Virus (Has to be a quick message)... (ahem)

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
I have quite a big big problem in regards to what I'm suspecting is some type of virus which has hit my PC mighty hard. For many years I haven't (knowingly) suffered from any viruses on my actual computer, but whatever I have at the moment has completely messed up my head, and time for World of Warcraft!

Anyway, it only just happened to take effect a few hours ago, the first thing which prompted me was that my Antivirus (Norton Internet Security 2005, Up to date definitions as of 28/05/05) was corrupted and needed a reinstallation, and it would deactivate itself (Couldn't re-enable it) as well as the actual firewall as well. When I opened up Norton everything was blanked out with "TAMPERED" under each option, so that has kind of led me to believe that something has directly targeted my Antivirus to just knock it offline. As soon as they both went off I just disconnected from the internet (For what little good it did).

I restarted the PC and everything was working fine again, or so it seemed. After I went to load up some programs (Like... World of Warcraft, Mozilla etc) it just came back that there was an error and it wouldn't load back up after that then, again prompting a possible restart. Instead I tried to do a system scan instead of just leaving it, a bit of the way through it, it popped up stating that it was once again corrupt.

I started to have my suspicions on what virus would knowingly go for the Antivirus, and came up with things like MyDoom, Nimda etc. I went onto the Symantec website and downloaded the latest FX-MyDoom Removal Tool, I ran it and then I got hit with a Bluescreen. That certainly didn't happen before when I've run other Removal Tools. I restarted and tried again, and again it happened. After about the 5th time I started to get the picture and gave up on that.

The Blue Screens were all different, but some were more common, I can't remember the actual error messages (I think some were IRQL_LESS_THAN_EQUAL, <something>Non_Paged) and there was a file which was ntfs.sys which I think is one of those "critical" system files within XP. The times I've had them errors was a few months ago, when I had the dodgy memory so I tried the settings of 130x17 significantly lowering my FSB but that was around the settings which I had which sorted the actual Blue Screens out (Previously...) although I have not yet installed the new Enermax Noisetaker which was replaced a few weeks back, it's still on my shelf in its actual packaging. I don't think it's a hardware fault though.

I went into Safe Mode, and tried doing the MyDoom scan from within there, it did do it - But it was unfortunately slow while scanning through the actual KotoR2 Game Folder, it was on scan about 30mins and then I watched that film with Tom Hanks (Which is on at the moment) but it just didn't go anywhere, half way through the film it was still scanning that folder. I cancelled it off.

Just trying again, and once again I was hit with a Blue Screen while running the MyDoom Scan within WindowsXP. I don't get enough time to stay on the actual PC if things are running it will just crash, so instead of being on the internet typing this I have to use Notepad and paste it through.

Another thing is so long into logging onto the internet, everything just won't work anymore, no pages, no irc, no msn - nothing, I was thinking if the firewall was to blame for it but I just don't know.

This virus or whatever has completely got me, I just don't know what to do next because I don't have enough time to do anything - and with the Norton things failing I'm at a loose end. I don't really want to format my computer, that is only a very very last resort.

I'm only interested in serious replies to this thread, I can't be bothered with anything else, cheers:

Windows XP SP2
Norton IS 2005 Updated definitions

(I've just noticed as well, any programs that I run just crash instantly, meaning unable to access any internet sites - obviously by the time this is posted it will be fixed but just to make sure you know)
 

Uriel

Fledgling Freddie
Joined
Dec 23, 2003
Messages
89
Given that you seem pretty stuck I'll try not to ramble.

First, I don't think NAV is that good (and what's happened to you sounds very similar to a laptop I came across running NAV2003). Try downloading the fully functional trial version of Kaspersky which I've always found to be great http://www.kaspersky.com/

Second, if that doesn't work/won't install try Trend Micro's online 'housecall' http://housecall.trendmicro.com/hou.../start_corp.asp

Either of these options should hopefully pick up and kill whatever's infected your machine. If they don't/can't run for long enough without crashing, your next (perhaps first) priority is to get a handle on what can/needs to be backed-up. I managed to lose a spectacular amount of stuff after a hard drive crash, so stay calm and prioritise.

That done, what happens next depends on whether you have access to a second PC or not. Ideally, you want a friend to burn you off something like this http://www.ultimatebootcd.com/index.html or http://www.ubcd4win.com/ so you can start the machine without logging on to the infected client. With a decent bootdisk you can either run anti-virus s/w separate from the OS or start burning important stuff off. If you don’t have access to a second machine you could be in a little more trouble since there’s a risk any bootdisk you make yourself will be infected by the virus…

Without going so far as to state the obvious you want to avoid crashing your machine too much since the last thing you want is an infected PC with a corrupt filesystem. Also, it's pretty late (at least where I am) so unless something strikes you as a solid gold fix, you might want to leave it for the morning and approach the thing fresh, nothing more stressful than watching a blue bar crawl across the screen at 3am.
 

Tom

I am a FH squatter
Joined
Dec 22, 2003
Messages
17,358
If it were me, and I didn't have a backup of my important files, I'd stick another HD in there, copy the important stuff into a folder, and format the old drive.

Nuke it from orbit, it's the only way to be sure.

Make sure you scan the files you copied before anything touches them (once you've reinstalled the OS)
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
A small breakthrough, I installed Kaspersky, I have used it in the past from all that I'm aware. Anyway, again I have to use Notepad because of the virus. I installed Kaspersky Personal for the moment, upon trying to update the definitions manually it wouldn't work (Didn't see that coming...) so I tried to manually download them from the site to no avail. Shortly after that I tried a system scan (With out of date definitions) but alas, same as before the system crashed. I didn't get deterred from this though, I connected just to update you all when Norton crashed on me, when it did Kaspersky automatically kicked in and said "Lovesan IP <xx.xx.x.x..x> is attacking your computer, it has been successfully repelled". At the time I thought "Lovesan" was just the name of someone trying to attack the computer, but upon Googling I found that it is in fact a virus! And next to it, it had "MS Blast" (To which I went awww fuck!).

When I went to get some information, the small information I gathered from Google was that it was a DCOM type virus, or RPC. Just then the RPC error message popped up saying that my PC was going to restart in 1 minute. To a point when I went "shit.. this is the part where my PC never boots up again now.." Luckily it did... Going to try and get something for this MS Blast/Lovesan now
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
I installed the DCOM thing, although it may now be disabled I don't know if it is too late. With the actual virus (Whatever it is) being installed it's not helping (ack)

I went into Safe Mode and did the FX MSBlaster removal, first it Blue Screened me, second time it did it successfully but found nothing (Oh fuck off Norton..)

I have tried to access the Control Panel to remove Norton Internet Security in Safe Mode, but it said I had to be in Real Mode to actually remove it (Again, Fuck off Norton). I tried activating the Windows Firewall to which it said that it needed Services setup, I tried going into services and I saw some Internet Explorer script run - and close it down automatically.

Now I'm thinking that this "virus" has gone and attacked the Services so I can't enable or disable anything. I have work now, and with my pc going off its tits I'm going to have to access the forums from work to see what people have said.

And just as I'm typing this Norton has completely disabled leaving me with no protection apart from Kaspersky, so I'm going to have to turn off the PC.

If anyone knows any ways of removal, if they can post them - With me not being able to access the internet properly at home (and being at work) it makes it a very difficult task with only one pc
 

Ardrias

Fledgling Freddie
Joined
Dec 29, 2003
Messages
478
Grisoft has a pretty nice removal tool for various kinds of viruses, that I find works pretty well. You can grab it here. Might not help, but at least it's another thing to try.

Edit: Saw you didn't have access to net at home, but it's tiny so you can just stick it on a floppy or some such.
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
Well still at work so it sucks, but I'm on an hour dinner break so I can do some research somewhat into it. Norton website was fruitless, as was the Grisoft site (!) but upon checking McAfee I got this:

By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in-turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest dats/engine/config and an on-demand scan run to pickup msblast.exe, IF it exists. All of these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe may not be present at all.

inability to cut/paste
inability to move icons
Add/Remove Programs list empty
dll errors in most Microsoft Office programs
generally slow, or unresponsive system performance

I haven't (yet) installed this Microsoft Patch, although I have emailed it to myself hoping that I can. I know this virus isn't going to make it an easy download though.

When the RPC error kicked in, I was unable to do a Copy/Paste of what I wrote on here, I was getting loads of .dll errors, mainly when loading Mozilla/World of Warcraft. "Generally slow/unresponsive" is such an understatement for this mind, took me about 10mins to load up and logon to the internet

Looking up it does look ok to remove if it works, going to try the manual removal first, get Norton the hell off my system and then get that patch installed
 

Embattle

FH is my second home
Joined
Dec 22, 2003
Messages
13,523
I take it you have removed your internet connection?
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
I am still able to connect to the internet at home, it's just unbelievably sluggish to do anything - But I think it's more the system unstable
 

Ch3tan

I aer teh win!!
Joined
Dec 22, 2003
Messages
27,318
He means (I think), that he takes it you have tried using your pc with the net connection disabled.
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
Got home, I knew it wasn't going to be a ride in the park for some reason.

I checked the MS Patch for Blaster, I installed it, waited forever for it to install, and then wait longer to think about what it's going to do - Only to tell me that the "patch" I have is newer than the one I tried to install, and wasn't for Service Pack 2 users.

Charming.

I tried again - Only it told me to basically fuck off because I was using Firefox and not Internet Explorer as my browser. That was so fucking nice, maybe I would if the bastard thing would work you wankers so basically, I can't patch up to the new version of the patch as Microsofty won't let me.

I went into Safe Mode and did a Scan using STINGER from Trend, it found nothing. I did another scan in Windows - Again, nothing.

I don't get what is happening, I know it's some variant of Blaster most definitely, but the signs aren't showing, like in the Registry it says to delete the key "windows auto update" from the Run tree, only it's not there.

It says to delete blaster from system32 and CAD it - Only it's not there. I don't get it, at all.

I did some scans while connected to the internet, and Kaspersky told me "woooah! watch it bud, there's some hack called HELKERN trying to attack you!" and then my system would slowly deteriorate.

I did it without the internet connection, but again it found nothing

*blank* Going to have a look at this Helkern if I can
 

Embattle

FH is my second home
Joined
Dec 22, 2003
Messages
13,523
My point regarding the internet connection is that you may either be opening your PC to further attacks or possibly getting more viruses downloaded to your PC without realising....I would stay off the net, even unplug the connection unless you really need to go on the net.
 

Uriel

Fledgling Freddie
Joined
Dec 23, 2003
Messages
89
Agree with the above posters, staying online might be causing you further problems. Download the latest definitions for Kaspersky. Install a decent firewall like http://smb.sygate.com/products/spf_standard.htm and install some decent anti-spyware either http://www.webroot.com/downloads/ or http://www.lavasoftusa.com/software/adaware/

Then, disconnect from the net and start to clean house. Once the spyware/AV have run their course make sure the firewall is turned on and reconnect. Iirc MSBlaster infects people remotely through hijacked machines so even if you clear it off your system there's a chance you'll be reinfected. The firewall should stop this from happening.
 

Lazarus

Part of the furniture
Joined
Dec 22, 2003
Messages
2,874
Uriel.

Nice tip for the Kaspersky antivirus. I was using Grisoft and having problems on a machine I'm trying to fix. Uninstalled Grisoft and installed Kaspersky and it has found a virus that Grisoft didn't.

However, how do I apply the updates I have in the zip file (virus definition) to the PC?

The PC does not have a net connection and I d/loaded and transferred the file over.

<<edit>> no matter - found it!!!
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
Here's the things that I've tried, some with success, some without:

Norton Antivirus (In Windows) - Crash
MyDoom Removal Tool (In Windows) - Crash
MyDoom Removal Tool (In Safemode) - Crash
Spybot Search and Destroy 1,2 (In Windows) - Crash
Kaspersky Antivirus (No updated definitions) (In Windows) - Crash
MSBlaster Removal Tool (In Windows) - No virus found
MSBlaster Removal Tool (In Safemode) - No virus found
Microsoft Malware Tool (In Windows) - No Malware found
Microsoft Malware Tool (In Safemode) - No Malware found
Kaspersky Antivirus (With updated definitions) (Took over an hour to install) - No virus found (Took over 3 hours to complete)

I still can't install the Microsoft Patch for Blaster because of Internet Explorer, perhaps if I did get that I would be able to do something, but this is starting to really piss me off now.

I haven't though, had any Blue Screens (Touch wood) for a very long time, everything does seem to be going OK at the moment apart from the fact it's taking forever to load any programs up as well as the internet, so something is still lurking
 

Embattle

FH is my second home
Joined
Dec 22, 2003
Messages
13,523
People waste more time getting shot of possible viruses than a format and reload would take.....my advice is to backup what you really need then FRL it, once you've reloaded the OS go straight for the AV then get the latest updates for both windows and the AV program. Once you've done this use the AV to scan the backed up stuff then bring it back across.
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
Everything is fine now :s

Um...

I managed to gain control of my Control Panel again, to which I instantly removed Norton Internet Security, as I'm running Windows Firewall and Kaspersky at the moment.

Everything just loaded up straight away without a hitch, Mozilla (Which took about a minute to load usually) came on straight away and the whole system is a lot faster.

I don't know what has happened, I'm still a bit "hmmm" on it, but at least now I can look around to see what's happened without slowing down, shame I have work now as well, grrr

/edit

Loaded up IRC as a test - Because I was getting some messages as soon as I loaded it up saying I have a virus etc, just got this now:

[14:28] <Natalie15> excuse me,but its seems that your mirc is sending spam,please install this security update -> http://<IP ADDRESS>SystemFix.exe

hmm

*closes down IRC*
 

Bob007

Prince Among Men
Joined
Dec 22, 2003
Messages
585
Any security updates for mIRC will be avail from mIRC main site, if you think you have a problem with mIRC, only use main site to fix it. Or consider changing irc client :)
 

TdC

Trem's hunky sex love muffin
Joined
Dec 20, 2003
Messages
30,925
tbh you should NEVER EVER EVER EVER install anything that didn't come from its maker's site.

my gf installed some kind of instant-message client in a beta that someone sent to her and I had great joy clearing shit off her pc after that :/
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
Of course, I was never going to install anything someone I didn't know asking me to install some weird program.. It was just that say, 3 days ago when everything *was* ok, I never got PMs from anyone saying that I had something dodgy and to install a certain program

Until yesterday, at the brink of all the problems, it's as if these "bots" "know" something and are trying to make the problem worse by letting unbeknown people download something which will make it 10 times worse.

At least my Internet Explorer is now working (oh yay.. so happy............. hm) I can see about installing the update(s)
 

Ch3tan

I aer teh win!!
Joined
Dec 22, 2003
Messages
27,318
Don't worry Gray, it's just the eye of the storm. You're clearly cursed, enjoy the calm while it lasts.
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
So everything is seemingly fine now, been on for a while and no hiccups. I did install Sygate though, but it crashed. A lot. To begin with it installed fine (As always..) but then I connected to the internet, it did the usual thing of blocking Mozilla (As it wasn't "allowed"?) when I went to set it as OK, it just crashed on me.

Reset, tried again, just crashed. Tried to uninstall it, but it said it had to be closed down first. Tried closing it, it crashed. Babum! Took about 6 restarts to finally get it to load up and closed down successfully.

Think I'm going to install the old and trusty Zone Alarm, for a short time anyway, either that or leave Windows Firewall, but I don't know... It's Microsoft.. :/
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,445
ick :s

Friday night kind of sucked.. I was playing WoW as normal when the game started to slow down and eventually WoW crashed, during that it wouldn't allow me to play it again (Kept coming up with WoW error #132 / 131) which seemingly was something to do with memory.

Anyway, I restarted the computer (which usually worked on other occasions) but it didn't work, after a lot of messing I gave up and attempted to just reinstall, upon doing it though it just kept crashing.

I restarted one final time... And every time on the windows loading screen I would be getting hit with a BSoD, I did have the codes with me at the time but now I don't but basically many of the errors were relating to memory side problems.

I took out one stick of memory, placed it in Bank 1, nothing. Bank 2, nothing, Bank 3... nothing. Also did the same with the second stick in all the banks. Again, nothing.

It made me think it could be a BIOS setting, I lowered the FSB, fiddled with the memory timers, but nothing would load it up. I finally gave up the hard drive for the moment, I had my old IBM Deathstar ready and waiting with XP on it - Crapped out again. This led me to believe it was a definite memory problem.

I went to format my PC anyway, upon getting the "Windows is starting" screen up on the installation, I would get a BSoD - "fuck" I thought to myself. I couldn't format or repair any of the hard drives on the system.

I managed to contact my bro we had a look and managed to get everything working to a limit, we didn't try everything but the main hard drive I had was now up and running on the memory which I had (Dual Channel as well). That's when we hit the major problem.

Upon connecting up my secondary hard drive which has (and I fucking mean literally) everything on it, I would get a BSoD at startup. Not good I thought again, that hard drive has over 80-90gb of stuff on it if I lose that I'd probably cry.

We tried for 3 hours to get it working, it seemed that the NTFS-File System on it was fucked, corrupted, damaged, bollocksed you name it - it was it. We tried it on my bro's system - it wasn't recognised.

We tried it on another system which had Windows Millennium - wasn't recognised, and finally - We tried it as a SATA drive - again, nothing. I felt empty inside, all my music, games, movies and everything else of value to me was on that backup drive. The only way forward was to format it. I was gutted.

So the hard drive was back, with 80gb more space than before. We seemingly fixed the problem, and didn't need to format my PC after all, I took it all home, hooked it up, began to re-install WoW - and it kept locking up. Then Firefox started to crash and then *bam* I got hit with a BSoD which I had the day earlier.

PFN_LIST_CORRUPT

Again, I couldn't Google much because using Firefox/IE would seemingly kill the PC into oblivion, I gave up. It was going to get formatted and that's that! I did manage to get past the Setup screen, I formatted the PC (NTFS) but half way through install it corrupted.

Ohh dear... I got home about 1am last night and attempted on a few occasions to actually format it, but it's not having it. The memory must be fucking really dodgy at the moment.

I just whacked in my IBM drive after waking up with this idea, sorted. But the PC is still somewhat unstable even after my bro did the memory tweaking. I was going to go down Manchester to Aria, but after getting lost for a few hours last time I think I gave it a miss. But I just ordered some GeIL memory which I hope will sort my problem.

Still gutted about the HD though.. jeez, trust is an awful thing to have in the PC world
 

MKJ

Fledgling Freddie
Joined
Jun 5, 2004
Messages
1,196
I notice in all this not once have you run msconfig. Msblast makes an exe file run on starting your computer. You should have run msconfig and checked the files that are starting with windows. My girlie's mother had blue screens and got kicked off the internet after a short period. I talked her through checking the files that were starting up with windows and sure enough there was a dodgy file - msblast something or other. Once that was taken off the system stayed online long enough for me to take the computer over using msn. I then installed Regcleaner (marvellous utility for sorting the registry out - free too I think), and I downloaded Kaspersky Anti-virus/Firewall. Once I was confident there were no nasties running in the background I let Kaspersky rip. Stable ever since. Prior to this a number of people had looked at the computer and got nowhere. You should really get used to running msconfig to check on the background processes along with Taskmanager. Also get that Regcleaner off Download.com - I think!

One more thing you can't beat a good backup. Think about a 2nd hard drive that holds a Norton Ghost image (or something similar) of a perfect working operating system. Sometimes it ain't worth the bother of trying to sort some nasties out and running Norton Ghost can put your system back - operating system and all files etc - in a matter of minutes. Fantastic bit of kit.
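
The startup check described in the post above, as an added PowerShell example that is not part of any post in this thread: it lists the registry autostart values and flags the two Blaster indicators quoted earlier in the thread (the `windows auto update` Run value and `msblast.exe`). The function name `Get-AutostartEntry` is hypothetical; the registry paths are the standard Windows autostart keys.

```powershell
# Added example: enumerate registry autostart values (part of what msconfig's
# Startup tab shows) and flag the Blaster indicators named in this thread.

# Standard per-machine and per-user autostart keys (missing keys are skipped).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Indicators quoted in the thread: the Run value name and the executable name.
$suspectValueNames = @('windows auto update')
$suspectFileNames  = @('msblast.exe')

# Hypothetical helper name (not a built-in cmdlet).
function Get-AutostartEntry {
    param(
        [string[]]$KeyPath,
        [string[]]$ValueName,
        [string[]]$FileName
    )
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $reasons = @()
            # -contains and -like are case-insensitive by default.
            if ($ValueName -contains $name) { $reasons += 'value name' }
            foreach ($file in $FileName) {
                if ($command -like "*$file*") { $reasons += "runs $file" }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Flag    = ($reasons -join ', ')
            }
        }
    }
}

$entries = @(Get-AutostartEntry -KeyPath $runKeys `
                                -ValueName $suspectValueNames `
                                -FileName $suspectFileNames)

# Flagged entries first; every other entry is still listed for manual review.
$entries | Sort-Object Flag -Descending |
    Format-Table Name, Command, Flag, Key -AutoSize -Wrap |
    Out-String -Width 200

# An absent Run value does not rule out a leftover binary, so check the disk too.
foreach ($file in $suspectFileNames) {
    $path = Join-Path $env:SystemRoot "System32\$file"
    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path -Force
        "PRESENT: $($f.FullName)  size=$($f.Length)  modified=$($f.LastWriteTime)"
    } else {
        "Not present: $path"
    }
}
```

This covers only the registry Run keys and one file path; Startup folders and services need separate review.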
 
