TwistyPuzzles.com Forum
 Post subject: Got me a nasty little virus
PostPosted: Mon May 02, 2011 2:51 pm 

Joined: Sun Mar 27, 2005 7:37 pm
Through an ill-advised decision I downloaded a trojan horse, agent_r.xj. I've had a few trojans before and a quick AVG scan and removal gets rid of them. Well, all the other times it did.
This little blighter is different though. I first noticed it when my CPU was suddenly running at 100% even though I wasn't doing much. So I ran the scan and found it in a number of locations. AVG removed some but others were 'inaccessible'. A little Googling revealed how nasty this is so I quickly installed the recommended Malwarebytes and SUPERAntiSpyware. After a full scan with each I was able to remove the remaining traces (or so I thought).
A little surfing quickly revealed that I had what some call the Google redirect virus. When you do a search (not necessarily Google) using any browser you end up on all sorts of sites you didn't want to be on.
Time for drastic action. Disconnect from the internet and use the backup netbook to change important passwords just in case. More searching with the netbook confirms further this IS a nasty creature to have. Tried TDSSKiller but it won't run (the virus can block antivirus software). Lots of chat about ComboFix but it sounds a bit scary. The more I read the more opinions there are on what to do. Each seems more complex and not guaranteed to work.
So, my question is: should I just do a complete recovery and start afresh? Will this definitely get rid of it?
BTW my System Restore stopped working months ago. Conflicting programs or something.
P.S. Since a recovery will clear my hard drive, is it safe to copy the files I haven't backed up and reload them later? I am talking about straightforward pictures etc. According to my scans I have no viruses so I assume it is hidden in Windows stuff.



Last edited by Tony Fisher on Mon May 02, 2011 2:57 pm, edited 1 time in total.

 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 2:56 pm 

Joined: Fri Feb 08, 2008 1:47 am
Location: near Utrecht, Netherlands
Have you tried booting into safe mode and then running Spybot S&D/your antivirus/whatever? That usually does the trick, even for the worst of them.

_________________
Tom's Shapeways Puzzle Shop - your order from my shop includes free stickers!
Tom's Puzzle Website


Buy my mass produced puzzles at Mefferts:
- 4x4x6 Cuboid for just $38
- Curvy Copter for just $18
- 3x4x5 Cuboid for just $34


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 2:58 pm 

Joined: Mon Aug 27, 2007 3:50 pm
Location: Copenhagen, Denmark
Starting fresh will do the job. If it doesn't then it's definitely a nastier virus than I have ever heard of.
I am not the biggest computer guy, so others might know better, but store all your valuable photos on an online server, start fresh, and get those files again. Don't use an external HDD because the virus will most likely jump.

Is it really true that Macs can't get viruses? Or are those days over?

_________________
Tony Fisher wrote:
I believe it would work best with black plastic.

My puzzles in the Museum
My Website
My Youtube Channel


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:05 pm 

Joined: Thu Sep 24, 2009 12:21 pm
Location: Chichester, England
Sigurd wrote:
Is it really true that Macs can't get viruses? Or are those days over?


I don't believe they can. At least not iPods.

_________________
3x3x3 single: 5.73 seconds.
3x3x3 average of five: 8.92 seconds.
3x3x3 average of twelve: 9.77 seconds.

Buy the Curvy Copter Skewb, NovaMinx, and more here!


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:14 pm 

Joined: Wed Aug 01, 2007 3:14 pm
Location: Orange County, CA
Tony, if safe-mode fails, before starting fresh you should give this a try:

http://www.howtogeek.com/howto/14434/sc ... u-live-cd/

_________________
-Garrett


Last edited by Garrett on Mon May 02, 2011 3:22 pm, edited 1 time in total.

 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:18 pm 

Joined: Sun May 30, 2010 4:58 pm
Location: United Kingdom
It's not that Apple computers can't get viruses, they can, but the viruses themselves are few and far between or no longer a threat. It is more to do with the fact that they are less of a profitable target for viral attackers as they are a minority on the market when compared to Windows computers, with there being greater success to be had in attacking Windows computers as they are a) more common and b) an easier OS to exploit.

Ryan

_________________
Website | YouTube Channel |

Tony Fisher wrote:
Please can you reduce the size of your photos when posting. To see the whole of this thread I have to walk into the next room.


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:19 pm 

Joined: Fri Feb 08, 2008 1:47 am
Location: near Utrecht, Netherlands
Macs can definitely get viruses. However, since there are not nearly as many Macs as Windows PCs, it's far less interesting and profitable to make viruses for Macs, so there are just far fewer Mac viruses than there are Windows viruses.

I would really go for the safe mode solution, it's highly likely to work. If you do reinstall it should be fine to copy over the files so long as you are sure what kind of files they are. You should avoid, amongst others, .vbs, .bat, .cmd and .exe files. Shortcuts (.lnk) can also be really dangerous. They will not show their extension, so a file image.jpg.lnk will show up as image.jpg but opening it may cause malicious code to run. Something very clever I came across a while ago had a file photo1.jpg that really was an executable, not a photo. You couldn't open it as it wasn't a valid picture, but a second file, photo.jpg.lnk, was a shortcut that executed the code from photo1.jpg.
I doubt the virus makers have gone this deep, and you should be fine copying your files over after scanning them from a non-infected machine. But try the safe mode thing, it really works a charm.

To get into safe mode, hit F8 while your PC is booting and you will be presented with various options. I would choose "Safe mode (with networking)"; you can then download updates for your AV and eliminate the virus. This works because some viruses load themselves on startup and prevent other applications (like AV software) from interfering with them. When you boot into safe mode, only essential programs are started so the virus has no chance to defend itself.


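TomZ's rules for which files are safe to copy back, as an added example that is not part of the thread: a Python checker that applies them to a folder before anything is restored. It flags the executable extensions he lists, shortcuts hiding behind a picture extension (photo.jpg.lnk), and picture files whose first bytes are a Windows executable header rather than an image (his photo1.jpg case). The extension sets, the magic-byte table and the sample files it writes to a temporary directory are constructed for this example; run it from a clean machine against the copied folder, as the post suggests.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Extensions the post warns against copying back from a possibly infected disk.
# This set is an assumption for the example; extend it as needed.
EXECUTABLE_EXTS = {".exe", ".vbs", ".bat", ".cmd", ".lnk"}
# Extensions a user would treat as harmless "data" (pictures, documents).
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".txt"}
# Leading bytes of common formats, used to check that content matches the name.
MAGIC = {
    b"MZ": "windows executable (MZ/PE header)",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"GIF8": "gif",
    b"%PDF": "pdf",
    b"L\x00\x00\x00": "windows shortcut (.lnk)",
}


def sniff(header: bytes) -> Optional[str]:
    """Identify a file type from its first bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def classify(name: str, header: bytes) -> list:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(header)
    # Plain executable types: do not copy these back without scanning from a clean machine.
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    # image.jpg.lnk: Explorer hides the .lnk, so the user sees image.jpg.
    if ext == ".lnk" and len(suffixes) >= 2 and suffixes[-2] in DATA_EXTS:
        findings.append(f"shortcut masquerading as {suffixes[-2]} file")
    # photo1.jpg that is really a program: the name lies, the header does not.
    if ext in DATA_EXTS and kind is not None and kind.startswith("windows executable"):
        findings.append(f"{ext} file is actually a {kind}")
    return findings


def scan_directory(root: str) -> dict:
    """Walk a folder and map each suspicious file (relative path) to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                header = fh.read(8)
            findings = classify(fn, header)
            if findings:
                results[os.path.relpath(full, root)] = findings
    return results


def build_demo_tree() -> str:
    """Create a temp folder of constructed sample files (harmless bytes, not real malware)."""
    root = tempfile.mkdtemp(prefix="copycheck_")
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,              # genuine JPEG header
        "photo1.jpg": b"MZ\x90\x00" + b"\x00" * 12,                     # executable named as a picture
        "photo.jpg.lnk": b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 8,  # shortcut hiding behind .jpg
        "notes.txt": b"just text",
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 12,
    }
    for name, content in samples.items():
        Path(root, name).write_bytes(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, findings in sorted(scan_directory(demo).items()):
        print(f"{path}: {'; '.join(findings)}")
```

The name check catches the double-extension trick whether or not Explorer is showing extensions; the header check catches the second trick in the post, an executable renamed to photo1.jpg, which no filename rule can see.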
 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:19 pm 

Joined: Sat Feb 03, 2007 10:03 pm
Location: Mississippi
Yes, "start fresh" is the only way to be sure you are clean... Or you could always try safe mode with networking and do a Trend Micro HouseCall scan online. Make sure you turn off System Restore points first. Do this two or three times, rebooting each time, to be sure.

And yes, Macs CAN get viruses too... just not as many of them out there... I have a PC and a Mac for the record... :)

_________________
Space for rent


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:21 pm 

Joined: Fri Feb 08, 2008 1:47 am
Location: near Utrecht, Netherlands
Even a fresh start won't guarantee you're totally safe. If the safe mode thing doesn't clear it, it's quite possible a fresh install won't clear it either.


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:23 pm 

Joined: Thu Sep 24, 2009 12:21 pm
Location: Chichester, England
I would do what Tom says. A couple of months ago I got a pretty annoying virus; I followed Tom's advice and now it's locked away somewhere in the computer. I fear for the day it's released. :P


Last edited by Luke on Mon May 02, 2011 3:32 pm, edited 1 time in total.

 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:31 pm 

Joined: Sat Feb 03, 2007 10:03 pm
Location: Mississippi
TomZ wrote:
Even a fresh start won't guarantee you're totally safe. If the safe mode thing doesn't clear it, it's quite possible a fresh install won't clear it either.


Very true indeed. Make sure you scan any backups you have too. I once did a fresh install, only to find every .exe in my backups was infected too. It sure pays to have multiple backups! You can always try booting up Ubuntu or some other Linux variety from a CD and running virus scans from there too.


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 3:33 pm 

Joined: Tue Jul 27, 2010 10:17 am
Location: Missourica
I got a virus too recently, and I used Safe mode/Spybot S&D with some task managing and that did the trick.

But just yesterday, it came back. And now it looks like the virus cleared my hard drive, but I suspect the files are just hidden... Sigh...

_________________
Adam Brown, Puzzle Builder/Modder

Past project: The Geode
Current Project: Replica RPK-74
Future Project: Possibly another master mental
Oskar wrote:
I am now adding dummy cubes to my models to cross the 10% density threshold and save myself money big time.


 Post subject: Re: Got me a nasty little virus
PostPosted: Mon May 02, 2011 4:09 pm 

Joined: Tue Jan 13, 2009 8:23 pm
My wife had a similar problem on her vista box. In the end I had to run a live CD of Ubuntu to scan and rescue the files to my external drive without infection. Then I had to do a full reinstall.

Viruses are not fun.

And to add to the debate, Macs are not as at risk as Windows PCs for the same reason that Linux PCs are not as at risk: the OS (Unix based) is designed with networking at its core and network security built in, not bolted on.

_________________
For Jasmine Rose... Happy 2nd Birthday in Heaven, 2nd Dec 2013 xxx


 Post subject: Re: Got me a nasty little virus
PostPosted: Tue May 03, 2011 12:29 pm 

Joined: Fri Feb 18, 2000 8:50 am
Location: chicago, IL area U.S.A
To get rid of the redirecting, running "Hi-Jack This" and disabling the redirects often takes care of things. I had to do that to my brother's computer a couple of times. If the virus is super nasty, it probably won't allow the program to run though.

-d


 Post subject: Re: Got me a nasty little virus
PostPosted: Tue May 03, 2011 12:54 pm 

Joined: Sun Mar 27, 2005 7:37 pm
Thanks guys. I ran AVG again in safe mode but it found nothing.
I had a word with a guy in a (very good) computer repair shop. He said it's unlikely any virus remover will work on this. A recovery would almost certainly work but naturally I would have to reinstall everything. The best option seems to be for him to do an external scan and guaranteed removal. This would not delete my programs or data so seems like the sensible option.
I need to be certain it's gone or I risk infecting all my back-ups and ultimately my netbook.



 Post subject: Re: Got me a nasty little virus
PostPosted: Tue May 03, 2011 1:23 pm 

Joined: Thu Dec 31, 2009 8:54 pm
Location: Bay Area, California
Tony Fisher wrote:
Through an ill-advised decision I downloaded a trojan horse, agent_r.xj. I've had a few trojans before and a quick AVG scan and removal gets rid of them. Well, all the other times it did.
Hi Tony,

agent_r.xj is the name AVG has given the in-memory detection of the TDSS/TDL4 malware family. TDSS is one of the most sophisticated Windows rootkits ever made. The reason AVG can't remove it is that TDSS replaces your machine's MBR (Master Boot Record). The remainder of the rootkit is stored in a custom "filesystem" in the unpartitioned slack space at the end of your disk. TDSS subverts the Windows kernel during boot and exists only in memory and outside of your NTFS volume. No amount of scanning files on your filesystem is ever going to remove TDSS.

You haven't said if you are running Windows XP or Vista/7 but I will assume XP. The easiest way to remove the remaining infection is to restore your MBR. You can do that by booting off of an XP CD and entering the "Recovery Console". From there you will want to issue the commands "fixmbr" and then "fixboot". The commands are a bit different for Vista/7 but I'm sure you can Google them.

This will overwrite your MBR, which prevents TDSS from being loaded. Once you've done that you should boot your machine into safe mode and run an MBAM scan (Malwarebytes Anti-Malware). The reason I suggest safe mode after you've already replaced your MBR is that some variants of TDSS like to leave the original dropper somewhere where it will run on startup. If this is the case and if your scanning hasn't already removed this dropper then you will be immediately reinfected on first bootup. Safe mode will help reduce the chances of that.

Although I recommend an abundance of caution regarding changing passwords and watching bank statements, TDSS alone is not an infostealer so you most likely dodged a bullet in that regard.

_________________
Prior to using my real name I posted under the account named bmenrigh.


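The post above explains where TDSS lives: in the MBR and in unpartitioned space past the last partition. As an added example, not the poster's tool or any vendor's, here is a Python check that reads those two facts straight off sector 0: it parses the partition table, compares the boot code with a SHA-256 baseline recorded while the machine was known clean, and reports how much space lies beyond the last partition. The sector contents, the baseline, the disk size and the 2048-sector threshold are constructed assumptions for this example; on a real machine you would read sector 0 from a clean boot environment such as the live CD mentioned earlier in the thread and supply the disk's real sector count.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # boot code occupies bytes 0..445
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)   # 16 bytes per partition entry
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, non-empty partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PART_TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_digest(mbr: dict) -> str:
    """SHA-256 of the boot code; record this while the machine is known clean."""
    return hashlib.sha256(mbr["boot_code"]).hexdigest()


def unpartitioned_tail(mbr: dict, total_sectors: int) -> int:
    """Sectors after the end of the last partition: the space a rootkit can hide in."""
    last_end = max((p["lba_start"] + p["sectors"] for p in mbr["partitions"]), default=0)
    return max(total_sectors - last_end, 0)


def check_mbr(sector: bytes, total_sectors: int, baseline_digest: str,
              tail_threshold: int = 2048) -> list:
    """Return findings; an empty list means the boot code matches the baseline and the tail is small.

    tail_threshold is an assumption: 2048 sectors (1 MiB) of alignment slack is normal,
    anything much larger at the end of the disk deserves a look.
    """
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(mbr) != baseline_digest:
        findings.append("boot code differs from clean baseline")
    tail = unpartitioned_tail(mbr, total_sectors)
    if tail > tail_threshold:
        findings.append(f"{tail} unpartitioned sectors after the last partition")
    return findings


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a synthetic MBR for this example (constructed data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (lba_start, count, ptype, bootable) in enumerate(partitions):
        struct.pack_into(ENTRY_FORMAT, sector, PART_TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if bootable else 0x00, b"\xff\xff\xff", ptype,
                         b"\xff\xff\xff", lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: 446 bytes of placeholder boot code, one NTFS partition (type 0x07)
# starting at LBA 2048, and a disk that leaves 1000 sectors after it.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(2048, 1_000_000, 0x07, True)])
TOTAL_SECTORS = 2048 + 1_000_000 + 1000
BASELINE_DIGEST = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# The same disk after the first bytes of the boot code were overwritten (constructed patch).
_tampered = bytearray(CLEAN_MBR)
_tampered[0:3] = b"\xe9\x00\x01"
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(image, TOTAL_SECTORS, BASELINE_DIGEST) or ["no findings"])
```

The check says nothing about what is in the tail, only that it exists and how large it is; the point, as the post explains, is that a file-level antivirus scan of the NTFS volume will never look there at all.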
 Post subject: Re: Got me a nasty little virus
PostPosted: Tue May 03, 2011 3:38 pm 

Joined: Tue Jul 27, 2010 10:17 am
Location: Missourica
I also recommend using process manager (ctrl+alt+delete) to close any instances of the virus currently running, then run antivirus. That helped me, and I think it is gone now.

If you can get enough info on the trojan on the internet, with a little bit of Googling you can manually delete all of the files associated with it.

Best of luck, hope you can get your compy fixed!


 Post subject: Re: Got me a nasty little virus
PostPosted: Tue May 03, 2011 5:29 pm 

Joined: Sat Mar 24, 2007 6:58 pm
Location: Louisiana, US
Sometimes the trojans/viruses can do some nasty damage to the system registry. I had a similar experience a couple of years back. update.microsoft.com actually redirected to "Google English" and ditto for the Malwarebytes website. Apparently, the virus was so sneaky that it used a DNS redirect to guide Norton Antivirus to download a "dummy" update, which made running it essentially useless. Norton scanned my entire hard drive only to find that there were no viruses detected, and I was 100% positive my computer was infected. Additionally, the only way to start the computer without loading the malware is to boot Windows XP into safe mode, since the virus disabled regedit, the startup dialog, and most other useful diagnostic tools, even the task manager. Well, stupid Norton cannot be started in safe mode, which makes it practically useless if that is the only way to bypass the malware.

I finally ended up doing some research on Google, and downloaded the Malwarebytes program onto a flash drive using a clean PC. I booted the computer into safe mode and ran the Malwarebytes application. It removed the trojans and viruses from my hard drive completely, but even though the malware was gone, I still had the DNS redirects. As it turns out, the DNS redirects are due to a registry entry and not the malware itself. If you can open regedit and locate the registry entry that is causing the browser problems, you can safely delete those malicious entries and the behavior of the computer will return to normal.

Usually, the malware will place the registry entries in some random location where it's very difficult to find; in my case the DNS hacks were buried somewhere alongside my sound card drivers. You will need to use a separate registry scanner to find the delinquent entry and repair/delete it. Once the registry data has been repaired, your Windows installation should be operating normally again. Windows Update and/or the repair function on a genuine OEM or retail Windows OS disc should be able to repair the system files if critical system components are still missing, broken, or corrupted. DO NOT USE THE QUICK RESTORE DISC PROVIDED BY YOUR SYSTEM VENDOR. These are custom Windows builds and will restore the data on your PC to the factory default state it was in when you bought it, which will delete all of your personal data and files. If you can't find somebody to borrow an official Windows OS disc from, you may have to get it serviced by a guru at a repair store.

Right now, I am typing this post on the same XP installation that was once corrupted very similarly to yours. I have never once had to reinstall Windows. Once you reverse the registry damage the trojan/virus did, your computer should function normally again. Occasionally, removing the virus/trojan is only the first step.

Due to my bad experience with Norton, I now exclusively use Avast, which is totally free for personal use, uses fewer resources, and is perfectly happy if you start it in safe mode. I ditched Norton shortly after my subscription expired. Please be aware also that no antivirus software, no matter how powerful or up-to-date, can protect against "zero-day attacks".
http://en.wikipedia.org/wiki/Zero-day_attack

_________________
My Creepy 3D Rubik's Cube Video
cisco wrote:
Yeah, Uwe is Dalai Lama and Paganotis is mother Teresa of Calcutta.


 Post subject: Re: Got me a nasty little virus
PostPosted: Wed May 04, 2011 12:04 pm 

Joined: Fri Feb 06, 2009 2:57 pm
Location: Pittsburgh
Tony, what's neat about XP (and I assume Vista and Win7, but I've never had to do it) is the Repair Installation. You can do a repair install that only fusses with the original Microsoft files, not anything you've installed afterwards.

_________________
3x3x3 PB: 00:48.10
"Study gravitation, it's a field with a lot of potential."


 Post subject: Re: Got me a nasty little virus
PostPosted: Wed May 04, 2011 12:18 pm 

Joined: Sun Mar 27, 2005 7:37 pm
theVDude wrote:
Tony, what's neat about XP (and I assume Vista and Win7, but I've never had to do it) is the Repair Installation. You can do a repair install that only fusses with the original Microsoft files, not anything you've installed afterwards.


The laptop is Vista. As I hinted in my last post I'm going to get it properly removed at a shop. That way I don't have to re-install programs or risk it still being around. £40 isn't (edit) too bad.



Last edited by Tony Fisher on Thu May 05, 2011 12:33 pm, edited 1 time in total.

 Post subject: Re: Got me a nasty little virus
PostPosted: Wed May 04, 2011 12:36 pm 

Joined: Fri Feb 06, 2009 2:57 pm
Location: Pittsburgh
Bah, bad me for not reading.

I've had to go through and manually remove rootkits before, it's no fun. :(

Did you say what antivirus software you use? I recommend Microsoft Security Essentials to everyone with Vista/Win7 these days. It's free, works well, and is low on resource use.

MalwareBytes (I saw you used it) is great to run every once in a while, too.

Before you send it off, you can try a repair install (http://www.vistax64.com/tutorials/88236 ... vista.html).


 Post subject: Re: Got me a nasty little virus
PostPosted: Thu May 05, 2011 11:18 am 

Joined: Fri Nov 04, 2005 12:31 am
Location: Greece, Australia, Thailand, India, Singapore.
Tony, I hope you have not done any drastic action like formatting. Indeed, the TDSS is an
extremely sophisticated backdoor, but so is the "fix" from Symantec:

http://www.symantec.com/security_respon ... 08-3309-99


As stated, following those steps will almost certainly guarantee that it will fix the problem:

***********************************************
1. Download the FixTDSS.exe file from: Backdoor.Tidserv Removal Tool.
2. Save the file to a convenient location, such as your Windows desktop.
3. Close all running programs.
4. If you are running Windows XP, turn off System Restore.
5. Locate the file that you just downloaded.
6. Double-click the FixTDSS.exe file to start the removal tool.
7. Click Start to begin the process, and then allow the tool to run.
8. Restart the computer when prompted by the tool.
9. After the computer has started, the tool will inform you of the state of infection.
10. If you are running Windows XP, re-enable System Restore.
11. Use some nice Antivirus and AntiMalware (mbam is very good) to remove the "remains".

************************************

The reason I am focusing on this particular virus is because it is notorious for *not* being
detected by normal antivirus programs. And the symptoms are really bad, like hogging
the system, causing from Win32 crash errors to audio, internet and mouse problems.
But when removed, all magically become perfect again. If this issue is happily resolved,
you may also want to change a few passwords, just in case.

That said, I may be no professional expert in security programming (though I am in programs
requiring mathematical simulations), but I do have my own history in fighting (successfully)
viruses, since 1984! (on a Sinclair ZX Spectrum 48K+).

I hope it works for you, as I know how troublesome those little buggers can be.

:)


Pantazis

_________________

Educational R&D, Gravity, 4D Symmetry, Puzzle Ninja, Matrix Mech, Alien Technology.


 Post subject: Re: Got me a nasty little virus
PostPosted: Thu May 05, 2011 12:43 pm 

Joined: Sun Mar 27, 2005 7:37 pm
Thanks again guys.
I ended up taking it to the shop I know. I just want the peace of mind that it will be gone for good. I trust them totally since in the past they have given free advice and recommended cheaper options than they could have.
The guy seems certain that it can't be removed using the computer itself. The hard drive has to be externally 'cleaned'. He said there is only a 5% chance a reinstall is needed.



 Post subject: Re: Got me a nasty little virus
PostPosted: Wed May 11, 2011 1:04 pm 

Joined: Sun Mar 27, 2005 7:37 pm
Just got laptop back. Of course that 5% has come up. So now I have weeks of work getting rid of all those annoying default settings and reinstalling umpteen programs.
They found and destroyed the rootkit hiding in some tiny little corner. Apparently it did 1KB worth of permanent damage to my hard drive as well as corrupting the Windows installation. The reinstall and complete clean was actually cheaper than a basic rootkit removal so I'm pretty sure it was necessary.



 Post subject: Re: Got me a nasty little virus
PostPosted: Fri May 13, 2011 4:26 am 

Joined: Sat Mar 24, 2007 6:58 pm
Location: Louisiana, US
1KB of permanent damage? How is it possible for software/data to irreparably damage the hard drive?


 Post subject: Re: Got me a nasty little virus
PostPosted: Fri May 13, 2011 12:10 pm 

Joined: Sun Mar 13, 2011 11:59 am
How did you get the virus?


 Post subject: Re: Got me a nasty little virus
PostPosted: Fri May 13, 2011 12:25 pm 

Joined: Sun Mar 27, 2005 7:37 pm
stardust4ever wrote:
1KB of permanent damage? How is it possible for software/data to irreparably damage the hard drive?


No idea. However I know a blank CD can become unusable if a burning attempt goes wrong.


