I got a really nasty computer virus for Christmas
#1
Contributing Member
Thread Starter
And I'm just now clean of it...I think. May there be a special place in hell for the scum that author these things.
Some history:
What started off as slow performance turned into a complete take-over of my PC. I couldn't run task manager; at one point it wouldn't even boot up.
I have an up to date McAfee service that I assumed was doing the job....nope, it didn't work. This virus just laughed at McAfee. The virus was popping up warnings of an attack on my PC and directing me to some scam site called "Internet Security 2010" where supposedly my PC would be saved. Some of the warnings I took a screen shot of:
I had to bring in a PC pro just to get some control back. He worked on it for about 4-5 hours one night and got it running with the help of "Malwarebytes anti-malware" and "Spybot search and destroy" on a boot disk.
But it reloaded itself and 2 days later was even worse, giving the blue screen of death and stopping me from even booting up in safe mode. Called the PC guy back in and after another long night of work running things like Hijackthis, rkill, etc... he has it running again and showing clean scans from Malwarebytes, Spybot, Ad-ware. Things are running faster and it seems much better, but sometimes a scan will find a trojan or 2. And there is a weird thing happening with Google searches. The search shows correct results but when you click on the link you get redirected to sites that seem totally unrelated to the subject, almost like random redirecting.
Finally, after removing and reinstalling McAfee it was able to help out some. It had been partly disabled by the virus so it wouldn't detect it. Also, Malwarebytes must be removed, reloaded and updated after every scan because the virus somehow changes the program so it can't find the virus.
After lots of scanning and reloading and rescanning, all the AV programs were showing clean scans and that all was good. The PC is running fast...but there is still that Google redirect problem. So I searched this problem on another computer and found many others with the same problem. It's called "TDL3 rootkit" and there are apparently only 2 programs at this time that will remove it. One (Combofix) they say is very dangerous to use if you don't know what you are doing and the other is "Hitman Pro 3.5".
THE FIX!
Hitmanpro is free for a 30 day trial and after running it my Google search links are now back to normal! I've heard you need to be careful what site you download it from because there are scam sites out there. I downloaded it from hitmanpro.com, but even that address got redirected to a new address. The hitmanpro only took about 3 minutes to run and remove it, at least I hope it's gone.
One guy had this to say:
As of today, 1/20/2010, the latest updates for AVG, Malwarebytes, Spybot Search & Destroy, and AdAware could not fix it
I read that one of the things that makes it easy for this virus to take over your PC is that most users stay logged in all the time as the administrator.
More info:
http://forum.avast.com/index.php?topic=51543.0
http://www.prevx.com/blog/139/Tdss-r...s-the-net.html
Interesting quote from the first link:
TDL3 will register itself as a print processor.
The printer subsystem (spoolsv.exe), that has system rights,
will load this Print Processor accordingly.
Last edited by mt_goat; 01-21-2010 at 07:01 AM.
#2
Registered User
Join Date: Apr 2009
Location: Suisun City, California
Posts: 535
Likes: 0
Received 0 Likes
on
0 Posts
I am assuming that you are running windows.
Windows comes with a System Configuration Utility. You can open it by clicking Start, Run, then typing in msconfig, then clicking OK. This should open up the System Configuration Utility.
The Services and Startup tabs contain files that run every time your computer starts. This is normally where a virus would reactivate from. Normally all that should be in there is Microsoft stuff, internet service provider files, and stuff for sound/video.
I would also recommend downloading the Firefox browser. It runs much better than IE, it is not hacked as much, and it is free. http://www.mozilla.com/en-US/
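The two places this thread points at are the print-processor registration quoted in post #1 (a DLL that spoolsv.exe loads with SYSTEM rights) and the Startup and Services tabs of msconfig in post #2. The script below is an added example written for this page; it is not code from the thread or from any of the tools named in it. It only reports, it changes nothing. Assumptions of mine: Windows PowerShell 5.1 or later from an elevated prompt, and a baseline in which 'winprint' is the only print processor that ships with Windows (localspl.dll on XP, winprint.dll on later versions). Every autostart entry that is not in that baseline, or whose binary is not Microsoft-signed, is listed with status REVIEW so a person can decide what it is.

```powershell
# Autostart audit for the persistence spots discussed in this thread.
# Added example, not code from the thread or from the tools it names.
# Assumes Windows PowerShell 5.1+ in an elevated prompt. The 'winprint' baseline
# below is an assumption about what ships with Windows; adjust for your build.
$ErrorActionPreference = 'SilentlyContinue'   # unreadable keys are skipped, not fatal

$KnownPrintProcessors = @{ 'winprint' = @('localspl.dll', 'winprint.dll') }
$PrintEnvRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the binary path out of a command line such as  "C:\Program Files\x\y.exe" /silent
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take up to the first binary extension, even if the path has spaces
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Authenticode status of a file: who signed it, or why it cannot be trusted
function Get-SignerStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'file-missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        return 'signed:' + ($sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1')
    }
    return "unsigned($($sig.Status))"
}

function New-Finding($Location, $Where, $Name, $Target, $Status) {
    [pscustomobject]@{
        Location = $Location; Where = $Where; Name = $Name
        Target   = $Target;   Status = $Status
        Signer   = Get-SignerStatus $Target
    }
}

# Print processors: each Driver value is a DLL that spoolsv.exe (SYSTEM) loads from
# %SystemRoot%\System32\spool\prtprocs\<environment Directory>\. Anything outside the
# baseline is the kind of registration the quoted post describes, so it gets REVIEW.
function Get-PrintProcessorFindings {
    foreach ($printEnv in Get-ChildItem -Path $PrintEnvRoot) {
        $subdir = (Get-ItemProperty -Path $printEnv.PSPath).Directory
        $ppDir  = Join-Path $env:SystemRoot "System32\spool\prtprocs\$subdir"
        foreach ($pp in Get-ChildItem -Path (Join-Path $printEnv.PSPath 'Print Processors')) {
            $dll    = (Get-ItemProperty -Path $pp.PSPath).Driver
            $known  = $KnownPrintProcessors[$pp.PSChildName]
            $status = if ($known -and $known -contains $dll) { 'baseline' } else { 'REVIEW' }
            New-Finding 'PrintProcessor' $printEnv.PSChildName $pp.PSChildName (Join-Path $ppDir $dll) $status
        }
    }
}

# Run/RunOnce keys: the "Startup" side of msconfig. Everything here is listed for review.
function Get-RunKeyFindings {
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $ProviderProps }) {
            New-Finding 'RunKey' $key $p.Name (Get-ExecutablePath $p.Value) 'REVIEW'
        }
    }
}

# Auto-start services: the "Services" side of msconfig. A valid Microsoft signature on
# the service binary is treated as baseline; everything else is REVIEW.
function Get-ServiceFindings {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object StartMode -eq 'Auto') {
        $f = New-Finding 'Service' $svc.StartName $svc.Name (Get-ExecutablePath $svc.PathName) 'REVIEW'
        if ($f.Signer -like 'signed:Microsoft*') { $f.Status = 'baseline' }
        $f
    }
}

# REVIEW rows sort first. Nothing on the machine is modified; this only reports.
@(Get-PrintProcessorFindings) + @(Get-RunKeyFindings) + @(Get-ServiceFindings) |
    Sort-Object Status, Location | Format-Table -AutoSize -Wrap
```

The signature check is what makes the list useful: a print processor or startup entry with an unsigned DLL, a missing file, or a name that mimics a Windows component stands out immediately, which is harder to see in the msconfig dialog itself. A rootkit that hooks the disk or registry stack can hide its own entries from a scan run on the infected system, which is the reason the poster's helper used a boot disk; run the audit from a clean boot environment if the live results look too clean.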
#4
Glad you are getting your PC back into shape.
I have had a few viruses in the past long ago, they are not fun.
Makes you want to punch the author of it in the face, and do a little more to him too.
Take him to the forest and smear honey all over him and drop him off in a known bear zone
#5
Registered User
I would back up your data and reload. I have messed with the 2008, 2009 and 2010 "anti-virus" virus. You can get it cleaned and running but you still will have some issues.
Whokrz is right, you can turn off a bunch of stuff in MSCONFIG. You will also want to turn off "System Restore"; viruses like to hang out in there and reinstall themselves.
All in all I recommend a reload and use something other than McAfee: Norton, PC-Cillin or NOD32 for your anti-virus. For AdWare and such stick with Spybot; I have not had much luck with AdAware and the free version loads its own spyware.
Clean out all "Temp" files and "Temp Internet" files.
Hope this helps.
Last edited by Lumpy; 01-20-2010 at 09:52 AM.
#6
Contributing Member
Thread Starter
#7
Contributing Member
Thread Starter
#8
Registered User
Reloading is wiping the machine and starting over. Put the CDs in that came with it and boot off the CDs and this will reload the machine. It will wipe everything on the computer and have it like it was when you first turned it on.
If it does not have CDs then there will be a key combination to hit while it's booting to boot into the Recovery options. From there you will have a list of choices. I'm assuming you are running XP? Or are you on Vista?
#9
Registered User
On my computers (home and work) I disable "System Restore" I also do this on all the machines I work on. It usually makes more of a mess than it helps. As you found out.
#10
Contributing Member
Thread Starter
#13
Registered User
Well there are a few options. I would get a new hard drive and install it in the computer and reload from the CDs and then copy the data off the old one on to the new one. That's what I usually do when I reload mine; I do that every year or so.
You also can get a thumb drive and copy your pictures and documents to that. For the cost of a thumb drive vs. messing with CDs or DVDs, it is much easier to use a thumb drive.
Do you have emails saved on your machine or do you use webmail? Basically, do you use Outlook or Outlook Express or Yahoo, Hotmail, or g-mail? Do you need these backed up?
What I need to know is if you have CDs or if all your restore info is on the original hard drive. This will help determine the best way to do this.
#15
Registered User
When you got the computer did it come with CDs?
What is the make and model of the PC?
Do you need your emails?
Outlook Express will have all the data stored in your profile, something to the effect of
C:\Documents and Settings\User\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express
The user may be "owner" or "administrator" or "mt_goat", some sort of user name. The {GUID} is a random string of numbers. There also may be a few folders in the Identities folder; only one will have all your email info. Usually the largest of them will be the one you need.
If you have all your pictures backed up on CDs what else do you need backed up? You should be able to get it all on a thumb drive.
#16
Contributing Member
Thread Starter
Yes I have the CDs that came with it; it's a Dell Inspiron 530. Not sure how bad I need the e-mails. I would really like to keep my saved favorites in IE8 though. And I'd like to keep them in the same order they are now; for some reason every time I try to transfer them the order switches to alphabetical.
#17
Registered User
Ok that helps...
Options:
1) Since you have CDs that came with it, if it were mine, I'd get a new hard drive and reload from there.
2) Use the current drive, back everything up and reload; it will save a bit of $$$.
If you copy the "Favorites" folder from your profile to another machine and they are now listed A, B, C, click on "Favorites" in the menu bar and select "Organize Favorites"; you then can place them in any order you want.
#19
YotaTech Milestone-Two Millionth Post
Hey guys......I've been following this thread, a little. Sounds like Mt Goat has a clue what he's doing, whereas I have zero clue. I'm the kind of ignoramus that just wants the computer to work when I want it to and that's about it.
Anyhoo..I found the link to the demon that infected my desktop PC and figured I'd paste the picture of what mine looked like (not mine, but it's a screenshot from a website talking about it).
Sounds like similar crap to mine....
#20
Registered User
If you go external and are going to swap the drive you will have to get the external out of the case, which does not always work out so well. I'd get a normal HD and then get the enclosure.
You are going to need to know if you have a SATA drive or an IDE drive. I'm going to post links to both. First the IDE, then the SATA; the last will be an enclosure.
http://www.newegg.com/Product/Produc...Ultra%20ATA100
http://www.newegg.com/Product/Produc...25%20-%20%2450
This is for a USB IDE
http://www.newegg.com/Product/Produc...name=USB%202.0
This is for a SATA USB
http://www.newegg.com/Product/Produc...name=USB%202.0
Need anything else let me know...