Thread ID: 46098 | 2004-06-13 09:34:00 | Virus Like Activity - but no Virus. | Growly (6) | Press F1

| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 244081 | 2004-06-13 09:34:00 | Hey there... Fixing a friend's computer, he had the signs of a virus: 1) RPC shutdown 2) Couldn't copy or paste 3) Couldn't open links 4) Couldn't open Hotmail 5) Couldn't update Norton Antivirus 6) IE would crash within 10 seconds of being run 7) Couldn't manually shut down from the Start menu or Ctrl-Alt-Del (but I managed to use shutdown -s). Also, spyware going down, like Messenger (the net service, not MSN) messages being sent from randoms. I stopped this by stopping the Messenger service. Anyway, at first I thought it was Sasser or Blaster (old and new), but the fix programs for those didn't help. I used Spybot and Ad-Aware (after painstakingly and slowly updating both) to get rid of about 130 nasties... but when it came to the virus... Norton Scan, after finally getting it to work (it originally wouldn't open at all when any button was clicked, and it wouldn't update either, but then I used shutdown -r to restart and it worked, so the definitions were updated when I scanned), found nothing after taking an hour. My friend said that it had kept popping up a few days prior with auto-detect messages saying that there was an infection; ergo my surprise when it didn't find anything. Could this actually be a virus? Or is it some sort of Windows problem (the not loading, etc.)... I thought that the lack of finding a virus would signal some sort of external threat, maybe someone reaching in each time and not leaving a virus? Maybe? Also, I used shutdown -a to kill the RPC shutdown early; would this have stopped the virus running, or shut down the affected program, so that Norton couldn't detect it? I couldn't get the chance, but another friend with similar symptoms said that you couldn't go to the AVG site at all... Just some thoughts in there, though I'm not sure. I thought it was peculiarly odd. Anything would be appreciated, thanks. | Growly (6) |
| 244082 | 2004-06-13 09:38:00 | He hasn't by chance got Zone Alarm 5 installed? | dumdum (4965) |
| 244083 | 2004-06-13 09:41:00 | In case Norton's has been compromised, why not do an online AV scan as a "second opinion"? Here: housecall.antivirus.com | Pheonix (280) |
| 244084 | 2004-06-13 09:44:00 | No, he doesn't have Zone Alarm, at least not that I could see (taskbar, systray, process list)... Why? Oh, and the HouseCall thing... I'll give that a shot next time, but I doubt it would be that. It may be, though. | Growly (6) |
| 244085 | 2004-06-13 18:54:00 | Well, Norton ain't perfect (indeed NO antivirus prog is), and recently I've seen a very similar set of symptoms. After a bit of a fight I updated Norton, which the client had on the puter, by doing a direct download of 'Intelligent Updater' from the Symantec site rather than the built-in 'LiveUpdate' function, which wouldn't work. Anyway, even tho the prog was updated and it scanned the system and said 'no virus', well, I was still very suspicious, so side by side with Norton I installed AVG and it FOUND a virus... as I say, nothing's perfect... so do a different virus scan... perhaps download Stinger and use that; it's pretty good. Or download and use Sysclean (from Trend Micro); it's also good and scans for quite a few more viruses than Stinger... both will run in safe mode too, which is a help. | drcspy (146) |
| 244086 | 2004-06-13 20:47:00 | What you describe is something that I had to fix last week; this one is known to disable various security programs, IE will almost instantly crash, etc. Agobot - an IRC-transported trojan. An IRC backdoor Trojan and network worm. W32/Agobot-IX is also known as: WORM_AGOBOT.GEN, W32.HLLW.Gaobot.gen, W32/Gaobot.worm.gen.d. If it helps, I will post the removal instructions below; if nothing else it will allow you to search for the HKLM keys and confirm or rule out this one. -------------------------------- It copies itself to network shares that are protected by weak passwords. It then copies itself as winlogin.exe in the Windows system folder and then sets up the following registry entries so that it runs when a user logs on to the system and continues to run as a service: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinLogin = winlogin.exe and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinLogin = winlogin.exe. At every activation W32/Agobot-IX attempts to connect to a remote IRC server and join a specific channel. It then continues to run in the background, permitting remote access by an intruder, and may let him control the computer. The worm may be configured to download and install other programs on the system as well as to flood other computers with network packets. It also shuts down or disables several security programs, and furthermore it writes to the hosts file, preventing various IT security sites from being accessed. ---------------------------------------- Replace the hosts file from a backup or edit it in Notepad to remove the changes that the worm has made. You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry. At the taskbar, click Start > Run. Type 'Regedit' and press Return. The registry editor opens. Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup. Locate the HKEY_LOCAL_MACHINE entries HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinLogin = winlogin.exe and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinLogin = winlogin.exe and delete them if they exist. Close the registry editor. | Gordon. (2217) |
| 244087 | 2004-06-14 06:09:00 | Awesome, I'll try it out. Of course, no one believes in me, and his father took it into his office for the over-rated IT techs to do it (pfft, if I hadn't had homework...) | Growly (6) |
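An offline triage script, added here and not from the thread or any of its posters, that checks the two indicators Gordon's post gives (security sites redirected in the hosts file, and WinLogin = winlogin.exe under the Run and RunServices keys) against a saved hosts file and a regedit export. The hosts lines and the .reg text are constructed samples, not data from an actual infected machine.

```python
"""Offline triage for the W32/Agobot-IX indicators quoted in this thread: security
sites pinned to loopback in a saved hosts file, and WinLogin = winlogin.exe Run entries."""
import re
# Constructed sample hosts file (not from the page); the worm-style redirects follow the defaults.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com   # would break Norton LiveUpdate
0.0.0.0         housecall.antivirus.com
"""

# Constructed regedit export (Registry > Export Registry File) of the two keys named in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinLogin"="winlogin.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinLogin"="winlogin.exe"
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"}

def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs that pin a non-localhost name to a loopback or null address."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, then whitespace-split
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            continue
        for name in fields[1:]:
            if name.lower() not in ("localhost", "localhost.localdomain"):
                hits.append((fields[0], name))
    return hits

def agobot_run_entries(reg_text):
    """Return (key, value, data) for WinLogin -> winlogin.exe under the Run or RunServices key."""
    hits, current = [], None
    for line in reg_text.splitlines():
        if key := re.match(r"^\[(.+)\]$", line.strip()):
            current = key.group(1)                 # entering a new key section
        elif current and current.lower() in RUN_KEYS:
            val = re.match(r'^"([^"]+)"="([^"]*)"$', line.strip())
            if val and val.group(1).lower() == "winlogin" and val.group(2).lower().endswith("winlogin.exe"):
                hits.append((current, val.group(1), val.group(2)))
    return hits
```

Any hit from either function is a reason to follow the post's advice of a second-opinion scanner before trusting the Norton result; an empty result only rules out this particular variant's default indicators.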