Results 1 to 8 of 8

Thread: Question about a virus

  1. #1

    Question Question about a virus

    I had a client bring in his computer and said he could not get it to do anything at all. He stated that the last thing that it had done is come up with a blue screen and that was it. He was running Windows XP home sp2 updated. Well after hooking it up I could not get any of my diagnostic programs to work on boot up. So I decided to try and boot a linux distro to ram which worked. After searching through the harddrive on the computer I noticed that there were tons of files that were renamed or missing. He had Norton's and Mcaffee both on it and all the files in these folders were renamed with names that were very vulgar (i.e. s**thead, F**k You, etc..) well after getting into his registry I noticed that it was totally destroyed. Now this is the first time that I have ever had a computer that came to me that had every file renamed and the registry trashed that would ban any diagnostic check from running. I was wondering if anybody else has ever seen this type of virus of was it something new? I wasn't able to capture it to disk as it kept changing its own file name.

  2. #2
    Join Date
    Jan 2004
    You could put that hard drive in another computer and run antivirus on it from there.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    I'm guessing his machine got infected with some backdoor and consequently got "0wn3d" by somebody..

    I think you're better off saving some of the important data and start from scratch..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Hi, I will go with SirDice on this one.

    What you are describing is a typical "vandal" attack, not a worm or virus............there is no intent to spread or replicate, just to destroy?

    Save what you can, reformat & re-install............

    And make sure that he has a firewall and AV next time.

    Also, http://www.diamondcs.com.au

    Get "RegistryProt"........it is free............the default answer, after you have set it up, is "no"...........then if stuff doesn't work say "yes"....................

    Try to capture it..................and zip a copy and PM it to me, I will take a look ............sounds like it has some sort of polymorphic engine?

    Good luck

  5. #5
    Thanks for the replys

    I finally found out that it was trying to connect to the net-- so I tagged it and followed it and noticed that it was trying to ddos a server in korea. I wasnt able to capture any of the "Mean Files" but I did get it fixed and told the owner about the problem and advised him to get an antivirus other then Mcaffee or Nortons.

  6. #6
    Senior Member
    Join Date
    May 2003
    he doesnt have to get another antivirs. chances are he had both so they were confliting with eachother and both finally gave up. remove one and the other will probably work fine.
    Everyone is going to die, I am just as good of a reason as any.


  7. #7
    Senior Member
    Join Date
    Feb 2004


    Also remind your client to update their antivirus often!
    Well...its not gonna get much better than linux!

  8. #8
    Join Date
    Apr 2005
    I suggest:

    1. Get/copy/salvage all working data in the HD;

    2. Low-level format the HD and then restore the work data as recovered, after the OS was reinstalled. If your client is sticking with the partition, then do the partitions as originally done before the data restore.

    3. Have the firewalls and the AVs up and then let it go. You m,ight as well check if the user's ISP is dedicated to that vulnerable default URl, if indeed there is, and change it.

    4. <Mind, you might as well educate the user regarding running the standard diagnostics and the updates needed for the anti-virus, firewalls, spyware and adware watchers/cleaners, etc.>

    I just noticed that some users are just that... users, like the jockeys who don't care if the horse is well-fed, as long as it runs. Computer users are <mostly> similarly inclined; they wouldn't care what ails the system as long as it works. Somehow, they need to be reminded that they need to get updates for the software they use and to do the diagnostics themselves so that when they encounter something that mystifies, then they should consult the more knowledgeable ones like here, in AO.

    <Tongue-in-cheek>! I was reading about JP's ruminations and every other one else ... was AO better then than now, indeed? Please pardon this irrelevance/irreverence, MsM and Neg.
    Si vis pacem, para bellum!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts