Can't shake this virus!
Results 1 to 10 of 10

Thread: Can't shake this virus!

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324

    Can't shake this virus!

    I can't shake this virus. I'm not sure even which one it is.

    I get some reports that it is trojan agent.ba from trendmicro online scan, and just downloader trojan from NAV.

    I have disabled system restore, rebooted to safe mode w/networking so I can download all updates.

    I've updated all definitions for NAV, The Cleaner, Adaware, Spybot, CWShreader and Trend Micro. All the applications come up clean in safe mode. When I reboot to regular mode it finds the virus right away and can't remove it. It keeps changing the filename and I can't track this sucker down.

    I'd run a hijack this, but I'm in the middle of another scan...

    Any suggestions?

    It is on a client's PC and I'm supposed to give it back tomorrow... hopefully I can shake it tonight. I don't want to do a full reload... after all the time I've spent on it so far...

    Oh, I can't get symantec to get fully updated either. Symantec redirector fails and I can't update the rest of NIS 2k3 without that update...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Phish,
    Try Swatit, http://swatit.org/. It is one of the best trojan removers I know of. It does take a long time, but it goes really in depth through your system.

    And its free.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    moxnix:

    Thanks for the suggestion. I'm going to run it now.

    Hopefully that'll take care of it... this is driving me crazy.

    I've never had this much trouble getting rid of malware on PCs...

    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    someone else seemed to have this problem and following the advice given at the site given below was successful in removing it. response 23 seems to do the trick.

    http://www.computing.net/security/ww...rum/12291.html
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    The manual removal that tedob1 referenced cleared it up.

    I'm still running swatit just in case...

    I've been bugging with that thing for hours now...

    Thanks you two!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Just to make sure you didnt miss any good ideas:
    http://www.antionline.com/showthread...702#post768817

    Get us that HJT log when you can... I know groovicus is an ace when it comes to checking those.

    If this is smart malware, try more obscure tools to gather startup information like the ones here:

    http://www.sysinternals.com/ntw2k/fr...autoruns.shtml
    http://www.spywareinfo.com/~merijn/f...tartupList.exe

    Also, take the box off the web and leave it on a network, try port scanning it and netcat-ing to any suspicious ports to help fingerprint the virus. Sniff the trafic for any mass-mail attempts, and try some file monitoring as well.
    http://www.sysinternals.com/ntw2k/source/filemon.shtml

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Soda:

    I did try using a couple of different tools.

    Filemon and Regmon along with some other normal tools.

    netstat -an, tcpview, fport, norton firewall logs, etc.

    It was hard to trace it down, but I finally got it removed.

    Thanks again!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Senior Member MadBeaver's Avatar
    Join Date
    Jul 2003
    Location
    Bath, Maine
    Posts
    252
    If your Nav still isn't up updating try deleting the Update log files. I had to do this on a 2000 server to get to complete updating once.

    What finaly got it?
    Mad Beaver

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    MadBeaver:

    I uninstalled, rebooted, deleted any folders it left behind and reinstalled.

    I think the virus was preventing it from updating? Not sure why it wasn't updating...

    It was Norton Internet Security that couldn't update because the Redirector was failing.

    Norton Antivirus was updating just fine.

    Dunno what the problem was... but its fixed by reinstall of NIS2k3
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Something that may help in the future. Next time you get one of these mutating files that you can't identify, go to one of these two sites:

    Virus Total,
    or
    Virus Scan

    And they will allow you to upload the file to be scanned by several different scanning engines. Then it is usually just a matter of surfing to the appropriate site and finding the tool that targets that specific infection.


    http://www.pandasoftware.com/download/utilities/
    http://www.ravantivirus.com/pages/download.php
    http://securityresponse.symantec.com...ools.list.html

    Other AV sites have free tools available also, you just need to dig for them.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •