#135663 - 05/02/04 10:01 PM Re: Need help with a virus
Jenny100 Offline
GB Reviewer Glitches Moderator
Sonic Boomer

Registered: 10/24/00
Posts: 34861
Loc: southeast USA
Quote:
Originally posted by Hagathaone:


This all started with me not being able to install a game because of the copy protection, and turning off Norton, and then going on the Internet for about 30 seconds before I remembered. The problems started shortly thereafter. And SASSER got into my system while I was on the 'net getting the AGOBOT scan. So the moral of the story is - if you have to disable Norton to install a game properly because of the copy protection, return the game for a refund and send a nasty note to the developer.
Actually there are a number of games that don't install properly with an antivirus running - and it has nothing to do with the copy "protection." It has to do with the antivirus detecting the installation as "virus-like activity" and blocking parts of the install so you get a bad install.

But it's important to realize you shouldn't connect to the Internet without some form of firewall or antivirus protection. Some of these newer viruses can infect without opening an email or doing anything other than connecting to the Net. If you "tend to forget," I'd recommend getting a hardware firewall that will at least block incoming probes.

Once you get your computer sorted out, you can check your firewall protection with the Shields Up test here
https://grc.com/x/ne.dll?bh0bkyd2
Use the Common Ports option when it comes up.

Top
#135664 - 05/02/04 10:15 PM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
Before you begin:
If you are running Windows NT/2000/XP, make sure that you do, or have done, the following:
Create a secure password. This worm takes advantage of weak network passwords. (A full-time Internet connection, such as DSL or Cable, is considered a network connection for these purposes.)
Patch the DCOM RPC vulnerability as described in Microsoft Security Bulletin MS03-026.
Patch the WebDav vulnerability as described in Microsoft Security Bulletin MS03-007.

--------------------------------------------------------------------------------

If you can't get onto the internet you'll have to do this step afterward, but try to see if it will work. (You'll have to reboot out of Safe Mode for these steps.)

Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
#135665 - 05/02/04 10:24 PM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
After the MS patches are in, reboot into regular mode (sorry, I know that it hurts)

and:

Here we go:
These are our avenues of attack.
  • Disable System Restore (Windows Me/XP).
  • Restart the computer in Safe mode or VGA mode.
  • Restore the Hosts file.
  • Reverse the changes made to the registry (removing the service and Run keys that the worm added).
  • Update the virus definitions.
  • Run a full system scan and delete all the files detected as
    W32.Gaobot.gen!poly
    Dos AGOBOT.HM
    AGOBOT B
    WORMNACH B


  • Disable System Restore

    To turn off Windows XP System Restore
    Click Start > Programs > Accessories > Windows Explorer
    Right-click My Computer, and then click Properties.
    Click the System Restore tab.
    Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box as shown in this illustration:
    Click Apply. A message should appear in a small window.
    Click "Yes"
    This will delete all existing restore points.
    Click Yes to do this.
    Click OK.



Quote:
from the Systematic website:
Safe mode is the Windows diagnostics mode. When you start the computer in Safe mode, only the specific components that are needed to run the operating system are loaded. Safe mode does not allow some functions, such as a connection to the Internet. Safe mode also loads a standard video driver at a low resolution. Due to the low resolution, your programs and the Windows desktop may look different than usual and the desktop icons may have moved to different locations on the desktop
  • To use the F8 method
    Use this method only if Windows XP is the only operating system installed on your computer.
    Start Windows, or if it is running, shut Windows down, and then turn off the computer.
    Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
    As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
#135666 - 05/02/04 10:30 PM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
  • To restore the Hosts file
    Removing these will fix the Windows host file so that the added name resolution entries from the Worm will not prevent you from visiting the Web sites of antivirus vendors.


Using Windows Explorer, look for a file named "hosts" in the following locations, if they exist:

C:\Windows\System32\Drivers\Etc\hosts
C:\Winnt\System32\Drivers\Etc\hosts
D:\Windows\System32\Drivers\Etc\hosts
D:\Winnt\System32\Drivers\Etc\hosts


For each \hosts file that you find, double-click the file.
When the "Open With" dialog box appears, scroll through the list and select Notepad. Do not check the "Always open this program with. . ." box.
Delete the following lines within the file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com


Do not delete the line:

127.0.0.1 localhost


Save the hosts file.

Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
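The hosts-file cleanup described in the post above, as an added Python example that is not part of the original post: it works on the text of a hosts file, drops loopback entries for the antivirus vendor domains the post lists, and puts back the `127.0.0.1 localhost` line if it is missing. The watchlist is reduced from the post's list to base domains and matched by suffix, which goes slightly beyond the exact lines listed; `audit_hosts` and the sample file are constructed for illustration.

```python
import ipaddress

# Base domains taken from the hosts entries listed in the post above;
# matching on the suffix also covers their www./update subdomains.
AV_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
}

# Constructed sample: hijacked entries next to lines a cleanup must leave alone.
SAMPLE_HOSTS = (
    "# sample hosts file (constructed)\n"
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1\tliveupdate.symantecliveupdate.com   # trailing comment\n"
    "127.0.0.1 download.mcafee.com dispatch.mcafee.com\n"
    "127.0.0.1 ads.example.net\n"
    "192.168.1.20 printer.home.example\n"
)

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def is_av_name(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in AV_DOMAINS)

def audit_hosts(text):
    """Return (cleaned_text, removed_names, had_localhost)."""
    kept, removed, had_localhost = [], [], False
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or not is_loopback(fields[0]):
            kept.append(line)  # comment, blank, or a mapping to a real address
            continue
        addr, names = fields[0], fields[1:]
        had_localhost |= any(n.lower() == "localhost" for n in names)
        bad = [n.lower() for n in names if is_av_name(n)]
        removed.extend(bad)
        if not bad:
            kept.append(line)  # loopback entry for some other name: not ours to judge
        elif len(bad) < len(names):  # keep the innocent names on a mixed line
            kept.append(addr + " " + " ".join(n for n in names if not is_av_name(n)))
    if not had_localhost:
        kept.append("127.0.0.1 localhost")  # the line the post says not to delete
    return "\n".join(kept) + "\n", removed, had_localhost

if __name__ == "__main__":
    cleaned, removed, had_localhost = audit_hosts(SAMPLE_HOSTS)
    print("removed:", removed, "| localhost line was present:", had_localhost)
    print(cleaned, end="")
```

If the removed entries are back the next time the file is checked, as reported later in this thread, whatever wrote them is still running and the file edit alone has not fixed the machine.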
#135667 - 05/02/04 10:32 PM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
  • Reverse the changes made to the registry

    Click Start, and then click Run. (The Run dialog box appears.)

    Type regedit

    Then click OK. (The Registry Editor opens.)


    Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run


    In the right pane, delete any of the following values:

    "^`d}qZxu" = "~`d}qzxu3zYF"

    "Configuration Loader"="confgldr.exe"

    "Video Process"="sysconf.exe"

    "Service Host Process"="spoolsvc.exe"

    "svchost"="winhelp.exe"

    "csrs"="csrs.exe"


    Do one of the following:
    If you are using Windows NT/2000/XP, skip to step h.
    If you are using Windows 95/98/Me, go on to step f.


    Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices


    In the right pane, delete any of the following values:

    "^`d}qZxu" = "~`d}qzxu3zYF"

    "Configuration Loader"="confgldr.exe"

    "Video Process"="sysconf.exe"

    "Service Host Process"="spoolsvc.exe"

    "svchost"="winhelp.exe"

    "csrs"="csrs.exe"


    Navigate to and delete the keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\SoundMan
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\svc32
  • Exit the Registry Editor.
  • Restart the computer in Normal mode.


Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
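The registry check described in the post above, as an added Python example that is not part of the original post: it reads the text of a regedit export and reports the Run/RunServices values and service keys the post names, so the review can be done on a saved export instead of by eye in the Registry Editor. `find_worm_entries`, the `SampleTray` value and the sample export are constructed for illustration; the value-name and file-name pairs come from the post.

```python
import ntpath
import re

# Run/RunServices value names and file names, and service key names, as listed
# in the post above (its one unreadable value name is left out).
RUN_VALUES = {
    "configuration loader": "confgldr.exe", "video process": "sysconf.exe",
    "service host process": "spoolsvc.exe", "svchost": "winhelp.exe",
    "csrs": "csrs.exe",
}
SERVICE_KEYS = {"soundman", "svc32"}

# Constructed sample of regedit export text, already decoded to str
# (real exports from Windows 2000/XP are UTF-16).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SampleTray"="C:\\Program Files\\Sample\\tray.exe"
"Video Process"="sysconf.exe"
"svchost"="C:\\WINDOWS\\System32\\winhelp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32\Security]
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_RE = re.compile(r"\\currentversion\\run(services)?$")
SVC_RE = re.compile(r"\\services\\([^\\]+)")

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def find_worm_entries(export_text):
    """Return sorted findings: ('run', key, value_name) or ('service', key, '')."""
    findings, key = set(), ""
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            svc = SVC_RE.search(key.lower())
            if svc and svc.group(1) in SERVICE_KEYS:
                findings.add(("service", key[:svc.end()], ""))  # report subkeys once
            continue
        m = VALUE_RE.match(line)
        if m and RUN_RE.search(key.lower()):
            name, data = unescape(m.group(1)), unescape(m.group(2))
            exe = ntpath.basename(data.strip('"')).lower()
            if RUN_VALUES.get(name.lower()) == exe:  # name AND file must both match
                findings.add(("run", key, name))
    return sorted(findings)
```

Matching on the name and file together matters here because names such as "svchost" and "csrs" are chosen to look like ordinary Windows components.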
#135668 - 05/02/04 10:34 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
I'm afraid you lost me a while back- I don't know how to create a secure password......

Top
#135669 - 05/02/04 10:42 PM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
  • Restart in Normal Mode
    Close all open programs.
    Click Start, and then click Run. The Run dialog box appears.
    Type msconfig and then click OK.

    The System Configuration Utility appears. Check the /SAFEBOOT option, and then click OK.

    You'll see the prompt to restart the computer. Click Restart.
  • Locate your Norton Antivirus Software.
  • Run live update
  • If nothing happens...don't panic. Uninstall
    Norton and reinstall it.
  • Run Live update again.
  • Start your Symantec antivirus program and make sure that it is configured to scan all the files
  • Scan your system
  • Delete all the files detected as
    W32.Gaobot.gen!poly
    Dos AGOBOT.HM
    AGOBOT B
    WORMNACH B


Take 2 aspirin and call me in the morning.

Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
#135670 - 05/02/04 10:43 PM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
OK, Hagatha I'm working on it.
Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
#135671 - 05/02/04 11:16 PM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
Creating a password even if you are the "Owner"
or Administrator for your system is one of the best things that you can do for yourself.

Go TO-->Start-->Control Panel-->User Accounts

Double Click. Take the time to read all the help files here as well, they explain a lot.

When you're ready: Click on your file...it's probably still listed as "Owner" or "Administrator"

First click on "Change my Name". Don't keep it as "Owner"!!! That's the biggest mistake that everyone makes and it's the first thing an attacker will look for (everyone's XP is called "Owner" unless they change that). If you have "Guest", change that one too after you're done with changing yours.

Next, Click on Create a password. Read the articles below about this and follow what they say... you'll be glad that you did.


I keep a notebook with all my passwords written down. Silly in this day and age I know...but it has saved me and the things I do more times than I can count. You can create a password reset disk for it if you wish ...just read the help file on your computer. I don't use this function, but you may want to.



Read these:
Creating Strong Passwords


Windows XP Tips and Tricks


Inferno

If you have any other questions, let me know.
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
#135672 - 05/02/04 11:52 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
OK. I am ready to start...but not sure exactly where... I think I am supposed to start by going to it and downloading a file onto a floppy.

(Sorry to sound dense, but this is a lot of information and hard to keep track of everything I have to do; also I am working on a very slow computer with a keyboard that requires literally a hard smack to get the space bar to work - it's my old keyboard and that space bar has seen a lot of battle pauses).

The link leads me to a thread on some board somewhere and I can't work out what I am supposed to download off that thread. It is on the Tech Guy support forums.

Top
#135673 - 05/03/04 12:05 AM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
After you've downloaded this, set it aside. You'll only use this if the manual removal does not work.

http://www.accs-net.com/hosts/Downloads/hosts127001.zip

Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top
#135674 - 05/03/04 12:21 AM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
Thanks. File downloaded onto floppy. Now I've printed all of the above information and will see if I can do any of this.

(I may have to be sick tomorrow).

Top
#135675 - 05/03/04 01:01 AM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
I've hit a brick wall already...here's what I have done:

1. Secure Password-already had one, it turns out.

2. I had disabled System Restore yesterday

3. Restarted in Safe Mode and deleted (for the 500th time) the files in the hosts file.
4. Saved now empty hosts file (the "local" file not supposed to remove is not there anyway- not sure if that is a problem - it stopped appearing after the very first time I deleted all the other files and never returned. I've checked very carefully each time but it's never there)

5. None of the listed files were in the Registry.

6. Where it says "XP-skip to step h" - there is no step h letter anywhere. However, none of the files listed appeared in any of those locations - I checked them all. By the way, I do not understand the term "key" as in "Navigate to and delete the keys".

7. Restarted in Normal mode.

8. I don't know how to turn off all open programs in XP. I knew which two programs to leave running in 98, but I have always heard that this does not apply to XP, so that I can't do.

9. There is nothing called SAFEBOOT option listed in the System Configuration Utility. And the Utility just gets shut down almost immediately anyway. There are a few options listed, but the Utility doesn't stay open long enough for me to write them down.

So that's as far as I got.

I thought I saw another post about what to shut down in XP so maybe I'll have a look at that.

Top
#135676 - 05/03/04 01:31 AM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
Found the list of programs to shut down.

In the System Configuration Utility, there are three options listed - Normal, Diagnostic Startup, and a third one which has a series of checkboxes that I wouldn't touch with a ten foot pole without guidance. Of course there are some other tabs, but none of these have a SAFEBOOT option either.

When I restart in Diagnostic Startup, I cannot run Liveupdate because my internet connection is disabled in this mode. In fact, all of the small icons that normally appear on the desktop header (or footer, on some desktops) are gone in this mode.

So I can't go any further. And I have been working on this for 12 hours today and that's it for now. I just checked the HOSTS file and the bad files are back in there again so I have to start from scratch anyway. But I don't know where scratch is anymore.....

Top
#135677 - 05/03/04 01:52 AM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
Go to bed. I'll try to make it clearer for you for tomorrow. Check back here again.

Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

Top