

Virus again.



Hi all,

 

Got a friend's laptop here that is riddled with Antivirus pro. Have connected it to my wireless network and the signal is excellent. Problem is, when I try to go to a home page, it tells me "The connection has timed out" all the time. This is both with Firefox and IE. I have a feeling that the virus (which also keeps turning the page around) is stopping any websites from connecting. I have tried to install Malware Bytes from a pen drive, but that keeps failing too.

 

Any ideas?

 

 

If all else fails, kick them where it hurts and SOD'EM;)

 


I have managed to get Malware Bytes installed and found numerous viruses and successfully removed them. Also, AntivirusPro has now gone. I still can't get on any web pages though. I can't see any traces of infection, but anytime I open IE or Firefox, it will not display the home page (even when I have changed the home page to Google). I am connected to the internet. It says Signal excellent and connected. I am confused now.

 

 


This is from Safer Networking:

 

"Announcing support for Google's new browser Chrome 3 September 2008

 

About 24 hours ago, Google made a beta version of their own browser, Chrome, available to the public.

From a privacy standpoint, we neither like to see GoogleUpdate permanently in the background nor those anonymous usage statistics it wants to send home, but since it's open source, we're hoping for free cleaned-up clones.

From a security standpoint, the idea of restricting rights of browsing processes is something we hope to see spreading to other browsers as well, since we fully have to agree with this precaution (see for example Alter Ego).

 

But the reason to write a news article about it today is not for adding our opinion on Chrome to the mass of other opinions already out there, but to announce support for Chrome in Spybot - Search & Destroy. As soon as Chrome was available, we started digging into it and have now finished support for scanning and cleaning Chrome cookies, bookmarks and history (thanks to the similarity to Firefox, that was actually no big deal). Immunization is pending and depends on Chrome's capabilities for that. You can subscribe to the Chrome support feature request or watch our beta forum if you are interested in the progress."

 

You're covered, Bookie. Click on the 'beta forum' link, it's a forum worth subscribing to.

Edited by Conniff

Reinstalling windows is the only way to guarantee it being clean.

The above post constitutes my personal opinion on the facts in the post compared with my personal knowledge of the applicable legislation. I make no guarantees of its legal accuracy. If you are in doubt seek advice of a legal professional specialising in the area concerned.

 

If my post has helped you please click my scales!


If anyone is interested, Spybot now comes on its own CD and is a boot CD with its own Windows startup so does not require any access to the Windows on the hard drive or anything that is on the hard disc to load.

 

With the hard disc being completely 'cold', if there is anything hiding on it, it can have no effect on the scan by Spybot whatsoever. It does cost a tenner, but comes by registered post and is really worth having.


I have Spybot teatimer protection running in the background, and you can "lock" so that the browser/homepage can't be changed without admin permission. Not sure if only compatible with IE though, I need to check myself since I now run Chrome, lol.

 

imo

'teatimer' is a known resource hog and is known to cause crashes. it's an old timer, but Spybot's passive protection is still quite good. there are plenty of other progs that protect/lock the homepage without the resource use, if that's all that is needed. other, more effective, 'realtime' protection software is widely available for free. using 'teatimer' together with a realtime Antiv is not a good idea.


the best way to get rid of these spoof anti-virus progs is to run combofix in safe mode from a penstick with a wired internet connection.

you can do it via wireless too but wired is better

 

dx

please don't hit Quote...just type we know what we said earlier..

DCA's view debtors as suckers, marks and mugs

NO DCA has ANY legal powers whatsoever on ANY debt no matter what it's Type

and they

are NOT and can NEVER  be BAILIFFS. even if a debt has been to court..

If everyone stopped blindly paying DCA's Tomorrow, their industry would collapse overnight... 


:wave:

 

dx what is combofix ?

 

Reinstalling windows is the only way to guarantee it being clean.

 

No it does not

 

It depends what has latched on to your entire system.

 

I have in the past removed C drive (actual harddrive) installed new harddrive installed Windows and all my program files from CD. Only to get the same infection back. I had disconnected my computer from home network and internet. Hence infection was embedded in saved data on other harddrives and re-infected new C drive.

 

 

:-)

 

 

dk

Edited by dragonkeeper
to ask dx a question

No it does not

 

It depends what has latched on to your entire system.

 

I have in the past removed C drive (actual harddrive) installed new harddrive installed Windows and all my program files from CD. Only to get the same infection back. I had disconnected my computer from home network and internet. Hence infection was embedded in saved data on other harddrives and re-infected new C drive.

 

Yes it does.

 

You might have reintroduced the infection from the saved data on the CD, maybe one of your programs was a trojan or something, but the windows install would have been cleaned, as I said, unless you fdisk and format all the drives in the machine and reinstall Windows from scratch the infection may well reside still on the machine.

 

You can probably clean it without going to that extent in some cases, it depends what has got on there and how good your software is at detecting it. Personally I think your anti-virus fails the second it lets an infection on because it isn't doing its job properly (or doesn't have good enough heuristics) and you can take precautions as well - updating to Vista or Windows 7 if you don't have it, and leaving UAC on helps a lot because only things you trust or asked for you elevate. Don't download software from unofficial sources or use warez because it might have a trojan as well. Don't use IE - I use Firefox with Adblock Plus and Noscript and block most ads and javascript except from sites where I trust them and the javascript is needed for the site to work, and Flashblock replaces all flash items with a play button so you don't load those either. I've never had a virus.


:wave:

 

dx what is combofix ?

 

dk

 

Download ComboFix from Here to your Desktop.

 

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

 

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished

--------------------------------------------------------------------

2. Close any open browsers and any other programs you might have running

 

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"

Please select yes & let it download the files it needs to do this

When finished, it will produce a report for you.

 

 

 

also on the front of this reloading a virus from files saved to an external drive:

 

SO many many people do not have 'show files extensions' & 'show hidden files & folders' enabled in tools/folder options/view of 'my computer'

ideally you should also have 'show hidden system files & folders' enabled [re:autorun.inf files later]

 

this allows files [typically pictures or mp3's] to exist with an extension of .jpg.exe.

if you've not got show extensions enabled, you won't see that.

it will just appear as picture.jpg

don't forget that a . is now allowed in filenames!

 

these are of course the trojan virus that re-infects you.

 

this is done in conjunction with a file that sits in the root of the drive called:

autorun.inf.

 

if you find this file in the root of ANY external drive or penstick, DELETE IT!!

 

ideally this file should not be in the root of ANY drive on your system, even the boot device!!

 

 

now, removing and/or formatting discs that a virus has existed on

particularly your system hard drive.

 

don't forget that windows registry hides itself and a normal FORMAT will NOT delete this hidden backup.

 

so you put your windows disc back in and reinstall 'clean' and sometimes the beasty or its payload instructions are STILL THERE in the registry and get put back in!

 

all it needs to do is find the file it needs 'on line' whilst you are browsing or after you access your 'saved' music or pictures etc etc. - bingo it's back..

 

use a dos prompt to format drives and always use:

 

format *: /u

 

where * is the drive letter.

 

one last point that relates to the above but is a very good general safety tip:

 

NEVER EVER browse the internet with an account or user that has ADMINISTRATION RIGHTS

[i.e. they are an 'administrator' on the PC being used]

 

this bypasses some of the basic but most important security aspects of internet explorer

i.e. activeX, script files, Java scripts & MS macros etc etc

by using the admin account they go straight in without warning, as

IE assumes as you are an 'administrator' you know what you are doing.

 

nuff for now

 

dx

siteteam

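The two checks dx describes above (an autorun.inf in the root of a drive, and files such as picture.jpg.exe that hide behind a second extension), as an added example that is not part of the original thread: a Python script that scans a mounted external drive or penstick from a known-clean machine. The extension lists, the function names and the sample files are assumptions made for the illustration.

```python
import os
import tempfile

# Extensions Windows will run, and harmless-looking extensions used as a decoy.
# Both sets are illustrative assumptions for this example, not an exhaustive list.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".avi", ".doc", ".pdf", ".txt"}


def is_double_extension(name):
    """True for names like 'picture.jpg.exe': a decoy extension followed by an executable one."""
    # Trailing dots/spaces are stripped because Windows ignores them in file names.
    stem, last = os.path.splitext(name.lower().rstrip(". "))
    _, decoy = os.path.splitext(stem.rstrip(" "))
    return last in EXECUTABLE and decoy in DECOY


def scan_drive(root):
    """Return (path of autorun.inf in the drive root or None, sorted suspicious files)."""
    autorun = None
    for entry in os.listdir(root):  # listdir also returns hidden files
        if entry.lower() == "autorun.inf":
            autorun = os.path.join(root, entry)
    suspicious = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if is_double_extension(name):
                suspicious.append(os.path.relpath(os.path.join(folder, name), root))
    return autorun, sorted(suspicious)


def demo():
    """Build a constructed sample 'drive' in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Photos"))
        for rel in ("AUTORUN.INF", "Photos/holiday.jpg", "Photos/picture.jpg.exe",
                    "song.mp3.scr", "report.v2.doc", "setup.exe"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed sample\n")
        autorun, suspicious = scan_drive(root)
        return (os.path.basename(autorun) if autorun else None), suspicious


if __name__ == "__main__":
    found_autorun, hits = demo()
    print("autorun.inf in root:", found_autorun)
    for hit in hits:
        print("double extension:", hit)
```

To check a real drive, call `scan_drive` with its mount point or drive letter and review the results before deleting anything.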

NEVER EVER browse the internet with an account or user that has ADMINISTRATION RIGHTS

[i.e. they are an 'administrator' on the PC being used]

 

this bypasses some of the basic but most important security aspects of internet explorer

i.e. activeX, script files, Java scripts & MS macros etc etc

by using the admin account they go straight in without warning, as

IE assumes as you are an 'administrator' you know what you are doing.

 

Or:

1. use a decent OS with UAC - even in IE, in Vista and Win 7, it will run in protected mode, i.e. without admin privileges. IE in Windows XP is pretty much useless security wise.

2. Use a decent browser (i.e. not IE).


:wave:

 

Thank you dx for info on combofix. :thumb:

Sod'em asked his question the ' oracle's ' of Cag answered with fix Sod'em up and running again. :whoo:

well done

 

 

 

 

 

forestchav :censored: _:deadhorse::whip: as for the install from CD, the CDs were shop bought program discs. :doh:

I have been building computer systems for 15+ years. The only shop bought computer is my wife's laptop, even that was bought without Operating system installed so that it could be personalised without having to format and clean the drives first.

 

As for browser it is personal choice and what you feel comfortable in using. :frusty:

 

I already know how to suck eggs.

:smash::typing:

 

 

:wave:

 

 

dk

Edited by dragonkeeper
adding (of Cag)

  • 3 weeks later...

I've tried several and Avast always seems to be the best...
