalling windows right? just wondering since installing windows on your primary partition (usually c:) without formatting it leaves two copies of windows on that partition, which is not a good idea. please clarify this.
next i suggest you get Hijack This (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download), and run a "system scan and save log file". post that log file here so someone can read it and see if anything's out of the ordinary.
then make sure that all your device drivers are installed, including drivers for your network card/modem. this is just a few initial steps to get started. the more info you provide here (any recent changes, updates, etc) the faster someone can help.
EDIT: ffs, can someone please ban jsksrinivassurveys already...s/he/it's been at it all day.
w31n3r
October 7th, 2008, 06:16 AM
Some Spam BS
oh no you don't mofo, you ain't getting the last word in here.
mountain_rage
October 7th, 2008, 06:29 AM
Anyone else find it sad that a Spambot can get into the list of top posters for the last 28 days?
w31n3r
October 7th, 2008, 06:44 AM
Anyone else find it sad that a Spambot can get into the list of top posters for the last 28 days?
rainbowdemon's online, looking at this thread as i type this. he must have been called away from his computer, i'm expecting the hammer to fall any time now...tick, tock, tick, tock...
RACKnRAIL
October 7th, 2008, 08:15 AM
I did some googling and Bleepingcomputer.com (http://www.bleepingcomputer.com/) has a tool called combofix that may be of help for this virus.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Also, Malwarebytes (http://www.malwarebytes.org/mbam.php) is a good program, if things are running well enough to install and update. I usually run this program in safe mode with networking.
Finally, if you get things back to normal, another great free tool is superantispyware (http://www.superantispyware.com/).
kluelos
October 11th, 2008, 12:11 PM
Wow! My first post, I took some time to carefully think about it, and this board timed me out. After that long reply, it was just going to dump the message I'd spent all that time over, just throw it out and tell me to log in again. Major, major fault. This is the product of illiterate coders who can't imagine anyone would possibly need to take some time with a message, and figure there's some (completely bogus) security issue if it takes that long.
But since I've seen this sort of inexcusable crap before, I was wily enough to select and copy the message I'd worked so long on, before letting the board destroy it. It follows. Don't reply to me, I doubt I'll ever be back. Hope it helps the guy who asked.
-------------------------------------------------------------
I have recovered from this sort of infection before, but it can be pretty difficult to do. It's a good training exercise, because you've got to keep a close eye on your own attitude. When you become angry or frustrated or despairing you need to walk away from the whole mess for a while, and recenter yourself. Emotions are the enemy, here.
Don't do anything without asking yourself first how you can recover from it if it goes wrong. Take your emotional pulse and if it's elevated, don't make any decisions about anything.
If you're not very familiar with your system's internals, you really need to pass this on to a pro. You'll need to understand the registry well and be confident about editing it. If you're not, then this is no job for you. Take it to a shop.
If it's at all possible, you should back up your drive before you start, even if that means removing it, installing it in another computer as drive F: or something, and taking the backup that way, before putting the drive back. If nothing else, back up your Documents & Settings directory. Most of your personal stuff will be in there, but so will a lot of the malware. Be careful with it.
"If you haven't seen it before, then don't click on it." - Repeat three times.
A lot of malware installs the disease, then offers to sell you the cure. A lot of it strives to look like official system messages. Never click on these, just close them.
As soon as you can (have control of the system again), install Process Explorer. You need to be familiar with which processes are legitimate and which are not. Some of the illegitimate ones will restart themselves if killed, and that means another running process respawned them. You'll need to find that and kill it first, then find its executable and delete it. It may be an infected system file, which Windows will just recopy if you delete it, so you'll need to work around that.
Look, are you SURE you wouldn't rather take this to a shop?
SuperAntiSpyware is an excellent start, but only a start. Attacks like this have several parts. Your time display settings for your system clock may have been changed, and you'll have to redo those manually. A different screensaver may have been installed, and you'll have to get rid of that by hand.
Many of your menu and desktop settings have probably been changed by the attacks, and you'll probably need to fix these one by one. All of the information you need is out there and googleable, but it may take some patient digging.
Malwarebytes' Anti-Malware is another essential tool, but also one you will want to keep around as a monitor, on top of anything else you have (antivirus). These two will do a pretty good job of digging a lot of things out, but nothing does it all.
I also want to recommend a program called "Autoruns" from sysinternals.com, which will tell you what programs are set to run automatically in various ways. It's good at finding insidious stuff, but you do have to know what you're doing with it.
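The advice above about processes that come back after being killed boils down to one question: which parent started them? The following is an added example (not from the post or from Sysinternals) that builds a parent/child tree from a process snapshot and, for each process running from an unusual location, reports the nearest ancestor that also runs from an unusual location, which is the one to examine before killing the child. The snapshot is constructed: the process names echo the icons mentioned in the thread, and the PIDs, paths and the "svchosts.exe" parent are hypothetical. On a real XP box the same data comes from Process Explorer or tasklist.

```python
"""Process-tree triage: find what would respawn a suspicious process.

Added example, not from the original post.  A snapshot of running processes
(constructed below) is turned into a parent/child chain so that, for a process
that keeps coming back after being killed, you can see which parent to look at.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str  # full path of the executable, "" when unknown (kernel pseudo-process)


# Directories a Windows XP system normally runs its own binaries from
# (this example's own allowlist; extend it for your environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Constructed snapshot.  Names echo the icons from the original post;
# PIDs, paths and the "svchosts.exe" parent are hypothetical.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(600, 4, "smss.exe", r"C:\WINDOWS\system32\smss.exe"),
    Proc(700, 600, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    Proc(1100, 700, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    Proc(2000, 1100, "svchosts.exe",
         r"C:\Documents and Settings\User\Local Settings\Temp\svchosts.exe"),
    Proc(2500, 2000, "SystemErrorFixer.exe",
         r"C:\Documents and Settings\User\Application Data\SystemErrorFixer.exe"),
    Proc(2600, 2000, "ProtectMyPrivacy.exe",
         r"C:\Documents and Settings\User\Application Data\ProtectMyPrivacy.exe"),
]


def by_pid(snapshot: list[Proc]) -> dict[int, Proc]:
    return {p.pid: p for p in snapshot}


def ancestry(snapshot: list[Proc], pid: int) -> list[Proc]:
    """Chain from the process up to the root, oldest ancestor last.

    Stops at an unknown parent or on a cycle: PIDs are reused, so a stale
    ppid in a snapshot can point back into the chain.
    """
    index = by_pid(snapshot)
    chain: list[Proc] = []
    seen: set[int] = set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def is_unusual_path(path: str) -> bool:
    """True for a known path outside the trusted system directories."""
    p = path.lower()
    return bool(p) and not p.startswith(TRUSTED_PREFIXES)


def flag_unusual_paths(snapshot: list[Proc]) -> list[int]:
    """PIDs of processes whose executable lives in an unusual location."""
    return sorted(p.pid for p in snapshot if is_unusual_path(p.path))


def likely_respawner(snapshot: list[Proc], pid: int) -> Optional[Proc]:
    """Nearest ancestor that itself runs from an unusual location.

    Heuristic: if killing `pid` only makes it reappear, this is the first
    parent to examine (and to stop) before deleting the child's executable.
    """
    for proc in ancestry(snapshot, pid)[1:]:
        if is_unusual_path(proc.path):
            return proc
    return None


def triage_report(snapshot: list[Proc]) -> list[str]:
    """One line per flagged process: its parent chain and the parent to check first."""
    index = by_pid(snapshot)
    lines = []
    for pid in flag_unusual_paths(snapshot):
        proc = index[pid]
        chain = " <- ".join(p.name for p in ancestry(snapshot, pid))
        line = f"{proc.name} (pid {pid}): {chain}"
        parent = likely_respawner(snapshot, pid)
        if parent is not None:
            line += f"; check parent {parent.name} (pid {parent.pid}) first"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SNAPSHOT)))
```

The path allowlist is deliberately crude: plenty of legitimate software runs from a user profile, so a flagged entry is a starting point for a look in Process Explorer, not a verdict. The value of the chain is in the ordering: the two "fixer" processes share one parent in Temp, and that parent is what needs to go first.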
TorrentSearch
October 12th, 2008, 07:07 AM
I found a cool site for scanning for viruses. It uses all the top antiviruses.
http://www.virustotal.com/
Just upload your file and it will scan it with:
AhnLab-V3 ,AntiVir, Authentium, Avast, AVG, BitDefender ,CAT-QuickHeal, ClamAV, DrWeb, eSafe, eTrust-Vet, Ewido, F-Prot, F-Secure, Fortinet, GData, Ikarus, K7AntiVirus, Kaspersky, McAfee
Microsoft, NOD32, Norman, Panda, PCTools, Prevx1, Rising, SecureWeb-Gateway, Sophos, Sunbelt, Symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster.
All great antiviruses.
fpu
January 12th, 2009, 04:20 PM
Bitdefender and Spyware Doctor are the best apps... But you should format again (all drives) and don't use quick format.
rocket357
January 12th, 2009, 07:49 PM
Major, major fault, This is the product of illiterate coders who can't imagine anyone would possibly need to take some time with a message, and figure there's some (completely bogus) security issue if it takes that long.
So leaving authenticated tcp/ip connections laying around idle is "bogus"?
http://tools.ietf.org/html/rfc1948
Yes, that paper is from 1996...tcp/ip has been around since the 80's. Take care to read the section "Security Considerations" near the end.
And since you're probably thinking that tcp/ip sequences have improved since 1996, I've got a surprise for you (this is a scan of a fully patched Windows XP machine):
Cerebus rocket357 # nmap -vv -P0 -A -p 135-139,445 192.168.123.101
<snip scan output>
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows 2000 SP4, Windows XP SP2 or SP3, or Windows Server 2003
<snip fingerprint details>
IP ID Sequence Generation: Incremental
Service Info: OS: Windows
Nmap done: 1 IP address (1 host up) scanned in 7.71 seconds
Raw packets sent: 23 (1724B) | Rcvd: 25 (1592B)
The same, against OpenBSD 4.3:
Cerebus rocket357 # nmap -vv -P0 -A -p 22-80 192.168.123.1
<snip scan output>
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
<snip fingerprint details>
IP ID Sequence Generation: Randomized
Nmap done: 1 IP address (1 host up) scanned in 12.97 seconds
Raw packets sent: 185 (12.428KB) | Rcvd: 126 (7112B)
P.S. - I left to eat after starting this post, came back and finished it, and clicked submit without zeropaid "making me log in again".
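The line the two scans differ on, "IP ID Sequence Generation", describes how the 16-bit IP identification field changes between a host's replies. An incremental counter, as on the XP host, lets any outside observer infer how many packets the host has sent between two probes, which is a measurement side channel; a randomized field, as on the OpenBSD host, gives that away nothing. The following is an added example (not from the post or from nmap) that performs that classification on a list of observed IP IDs. The category names follow nmap's loosely; the thresholds are this example's own choices, and the two sample hosts are constructed.

```python
"""Classify a host's IP ID generation from a list of observed IDs.

Added example, not from the original post and not nmap's code.  Given the IP
identification values seen in consecutive replies from one host, decide whether
the field behaves like a counter (predictable) or is randomized.  Category names
loosely follow nmap's "IP ID Sequence Generation" line; thresholds are this
example's own.
"""
import random

PREDICTABLE = {"all zeros", "constant", "incremental", "broken incremental"}


def ipid_deltas(ids: list[int]) -> list[int]:
    """Differences between consecutive IDs, modulo 2**16 (the field wraps)."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: list[int]) -> str:
    if len(ids) < 3:
        raise ValueError("need at least three samples to classify")
    if any(not 0 <= i <= 0xFFFF for i in ids):
        raise ValueError("IP ID is a 16-bit field")
    if all(i == 0 for i in ids):
        return "all zeros"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= 10 for d in deltas):
        return "incremental"            # plain counter, as on the XP host
    if all(0 < d <= 5120 and d % 256 == 0 for d in deltas):
        return "broken incremental"     # counter stored byte-swapped
    if any(d > 20000 for d in deltas):
        return "randomized"             # as on the OpenBSD host
    return "random positive increments"


def is_predictable(ids: list[int]) -> bool:
    """True when an outside observer could infer the host's packet count from its IDs."""
    return classify_ipid(ids) in PREDICTABLE


def simulated_samples(seed: int = 7, n: int = 8) -> dict[str, list[int]]:
    """Constructed samples standing in for the two hosts in the scan above."""
    rng = random.Random(seed)
    counter_host = [(65530 + i) % 0x10000 for i in range(n)]   # wraps past 65535
    random_host = [rng.randrange(0x10000) for _ in range(n)]
    return {"counter_host": counter_host, "random_host": random_host}


if __name__ == "__main__":
    for host, ids in simulated_samples().items():
        print(f"{host}: {ids} -> {classify_ipid(ids)}"
              f" ({'predictable' if is_predictable(ids) else 'unpredictable'})")
```

The fix for a predictable counter is not something you configure on the host being scanned; it is an operating-system property, which is why the OpenBSD box and the XP box differ even though both are fully patched. What the check is good for on the defending side is inventory: run it against your own hosts' replies and you know which ones leak a packet counter to anyone who can reach them.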