A puzzling virus

Printable View

November 9th, 2004, 01:01 AM
Cpt. Commander

A puzzling virus

My friend has gotten what he believes is a virus on his computer. He said he was downloading a file off of sharaza (like Kazaa, but supposedly more secure....yeah right) and the XP SP2 virus detection program thing instantly detected the Krepper worm. He ran AVG, and it detected it, but it couldn't remove. He then found a removal tool online, he ran it, then it tol him to restart. He did, and now he can't log in at all. When he tries logging it, it will get so far as "loading personal settings" then blink and start logging off. He has tried hitting F8 and going into safe mode as well. We would much appreciate it if anyone has any good info to help us. I have been researching it through Google, and I feel I have a decent understanding of the Krepper worm, and have taken precautions from letting it propagate to my other friend's computer on the network, but we are still stumped as to how to get into his computer and remove it. Thanks for any help.
November 9th, 2004, 01:15 AM
jinxy

A quick and dirty answere is, if the box is continualy rebooting at the login screen the chances are that the registery has been damaged some how. This is fairly easy to fix using your xp disk and the recovery console. Unfortunetly i have not got the details to hand at the moment.

One of the other members here may have. I'll check back later and if a fix is not available i will dig around to see if i can find one for you.

Jinxy
November 9th, 2004, 01:22 AM
nihil

Quote:

He then found a removal tool online, he ran it, then it tol him to restart

Yes............which tool.............from where?............I guess there is one born every minute? I would like that information though.......

The obvious solution is to format and re-install.

Please do not expect the RIAA or MPAA to play by rules other than of their own making.

I guess that line above is one of those "satanic verses" that get inserted into good guys posts?

As he cannot boot, he has a problem to start with?..............sure there are solutions, but how important is his data?..............I can give a recovery option, possibly, but it will be a bit long winded, so I would like to know what the requirements are first.

cheers
November 9th, 2004, 02:02 AM
jinxy

To use the recovery console to restore a damaged regestry read this:

http://support.microsoft.com/kb/307545
November 9th, 2004, 02:07 AM
Cpt. Commander

Alright, umm, just a few things. It doesn't "reboot", it just logs off back to the login screen. Also, he doesn't remember the tool, sorry. So, this recovery console thing sounds like our best option. I guess we are gonna try it. Thanks guys.
November 9th, 2004, 02:35 AM
Und3ertak3r

Had this a few week ago.. WSUpdate is the Malware involved do a google on that..

there is a renamed system file .. There is another thread in the SPYWAR/ADWARE forum on this one.. go there and have alook..

you will need the winxp CD.. and you will find yourself useing the recovery console..
You will be renaming a file and the registry will need to be edited..
DONT do a warm install (install over).. you will most likley F##k the installation and lock out the users files...

BTW:

Quote:

XP SP2 virus detection program thing

what sp2 Virus detection thing..???
November 9th, 2004, 02:47 AM
Cpt. Commander

Service Pack 2 comes with a virus detection thing. Looking up that post in the spy/ad section now. Thanks for the post undertaker, cuz we were just about to install over it.
November 9th, 2004, 05:02 AM
moxnix

Quote:

Originally posted here by Cpt. Commander
Service Pack 2 comes with a virus detection thing.

Not that I am aware of. SP2 comes with antivirus program detection. If you don't have an antivirus program installed or have one that is out of date it will prompt you to take care of it, but it doesn't have any kind of built in virus protections.
November 9th, 2004, 05:19 AM
Ghost_25inf

Heres what you can do.

1.) pull the Hard drive
2.) attach it to another Computer as a slave drive
3.) Run AV software to detect and remove the virus
4.) reinstall hardrive and remove all backups of XP on the PC
5.) Dont use any more peer to peer sites (free always comes with a price)!

Also Recovery console may not work because the virus might have infected the Registry and any last good boot will also be infected. but what I posted up above has worked for me and it should work for you also.
November 9th, 2004, 10:19 AM
Und3ertak3r

Read this thread.. links to various discussions are covered in there:

http://www.antionline.com/showthread...hreadid=262034

The second post has the info..... but read the story first..

I am thankful that I post these little encounters from time to time..

good history resource..

cheers
November 9th, 2004, 10:21 AM
Spyder32

He's probably referring to an A/V software that just comes with it such as Norton or McAfee (correct?). If not, then I dunno what he means by a pre-installed A/V system that comes with SP2.
November 9th, 2004, 10:53 AM
MrBabis

I got same problem few times and here is soultions:

1) I am agry with Ghost_25inf
2) Run repair/install of you xp agane
here is some info about how to do it
http://www.webtree.ca/windowsxp/repair_xp.htm
http://www.michaelstevenstech.com/XPrepairinstall.htm
November 9th, 2004, 11:50 AM
Und3ertak3r

Points to note: AVG.. (also NAV, and CA-VET) won't delete Malware that is inside archives or executable archives..

This is a common theme with people complaining that X AV couldn't remove the virus or cant or what ever.. The people aren't able to, don't want or don't know how to read the antivirus logs to find out what is happening..
The detection logs tell you reams about the infection.. and in this fellows situation.. the virus was probably inside file an archive.. and therefore could not be removed..

Most people when they see the Virus found message start to panic, and when the the AV prog gives the .. "Virus can't be removed" message that trips them completly..
Had a friend who found an "Update"for a game he was playing, and enjoyed his gameing so much, that when the AV could Not CLEAN the Virus from the Patch, tried i3 other AV programs, until he got one the said it cleaned it.. ** cough *** well the patch was a keylogger, the anti virus prog was just a load of spyware.. I don't know which was harder to remove.. the Trojan or the family of spyware..

The warning that our friend encountered could have been one of several parts of the SP2 actions.. one of the components is suppposed to identify attempts for virus like programs to run, not to mention the firewall blocking suspect outbound.. .. so i appologise for questioning that statement earlier..
So yes there is a AntiVirus Thingy in SP2.. not my idea of an antivirus prog.. and likly that it warned too late.. we probably will never know..

cheers
November 9th, 2004, 01:42 PM
AxessTerminated

Sophos Virus Definition

When Windows XP just "logs off" it usually has something to do with the registry...often activation, though that doesn't seem to be the case here.

Quote:

Troj/Krepper-G is Trojan which changes browser settings, downloads and installs/runs new software and modifies the HOSTS file to redirect internet searches.
The Trojan copies itself to the Windows\inetdata folder as services.exe and creates the following registry entries so as to auto-start on user logon or system start.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xp_system = c:\windows\inetndata\services.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xp_system = c:\windows\inetndata\services.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = "C:\\WINDOWS\\inetdata\\services.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(5321E378-FFAD-4999-8C62-03CA8155F0B3)

HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"

that's from: http://www.sophos.com/virusinfo/anal...jkrepperg.html