Jump to content

Nasty Virus


soundman

Recommended Posts

I have a virus on my computer that is very frustrating & was hoping somebody could help me.

Characteristics similar to Conficker worm.

Windows malicious software removal tool doesn't detect it. Windows update doesn't work.

AVG's rmagent doesn't detect it.

The virus blocks administrator control and server control on the computer. You cannot access taskmanager (access denied) or access any update files for AV software (access to the server is denied), such as AVG update.

The virus doesn't allow any files or internet URL's to software, such as MalBytes or Eset online scan to be accessed by the computer.

That said, apart from no administrator access, the virus appears to be doing very little.

Any ideas???

Link to comment
Share on other sites

Try Spybot Search & Destroy.... it should do the job....

Download the stuff... install it (you need to be online) let it run....

Good luck...

Thanx, however tried that yesterday - the virus does not allow access to Spybot download links.

Link to comment
Share on other sites

Safe Mode is always worth a try. However, the more nasty viruses manage to be loaded even in Safe Mode. Others even crash the system when trying to boot into Safe Mode.

If you want to download stuff you have to choose SafeMode with networking.

Other options:

  • use a different browser to download from URLs that have been blocked by the virus. Use a different search engine (other than Google) if the seach results are being redirected, e.g. Yahoo.com. Check your DNS settings and see if they have been modified by the malware. Depending on the technique used by the malware this might or might not work.
  • try downloading directly from a download website such as softpedia.com, filehippo.com, download.com, etc. Those host the download files on their own servers.
  • If the malware blocks the update process try a product that allows 'offline udpates'. That is downloading the update as a standalone package and then using the manual update feature within the program to update. Avira supports this (both software installer and virus definition update available from softpedia.com). Malwarebytes provides an update installer, too, but for me this never worked and generated an error in the application.
    However, if you re-download certain malware and antivirus products those will contain not only the most recent product version, but often virus definition updates that are only a couple of days or weeks old. Better than nothing.
    Use a different PC to download the required files, write them to CD or USB thumb drive to transfer to your PC.
  • Boot from a bootable rescue CD. This comes with its own operating system and guarantees that the virus on you PC cannot be loaded. I recommend Kaspersky Rescue CD (search on softpedia.com). The program will update itself, but requires a cable connection to your router/modem, wireless is not supported. It's worth a try even without running an update.

I'd recommend to

  1. Try downloading Malwarebytes from one of the mentioned download sites and see if it updates. Run a full scan with or without a successful update.
  2. If step 1 didn't work, try downloading Hitman Pro from softpedia.com. This program is not that popular (yet) and might not be blocked by the malware. Hitman Pro will use 5 different scan engines to scan your PC. However, this one will not work at all without an internet connection.
  3. If neither 1. nor 2. brought any significant improvement, use Kaspersky rescue CD. It's not that hard to download the ISO file and write to CD, then just restart your computer and it will boot the rescue system.

Links

Malwarebytes Installer | Updater

Avira Antivirus Installer | Offline Update (daily updated)

Hitman Pro Installer

Kaspersky Rescue CD CD Image

welo

Edited by welo
Link to comment
Share on other sites

Safe Mode is always worth a try. However, the more nasty viruses manage to be loaded even in Safe Mode. Others even crash the system when trying to boot into Safe Mode.

If you want to download stuff you have to choose SafeMode with networking.

Other options:

  • use a different browser to download from URLs that have been blocked by the virus. Use a different search engine (other than Google) if the seach results are being redirected, e.g. Yahoo.com. Check your DNS settings and see if they have been modified by the malware. Depending on the technique used by the malware this might or might not work.
  • try downloading directly from a download website such as softpedia.com, filehippo.com, download.com, etc. Those host the download files on their own servers.
  • If the malware blocks the update process try a product that allows 'offline udpates'. That is downloading the update as a standalone package and then using the manual update feature within the program to update. Avira supports this (both software installer and virus definition update available from softpedia.com). Malwarebytes provides an update installer, too, but for me this never worked and generated an error in the application.
    However, if you re-download certain malware and antivirus products those will contain not only the most recent product version, but often virus definition updates that are only a couple of days or weeks old. Better than nothing.
    Use a different PC to download the required files, write them to CD or USB thumb drive to transfer to your PC.
  • Boot from a bootable rescue CD. This comes with its own operating system and guarantees that the virus on you PC cannot be loaded. I recommend Kaspersky Rescue CD (search on softpedia.com). The program will update itself, but requires a cable connection to your router/modem, wireless is not supported. It's worth a try even without running an update.

I'd recommend to

  1. Try downloading Malwarebytes from one of the mentioned download sites and see if it updates. Run a full scan with or without a successful update.
  2. If step 1 didn't work, try downloading Hitman Pro from softpedia.com. This program is not that popular (yet) and might not be blocked by the malware. Hitman Pro will use 5 different scan engines to scan your PC. However, this one will not work at all without an internet connection.
  3. If neither 1. nor 2. brought any significant improvement, use Kaspersky rescue CD. It's not that hard to download the ISO file and write to CD, then just restart your computer and it will boot the rescue system.

Links

Malwarebytes Installer | Updater

Avira Antivirus Installer | Offline Update (daily updated)

Hitman Pro Installer

Kaspersky Rescue CD CD Image

welo

You da man welo. :D

Hitman Pro cleaned it on a reboot. Trojan called resllb.tmp.

Also fixed problems with access to regedit and taskmgr.

Once again, many thanx. :)

Link to comment
Share on other sites

I'm glad it worked!

Now that your system is bascially cleaned and functional again, I recommend doing yet another full scan with Malwarebytes (after running its update feature) to make sure you clean out all remains of the infection (trojans usually download more malware after a successful infection).

Malwarebytes has a huge database of malware definitions and might very well catch a view things that Hitman left over.

welo

Link to comment
Share on other sites

Check your DNS settings and see if they have been modified by the malware. Depending on the technique used by the malware this might or might not work.

welo

Recently, my primary and secondary DNS have been changed. Funny thing is that my secondary DNS has 4 digits number instead of 10...please see attachment.

Has my DNS been modified by some malware?

THOMSON.pdf

Link to comment
Share on other sites

Hi

Go buy a real anti virus program, its cheap as well, dont need to be a cheap charlie when it comes to PC,, ohhh maybe you guys like to get a virus now and again

Dude, how about being a cheap charlie and not having to worry about viruses anyway?  Heard about Linux?  Duuh... :)

But then again riding a hog you will be overly familiar with the idea of getting charged silly money for antiquated technology.  :D

Edited by TerraPosse
Link to comment
Share on other sites

Recently, my primary and secondary DNS have been changed. Funny thing is that my secondary DNS has 4 digits number instead of 10...please see attachment.

Has my DNS been modified by some malware?

The second entry (8.8.8.8) is a public Google DNS server.

IPv4 addresses consist of four 8-bit numbers, that means each number is between 0-255. Therefore 8.8.8.8 is a valid IP address.

The first entry is a server in the TOT network, but I think the IP address is incomplete on the screenshot, right? (203.113.7.1__).

Assuming the address is 203.113.7.130, this would be a valid TOT DNS server.

dns1.totbb.net 208.67.222.222

dns2.totbb.net 203.113.7.130

So I'd say your DNS settings don't have anything to do with malware. From my experience malware would change the DNS settings on your PC (in the network adapter's properties) and NOT on your router.

If you changed your router's default password to something else (which is STRONGLY recommended) it would be near to impossible for malware to change those settings on the router.

I wouldn't worry too much about malware changing the DNS settings unless you notice strange browser behavior (like being redirected to fake websites). Furthermore TOT DNS servers are well-known for causing unstable browsing behavior. This is why you will often read the advise to change your DNS server settings to something else (openDNS, Google DNS, dnsAdvantage, ...).

Are you sure you didn't change those settings yourself after reading here about it? :) Maybe somebody else did for you?

There is actually 2 ways for your router to determine DNS server settings. Default setting is that those are retrieved automatically from the provider (TOT) - same as the router's public IP address. You can manually override those default settings in the router's configuration interface. If you change to the details or settings page on your Thomson Speedtouch you should see which option is activated. I would be surprised if TOT assigns the Google DNS by default...

There is 2 basic steps to secure your router:

  • change the default passwords for all user with admin privileges (default password for TOT modems is admin/tot)
  • change wireless security mode to WPA or WPA2 (-PSK)

welo

You can run the following command from the command line to get some basic info on any IP address:

 C:\Users\welo>nslookup 8.8.8.8
Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:	google-public-dns-a.google.com
Address:  8.8.8.8

Get TOT's DNS server adresses...

 C:\Users\welo>nslookup dns1.totbb.net
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:	dns1.totbb.net
Address:  203.113.5.130


C:\Users\welo>nslookup dns2.totbb.net
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:	dns2.totbb.net
Address:  203.113.7.130

Link to comment
Share on other sites

I am running Spybot SD, Commodo Firewall (activate stealth port wizzard) and CCleaner from a clean install.

No Anti Virus at all.

Run Hijack This and Hitman Pro about twice a year and never had any issue.

Also a few good tools at GRC.com.

Also do not forget to disable some dangerous services running in the background, just Google for unneeded Windows services or check GRC.com.

and deactivate before you connect to the net.

Make sure you have all the latest updates installed from these programs and your unneeded services shut down before you connect your fresh installed machine to the net.

Run updates frequently and you should be fine.

(I was running Zonealarm before as a firewall and got plenty of sh!t coming through).

:)

Link to comment
Share on other sites

Hi

Go buy a real anti virus program, its cheap as well, dont need to be a cheap charlie when it comes to PC,, ohhh maybe you guys like to get a virus now and again

Dude, how about being a cheap charlie and not having to worry about viruses anyway?  Heard about Linux?  Duuh... :)

But then again riding a hog you will be overly familiar with the idea of getting charged silly money for antiquated technology.  :D

Do i have to say anything, Duuh

http://en.wikipedia.org/wiki/Linux_malware

Link to comment
Share on other sites

Go buy a real anti virus program, its cheap as well, dont need to be a cheap charlie when it comes to PC,, ohhh maybe you guys like to get a virus now and again

All the programs I've listed are 'real'.

Those are free versions of commercial software products that are identical to their 'paid' versions in their core functionality, detecting malware. The main difference is that the paid versions contain a real-time shield/guard, which is of no real use in case of an already infected PC.

Of course not everything in life is free, and developing and maintaining an antivirus product requires serious efforts and therefore funding. However, some companies give away their product for home (non-commercial) use for free in order to promote their product or for other reasons.

Avira Antivirus Free might not be THE best antivirus, but this title probably changes on a weely bases anyway (if there were a reliable way to determine a winner in the first place), but it's definitely one of the best.

Malwarebytes has definitely one of the best anti-malware databases and is regularly recommended for malware removal. It is even (unofficially) recommended/used by Symantec (Norton) Tech Support.

Kaspersky has excellent reputation for years, and offers a rescue CD and a removal tool for free which uses again the same scan engine as their paid version, but offers no real-time guard.

Hitman Pro is a cloud-based virus scanner which is only targeted at malware removal, not at prevention/protection. The company names the product a '2nd opinion' scanner. It uses a completely new approach to scan a PC fast and efficiently and uploads suspicious files to a computer network (cloud) where the file is scanned by 5 major antivirus engines. It offers a 30-day trial period which is sufficient to clean an infected PC.

However, I do recommend to secure your Windows PC by

  • keeping your Windows OS up2date
  • staying away from pirated software and malicous websites; using a web browser other than IE, install WOT addon, using caution with any kind of download
  • disabling the autorun feature for all drives
  • turn on Windows Firewall (or use another personal firewall)***
  • installing a good pro-active antivirus tool (paid or free)**
  • running a second on-demand malware scanner once or twice a month (free online scanner, or free desktop versions, or paid)
  • (backup your data regularly to DVD or 2nd/external HDD in multiple versions)

**I recommend against the use of AVG since detection rates have deteriorated over the last years.

***this is especially true if you have a laptop with wireless and might connect to different networks than your own

welo

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...