Virus Help

[Matt24]

ok, i restarted my computer and I am going to try to scan it again, if it doesnt work, here is my idea. i still have the email wher ei got this virus in my webmail. I reinfect myself, then run the tool

I think the tool isnt working because it cant end the processes(because they have been ended) therefore it doesnt delete the files(they are deleted anyway) but then the KEY part it doesnt edit my registry and fix that and that is the last step of hte tool and I think that is where I am still infected. What do you guys think?

 

[Matt24]

ok I have now found some stuff on the W32/Polybot!hosts virus which I previously mentioned. I think this thing is still hanging around cuz I cant go to symantec.com and those kinds of sites and I found info on this virus and it says it performs a DOS on those types of sites, trendware.com was also mentioned.

 

[Matt24]

I have figured out the alias name that symantec uses for this virus and have found the removal tool, so now I am going to try that, if it doesnt find anything, than I dont know what in the hell I'm going to do.

 

[Rickf]

Go here for Bagle.k

http://www.trendmicro.com/download/dcs.asp

download Sysclean Package

This will run in DOS. Let me know what it says

 

[Rickf]

You will need the pattern file also. Do not reinfect yourself.

http://www.trendmicro.com/download/pattern.asp



. Description

This self-extracting archive is a stand-alone fix package that
incorporates the Damage Cleanup Engine and Template. It replaces the
traditional fix tool by addressing a wide variety of system infections
rather than a specific malware infection.


This tool supports the following features:

o Terminate all malware instances in memory
o Remove malware registry entries
o Remove malware entries from system files
o Scan for and delete all malware copies in all local hard drives



II. File List

o sysclean.com - the main executable module
o readme.txt - this file
o lpt$vpn.XXX - downloadable component (see Requirements)



III. Requirements

1. Download the latest pattern file lpt$vpn.XXX in ZIP format as
lptXXX.ZIP from the following location:

<http://www.trendmicro.com/download/pattern.asp>

This file must be saved in the same folder where you run
this fix package.

2. This tool is designed to run under Windows 9x/ME/NT/2000/XP.

 

[Matt24]

Alright thanks, I will start those right after the virus tool gets done with this polybot one, hopefully it finds everything.

I just noticed my roommates computer cant go to symantec.com or trendmicro.com, I am guessin he must have some dormant worm, I am running Stinger for him. Luckily I have another roommate and his computer is fine so I can download this stuff.

 

[Rickf]

Remember you need to download the file pattern, unzip it to your dektop. It will say
"lpt$vpn.865"

Than download the engin to your desktop it will say "sysclean"

click on sysclean. This will load the lpt$vpn.865 into your sysclean engine.

Voila, scan away. Follow the instructions.

 

[Rickf]

Important. Polybot can only be removed like this.

http://www.bu.edu/pcsc/virus/alerts/polybot/

 

[Matt24]

Yeah that is the tool i used, i just noticed that it said to run them in safe mode if it didnt find anything the first time. I am going to try that. Then I will do the sysclean after that.

 

[Rickf]

YOU MUST DISABLE SYTEM RESTORE

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

 

[Matt24]

I did have that disabled. I have tried to start safe mode twice, but it hasnt worked either time. The screen just becomes stuck, any other way to run safe mode?

 

[Matt24]

nevermind, I see another way to do it through msconfig. Ill try that

 

[Matt24]

well nevermind again, it finally went through after like 4 minutes stuck on a screen.

 

[Matt24]

Should I leave it in safe mode when I run that sysclean as well or does that matter?

 

[Matt24]

i tried it in safe mode and it didnt find anything, I am now going to run the sysclean

 

[Matt24]

I am now running sysclean, it started out in dos and found JS_Fortnight.M, it is now running in windows and still scanning. Will this delete those programs and clean the stuff up itself or is this just to identify?

 

[Rickf]

sorry I had to step out. Run the sysclean first. It will remove the virus from the reg.
The last step is the manual removal

 

[Matt24]

Its still running, Ill be back in 40 minutes and hopefully it will be done by then. So I am going to have to do a manual removal after that?With the registry? Hopefully it will let me edit this time

 

[Rickf]

Yes it should. Let me know what it says after the scan finishes and you press clean. Remeber to write down the virus names so you can aquire patches to prevent this stuff again.

 

[Rickf]

http://www.virusbtn.com/resources/viruses/fortnight.xml