a virus or not...very curious

Last night I was stupid enough to click on an unknown exe....though I
had scanned it with NOD32 first, which is running on my XP system, and
it said it was fine. Then my PC just shuts down and reboots and
continues this cycle, shutting down and restarting.

I managed to go into Safemode and scanned my system for a virus and
nothing. So I tried Panda, Trend Micro...every on-line scanner I could
think of, plus Nod32, plus Adaware and Spybot and nothing. Finally,
(from safemode) I simply deleted the dodgy exe from the folder it had
been downloaded to and did a system restore. Then everything was fine.
Can anybody explain what happened here? Is there something still on my
system? Why didn't any of the scanners find it? Any thoughts on this
would be much appreciated. Thanks.


Re: a virus or not...very curious

After much thought, lee aka pepplewick@gmail.com came up with this jewel:

Submit the dodgy exe to VirusTotal and see what they come up with.

max
--
My Pages:
Virus Removal Instructions:
http://maxpro4u.freehostingnow.com/removal.html
Keeping Windows Clean:
http://maxpro4u.freehostingnow.com/keepingclean.html
Tools: http://maxpro4u.freehostingnow.com/tools.html
Change nomail.afraid.org to gmail.com to reply. nomail.afraid.org is
specifically setup for USENET. Feel free to use it yourself.

Re: a virus or not...very curious



No telling from your description of the effect as to what it was. Further,
who cares? So, you learned from the experience, right?



Re: a virus or not...very curious

lee wrote:


You're not providing enough information. Perhaps a sample or name of the file?

Re: a virus or not...very curious

lee wrote:

scanners are really very good at identifying *known* malware...
unfortunately new/unknown malware doesn't really fall into that category...

my suggestion would be to send a sample of the file (if you still have
it somewhere) to your anti-virus developer for analysis, but beyond that
there's really no way to tell what it was or if there's anything left
over on your drive...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: a virus or not...very curious



Go to My Computer, Properties. In the dialog box that pops up, select
the Advanced tab, then click on Settings in the "Startup and Recovery"
section. In the new dialog box that pops up, find the System Failure
section and remove the check mark from the "Automatically Restart"
item. Press OK twice to close everything and accept the change.

The next time you have this kind of error that normally causes your
system to automatically reboot, you'll instead be presented with a
blue screen that will contain clues as to what went wrong.
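The dialog steps above flip a single registry value under CrashControl. As an added example (not from the thread or any poster), this PowerShell snippet reads that key, reports whether the machine will keep the blue screen or reboot, which crash dump type it will write and where, and offers a function that applies the same change as clearing "Automatically restart". It assumes the standard CrashControl key layout; changing the value needs an administrator session.

```powershell
# Added example, not from the thread: inspect and adjust how Windows behaves
# on a stop error, so the blue screen (and its stop code) stays readable.
function Get-StopErrorBehavior {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc  = Get-ItemProperty -Path $key

    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel,
    # 3 = small (minidump), 7 = automatic (newer Windows)
    $dumpKinds = @{ 0 = 'none'; 1 = 'complete'; 2 = 'kernel'; 3 = 'small (minidump)'; 7 = 'automatic' }
    $dumpType  = [int]$cc.CrashDumpEnabled
    # Minidumps go to MinidumpDir (one file per crash); other types use DumpFile
    if ($dumpType -eq 3) { $dumpPath = $cc.MinidumpDir } else { $dumpPath = $cc.DumpFile }

    [pscustomobject]@{
        AutoReboot      = [bool]$cc.AutoReboot
        # With AutoReboot on, the system restarts before the stop code can be read
        KeepsBlueScreen = -not [bool]$cc.AutoReboot
        DumpType        = $dumpKinds[$dumpType]
        DumpPath        = $dumpPath
    }
}

# Same effect as clearing "Automatically restart" in Startup and Recovery
function Disable-AutoReboot {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
                     -Name AutoReboot -Value 0 -Type DWord
}

Get-StopErrorBehavior
```

Once the dump path is known, the minidump written at the next crash gives the faulting driver or module, which is far more useful than the reboot loop described in the original post.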


Re: a virus or not...very curious

On 14 May 2007 12:05:20 -0700, lee wrote:


Sounds like some kind of malware possibly infected the boot sector of your
hard drive and threw your system into a continuous loopback, somewhat like
a 'land attack,' causing your computer to attempt to connect to itself.  If
you deleted the file but then afterward did system restore, it could be
possible for it to be on your system, since it would most likely have been
in the system volume information.  I would highly suggest doing an online
scan with Kaspersky AV at their site.  I used NOD32 for a long time, but
its detection capabilities have gone somewhat downhill. I have found that
Kaspersky detects a lot of crap that the others don't.  I would run the
Kaspersky online scan along with downloading the free version of
Superantispyware or a trial version of Sunbelt Counterspy.  I think a combo
of those three would be much more effective than the apps you've mentioned.
Also, another option would be to uninstall NOD32 and install a trial
version of Kaspersky AV or Kaspersky Internet Security (which I use and
love).  You could always reinstall NOD if you didn't like it.  Once you
determine your system is clean, disable system restore, which will get rid
of any crapware that is in your system volume info, then re-enable it again.
No need to reboot if using XP.  Anyway, hope that gives you some ideas at
least.

--
Posted via a free Usenet account from http://www.teranews.com


Re: a virus or not...very curious


Hi Lee.

Do you still by chance have the original exe you clicked on? I'd be happy
to analyse it for you and report back the results. If BugHunter doesn't
already detect it or its potential offspring, it will.

Sadly, no scanner will detect everything out there. Even if you use
multiple ones, if the malware is new enough, it's probably going to evade
them. It may not get far due to various other security software, but
it'll get a start.

The exe file might have changed files, added additional files, and/or
modified certain registry keys incorrectly resulting in the system
failing to restart in normal mode. Not all malware seems to be well
tested before they release it.

You can find the program I wrote to scan for this junk here:
http://bughunter.it-mate.co.uk


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml


Re: a virus or not...very curious

On May 17, 4:50 am, Dustin Cook wrote:

Thanks for all the advice. I finally just reinstalled everything;
I was due anyway and on the plus side everything's a lot faster now. I
did run the file through VirusTotal as a post advised and it found a
lot of nasty stuff in there, generic graybird, dropper.small.awa,
win32.delf.dnr, etc...could all of these be in there or are they just
nicknames? Anyway, thanks again and will take the advice for
alternate scanners as advised also.


Re: a virus or not...very curious


They could all be names for the same item. No standard naming convention,
same problem with viruses and worms. :( I don't help the problem, as
BugHunter tends to call things whatever BitDefender calls them. If
BitDefender doesn't know it at the time, it's named something other than
what BitDefender would eventually call it.

If there was some form of standards, I would make BugHunter conform to
it.

I'm glad you got your machine back up and running, that's the most
important part.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml


Re: a virus or not...very curious

Dustin Cook wrote:
[snip]

as was demonstrated by the caro naming convention's failure to harmonize
malware naming, a naming standard does not solve the naming problem... a
naming standard can only define the format of the name, it can't
reasonably be expected to tell you what the final name should be... for
that you need a central naming authority or a naming effort that is
coordinated across all vendors... unfortunately the deconfliction stage
(to ensure that 2 companies don't get different names for what turns out
to be the same thing) would invariably introduce delays in the issuing
of updates... that's not an easy trade off to justify...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
