Page 4 of 4 < 1 2 3 4
#135678 - 05/03/04 01:58 AM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
Quote:
Originally posted by Hagathaone:
I've hit a brick wall already...here's what I have done:

1. Secure Password-already had one, it turns out.

By the way, I do not understand the term "key" as in "Navigate to and delete the keys".

Change your password. You've been compromised.
"KEY"
  • That refers to the "registry" key. It's located in the Registry Editor (well, it's the fastest way to find it).
  • Take a look here:

    After you locate "Microsoft", again click on the + to the left and scroll down until you see "Windows". Click on the + to the left and scroll down until you see "current version". Click on the left and scroll down until you locate run, and click on the left until you see "run". Double click on "run", now look at the window on the right. See anything?
  • Follow part "D >" below. (If you double click on the files here you will see the values.) Delete only the "values" listed here. Do not delete the folders on the left, only the values on the right.
  • Then use the same "navigation procedure" to locate the "Key" in step "h", but now if you find that "key" located on the left side of the window (it will look like a folder), delete it entirely.
  • It will be in the left side of the registry window. There are two you must delete... these are the registries for the worms themselves! They are the worm's Hooks.
    One is called "soundman", the other is "svc"
  • Therefore these computer sentences need to go:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoundMan

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32

    Understand?
  • A> Click Start, and then click Run. (The Run dialog box appears.)
  • B> Type regedit

    Then click OK. (The Registry Editor opens.)
  • C> Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • D> In the right pane, delete any of the following values:

    "^`d}qZxu" = "~`d}qzxu3zYF"

    "Configuration Loader"="confgldr.exe"

    "Video Process"="sysconf.exe"

    "Service Host Process"="spoolsvc.exe"

    "svchost"="winhelp.exe"

    "csrs"="csrs.exe"
  • E> Do one of the following:
    If you are using Windows NT/2000/XP, skip to step h.
    If you are using Windows 95/98/Me, go on to step f.
  • F> Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • G> In the right pane, delete any of the following values:

    "^`d}qZxu" = "~`d}qzxu3zYF"

    "Configuration Loader"="confgldr.exe"

    "Video Process"="sysconf.exe"

    "Service Host Process"="spoolsvc.exe"

    "svchost"="winhelp.exe"

    "csrs"="csrs.exe"
  • H> Navigate to and delete the keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoundMan
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32
  • I> Exit the Registry Editor.
  • J> Restart the computer in Normal mode.


Hopefully, it will be gone. You will have killed it.




Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

#135679 - 05/03/04 02:35 AM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
Diagnostic Startup is Safe Mode

You do the manual regedit in this mode.
Then restart the system into normal mode,
and then see if you can get Norton to do the live update, not before.

You may have to reinstall Norton and then run the live update.
Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

#135680 - 05/03/04 05:32 PM Re: Need help with a virus
Jema Offline
Adept Boomer

Registered: 09/11/02
Posts: 13648
Loc: Virginia
Inferno, you are a wiz!!! I hope the manual process you outlined works for hagatha since the cleanup tool didn't.

Jenny100, thanks for posting the link to Gibson's site. I've known about GRC for years and periodically go there and run the port scan to make sure something either I do or a patch or an install does hasn't changed my "all ports stealthed" to something less secure.

I suggest that everyone also go to GRC's homepage, follow the links, and read, read, read!

wave Jema
_________________________
Wouldn't that jar your mustard!

#135681 - 05/03/04 08:56 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
Hi guys - I'm afraid this isn't working, after all your time and effort. Here is what I THINK I'm supposed to do:

1. Edit the Hosts File in Safe mode; save edited file
2. Edit Registry in safe Mode
3. Restart computer in Normal mode and run Liveupdate.

1. I have edited and saved the Hosts file at least 100 times (no exaggeration). Doesn't matter. As I found out yesterday when I started using Safe Mode, the next time I start my computer, be it in Safe or Normal Mode, the virus files are back in the Hosts file. Always. 100% of the time. They aren't going anywhere.

2. There are no virus files in the Registry. I have double and triple checked, and those files don't appear. There is nothing in any of those registry Keys that has an = in it at all. Nor are the keys I am to delete present. Now I don't know if there is something that is not displayed, but I can't see any of those files or keys.

3. When I restart my computer in Normal Mode, my Norton still won't start. Not just the live Update, but Norton Antivirus itself. Nothing happens when I click on it. But that wouldn't matter, because as soon as I have restarted my computer, all the virus files are back in the Hosts file. This happens without fail - Safe or Normal mode.

Also, in the instructions last night I was to open the System Configuration Utility and restart in SAFEBOOT and THEN run Norton. But as I noted, there is no Safeboot and the Diagnostic Mode option I have is not at all the same as Safe Mode - it looks totally different. Am I supposed to do this step now? I can't tell.

So, I must have missed something or a step somewhere, or this just is not working.

I have not installed any patches at all. When I tried to get the MS03-26 and MS03-007 patches from the Security site, the page never loaded.

Thanks for all your time.

#135682 - 05/03/04 10:33 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
My last-ditch attempt was to edit the Hosts file and registry in Safe, and then run that virus removal program I downloaded. It indicated no virus on my computer.

Then I restarted in Normal, and the Hosts file was full again. So manually removing the files apparently is not the solution. The virus seems to be residing somewhere else on my system and is reactivated when the computer starts.

Even with the Hosts file edited and saved, and all non-essential programs turned off, and the antivirus program indicating no virus, running in Normal Mode, I cannot uninstall or run Norton Antivirus (I could, however, uninstall anything else if I wanted to).

Don't know if anyone else has had this happen, but it seems I am not going to get rid of this without a complete re-install.

#135683 - 05/04/04 02:08 AM Re: Need help with a virus
Jenny100 Offline
GB Reviewer Glitches Moderator
Sonic Boomer

Registered: 10/24/00
Posts: 35463
Loc: southeast USA
Is it possible you're being reinfected as soon as you go on line? Or do those boogers show up in your Hosts before you go on line?

#135684 - 05/04/04 05:17 AM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
Safe Boot and Selective Startup mean the same thing for Windows XP.

If you type regedit in the run command line you will get:




if you click on the boot.ini tab



just so you know.


and no, there aren't supposed to be any "=" signs there in the registry... that symbol was only meant to be for communication to you.


it only meant that in the "KEY" or FOLDER located in the left window of "regedit".

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


if the "VALUE" which would be located on the right window pane after you double click in "RUN"


for ex.


"Service Host Process"="spoolsvc.exe"

The VALUE NAME or Value itself is Service Host Process

the VALUE DATA is spoolsvc.exe

Norton wants you to delete both. The "=" was just a way to explain it.


Inferno
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden
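
The value-name versus value-data distinction explained in the post above, together with the Run / RunServices values and Services keys listed in the earlier step-by-step post, as an added example that is not part of the original thread: a read-only Python check over the text of a registry export, where string values appear in the same `"name"="data"` notation. The function names, the sample export and its `ExampleApp` entry are constructed for illustration.

```python
import re
# Value name -> value data, copied from steps D and G of the thread.
LISTED_VALUES = {
    "^`d}qZxu": "~`d}qzxu3zYF",
    "Configuration Loader": "confgldr.exe",
    "Video Process": "sysconf.exe",
    "Service Host Process": "spoolsvc.exe",
    "svchost": "winhelp.exe",
    "csrs": "csrs.exe",
}
LISTED = {k.lower(): v.lower() for k, v in LISTED_VALUES.items()}
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {CV + r"\run", CV + r"\runservices"}
SVC = r"hkey_local_machine\system\currentcontrolset\services"
SERVICE_KEYS = {SVC + r"\soundman", SVC + r"\svc32"}  # keys from step H
KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" string values; \\ and \" are escapes inside a .reg file.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
UNESC = re.compile(r"\\(.)")

def audit_reg_export(text):
    """Return (status, key, value_name, value_data) tuples; changes nothing."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if key.lower() in SERVICE_KEYS:
                findings.append(("listed-key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower() in RUN_KEYS:
            name, data = (UNESC.sub(r"\1", g) for g in m.groups())
            hit = LISTED.get(name.lower()) == data.lower()  # name AND data must match
            status = "listed-value" if hit else "unlisted-value"
            findings.append((status, key, name, data))
    return findings

# Constructed sample export (not taken from any real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"Service Host Process"="spoolsvc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32]
"Start"=dword:00000002
'''
if __name__ == "__main__":
    print(*audit_reg_export(SAMPLE), sep="\n")
```

Exports written by the Windows 2000/XP Registry Editor (the `Version 5.00` header) are UTF-16, so read the file with `encoding="utf-16"` before passing its text in. Entries reported as `unlisted-value` are simply startup entries that are not on the thread's list and still need a manual look.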

#135685 - 05/04/04 05:47 AM Re: Need help with a virus
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist

Registered: 06/07/02
Posts: 5766
Loc: FT. Worth ....Where the West b...
You need to uninstall or delete Norton and then reinstall it, while in Normal mode.

Remember that "Host file" I had you download? You could try that.


In Selective Startup or Safe Mode (remember that they are one and the same):
Instead of deleting all the files one at a time... just delete the whole Host file... replace it with the "new host file" on that floppy I had you download last night. Just use Windows Explorer and copy the unzipped new Host file into the directory which originally housed your bad file. Delete the registry values and keys once again like before.
Go to your desktop and delete the contents of the recycle bin.
Use Windows Explorer and delete all Norton files (you have nothing to lose now as Norton has been disabled anyway).

Go to regedit once again and choose Normal Startup. Close out of all open programs and SHUT OFF your system.

Turn on your system... Install Norton and try running live update. If this is successful then run a full system scan. Delete any files that it finds regarding the worm.


See if this works... This happened to me last year with the Wehlacia Worm. I wound up removing it from my system but I had damaged my registry because I deleted the wrong file. I wound up having to reinstall Windows XP. I lost all my data.
I really empathize with what you're going through. Marita can tell you just how upset I was.

Inferno

and reboot to Normal mode.
_________________________
Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden

#135686 - 05/06/04 09:34 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
Ok I'll give another shot.

#135687 - 05/06/04 10:33 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
I have now deleted the Hosts file in Safe Mode and unzipped the downloaded file into that folder.

However, I still cannot find anything in the Registry that conforms to the values you've indicated. I never have!

There is one value in Current Version/Run that is close:

scvhost=svchost.exe, but that is not the same as the one in the list.

Should I delete this??????? I don't dare try anything else until I know because if it's wrong I'm hooped. I will have to leave my computer on and in Safe Mode because once I go back into Normal, if the virus is still there I will have to download the file again and this computer I'm on right now is a royal pain; dial-up connection, and a space bar that does not work.

I do not think I keep getting re-infected because I have had my internet connection unplugged for most of the last week. The virus is lurking somewhere but my registry doesn't have those values or the keys.

#135688 - 05/06/04 11:20 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
Also, I think I have more than one problem here.

That TrendMicro scan I downloaded on Saturday, which I have run about 50 times, all of a sudden found Nachi.b TODAY. It's never done that before, and NACHI.B was supposedly removed by the on-line scan I used last Saturday. I haven't seen it since then.

As I say, my registry does not contain the keys and values for AGOBOT, although the TrendMicro scan has found it several times in the past (but is not finding it right now). That same scan has in the past found Sasser a few times, but it does not find it right now.

But with my computer not linked to the Internet I don't know how I could have been reinfected with NACHI.B. I just don't understand it.

Too bad I can't install Norton in SafeMode.

#135689 - 05/07/04 11:43 AM Re: Need help with a virus
CCbomber Offline
Addicted Boomer

Registered: 01/16/03
Posts: 3272
Loc: Mojave desert, California
Hagathaone,

Is this your only computer? Would it be possible
for you to attach this drive as a slave (or 2nd
master on the other IDE chain) of another
computer?

The only reason I suggest this is because you seem
to be so deeply mired in difficulties here that you
might be better off to scan the drive for a virus,
worm, etc. from a working system. In that way you
can isolate, remove, repair, etc. from that
system. You could also simply copy all your
important data, files, favorites, etc. to the main
drive and reinstall XP (I assume) on your drive.

#135690 - 05/08/04 08:15 PM Re: Need help with a virus
Hagathaone Offline
Shy Boomer

Registered: 05/01/04
Posts: 19
Hi there. In the end that is likely what will happen with my system but it won't be me who's doing it. I know someone who is a genius with this sort of thing and I guess I'll have to let him work it out for me. Thanks to everyone who tried to help. I know a heck of a lot more about computers now than I did before, that's for sure.

On the very much brighter side, I did go out and buy a second computer just for games and not to connect to the Internet. I dropped a fair bit of cash on it, and bought a 19" screen, and my word, does that thing fly! I can hardly wait to see how Morrowind and its expansions perform on it. My old system can be for older games - I think I'll put Win 98 back on or maybe have both 98 and XP on it. Since I still play a lot of BG/IWD and things like Thief and Deus Ex, that would be worthwhile for a few more years, anyway.

And anyway, a girl can't have too many shoes, handbags or computers, I always say. And my partner can't complain about my profligate spending because he has three computers himself (not as many shoes or handbags, though).

#135691 - 05/09/04 08:50 PM Re: Need help with a virus
granny Offline
BAAG Specialist

Registered: 08/27/99
Posts: 7405
Loc: Ft. Lauderdale, Florida USA
This may be impossible, but with WINDOWS???? Who knows.

Could your 'puter somehow be set to do an automatic 'Back UP', (going back to a previous date) to before you started deleting these files & programs???

I feel silly asking, but it sounds like you are stuck in a loop.
_________________________
Granny Goodwitch

A woman NEVER shot a man while he was doing dishes!
