May 23rd, 2005, 05:31 AM
Question about a virus
I had a client bring in his computer and say he could not get it to do anything at all. He stated that the last thing it had done was come up with a blue screen and that was it. He was running Windows XP Home SP2, updated. Well, after hooking it up I could not get any of my diagnostic programs to work on boot up. So I decided to try and boot a Linux distro to RAM, which worked. After searching through the hard drive on the computer I noticed that there were tons of files that were renamed or missing. He had Norton's and McAfee both on it, and all the files in these folders were renamed with names that were very vulgar (i.e. s**thead, F**k You, etc.). Well, after getting into his registry I noticed that it was totally destroyed. Now this is the first time that I have ever had a computer come to me that had every file renamed and the registry trashed, which would ban any diagnostic check from running. I was wondering if anybody else has ever seen this type of virus, or was it something new? I wasn't able to capture it to disk as it kept changing its own file name.
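The post above examines the infected disk from a Linux live system and finds the anti-virus directories full of renamed files. The following is an added example (not code from the thread or from any product named in it) showing how that offline inspection can be made systematic: build an inventory of what is actually on the mounted volume and diff it against a manifest of relative paths and SHA-256 digests captured from a clean install of the same software. The mount point `/mnt/win`, the `compare()`/`build_inventory()` helper names, and every path and digest in the sample data are assumptions constructed for illustration.

```python
"""Offline integrity diff of an AV install directory on a read-only mounted volume.

Added example, not part of the original thread. Assumes the suspect disk is
mounted read-only under a live Linux system (e.g. /mnt/win) and that a manifest
{relative_path: sha256_hex} of the expected files exists from a clean machine.
All paths and digests below are constructed placeholders.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root):
    """Walk `root` and return {relative_posix_path: sha256_hex} for every regular file."""
    root = Path(root)
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file():
                inventory[p.relative_to(root).as_posix()] = sha256_file(p)
    return inventory


def compare(baseline, inventory):
    """Classify differences between a clean manifest and what is on disk.

    Returns a dict with:
      missing    - expected paths that are gone and whose bytes appear nowhere else
      renamed    - expected paths that are gone but whose exact bytes exist under another name
      modified   - expected paths present with different content
      unexpected - on-disk paths not in the manifest and not explained as a rename
    A vandal that renames AND alters a file shows up as missing plus unexpected,
    because rename detection here relies on the content hash being unchanged.
    """
    by_hash = {}
    for rel, digest in inventory.items():
        by_hash.setdefault(digest, []).append(rel)
    result = {"missing": [], "renamed": {}, "modified": [], "unexpected": []}
    claimed = set()  # on-disk paths already explained as renames
    for rel, digest in sorted(baseline.items()):
        if rel in inventory:
            if inventory[rel] != digest:
                result["modified"].append(rel)
            continue
        candidates = [c for c in by_hash.get(digest, []) if c not in baseline and c not in claimed]
        if candidates:
            result["renamed"][rel] = candidates[0]
            claimed.add(candidates[0])
        else:
            result["missing"].append(rel)
    result["unexpected"] = sorted(
        rel for rel in inventory if rel not in baseline and rel not in claimed
    )
    return result


if __name__ == "__main__":
    # Constructed demo tree standing in for the mounted AV directory.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Norton").mkdir()
        (Path(tmp) / "Norton" / "renamed_by_vandal.exe").write_bytes(b"scanner bytes")
        (Path(tmp) / "Norton" / "readme.txt").write_bytes(b"readme")
        clean = {
            "Norton/navw32.exe": hashlib.sha256(b"scanner bytes").hexdigest(),
            "Norton/readme.txt": hashlib.sha256(b"readme").hexdigest(),
            "Norton/defs.dat": hashlib.sha256(b"definitions").hexdigest(),
        }
        print(compare(clean, build_inventory(tmp)))
```

Run it against the real mount by replacing the temporary tree with `build_inventory("/mnt/win/Program Files/Norton AntiVirus")` and a manifest you generated with the same function on a known-clean machine; the `renamed` map is what tells you which original file each vulgar name used to be, which is useful for the write-up even when the plan is to wipe and reinstall.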
May 23rd, 2005, 05:53 AM
You could put that hard drive in another computer and run antivirus on it from there.
May 23rd, 2005, 10:00 AM
I'm guessing his machine got infected with some backdoor and consequently got "0wn3d" by somebody.
I think you're better off saving some of the important data and starting from scratch.
Experience is something you don't get until just after you need it.
May 23rd, 2005, 10:22 AM
Hi, I will go with SirDice on this one.
What you are describing is a typical "vandal" attack, not a worm or virus... there is no intent to spread or replicate, just to destroy?
Save what you can, reformat & re-install...
And make sure that he has a firewall and AV next time.
Get "RegistryProt"... it is free... the default answer, after you have set it up, is "no"... then if stuff doesn't work say "yes"...
Try to capture it... and zip a copy and PM it to me, I will take a look... sounds like it has some sort of polymorphic engine?
May 28th, 2005, 03:50 AM
Thanks for the replies.
I finally found out that it was trying to connect to the net, so I tagged it and followed it and noticed that it was trying to DDoS a server in Korea. I wasn't able to capture any of the "Mean Files", but I did get it fixed and told the owner about the problem and advised him to get an antivirus other than McAfee or Norton's.
May 28th, 2005, 08:16 AM
He doesn't have to get another antivirus. Chances are he had both, so they were conflicting with each other and both finally gave up. Remove one and the other will probably work fine.
May 30th, 2005, 09:01 PM
Also remind your client to update their antivirus often!
May 30th, 2005, 10:18 PM
1. Get/copy/salvage all working data in the HD;
2. Low-level format the HD and then restore the work data as recovered, after the OS has been reinstalled. If your client is sticking with the partition, then do the partitions as originally done before the data restore.
3. Have the firewalls and the AVs up and then let it go. You might as well check if the user's ISP is dedicated to that vulnerable default URL, if indeed there is one, and change it.
4. <Mind, you might as well educate the user regarding running the standard diagnostics and the updates needed for the anti-virus, firewalls, spyware and adware watchers/cleaners, etc.>
I just noticed that some users are just that... users, like the jockeys who don't care if the horse is well-fed, as long as it runs. Computer users are <mostly> similarly inclined; they wouldn't care what ails the system as long as it works. Somehow, they need to be reminded that they need to get updates for the software they use and to do the diagnostics themselves so that when they encounter something that mystifies, then they should consult the more knowledgeable ones like here, in AO.
<Tongue-in-cheek>! I was reading about JP's ruminations and every other one else ... was AO better then than now, indeed? Please pardon this irrelevance/irreverence, MsM and Neg.
Si vis pacem, para bellum!