Virus

[jahbulon.livejournal.com]

My laptop has a bug.

Its a real bastard :

Can't browse to antivirus sites, in fact if you type in the name of any antivirus products into a search engine and hit submit, it closes the window.
It won't let me access the windows firewall or security center settings.
I can't access the firewall via the command prompt.
The processes window in the task manager comes up blank.
Won't let me install AVG.

I just installed windows on this machine a week ago and haven't installed any antivirus. Anyone know what it is? Anyone know an online scanner that might not be programmed into this little bastard?

Edit : After rolling XP back to SP1 Ad-Aware now picks up 31 objects. A bunch of Alexa trackers, two windows vulnerabilities listed as regedit access disablement. When the regedit disablement is removed, regedit is still unavailable. I'm pretty sure this is a virus rather than spyware.
Considering I have the latest windows updates, have not opened any email attachments, have been running the windows firewall every time I've been connected and have only been connected for short periods browsing fairly inoccuous sites, I'm going to have to assume its some sort of worm.. It seems made for SP2.

Comments

[jahbulon.livejournal.com]

I think you're right dude.. Bootable AV cd gonna be the way to go.. Is it an in-built function of Norton et al to create one of these CDs?

I couldn't network it with another machine, I think due to SP2 being installed. I just rolled that back and going to see if I can network and use one machine to scan the other. Wish me luck.

[swwinchester.livejournal.com]

OK. It's almost definately spyware, although there's a few viruses that tend to do the same thing. Your best - hell, in all honesty, your ONLY bet in this case :

Safe Mode - Control Panel - Internet Options. Under the programs tab, there SHOULD be a button that will let you see EVERY BHO and whatnot loading with your browser. Very neat little tool that Microsoft threw us in SP2. Also, I'd strongly reccomend that in safe mode you check your startup sequence via MSCONFIG, in particular your non-microsoft services, kill anything that shouldn't be there, kill any normal programs starting with the system that shouldn't be there, and pray that lets you get things going. You may or may not need to clean up the hosts file, it depends on HOW this thing is redirecting and killing your browser.

Failing that, you're going to be installing AVG from Safe Mode.

Failing THAT, well, I hope you like installing Windows. ^_^;;

I will NOT ask you what in the bloody hell you were doing operating with your pants down like that, as I really, really don't want an answer.

[teraflops.livejournal.com]

That's a virus. There's a bunch of them that'll do exactly what you're seeing out there right now. Nasty little buggers, too.

[jahbulon.livejournal.com]

That is so very helpful. :)

[teraflops.livejournal.com]

Heh, sorry. I figured the prior replies pretty much covered remediation steps.
Safe mode might let you run stinger. Barring that, like hereticorp said, a bootable A/V CD, and/or an AV program that the virus doesn't know of, is probably going to be your best bet.

[jahbulon.livejournal.com]

And holy crap, I have that little dragon figurine in my bedroom.

[teraflops.livejournal.com]

Aww, he sure is a cutie. I've got a few of these little guys on Monitor Lizard duty right now, but I don't actually have the pocket dragon that's in my icon. Yet ;-)

[omicron32.livejournal.com]

http://getfirefox.com

Use that to get your AV software or whatever you need.

Then proceed to use it forever because it's not prone to the exploits IE is.

Accept no substitutes. IE sucks.

[jahbulon.livejournal.com]

Thanks, but isn't that completely irrelevant?

[blackrat.livejournal.com]

Not really.. I'd wager IE had a hand in getting your poor puter into this mess - once it's cleaned up (one way or the other), your best bet would be to use Firefox to avoid* the same sort of thing happening again.


*or, at least, lessen the chance considerably

[jahbulon.livejournal.com]

Well your wager is incorrect. But thankyou for suggesting I download a browser in order to remove a virus.

[jahbulon.livejournal.com]

Firefox tells me connection refused when browsing to the domain housecall.trendmicro.com but the window closes when browsing to the IP.

[eightofspades.livejournal.com]

Did you check your host file?

[blackrat.livejournal.com]

When did I suggest that?
(And, furthermore, what would be the point in regurgitating that which others have already covered?)

[jahbulon.livejournal.com]

Ah, you didn't. Guy before you. Nm.

Stupid viruses.. They piss me off.

[blackrat.livejournal.com]

Yes. Yes they do.

Amusingly, a friend (who doesnt work in this particular examples IT dept) tells me that their Co. (Win2K based) just got hit by Blaster. 900+ infected PC's.

You know, that one that has been out over a year now, and updating to SP4 + a few simple windows updates removes the vulnerability..

It's funny because we don't have to clear up *that* mess ;)

[jahbulon.livejournal.com]

Jesus Christ... I still get people calling with Blaster, but generally after they reinstall windows.. 900 machines? The admin should be shot!

[omicron32.livejournal.com]

You said IE shut when you were browsing webpages... so not really.

And anyway, I take every oppertunity I get to promote alternative browsers.

[jahbulon.livejournal.com]

Preaching to the converted:)

[omicron32.livejournal.com]

Everyone is guilty of using IE until proven otherwise.

Get your friends using it, your friends friends, your parents, their parents, everyone. Do not rest until no one you know uses IE.

...And if you can, get them to switch to Linux too. :P

[jahbulon.livejournal.com]

As soon as Linux just works, in an immediately accessible way, and is compatible with most other softare, I will switch.

/Seriously hate microsoft
/Give me convenience or give me death

[omicron32.livejournal.com]

I'll admit it doesn't 'just work' yet, but it sounds like you haven't tried it for a while. It's really coming along now. (Game support is still a minus if that's your thing - though UT2k4 and Doom3 are some pretty high-profile ports recently.)

I'd recommend trying the new SuSE 9.1 / 9.2 as I've heard that's pretty close to 'just works'.

I personally use Gentoo (http://www.gentoo.org)... I like it hard. ;)

[jahbulon.livejournal.com]

Hahaha.. I refer you to the song by Three Dead Trolls in a Baggie, Every OS Sucks :

I've got a girlfriend and things to get done, the linux OS sucks! Sorry to say it, but it does!

Want games, will windows... Also the networking/file-sharing capabilities of XP are something I actually like.. Home networking is easy as pie, but that is all I use it for.

Can you plug an ethernet cable into a linux box and have access to shared files at the click of a button?

[omicron32.livejournal.com]

Corporate networking is as easy as pie with Windows, too. (I manage 500 WinXP clients and 5 Win2000 servers... As well as 10 Linux clients and a server :P)

It's not as easy as plug'n'play to share files, but then again it isn't in Windows. If it is, it shouldn't be because then it turns into a security risk.

Linux networking - at least with NFS - is as simple as editing /etc/exports on your server, and /etc/fstab on your client. Now, that's simple as pie for me, but I do see where you're coming from.

Still, you should still try it before you knock it.

[abstrak-tokatl.livejournal.com]

go to dozens of porn sites and enjoy your self.

[hamilton.livejournal.com]

check your hosts file for entries that send the wriong IP for the AV sites. There are visuses that will edit this file so you can't reach AV sites. Clean out any entreis you don't know are good. Here is an example of a good host file.


The location of this file on XP is,c:\i386 you will need to search for it on different systems.


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

c:\i386

[loosechanj.livejournal.com]

ITYM %systemroot%\system32\drivers\etc

...

[teriwyn.livejournal.com]

The fact that it closes the browser when even trying to type a search for popularly named AV software makes me think this might not be the case.

Try to browse to AV online scanners by IP?

Re: ...

[swwinchester.livejournal.com]

Oh, no, this still might be the case : I've seen a hosts file that actually goes and calls a local .html file that contains a javascript to close the window whenever you try to go to any of the sites in the hosts file. Pretty evil.

Re: ...

[jahbulon.livejournal.com]

Its not the hosts file, I edited that and it still closes the browser windows.

Access to regedit is disabled also. Ad-Aware finds this hack and removes it but then I am told I do not have enough permission to run regedit.

Re: ...

[swwinchester.livejournal.com]

The instant I hear the words "I no longer have enough permission", your only real sure-fire bet is to wipe the machine - it'll actually be faster and less painful. This is now time to 'cut your losses'.

This time around, my only suggestions are - you put firefox on right after you run windows update, you get AVG running within one reboot of that, and better luck this pass around.

Re: ...

[jahbulon.livejournal.com]

'cut your losses' is a concept I have to explain to my friend helping me here. He's the kind of geek who won't let go :)

I think I'm going to have to reinstall. What a crock. I brought my machine in to work to play starcraft on the LAN. I wanted fun and gaming, not frustration and geekery.

CASTRATE THE VIRII AUTHORS AND FEED THEIR GENITALS TO FLESH-EATING BACTERIA

Re: ...

[swwinchester.livejournal.com]

Your pain is felt. I used to deal with these things regularly. Geek Squad mantra is "DO NOT RESTORE IT". Well, we learned that the mantra has it's limits.

And that machine, as of right now, would be where we'd be pronouncing it 'in need of rebuild.'

If required, take a large, blunt object, and strike the geek helping you. Not hard enough to kill, just hard enough to knock senseless. Then start the wipe and restore before he gets back up.

Re: ...

[jahbulon.livejournal.com]

Hahahahaa good suggestion. Goddamn XP. If this were 98 I could boot into DOS.

Re: ...

[swwinchester.livejournal.com]

... OK, if it were 98, yeah, you'd have your DOS and command line scanner. Nice and effective tools, they were.

At the same time, have you EVER tried to clean spyware out of 98? It's insane. One invariably feels like a dentist trying to extract a few bad teeth, and accidentally taking the whole damn jaw - but somehow managing to leave some good teeth in there. They're pretty useless by that point, but they're there.

[eightofspades.livejournal.com]

Just for your reference, Hamilton, the one windows uses is in ogw's reply.

Definately 0wn3d

[coyoteden.livejournal.com]

You're seeing two different ways of preventing a removal: Host file blocking of sites and closing windows with certain words in the title.

First, boot into safe mode.

Now at the run box, type 'notepad \windows\system32\drivers\etc\hosts'
take out all the lines redirecting variuos sites to 127.0.0.1

Next, run msconfig and turn off ALL startup items.

Boot normally and you should be able to get some sort of antivirus on there. Update it and do a full system scan before turning startups back on.

Re: Definately 0wn3d

[jahbulon.livejournal.com]

Oh yeah, msconfig won't run. This is a hardy bugger. It's blocked access to all system config tools and websites which might help, and it seems to have done both those things using multiple methods.

I am so frustrated I want to scream.

Re: Definately 0wn3d

[coyoteden.livejournal.com]

won't run in safe mode?

wow, that is in there deep.

do this
run > "cmd" to get a shell

cd \windows\system32
copy taskmgr.exe task.com
task.com

that should start the task manager as a differently named process, and you can kill it from there

it might also be in as a system service. run "services.msc" and look for suspicious ones.