
Internet Security 2010 and Other Nasty Security Viruses



Well, it took a long time, but apparently Norton's idea of how to remove it is to tell you how to get the system ready to use their bloated program. If Art's program will catch it and take it out, then that might be the way to go. Following Norton's preparation beforehand is standard procedure in starting the removal process with just about everything.


More bad news. I wanted to look at the registry directly, since the entries I listed came from HijackThis. When I tried, I got the message "Registry editing has been disabled by your administrator". What now?

Based on what I've read, you might not be able to access a lot of the services or the registry until it's cleaned by another program. This gets into everything and does a good job of going stealth mode....

I have a rootkit remover here, but I don't think it's anything that is necessary based on what I've read.

McAfee usually is a good source of manually taking out viruses and trojans, but I can't find any references to that specific name in the database.


More bad news. I wanted to look at the registry directly, since the entries I listed came from HijackThis. When I tried, I got the message "Registry editing has been disabled by your administrator". What now?

Edit: I said I was using McAfee, but NASA switched to Symantec. They provide it free for our home computers.

If I can't edit the registry in safe mode, I would be afraid to do much. Since the bad software is not running now, and I'm an administrator of my computer, can you tell me how to re-enable registry editing? Or, if I run the program Arthmoor suggested, does it not matter?

From what I can tell the best thing is to disable system restore, reboot the computer and if possible run "any antivirus" from a thumb drive if you have it. I'm at the point the only thing I think I can do is break into it and see what is going on and I'm not local to you. I'm not sure what to suggest at this point. Art knows something that has worked for him in a corporate environment and it certainly can't hurt to give it a shot. I'm out of ideas at this stage. I'll keep trying to see if I can find more info for you though.. It might take a while...


Well, it took a long time, but apparently Norton's idea of how to remove it is to tell you how to get the system ready to use their bloated program. If Art's program will catch it and take it out, then that might be the way to go. Following Norton's preparation beforehand is standard procedure in starting the removal process with just about everything.

I know it's a long way to Tennessee, but I might have to make a beer run. :)

I would like to follow Norton's preparation, then run SuperAntiSpyware. Where can I find the preparation? I hope it's not the site you linked earlier, because I can't seem to get there.


Thanks, I've bookmarked the page. I'm not going to actually do it until I get more information from Arion or Arthmoor.

I got it once... I'll see if I can grab it again and paste it here.

Discovered: July 10, 2001

Updated: February 13, 2007 11:57:32 AM

Also Known As: W32.Malot.int, I-Worm.Petik [Kaspersky], W32/PetTick@MM [McAfee]

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).

Update the virus definitions.

Run a full system scan and delete all the files detected as W32.Pet_Tick.G.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

"How to disable or enable Windows Me System Restore"

"How to turn off or turn on Windows XP System Restore"

--------------------------------------------------------------------------------

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

--------------------------------------------------------------------------------

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).

Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."

For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."

Run a full system scan.

If any files are detected as infected with W32.Pet_Tick.G, click Delete.

Writeup By: Atli Gudmundsson


What's not mentioned here is that your current antivirus software is disabled by the worm. After disabling System Restore, reboot the computer in safe mode and run whatever you can to pick it up. Seems everyone has something for this. You're going to need it on other media that is about to run (such as a thumb drive)..... I seriously doubt it, but you can try and see if your McAfee runs in safe mode...


Ok, I can't seem to get to the Symantec site, so here's my plan. Please let me know if this makes sense.

I'll download the free version of SuperAntiSpyware. Second, since I can't get to the Norton site, I'll ask both of you, Arion and Arthmoor, what I need to do in preparation. I've verified that I can save files to a thumb drive, so I think I can upload one. I assume that I can install SuperAntiSpyware while in safe mode, right?

So, if you will tell me what I need to do to prepare, I'll do it. In the mean time I'll download SuperAntiSpyware to this computer and put it on a thumb drive.

BTW, Arthmoor, I now have SUPERAntiSpyware.exe. I assume this is the installer, not the actual program, right?


I know it's a long way to Tennessee, but I might have to make a beer run. :)

I would like to follow Norton's preparation, then run SuperAntiSpyware. Where can I find the preparation? I hope it's not the site you linked earlier, because I can't seem to get there.

Feel like a mini vacation to the Smoky Mountains of East Tennessee around the Gatlinburg area, do you? :)


Ok, I can't seem to get to the Symantec site, so here's my plan. Please let me know if this makes sense.

I'll download the free version of SuperAntiSpyware. Second, since I can't get to the Norton site, I'll ask both of you, Arion and Arthmoor, what I need to do in preparation. I've verified that I can save files to a thumb drive, so I think I can upload one. I assume that I can install SuperAntiSpyware while in safe mode, right?

So, if you will tell me what I need to do to prepare, I'll do it. In the mean time I'll download SuperAntiSpyware to this computer and put it on a thumb drive.

BTW, Arthmoor, I now have SUPERAntiSpyware.exe. I assume this is the installer, not the actual program, right?

I cut and pasted the steps a few messages up from yours. Basically, where it says Norton or Symantec's products, use the SuperAntiSpyware program.


I tried to install SUPERAntiSpyware. When I did, I got the message "The system administrator has set policies to prevent this installation".

It's not that you want to install it from there; you really want to execute the program from there. Either go through Run ---> Start menu and point to the exe file, or try adding a link to the exe file on the thumb drive and point to the exe file.

Sent email to you regarding if phone would work better.
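Both lockdown symptoms in this thread, regedit refusing to open ("Registry editing has been disabled by your administrator", and the later question of how to re-enable it) and the installer refusing with "The system administrator has set policies to prevent this installation", are produced by policy values in the registry, which is why Arion's advice to run the tool rather than install it works. The script below is an added example written for this thread; it is not code from the thread or from any tool mentioned in it. It assumes the values involved are DisableRegistryTools and DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System and DisableMSI under HKLM\Software\Policies\Microsoft\Windows\Installer, with the documented Group Policy meanings; that the installer message comes from the Windows Installer policy is an assumption (a Software Restriction Policy can refuse an installer in a similar way and is not covered here). The constructed snapshot in the script reproduces the two symptoms so the logic can be run off-line; on a Windows machine the `--live` switch reads the real values instead.

```python
"""Audit the Windows policy values that rogue "antivirus" malware sets to lock
the user out of regedit, Task Manager and Windows Installer.

Added example for this thread, not code from any tool discussed in it. The
decision logic works on a plain dict so it runs anywhere; on Windows the
collect_from_registry() helper fills that dict from the live registry.
"""
import sys

SYSTEM_POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
INSTALLER_POLICY_KEY = r"Software\Policies\Microsoft\Windows\Installer"

# (hive, key, value name). Absent or 0 is the Windows default for all three.
POLICY_VALUES = [
    ("HKCU", SYSTEM_POLICY_KEY, "DisableRegistryTools"),  # regedit refuses to start
    ("HKCU", SYSTEM_POLICY_KEY, "DisableTaskMgr"),        # Task Manager refuses to start
    ("HKLM", INSTALLER_POLICY_KEY, "DisableMSI"),         # Windows Installer refuses installs
]


def location_of(hive, key, name):
    """Canonical dict key for a value, e.g. 'HKCU\\Software\\...\\System\\DisableRegistryTools'."""
    return f"{hive}\\{key}\\{name}"


def describe(name, data):
    """Explain a non-zero value in the terms the user sees on screen."""
    if name == "DisableRegistryTools":
        # 1 blocks regedit; 2 additionally blocks the silent 'regedit /s' import mode.
        return "regedit blocked ('Registry editing has been disabled by your administrator')"
    if name == "DisableTaskMgr":
        return "Task Manager blocked"
    if name == "DisableMSI":
        return {1: "Windows Installer blocked for non-managed installs",
                2: "Windows Installer blocked for all installs"}.get(
            data, f"Windows Installer restricted (unexpected value {data})")
    return f"{name} set"


def assess_policies(snapshot):
    """Return [(location, explanation, data)] for every restrictive value in snapshot.

    snapshot maps location_of(...) -> integer data, or None when the value is absent.
    """
    findings = []
    for hive, key, name in POLICY_VALUES:
        location = location_of(hive, key, name)
        data = snapshot.get(location)
        if data in (None, 0):
            continue  # default, unrestricted
        findings.append((location, describe(name, data), data))
    return findings


def collect_from_registry():
    """Windows only: read the live values into the snapshot format."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive, key, name in POLICY_VALUES:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                snapshot[location_of(hive, key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:  # key or value absent: the unrestricted default
            snapshot[location_of(hive, key, name)] = None
    return snapshot


def remove_policy(hive, key, name):
    """Windows only: delete the value so the unrestricted default applies again."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    with winreg.OpenKey(hives[hive], key, 0, winreg.KEY_SET_VALUE) as handle:
        winreg.DeleteValue(handle, name)


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        snapshot = collect_from_registry()
    else:
        # Constructed snapshot reproducing the two symptoms described in the thread.
        snapshot = {
            location_of("HKCU", SYSTEM_POLICY_KEY, "DisableRegistryTools"): 1,
            location_of("HKLM", INSTALLER_POLICY_KEY, "DisableMSI"): 2,
        }
    for location, explanation, data in assess_policies(snapshot):
        print(f"{location} = {data}: {explanation}")
```

`remove_policy` is the scripted equivalent of deleting the value in regedit, which is exactly the tool the policy keeps you out of. It only sticks once the malware process is no longer running to re-apply the value, which is why the thread's advice to work from safe mode, with the tool run from a thumb drive, comes first.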


Arion,

I've read what it says on that site. However, none of the filenames it refers to, either to remove the files or the registry entries, are the same as I have. It mentions "enemies-names.txt" and "Antimalwaredoctor.exe". I have "dbf70700.exe", which is identified on many sites as "Antimalwaredoctor".

I'll look in the registry (but not change right now) for references to dbf70700.

Vince

EDIT: the link provided by DarkRider also refers to the two names above.

I've found four entries in the registry of interest:

O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\Xfw.exe

O4 - HKCU\..\Run: [dbf70700.exe] C:\Documents and Settings\Vince Bly\Application Data\50A8F20A3BFFE119D1A9C07BF9224F03\dbf70700.exe

O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\cmd.exe

O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Vince Bly\Application Data\50A8F20A3BFFE119D1A9C07BF9224F03\dbf70700.exe

Antimalware Doctor manual removal:

Kill processes:

Antimalware Doctor.exe

HELP:

how to kill malicious processes

Delete registry values:

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antimalware Doctor.exe"

HELP:

how to remove registry entries

Delete files:

Antimalware Doctor.exe

C:\Windows\System32\enemies-names.txt

HELP:

how to remove harmful files
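The four O4 lines quoted above are HijackThis autostart entries, and what makes them stand out is mechanical enough to check automatically. The script below is an added example written for this thread; it is not part of HijackThis or of any tool mentioned here. It parses the two O4 formats shown (an `HKxx\..\Run` value entry and a Startup-folder shortcut) and applies four indicators drawn from those lines: an executable launched from a Temp directory, a cmd.exe that is not the one in System32, a profile subfolder whose name is 32 hex digits, and a value name that looks randomly generated. The "random name" rule and its vowel-ratio threshold are this example's own heuristic, not a published signature. The sample log is constructed from the entries quoted above plus one benign-looking Symantec entry (an assumed path) for contrast.

```python
"""Triage HijackThis O4 (autostart) entries for rogue-antivirus indicators.

Added example for this thread; not part of HijackThis or any other tool.
Parses the O4 line formats HijackThis prints and flags the traits visible in
the thread's own entries. Heuristic rules are this example's, not a signature.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the four entries quoted in the thread plus one benign entry.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\Xfw.exe
O4 - HKCU\..\Run: [dbf70700.exe] C:\Documents and Settings\Vince Bly\Application Data\50A8F20A3BFFE119D1A9C07BF9224F03\dbf70700.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\cmd.exe
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Vince Bly\Application Data\50A8F20A3BFFE119D1A9C07BF9224F03\dbf70700.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# "O4 - HKCU\..\Run: [ValueName] command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O4 - Startup: shortcut.lnk = target"  (also "Global Startup:")
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
HEX32_DIR_RE = re.compile(r"\\[0-9a-f]{32}\\", re.IGNORECASE)

IND_TEMP = "runs from a Temp directory"
IND_CMD = "cmd.exe outside System32"
IND_HEXDIR = "32-hex-digit folder under the user profile"
IND_RANDOM = "random-looking value name"


@dataclass
class Entry:
    source: str                               # e.g. "HKCU Run" or "Startup"
    name: str                                 # registry value name or shortcut name
    path: str                                 # executable the entry launches
    indicators: list = field(default_factory=list)


def parse_o4(line):
    """Return (source, name, command) for an O4 line, or None if it is not one."""
    m = RUN_RE.match(line)
    if m:
        return f"{m['hive']} {m['key']}", m["name"], m["cmd"]
    m = STARTUP_RE.match(line)
    if m:
        return m["key"], m["name"], m["cmd"]
    return None


def executable_of(command):
    """Strip quoting and arguments, keeping the .exe path the entry launches."""
    m = EXE_RE.match(command)
    return m["path"] if m else command.strip('"')


def looks_random(name):
    """Heuristic: 8+ chars, mixes letters and digits, fewer than 30% vowels."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", name, flags=re.IGNORECASE)
    if len(stem) < 8 or not any(c.isdigit() for c in stem) or not any(c.isalpha() for c in stem):
        return False
    vowels = sum(1 for c in stem.lower() if c in "aeiou")
    return vowels / len(stem) < 0.3


def indicators_for(name, path):
    """Apply the four indicators taken from the thread's entries."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    found = []
    if "\\temp\\" in low:
        found.append(IND_TEMP)
    if base == "cmd.exe" and "\\system32\\" not in low:
        found.append(IND_CMD)
    if HEX32_DIR_RE.search(path):
        found.append(IND_HEXDIR)
    if looks_random(name):
        found.append(IND_RANDOM)
    return found


def triage(log_text):
    """Parse every O4 line in a HijackThis log and attach its indicators."""
    entries = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if not parsed:
            continue
        source, name, cmd = parsed
        path = executable_of(cmd)
        entries.append(Entry(source, name, path, indicators_for(name, path)))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        verdict = "; ".join(e.indicators) if e.indicators else "no indicators"
        print(f"[{e.source}] {e.name} -> {e.path}\n    {verdict}")
```

Run against a real log, any entry with two or more indicators is the one to look up before touching anything, and an entry with none (the Symantec line here) is left alone; the heuristic is a sorting aid for a human, not a verdict on its own.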


Some malware will not let you install anything, or it will not let specifically known anti-malware programs run or install. A cheap trick to get around this is to rename the program or installer to Winlogon.exe. This is the name of a Windows process that the computer needs to run, so no malware is going to stop it.


Hiya folks. Here's an interesting bit of development. I use ESET NOD32 security suite and scan regularly but don't really understand the results I see... not the issue here. I installed the IObit malware scanner and found what it identified as a trojan. When I hit the clean button the header reads that 1 file has been cleaned. However... in the scan results box it reads failed. The file is this... C:\Windows\system32\bcrypt.dll, which is labeled on mouseover as... Windows Cryptographic Primitives Library. Created 1/20/2008. Kinda looks like a false positive, but I want to see what you folks think?... Thanks.. :D


Hiya folks. Here's an interesting bit of development. I use ESET NOD32 security suite and scan regularly but don't really understand the results I see... not the issue here. I installed the IObit malware scanner and found what it identified as a trojan. When I hit the clean button the header reads that 1 file has been cleaned. However... in the scan results box it reads failed. The file is this... C:\Windows\system32\bcrypt.dll, which is labeled on mouseover as... Windows Cryptographic Primitives Library. Created 1/20/2008. Kinda looks like a false positive, but I want to see what you folks think?... Thanks.. :D

According to all the information I can find, you are correct, it was a false positive.
