Results 1 to 7 of 7

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Growly
    Guest

    Default Virus Like Activity - but no Virus.

    hey there...

    Fixing a friends computer, he had the signs of virus:

    1) RPC shutdown
    2) Couldn't copy or paste
    3) Couldn't open links
    4) Couldn't open hotmail
    5) Couldn't update norton anrivirus
    6) IE would crash within 10 seconds of being run
    7) Couldn't manually shutdown from start menu or ctrl-alt-del (But i managed to use shutdown -s)

    Also, spyware going down, like messenger (the net service, not msn) messages being sent from randoms. I stopped this bye stopping the messenger service.

    Anyway- At first I thought it was Sasser or Blaster (old and new), but the fix programs for that didn't help. I used spybot and adaware (after painstakingly and slowly updating both) to get rid of about 130 nasties... but when it came to the virus...

    Norton Scan, after finally getting it to work (it originally wouldn't open at all when any button was clicked, and it wouldn't update either, but then I used shutdown -r to restart and it worked- so the definitions were updated when i scanned), found nothing after taking an hour. My friend said that it had kept popping up a few days prior with auto detect messages saying that there was an infection; ergo my surprise when it didn't find anything.

    Could this actually be a virus? or is it some sort of Windows problem (the not loading, etc)...
    I thought that at the lack of finding a virus would signal some sort of external threat, maybe someone reaching in each time and not leaving a virus? Maybe?

    Also, i used the shutdown -a to kill the RPC shutdown early, would this have stopped the virus running, or shut down the affected program, so that Norton couldn't detect it?

    I couldn't get the chance, but another friend with similar symptoms said that you couldn't go to the AVG site at all...

    Just some thoughts in there, though I'm not sure. I thought it was parculiarly odd.

    Anything would be appreciated, thanks.

  2. #2
    dumdum
    Guest

    Default Re: Virus Like Activity - but no Virus.


    He hasn't by chance got Zone Alarm 5. installed

  3. #3
    Pheonix
    Guest

    Default Re: Virus Like Activity - but no Virus.

    In case Nortons has been compromised, why not do an online AV scan as a "second opinion"? here

  4. #4
    Growly
    Guest

    Default Re: Virus Like Activity - but no Virus.

    No he doesn't have Zone Alarm, atleast not that I could see (taskbar, systray, process list)...

    Why?

    Oh, and the house call thing... I'll give that a shot next time, but I doubt it would be that. It may be, though.

  5. #5
    drcspy
    Guest

    Default Re: Virus Like Activity - but no Virus.

    well norton aint perfect, (indeed NO antivirus prog is), and recently I've seen very similar set of symptoms and after a bit of a fight I updated norton, which the client had on the puter, by doing a direct download of 'intelligent updater' from the symantec site rather than the built in 'liveupdate' function which wouln'dt work. anyway even tho the prog was updated and it scanned the system and said 'no virus' well I was still very suspicious so I side by side with norton installed avg and it FOUND a virus...........as I say nothings perfect......so do a different virus scan............perhaps download stinger and use taht is pretty good or download and use sysclean, (from trendmicro), it's also good and scans for quite a few more viruses than stinger.......both will run in safe mode too which is a help

  6. #6
    Gordon.
    Guest

    Default Re: Virus Like Activity - but no Virus.

    What you describe is something that I had to fix last week, this one is known to disable various security programs, IE will almost instantly crash, etc.

    Agobot - an IRC transported trojan

    An IRC backdoor Trojan and network worm W32/Agobot-IX is also known as:

    WORM_AGOBOT.GEN, W32.HLLW.Gaobot.gen, W32/Gaobot.worm.gen.d

    If it helps, I will post the removal instructions below, if nothing else it will allow you to search for the hklm keys and confirm or rule out this one.
    --------------------------------

    It copies itself to network shares that are protected by weak passwords. It
    then copies itself as winlogin.exe in the Windows system folder and then
    sets up the following registry entries so that it runs when a user logs on
    to the system and continues to run as a service.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run \
    WinLogin = winlogin.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
    WinLogin = winlogin.exe

    At every activation W32/Agobot-IX attempts to connect to a remote IRC server
    and join a specific channel. It then continues to run in the background
    permitting remote access by an intruder and may let him control the
    computer.

    The worm may be configured to download and install other programs on the
    system as well as to flood other computers with network packets. It also
    shuts down or disables several security programs and furthermore it writes
    to the host file preventing various IT security sites from being accessed.
    ----------------------------------------

    Replace the Hosts file from a backup or edit it in Notepad to remove
    the changes that the worm has made.

    You will also need to edit the following registry entries, if they are
    present. Please read the warning about editing the registry.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The
    registry editor opens.

    Before you edit the registry, you should make a backup. On the
    'Registry' menu, click 'Export Registry File'. In the 'Export range' panel,
    click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE entries:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run \
    WinLogin = winlogin.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
    WinLogin = winlogin.exe

    and delete them if they exist.

    Close the registry editor.



  7. #7
    Growly
    Guest

    Default Re: Virus Like Activity - but no Virus.

    Awesome, I'll try it out. Ofcourse, no one believes in me, and his father took it into his office foro the over-rated IT Techs to do it (pfft, if i hadn't had homework...)

Similar Threads

  1. Replies: 19
    Last Post: 12-02-2008, 06:04 PM
  2. Replies: 8
    Last Post: 02-01-2003, 12:47 PM
  3. Replies: 4
    Last Post: 28-05-2002, 09:16 AM
  4. Replies: 3
    Last Post: 21-02-2002, 06:55 PM
  5. Replies: 2
    Last Post: 10-12-2001, 04:00 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •