bad virus - Page 5



Re: bad virus



sfdavidkaye2@yahoo.com (David Kaye) wrote in

Quoted text here. Click to load it

You did notice he has a running (as in ,live, functional; it sets the
rules everyone else has to play by) TDSS rootkit right? They aren't viral
mind you, but they aren't a joke either. If you don't deal with it first,
everything else you do is a wasted effort. Rootkits hook at the kernel/OS
levels.



--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge
this boulder right down a cliff." - Goblin Warrior


Re: bad virus




 
Quoted text here. Click to load it

Your PC is actually in danger at this point of assisting in infecting
other machines or possibly being a zombie box if it's not already.

At this point, I'd have to go with David Lipman's suggestion. Seriously,
it's time to wipe and reload. If you hadn't taken such ... drastic, if
you will, steps to try and stop this, it might not have taken much real
effort to fix; but at this point, I can't trust the machine at all.

Really man, you're not just putting your information in danger, you're being
a very irresponsible netizen by allowing that computer to continue with
an internet connection in its current state. If your ISP has already
blocked outbound email, it should just be a matter of time before your
connection is disabled until you verify the machine is clean.

At least, that's what happens in this area. When your ISP turns you off,
you have to have a licensed technician contact them and claim it's clean
and is okay. And if it's not, it falls back on the tech who did the work.
Fines, etc. are possible here.

Several years ago when I worked for an ISP, I'd start by turning your
email off, and then I'd give you 24 hours. If your machine was still
spewing trojans and mass mailing worms; your connection was terminated
until you cleaned up your mess or took your business to a less
responsible ISP.


--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge
this boulder right down a cliff." - Goblin Warrior


Re: bad virus




Quoted text here. Click to load it

You seem to have contradicted yourself.
You said you'd start by turning off email, and if it's still spewing mass
mailing worms 24 hrs later, the connection is terminated.

How is it going to be spewing mass mailing worms if the ability to send
email is terminated?
How is anyone else in danger of being infected, since this machine can't
email?


Re: bad virus





| You seem to have contradicted yourself.
| You said you'd start by turning off email, and if it's still spewing mass
| mailing worms 24 hrs later, the connection is terminated.

| How is it going to be spewing mass mailing worms if the ability to send
| email is terminated?
| How is anyone else in danger of being infected, since this machine can't
| email?

If it has its own email engine and connects to a third party SMTP server.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: bad virus



David H. Lipman wrote:
Quoted text here. Click to load it

Well, all I can say is I use my connection basically to dl apps trying
to get rid of this thing, and post here.
I then pull the plug.
Looks like my NNTP connection was terminated, Xnews no longer works.

Sucks too, I was just about to send in my tax return via TurboTax. I
think I should put that off until I get this cleared up.

Re: bad virus



Xray wrote:

Quoted text here. Click to load it

Not at all.

Quoted text here. Click to load it

If 'twas me, I'd not even wait the 24 hours, 'cause ya know it's not
going to stop until something drastic is done.

Quoted text here. Click to load it

You're showing your lack of knowledge on how these things work. Mass
mailers have their own SMTP engine and do not use your email client. And
it doesn't even need email (that's what the spammers do though). Your
trojan could also be pinging sequential IP addresses, looking for PCs
without firewalls.

--
   -bts
   -Four wheels carry the body; two wheels move the soul

Re: bad virus



Beauregard T. Shagnasty wrote:
Quoted text here. Click to load it
Well, if I had such great knowledge of how these things work, I guess I
wouldn't be posting here, now would I?

Re: bad virus




Quoted text here. Click to load it

I need to clarify myself.. Sorry.

What I meant by turn off email would be a server side block on a specific
port. That would stop you from using your email client from sending
email, unless you changed the configuration of your program. At the same
time however, a mass mailing worm isn't going to bother with what I did
or worry about it; it's usually using its own code and email server, on
a port I didn't block.


Quoted text here. Click to load it

That's the thing... isn't it? *You* can't email, unless you make a change
or two. Don't assume your computer can't either. :)


--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge
this boulder right down a cliff." - Goblin Warrior


Re: bad virus



Xray wrote:

Quoted text here. Click to load it

Read http://en.wikipedia.org/wiki/Botnet

Many of said worms/trojans/whatever have their own built-in SMTP mailing
engines. They don't use the email client (Outlook, Outlook Express,
Thunderbird, etc) that the user does email with.

It doesn't take a lot of code to send mail this way. There's no need for
a spiffy user interface or address book etc. The controller sends the
'botted machine the payload email and email addresses, then your machine
proceeds to send out crap without you knowing it.
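Both points made above, that a server-side port block only stops the user's mail client, and that a bot with its own SMTP engine delivers straight to many destination mail hosts, suggest a simple network-side check. The following is an added example and not code from any poster: it scans constructed firewall log lines and flags hosts opening SMTP connections to many distinct non-relay destinations (the log format, the port set and the threshold are assumptions made for this example).

```python
"""Flag hosts that behave like self-contained mass mailers.

A normal client sends through one relay (the ISP smarthost or webmail).
A worm with its own SMTP engine connects directly to many different
destination mail hosts, often on ports the ISP never blocked.
Log format and sample lines below are constructed for this example.
"""
from collections import defaultdict

# Ports used for SMTP delivery/submission (assumption for this example).
SMTP_PORTS = {25, 465, 587}

# Constructed firewall log: "timestamp src dst port action"
SAMPLE_LOG = """\
2010-03-21T14:45:01 10.0.0.7 198.51.100.10 25 ALLOW
2010-03-21T14:45:02 10.0.0.7 198.51.100.11 25 ALLOW
2010-03-21T14:45:02 10.0.0.7 203.0.113.5 587 ALLOW
2010-03-21T14:45:03 10.0.0.7 203.0.113.9 25 BLOCK
2010-03-21T14:45:03 10.0.0.7 192.0.2.44 25 ALLOW
2010-03-21T14:45:04 10.0.0.7 192.0.2.45 465 ALLOW
2010-03-21T14:45:05 10.0.0.9 10.0.0.1 25 ALLOW
2010-03-21T14:45:06 10.0.0.9 10.0.0.1 25 ALLOW
2010-03-21T14:45:07 10.0.0.9 192.0.2.80 443 ALLOW
"""

def parse_log(text):
    """Yield (src, dst, port, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        _ts, src, dst, port, action = fields
        yield src, dst, int(port), action

def smtp_fanout(text, relays=frozenset()):
    """Map each source to the set of distinct SMTP destinations it contacted.
    Hosts in `relays` (the ISP smarthost) are ignored. BLOCKed attempts still
    count: the attempt itself is the evidence of an engine trying to deliver."""
    fanout = defaultdict(set)
    for src, dst, port, _action in parse_log(text):
        if port in SMTP_PORTS and dst not in relays:
            fanout[src].add(dst)
    return fanout

def suspected_mass_mailers(text, relays=frozenset(), threshold=3):
    """Sources talking SMTP to more than `threshold` distinct non-relay hosts."""
    return sorted(src for src, dsts in smtp_fanout(text, relays).items()
                  if len(dsts) > threshold)
```

In the sample, 10.0.0.7 fans out to six mail hosts on three ports and is flagged, while 10.0.0.9 only talks to the relay and is not.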

Re: bad virus




Quoted text here. Click to load it

It doesn't sound like a virus but a trojan.  Anyhow, you can usually install
and run Mbam while in safe mode (and sometimes even update it if you run safe
mode with networking, though that's not always the case).  At the moment, Mbam
still appears to be the best anti-malware tool out there.  


Re: bad virus



From: gufus
Subj: Re: bad virus   Sun, 21 Mar 2010 14:45:27 -0600

From: David H. Lipman -> To: Xray
Subj: Re: bad virus   Sat, 20 Mar 2010 22:25:56 -0400

Hello, David!

You wrote on Sat, 20 Mar 2010 22:25:56 -0400:

??|> Looks like I'm looking at a fresh OS reinstall about now, this thing
??|> is insidious and is always one step ahead.

DHL> ** At this point, my advice is now to WIPE and RE-INSTALL the OS.

Can you suggest a  /good/ wipe app?

    Kev

--
With best regards, gufus.  E-mail: stop.nospam.gbbsg@shaw.ca



Re: bad virus




| From: gufus
| Subj: Re: bad virus   Sun, 21 Mar 2010 14:45:27 -0600

| From: David H. Lipman -> To: Xray
| Subj: Re: bad virus   Sat, 20 Mar 2010 22:25:56 -0400

| Hello, David!

| You wrote on Sat, 20 Mar 2010 22:25:56 -0400:

??||> Looks like I'm looking at a fresh OS reinstall about now, this thing
??||> is insidious and is always one step ahead.

DHL>> ** At this point, my advice is now to WIPE and RE-INSTALL the OS.

| Can you suggest a  /good/ wipe app?

If you are just re-installing the OS from scratch, the OS distribution disk
will allow you to remove any/all partitions and recreate the partitions and
perform a FULL Format (rather than a quick format).

The following is comprehensive.  ESPECIALLY if you want to dispose of a hard
disk and you are worried about the data on it.

If you have Norton or Symantec Ghost, the GDisk & GDisk32 utilities
http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2002112213111525?Open

{ DoD NISPOM compliant }


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: bad virus



From: gufus
Subj: Re: bad virus   Sun, 21 Mar 2010 15:51:38 -0600

From: gufus
Subj: Re: bad virus   Sun, 21 Mar 2010 15:50:34 -0600

From: gufus
Subj: Re: bad virus   Sun, 21 Mar 2010 15:47:13 -0600

From: David H. Lipman -> To: gufus
Subj: Re: bad virus   Sun, 21 Mar 2010 17:24:16 -0400

Hello, David!

You wrote on Sun, 21 Mar 2010 17:24:16 -0400:

DHL> distribution disk will allow you to remove any/all partitions and
DHL> recreate the partitions and perform a FULL Format (rather than a quick
DHL> format).

I was more interested in a zerofill or wipe app.

DHL> If you have Norton or Symantec Ghost, the GDisk & GDisk32 utilities

Not happy with Symantec apps.

--
With best regards, gufus.  E-mail: stop.nospam.gbbsg@shaw.ca



Re: bad virus




| From: gufus
| Subj: Re: bad virus   Sun, 21 Mar 2010 15:51:38 -0600

| From: gufus
| Subj: Re: bad virus   Sun, 21 Mar 2010 15:50:34 -0600

| From: gufus
| Subj: Re: bad virus   Sun, 21 Mar 2010 15:47:13 -0600

| From: David H. Lipman -> To: gufus
| Subj: Re: bad virus   Sun, 21 Mar 2010 17:24:16 -0400

| Hello, David!

| You wrote on Sun, 21 Mar 2010 17:24:16 -0400:

DHL>> distribution disk will allow you to remove any/all partitions and
DHL>> recreate the partitions and perform a FULL Format (rather than a quick
DHL>> format).

| I was more interested in a zerofill or wipe app.

DHL>> If you have Norton or Symantec Ghost, the GDisk & GDisk32 utilities

| Not happy with Symantec apps.

GDisk isn't an application.  It is merely a utility.

It is fully DoD sanitization compliant.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
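For the zerofill question raised in the thread, the check that matters after any wipe is reading the medium back rather than trusting the tool. The following is an added example, not code from any poster and not GDisk or any real wipe utility: it scans a device or image file in fixed chunks and reports where non-zero data survived, exercised here against a constructed temporary image (function names and chunk size are assumptions made for this example).

```python
"""Verify that a wiped block device or disk image reads back as all zeros.

Reads in fixed chunks so memory stays flat on multi-GB devices, counts
leftover non-zero bytes and records the first offsets where they occur,
so residual areas (old partition tables, slack) can be located.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read (assumed size, tune to the device)

def verify_zero_fill(path, chunk=CHUNK, max_report=10):
    """Return (total_bytes, nonzero_bytes, offsets) for `path`.

    `offsets` holds the first `max_report` byte offsets at which a non-zero
    byte was found; an empty list with nonzero_bytes == 0 means a clean wipe."""
    total = nonzero = 0
    offsets = []
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            zeros = buf.count(0)
            if zeros != len(buf):
                nonzero += len(buf) - zeros
                if len(offsets) < max_report:
                    # locate the first stray byte inside this chunk
                    first = next(i for i, b in enumerate(buf) if b)
                    offsets.append(total + first)
            total += len(buf)
    return total, nonzero, offsets

def make_test_image(size=3 * CHUNK, residue=b"MZ\x90\x00"):
    """Constructed image: all zeros except one leftover fragment halfway in.
    Returns the temp file path; the caller removes it when done."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(bytes(size))
        fh.seek(size // 2)
        fh.write(residue)
    return path

def remove_image(path):
    """Delete a constructed test image."""
    os.remove(path)
```

Pointed at a real device node the same function works unchanged, but it needs read access to the raw device and time proportional to its size.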



Re: bad virus



From: David H. Lipman -> To: gufus
Subj: Re: bad virus   Sun, 21 Mar 2010 17:59:57 -0400

Hello, David!

You wrote on Sun, 21 Mar 2010 17:59:57 -0400:

DHL> GDisk isn't an application.  It is merely a utility.

'k

DHL> It is fully DoD sanitization compliant.

'k

ttul...

--
With best regards, gufus.  E-mail: stop.nospam.gbbsg@shaw.ca



Re: bad virus




| From: David H. Lipman -> To: gufus
| Subj: Re: bad virus   Sun, 21 Mar 2010 17:59:57 -0400

| Hello, David!

| You wrote on Sun, 21 Mar 2010 17:59:57 -0400:

DHL>> GDisk isn't an application.  It is merely a utility.

| 'k

DHL>> It is fully DoD sanitization compliant.

| 'k

| ttul...

I sent 'ya a present  :-)


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: bad virus



Hi David,

21 Mar 10, David H. Lipman writes to All:

 >| From: David H. Lipman -> To: gufus
 >| Subj: Re: bad virus   Sun, 21 Mar 2010 17:59:57 -0400

 > I sent 'ya a present  :-)

 > -+- SoupGate-Win32 v1.05
 >  + Origin: Calgary Organization CDN Fidonet-Internet Gateway
 > (1:342/77.10)

Just checked the server...

<big smile>


        gufus

--
K Klement

Enhance your marketing at   http://www.gypsy-designs.com
                           mailto:info@gypsy-designs.com
Gypsy Designs                        Fax: (403) 242-3221

... Computers are unreliable, but humans are even more unreliable.

Re: bad virus




| Hi David,

| 21 Mar 10, David H. Lipman writes to All:

Quoted text here. Click to load it



| Just checked the server...

| <big smile>


:-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: bad virus



From: David H. Lipman -> To: gufus
Subj: Re: bad virus   Sun, 21 Mar 2010 19:05:42 -0400

Hello, David!

You wrote on Sun, 21 Mar 2010 19:05:42 -0400:


 DHL> :-)


Check your mailbox eh.

    Gufus


--
K Klement

Enhance your marketing at   http://www.gypsy-designs.com
                           mailto:info@gypsy-designs.com
Gypsy Designs                        Fax: (403) 242-3221



Re: bad virus




Quoted text here. Click to load it

Side note.. Make sure Internet Explorer (even if you don't use it) is not
set to work in offline mode. Mbam will generate error 732 if it is when
you try to update.


--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge
this boulder right down a cliff." - Goblin Warrior

