Computers: SERIOUS Virus - Help!!!!!!!!


DaneMcCloud
03-02-2010, 03:56 PM
Well, I got my first virus ever this week. I don't know how but it happened. Anyway, the computer froze up completely last night. After going into Safe Mode, I ran Adaware, SpyBot and MalwareBytes. I think it was SpyBot that found four different files, from trojans to security, etc. It cleaned up and everything worked fine last night.

I boot this morning and same thing: The computer froze. I went into Safe Mode and SpyBot found 15 this time and Adaware found four. I cleaned it up and it ran fine.

I had to shut down to run errands and once I booted, same damn thing: The computer froze. This time in Safe Mode, Spybot found one file. And even after cleaning up these files, Firefox windows are spawning.

How is this happening? I'm not hitting porn sites, just normal stuff like USA Today, SI, Chiefsplanet, etc. This is the first time ever for having a virus and I've been a home PC user since 1993.

ANY help would be greatly appreciated!

Over-Head
03-02-2010, 03:59 PM
ANY help would be greatly appreciated!
I'd have thought it impossible for us simple mortals to help the legendary Dane McCloud:D

DaFace
03-02-2010, 04:01 PM
Spybot's good, but I'd try others. Malwarebytes is usually pretty good at cleaning you up as long as you can get into safe mode. Download it, install it, run a full scan, and then see how things look.

DaneMcCloud
03-02-2010, 04:05 PM
Spybot's good, but I'd try others. Malwarebytes is usually pretty good at cleaning you up as long as you can get into safe mode. Download it, install it, run a full scan, and then see how things look.

Yeah, I've run all three in Safe Mode: Malwarebytes, Adaware and SpyBot. They each seem to find something in Safe Mode but not in Regular Mode. And each and every time it tells me it's clean, once I shut down and reboot, I have to go into Safe Mode again.

QuikSsurfer
03-02-2010, 04:14 PM
In Safe Mode - malwarebytes, ccleaner, and microsoft security essentials (will have to be installed in normal mode).
If MS security essentials detects anything, update this thread with the information.
Virus type/name would be helpful.

edit: make sure to update each program before running scans.

DaneMcCloud
03-02-2010, 04:19 PM
In Safe Mode - malwarebytes, ccleaner, and microsoft security essentials (will have to be installed in normal mode).
If MS security essentials detects anything, update this thread with the information.
Virus type/name would be helpful.

edit: make sure to update each program before running scans.

Thanks, Dude. I'll try the MS Security essentials because I haven't tried it yet.

Fish
03-02-2010, 04:22 PM
Have you tried a System Restore?

If you have, and that didn't work, I'd suggest turning off System Restore, and boot back into Safe Mode, and run your scans again. Complete scans too, don't just do the quick ones.

If you can, run a HijackThis scan too, and post the results.

QuikSsurfer
03-02-2010, 04:23 PM
Thanks, Dude. I'll try the MS Security essentials because I haven't tried it yet.

http://www.softpedia.com/get/Antivirus/Microsoft-Security-Essentials.shtml

Make sure to download the .exe that matches your operating system. And again, you'll have to install this while in normal user mode rather than safe mode, but you should be fine to perform the update and run the scan in safe mode.
Let us know.

DaFace
03-02-2010, 05:03 PM
In Safe Mode - malwarebytes, ccleaner, and microsoft security essentials (will have to be installed in normal mode).
If MS security essentials detects anything, update this thread with the information.
Virus type/name would be helpful.

edit: make sure to update each program before running scans.

Yeah, it would be helpful to know what you're up against.

DaneMcCloud
03-02-2010, 05:05 PM
Thanks guys, I'll let you know. My computer is currently working so I have to work. If it follows the same pattern (shut down, reboot tomorrow morning but gets stuck), I'll follow all of the instructions in this thread and post the results.

Thanks to all!

DaneMcCloud
03-02-2010, 05:27 PM
Backdoor: winNT/Rustock.GenB! was detected

bevischief
03-02-2010, 05:31 PM
Antifreeze and lots of it.

"Bob" Dobbs
03-02-2010, 05:34 PM
http://www.uploads.ejvindh.net/rustbfix.exe seems like it should help.

DaneMcCloud
03-02-2010, 05:38 PM
Hey guys, the MS Security Essentials that QuikSurfer suggested found that virus and eliminated it. The computer rebooted and is currently working as normal.

I'll keep you all posted.

Thanks again!

keg in kc
03-02-2010, 06:17 PM
That's what you get for watching videos featuring eastern european women fellating german shepherds.

thecoffeeguy
03-02-2010, 06:38 PM
Well, I got my first virus ever this week. I don't know how but it happened. Anyway, the computer froze up completely last night. After going into Safe Mode, I ran Adaware, SpyBot and MalwareBytes. I think it was SpyBot that found four different files, from trojans to security, etc. It cleaned up and everything worked fine last night.

I boot this morning and same thing: The computer froze. I went into Safe Mode and SpyBot found 15 this time and Adaware found four. I cleaned it up and it ran fine.

I had to shut down to run errands and once I booted, same damn thing: The computer froze. This time in Safe Mode, Spybot found one file. And even after cleaning up these files, Firefox windows are spawning.

How is this happening? I'm not hitting porn sites, just normal stuff like USA Today, SI, Chiefsplanet, etc. This is the first time ever for having a virus and I've been a home PC user since 1993.

ANY help would be greatly appreciated!

Most likely, you went to a site that was compromised and had malware on it. Then, when you went to it (even if you are using Firefox, that's not 100% safe), you downloaded some stuff and that's all it takes. There's also the possibility of a drive-by web attack.

Check out these statistics. Mind boggling:

http://www.blade-defender.org/eval-lab/

mikeyis4dcats.
03-02-2010, 07:24 PM
elitekiller.com

download the rogue removal toolkit. Golden.

DaneMcCloud
03-02-2010, 08:40 PM
Okay, I'm still infected.

I set the msconfig to boot into Safe Mode automatically. I just ran Malwarebytes and it came up with a "rootkit" file. I'll now run Adaware, Spybot and MS Essentials and report back.

This thing just does not want to go away.

DaFace
03-02-2010, 09:00 PM
Rootkits are incredibly hard to get rid of. You may want to go all-in and use combofix instead. It takes forever, but it's the best one I know of to get at something like that.

DaneMcCloud
03-02-2010, 09:00 PM
Rootkits are incredibly hard to get rid of. You may want to go all-in and use combofix instead. It takes forever, but it's the best one I know of to get at something like that.

Is combofix a program?

DaFace
03-02-2010, 09:07 PM
Is combofix a program?

Yep. There's not much to it. Just download it and let it go.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

DaneMcCloud
03-02-2010, 09:33 PM
Yep. There's not much to it. Just download it and let it go.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Cool, thanks!

I'm running a full Security Essential scan. If that doesn't do it, I'll try the combofix tonight. If that doesn't do it, I'll just reload the image tomorrow using Paragon and hope that I didn't have the virus 3 months ago (my last image backup).

thecoffeeguy
03-03-2010, 08:18 AM
Cool, thanks!

I'm running a full Security Essential scan. If that doesn't do it, I'll try the combofix tonight. If that doesn't do it, I'll just reload the image tomorrow using Paragon and hope that I didn't have the virus 3 months ago (my last image backup).

In my experience, when we find a rooted box on the network, we immediately pull it, grab what data we can, then reinstall the image.

Honestly, good rootkits you will never get rid of without a complete reinstall/backup restore of an image on the box. They are that good and that much of a pain in the ass.

Couple things to think about once this is fixed.

1.) Use IE 8 or Google Chrome. I know, I know, am I crazy suggesting IE8!!! The truth is, Firefox has more holes than IE 8 right now, believe it or not.

2.) If you do decide to use Firefox, install the NoScript addon.

3.) Do you really want Flash installed? That is the mother of all ways to exploit a system. I never install it on my systems.

4.) Use an alternative to Adobe Reader. There are plenty out there, but Adobe Reader is the quickest and most efficient way to compromise a host. Ones that come to mind: Foxit Reader, Sumatra... plenty of other options.

5.) Windows 7 has a lot more security built in to it at this point. Right now, I would say it is slightly more secure than Snow Leopard at this point IMO. This is just the base system though. The tables get turned when software gets installed.

Just a couple things to keep in mind.

Thinking we should have a sticky thread in here for stuff like this.

tymania
03-03-2010, 09:24 AM
Really, in my experience with viruses like this, I try to back up whatever data I want off the hard drive and do a full re-install. It sucks and can be time consuming, I know, but it takes as much time as you are spending on trying to eliminate the virus.

DaneMcCloud
03-03-2010, 12:21 PM
Really, in my experience with viruses like this, I try to back up whatever data I want off the hard drive and do a full re-install. It sucks and can be time consuming, I know, but it takes as much time as you are spending on trying to eliminate the virus.

I'm not working today so I'll check out the system later this morning. The problem that I have with reinstalling everything is that for my line of work, it takes about 48 hours to reinstall from scratch, due to the enormous volume of programs and plugins.

I used Paragon to create an image several months back but I've never used the recovery feature. I may call the computer builder later this afternoon for instructions.

Thanks for all of the input!

DaneMcCloud
03-03-2010, 12:23 PM
In my experience, when we find a rooted box on the network, we immediately pull it, grab what data we can, then reinstall the image.

Honestly, good rootkits you will never get rid of without a complete reinstall/backup restore of an image on the box. They are that good and that much of a pain in the ass.

Couple things to think about once this is fixed.

1.) Use IE 8 or Google Chrome. I know, I know, am I crazy suggesting IE8!!! The truth is, Firefox has more holes than IE 8 right now, believe it or not.

2.) If you do decide to use Firefox, install the NoScript addon.

3.) Do you really want Flash installed? That is the mother of all ways to exploit a system. I never install it on my systems.

4.) Use an alternative to Adobe Reader. There are plenty out there, but Adobe Reader is the quickest and most efficient way to compromise a host. Ones that come to mind: Foxit Reader, Sumatra... plenty of other options.

5.) Windows 7 has a lot more security built in to it at this point. Right now, I would say it is slightly more secure than Snow Leopard at this point IMO. This is just the base system though. The tables get turned when software gets installed.

Just a couple things to keep in mind.

Thinking we should have a sticky thread in here for stuff like this.

Can this spread beyond my C drive? I have six drives mounted on this particular computer. If so, I'd better re-image asap.

thecoffeeguy
03-03-2010, 01:45 PM
Can this spread beyond my C drive? I have six drives mounted on this particular computer. If so, I'd better re-image asap.

Yes, it sure can. If you have a worm, it can replicate.

Although I have not seen a worm in a long time, there were days where a user would get a virus worm, and it would replicate to other users on the network. Talk about a pain in the ass.

DaneMcCloud
03-03-2010, 02:13 PM
Yes, it sure can. If you have a worm, it can replicate.

Although I have not seen a worm in a long time, there were days where a user would get a virus worm, and it would replicate to other users on the network. Talk about a pain in the ass.

I ran more scans in safe mode this morning and it appears to be gone.

Could it be hiding?

keg in kc
03-03-2010, 02:17 PM
I ran more scans in safe mode this morning and it appears to be gone.

Could it be hiding?

I'd make a 'hide the worm' joke here, but I've been insensitive enough on this thread already. Hopefully it's worked out.

thecoffeeguy
03-03-2010, 02:34 PM
I ran more scans in safe mode this morning and it appears to be gone.

Could it be hiding?

I'll just speak from my experience.
Any time you are dealing with a rootkit, that is just bad bad news.
Honestly, a very good rootkit will never be found. The box is essentially 'rooted'. Only by doing forensic work on suspected 'rooted' boxes were we able to determine that these machines were in fact rooted.

Malware is getting better and better these days and it is much farther ahead than anti-virus. It's the cat and mouse game, right? The baddies keep upping the ante, and the anti-virus companies try to keep up. I see it daily.

Now, if it were me, I would not even mess around. I would back up my data that I knew was 'clean', and just reinstall the OS. This is the only way to truly make sure it is gone.

So, answering your question, it may very well be lying dormant. Your machine could be fine today, tomorrow, even for a couple of weeks. Then it wakes up again and rears its ugly head and you are back to square one.

Even though it's a pain in the butt to reformat and reinstall the OS, you actually save time in the long run. Think about all the virus scans and programs you have downloaded to try and find out what is going on. Some work, some don't. They may appear to work today, but what about tomorrow, and Friday, for example?

Not trying to be a Debbie Downer, but I deal with this stuff daily. It is really quite frightening, some of the malware I see these days.

Hope that helps.

Any questions, fire away.

Otter
03-03-2010, 02:50 PM
I'll just speak from my experience.
Any time you are dealing with a rootkit, that is just bad bad news.
Honestly, a very good rootkit will never be found. The box is essentially 'rooted'. Only by doing forensic work on suspected 'rooted' boxes were we able to determine that these machines were in fact rooted.

Malware is getting better and better these days and it is much farther ahead than anti-virus. It's the cat and mouse game, right? The baddies keep upping the ante, and the anti-virus companies try to keep up. I see it daily.

Now, if it were me, I would not even mess around. I would back up my data that I knew was 'clean', and just reinstall the OS. This is the only way to truly make sure it is gone.

So, answering your question, it may very well be lying dormant. Your machine could be fine today, tomorrow, even for a couple of weeks. Then it wakes up again and rears its ugly head and you are back to square one.

Even though it's a pain in the butt to reformat and reinstall the OS, you actually save time in the long run. Think about all the virus scans and programs you have downloaded to try and find out what is going on. Some work, some don't. They may appear to work today, but what about tomorrow, and Friday, for example?

Not trying to be a Debbie Downer, but I deal with this stuff daily. It is really quite frightening, some of the malware I see these days.

Hope that helps.

Any questions, fire away.

I haven't played with one in over a year but would a rootkit revealer help in this instance?

DaFace
03-03-2010, 02:56 PM
I haven't played with one in over a year but would a rootkit revealer help in this instance?

Most of the time, combofix will detect and remove rootkits as well as a revealer would. However, as TCG said, there's never a way to tell 100% if a rootkit has been eradicated.

Otter
03-03-2010, 03:09 PM
Most of the time, combofix will detect and remove rootkits as well as a revealer would. However, as TCG said, there's never a way to tell 100% if a rootkit has been eradicated.

Ah, I haven't had an infection for years and I'm mostly hardware oriented at work these days. If you're getting these infections while surfing the internet, use Firefox with the NoScript addon. It's the simplest piece of advice that will prevent 99.9% of infections.

Watch, I'll get a rootkit tonight when I go home.

DaneMcCloud
03-03-2010, 03:26 PM
Ah, I haven't had an infection for years and I'm mostly hardware oriented at work these days. If you're getting these infections while surfing the internet, use Firefox with the NoScript addon. It's the simplest piece of advice that will prevent 99.9% of infections.

Watch, I'll get a rootkit tonight when I go home.

What's NoScript add-on?

DaneMcCloud
03-03-2010, 03:26 PM
This virus is still on the computer so I'm copying an image from last year and will re-image using Paragon.

What a PITA!

Otter
03-03-2010, 03:29 PM
What's NoScript add-on?

https://addons.mozilla.org/en-US/firefox/search?q=noscript&cat=all&advancedsearch=1&as=1&appid=1&lver=3.6&atype=0&pp=20&pid=5&sort=&lup=

Should be the first one that appears on the list. If not do a search on "NoScript" in the upper right hand corner.

DaneMcCloud
03-03-2010, 03:36 PM
Will I be okay if I export a .pst and re-import after the computer has been re-imaged?

phisherman
03-03-2010, 04:52 PM
Hmmm, I would think so, but with really nasty viruses, you never know.

I've never seen anything get into a .pst though.

DaFace
03-03-2010, 05:10 PM
Hmmm, I would think so, but with really nasty viruses, you never know.

I've never seen anything get into a .pst though.

I concur.

thecoffeeguy
03-03-2010, 08:54 PM
I haven't played with one in over a year but would a rootkit revealer help in this instance?

Really depends on how good the rootkit is.
We have found some using rootkit revealer, but there have been a few incidents where we 'suspected' something was up with a PC. What we did was basically clone the drive and do some deep forensic work on it. Only then were we able to see that it had a rootkit on it.

Granted, before we did the forensic work, we ran through all of our tools and procedures to see if it was compromised. We found nothing.
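The clone-and-compare approach thecoffeeguy describes, and the idea behind a rootkit revealer, is a cross-view check: an inventory taken on the live (possibly rooted) box is compared with one taken from the cloned drive on a clean machine, and anything the live OS hides or misreports shows up as a discrepancy. The script below is an added example, not code from the thread or from any product named in it; the inventory format and every sample row, path and hash are constructed.

```python
"""Cross-view rootkit check: compare a file inventory taken on the live
(possibly rooted) system with one taken from an offline clone of its drive.

A rootkit that hooks the running OS can hide files from tools run on that box,
but not from a listing of the cloned disk made on a clean machine, so entries
present only offline, or whose hash differs between views, are the findings a
forensic comparison surfaces. Inventory format (path, sha256, size,
tab-separated) and every sample row below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    sha256: str
    size: int


def parse_inventory(text: str) -> dict[str, Entry]:
    """Parse 'path<TAB>sha256<TAB>size' lines, keyed by case-folded path (NTFS is case-insensitive)."""
    entries: dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields, got {len(parts)}")
        path, digest, size = parts
        entries[path.lower()] = Entry(path, digest.lower(), int(size))
    return entries


def cross_view_diff(live: dict[str, Entry], offline: dict[str, Entry]) -> dict[str, list[str]]:
    """Report the three discrepancy classes between the live and offline views."""
    hidden = sorted(p for p in offline if p not in live)      # on disk, invisible to the live OS
    phantom = sorted(p for p in live if p not in offline)     # reported live, absent from the clone (often timing noise)
    tampered = sorted(p for p in live if p in offline and
                      (live[p].sha256, live[p].size) != (offline[p].sha256, offline[p].size))
    return {"hidden_from_live": hidden, "only_in_live": phantom, "content_mismatch": tampered}


# Constructed sample inventories; the hashes are placeholders, not real file digests.
LIVE_VIEW = "\n".join([
    "C:\\Windows\\System32\\drivers\\ntfs.sys\t" + "11" * 32 + "\t574976",
    "C:\\Windows\\System32\\hooked_example.dll\t" + "22" * 32 + "\t81920",  # hook reports a clean hash
    "C:\\Windows\\System32\\cache_example.tmp\t" + "44" * 32 + "\t12",       # created after the clone
])
OFFLINE_VIEW = "\n".join([
    "c:\\windows\\system32\\drivers\\ntfs.sys\t" + "11" * 32 + "\t574976",
    "c:\\windows\\system32\\hooked_example.dll\t" + "33" * 32 + "\t81920",   # bytes on disk differ
    "c:\\windows\\system32\\drivers\\hidden_example.sys\t" + "55" * 32 + "\t40960",  # hidden from live
])


def findings() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample and return the finding categories."""
    return cross_view_diff(parse_inventory(LIVE_VIEW), parse_inventory(OFFLINE_VIEW))


if __name__ == "__main__":
    for category, paths in findings().items():
        print(f"{category}: {paths or 'none'}")
```

Only "hidden_from_live" and "content_mismatch" are strong signals; "only_in_live" usually reflects files written after the clone was taken and is worth a look but not alarming on its own.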

DaneMcCloud
03-03-2010, 11:29 PM
So, I used Paragon to reload an image I created last year. It only took 30 minutes to reload the image and about another 30 minutes or so to run all of the MS updates, and another 30 to load programs I'd purchased since that image. I did a few quick tests and everything seems to be working just fine.

Paragon saved my ass. It would have taken at least 48 hours to reload everything from scratch and I've now got MS Essentials loaded. I'm going to re-image, then load the .pst (I'm still a little worried!) and re-image again.

Thanks for all the help!

QuikSsurfer
03-03-2010, 11:31 PM
So, I used Paragon to reload an image I created last year. It only took 30 minutes to reload the image and about another 30 minutes or so to run all of the MS updates, and another 30 to load programs I'd purchased since that image. I did a few quick tests and everything seems to be working just fine.

Paragon saved my ass. It would have taken at least 48 hours to reload everything from scratch and I've now got MS Essentials loaded. I'm going to re-image, then load the .pst (I'm still a little worried!) and re-image again.

Thanks for all the help!

Like fish mentioned, it would be a good idea to utilize the system restore function. Create a restore point every so often.

tymania
03-04-2010, 06:55 AM
So, I used Paragon to reload an image I created last year. It only took 30 minutes to reload the image and about another 30 minutes or so to run all of the MS updates, and another 30 to load programs I'd purchased since that image. I did a few quick tests and everything seems to be working just fine.

Paragon saved my ass. It would have taken at least 48 hours to reload everything from scratch and I've now got MS Essentials loaded. I'm going to re-image, then load the .pst (I'm still a little worried!) and re-image again.

Thanks for all the help!

.pst file? Like an Outlook archived file? You shouldn't have any problem reloading that... I've done it many times before.

Buehler445
03-04-2010, 07:16 AM
What a Pain in the fucking ass.

I'm bookmarking this for the good info in it.

DaneMcCloud
03-04-2010, 09:47 AM
Like fish mentioned, it would be a good idea to utilize the system restore function. Create a restore point every so often.

I'm going to run through all of my programs this morning to make sure that I've got everything updated, then create another image. It only took 33 minutes to restore the 55 gig C: drive (I keep no information on that drive - just programs only). It couldn't have been easier!

I'll call the computer manufacturer about System Restore. I believe they turned it off when the computer was built because it causes issues somehow with my primary programs. If not, I'll definitely turn it on.

Thanks again for the assistance!