I have a weird virus! Can someone help me remove it?

Sadly, one of the very rare things in life seems to have happened to me. My antivirus definition subscription expired a couple of days ago, and yes – you’ve guessed it – some weird virus creped into my laptop wrecking havoc all over the place.

I had Norton Antivirus, and my subscription expired on the 25th May. Yesterday while surfing I got a weird notification from yahoo and, contradictory to my behaviour, I actually clicked it (no point in saying I wasn’t planning to click it). It turned out to be a virus / Trojan something and it has now hijacked my machine.

I can no longer access the Regeditor, I can’t change the home page in my browser, and every time I log into Yahoo IM it sends weird offliners to all the people I have in my list! Luckily I don’t have that many people on my Yahoo list, and I managed to contact them all telling them “not to click” on any links sent from me.

Now, the sad part is that neither Norton nor Panda antivirus has been able to “fix” the problem. The virus is “contained” but not removed from my machine, by that I mean it no longer causes any more damage that what it has already done. As for my ability to access Regeditor, and change the default home page of my browser (which I used to have set at “blank” and is now set to the virus’s home page), well these two issues haven’t been resolved!

Has anyone encountered something similar to this? Is there a known fix out there; if so, I would greatly appreciate a link.

I am considering, and have prepared myself mentally and emotionally for a full system reformatting and reinstalling all my applications from scratch.

But, of course I would love to find a fix instead of spending 2 ~ 3 days doing that tedious job.

Thanks, in advance, for any help.

 

sorry for you... btw... i think you can try the free antivirus for the time being... cause i never buy anymore antivirus since 2 years ago... previously i was Mc Affee user... try use Grisoft AVG antivirus... at least till now my PC still clean from any virus... you can download it from here... I use ccleaner too to scan for my registry in my XP pc... eventho ccleaner did work that well in Vista...

 

Maybe an online virus check will help.

http://www.pandasoftware.com/products/activescan

There are many online different ones online. Can try others if this one doesnt work.

 

Hello Wail,

I came across a similar situation 2 weeks ago on a friend's laptop. I wound up doing the following:

- Acquiring and updating new AntiVirus software
- Updating Ad-Aware - SpyBot S&D - SpyWare Blaster
- Disabling System Restore
- Rebooting into Safe Mode and running all tools (networking disabled)
- Rebooting into Normal mode
- Rerunning ALL tools (networking disabled)
- Upon clean scans, re-enabling System Restore
- Rebooting, enabling networking, done

Trust me I spent DAYS trying to clean this machine up, but as badly as it was infected, it now works like a charm without having to reformat & reinstall everything.

Best wishes!

net2000man

 

Thank you all for the feedback ...

I have since tried AVG and it doesn't get rid of this "bug" ....., thanks for the sugggestion.

Panda is the antivirus I now have installed, but it too doesn't get rid of the "bug" but has "contained" it ...

It seems like a tedious job to go through and I am reluctant to do any tweakings with my registry .... but I may give that a try .... I am in favor of just doing a reformat and reinstall ... would sure as hell clean up a lot of the bloated system I have.

One more thing I have just discovered this virus to have done, it has disabled my ability to access Task Manager ... when I press Ctrl Alt Del I get an error massage saying that Task Manager has been blocked by the "Adminstrator"!

Now my new found resident is my Tablet's Admin., if only I could shoot him!

 

Two questions ...

How do I disable System Restore?
How do I boot into Safe mode, seems like a stupid question but I have never had to do it!

Thank you all, again, for your feedback and input. Very much appreciated.

 

Do you know what it is called??

Many of these nasties can be cleared up by booting Windows in safe mode and then either running special tools (for example, see Symantec) or doing a manual cleanup. McAfee also has several utilities.

Disabling the registry editor is not a new problem. There are various fixes around. Read here but you might find that this tool from Symantec does the necessary.

Another possibility is to try a different AV product such as AVG.

John

PS: To enter Safe Mode press F8 just as Windows is starting to boot (the timing is quite critical - you may have to try several times)

 

I think the Virus/bug/spyware has change your account to a limited user account.

 

Try some of the other AV software out there too, like Kaspersky, NOD32, BitDefender (not at the same time though). They all offer free trials, and they might be enough to help get rid of this thing.

 

Disabling System Restore:
- Right-click My Computer icon, select 'Properties' from the pop-up menu.
- Click the 'System Restore' tab, and check the 'Turn Off System Restore' box
- Click 'OK' to close the 'Properties' dialog box

Rebooting into Safe Mode:
- Reboot WindowsXP
- At flashing cursor (PRIOR to seeing the WindowsXP splash screen), press F8
- Select 'Safe Mode' from the menu and press Enter to go into Safe Mode
- When Safe Mode begins you will see a dialog box warning you about entering Safe Mode. Click 'Yes' to continue into Safe Mode

Good Luck!

 

Thanks for all the links, good reading material there.

Yes, it does seem that my account has been changed!

I must say, in all due respect to the anger I have for this virus, it is a very elegant virus.

 

what u mean elegant virus? lol

 

Try NOD32, it's the best Anti-nasty program out there IMHO. There are a few other free ones as well, like kapersky. For the future download "Adaware SE Person". It's another excellent program that stops you from getting spyware and adware.
good luck!
You could also probably do a force removal of the file through DOS. I'll have a look into it....
EDIT: NOD32 and kapersky are free trials

 

By elegant, I mean it has done just a few things to be annoying while causing no real file / system damage what so ever!

It has, ... a) set the home page to it's own home page; b) disabled my ability to run regedit; c) disabled the Task Manager; and I think it has also disabled the "run" command.

Other than these issues, and sending itself to all on my Yahoo list, it has done no "real" damage what so ever, unless we want to factor in the time it will take me to reformat and setup my Tablet as "damaged".

Basically, I would say this is a "polite" virus that just wants to get notices ... of course I hope you realise that I am trying to see a humorous side to all this since I am about to have a nervous breakdown ...

Again, to all of you who've given me suggestions, links, and pointers; thank you from the bottom of my processor.

I have tried for the past hours to get this resolved to no avail. ... I am afraid it is going to be relatively "easier" to just reformat!

 

ok u have one of the more sophisticated virus/trojans that ran rampant 2yrs ago and it has auto executed itself and has hijacked youre browser

Your registry has been comprimised and disabled to any user attempts to change or modify

What you need is HiJackThis
With HiJackThis you will be able to get into your registry and remove the modified registry keys thats not allowing you to change your homepage back to what it was etc.

 

mikeymike,

Thank you for the feedback.

Update ... I have managed to gain "some" access into my registry and other "lost" items by logging in under my Admin. user, instead of my daily login user-name. So, I was able to see the registry, and was able to do some tweakings. I am sure that I can resolve the matter form there on.

But, this is the annoying part, I am a bit paraniod about the possibility that I may not remove all elements of the virus. Also, I have already uninstalled most of my applications, and all of my data.

So, the only thing left for me to do now is to connect my DVD ROM to my tablet, insert the restore DVD that came with the machine and do a full reformat and install.

I figure I would be done with all this by later today, if not then by tomorrow at the latest.

One question I have at this stage; when I use the resotre CD / DVD, does that automatically format my hard drive, or do I need to format my hard drive seperately? If so, can someone tell me what's the best way to do that? For the record, I am using a Toshina Portege tablet PC.

Thank you all for your support and assistance.

 

Another thought just came to mind ....

Since I have two user's accounts on my tablet.. Admin and Private, I only use Private and when I got this attack I loged in under Admin and didn't see any traces of the virus there.

So, such a virus, does it attack only the current user accout, or does it spread throughout the whole machine? What I am trying to get to is, what if i deleted my Private user account, and just created a new user account (say, Private2) .. would this cure the problem?

 

Challenge No. 1: Disable the virus from being active. It looks as if you are making progress there.

Challenge No. 2: Cleaning up to avoid all trace of the virus to avoid risk of reinfection. Once you have made the virus inactive, do a thorough scan with at least one good anti-virus software. This should detect and clean up and infected files.

I don't recall reading the name of what you have caught. Once you know the name then it is easy to search for specific cleanup measures.

Reformatting and reinstalling your operating system and software should not be necessary.

John

 

You might try installing HijackThis and then requesting assistance at a site such as TechSupportForums - they're very good at resolving issues.

 

In my anger, I managed to delete the virus, thanks to over zealous AV, and I didn't note down the name of the virus ... what I do recall, from the Symantic site is that this virus was out since 2004, was reintroduced a number of times since then and the latest version was released on 28th May 2007 (the same day I caught it)!

Now, it seems that my attemtpt to delete it has worked; I have since deleted my user's account and created a new one, and it seems that I have regained full control over my PC. I am still not sure if I have deleted the virus for sure or if it just hybernating somewhere! I have done full scans using a number of AV with no traces of the culprit ... I hope it's gone for good.

Once I get the name, I will look around for it, I will post it here. I am now reinstalling some of the applications which I've uninstalled, and will move back my "Fav." & "My Documents" ... yes, I have had these checked too, incase the virus was "hiding" there!

So, to all of you, a million million Thank You for the feedbacks and support.

Lesson learnd from all this ... NEVER click on any link you get from an unknown source ..

 

These things suck, I know. Even I get 1 every couple of years. I dont run virus scanners (These slow my computer down too much and I need my power) But there are things that you can do to make the recovery process quick and painless. Use MyDocuments. Everything you "create" or "save" a document you create, save it to a folder in MyDocuments. Back that folder up weekly, daily, etc. I use an external drive and Adonis. I also have my original state also backed up. If I get "sick" I immediadly save mydocuments and format and restore my original backup, then take my most recent backup of mydocments and I am normally back up and running virus free is less than 30-45 minutes. I know this is too late for your situation, but I hope that in the future, you prepare yourself for such a tragic event. GL

 

I believe you have a trojan vundo virus try this utility. use the virtumundobegone utility.

http://www.bleepingcomputer.com/forums/topic18610.html

/\ ONE LOVE \/

 

I believe this is the virus that I was hit by: -

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-052817-2128-99&tabid=1

As I've said ealier, I didn't note down the name while I was running around like a chicken without a head trying to find a solution; but I do recall that Symantic's site said it's latest build was on 28th May .. and this is the only virus on Symantic's site with that date. Plus, from the "Removal" page, it seems very much like what I read back then.

I am now able to access my regeditor, and as such I will check with it and see if my values are as Symantic specified, if so then I can rest assured that I have removed this £$%$£%$£ from my machine. Otherwise, I may still go with the full system reformat.

 

I have just done the regedit corrections, as Symantic specified ... and have checked for what I am supposed to remove (it seems to have been removed alread).

Am about to do a restart of my machine and will post back.

 

Ordeal is over.

Again; thank you all, for all the support, links, and hints, etc. you've been very helpful and supportive.

The last stage of what I did was to reset some registry keys (as per the Symantic page I've posted) ... Even though I think I have completely removed the threat, I still went ahead with Symantic's recommendations and did the change to the registry (this was my first time to tweak with the registry, and I didn't take a backup .. if something went wrong, I would have just used that as my excuse to reformat)... So, I checked what I had to remove, and they weren't there; I then checked what I needed to change, and found that I had to change a couple of values. Gave it a shot, did a reboot and viola ....

My system is running smooth, thank God.

Again, thank you all for being "here".

 

Thanks for the good news.

I see that the virus is first reported on 28th May. This highlights the problem of not getting anti-virus updates immediately they are available.

John

 

Yeah, tell me about that .. what are the chances and odds of something like this happenning? For a moment I thought Symantic, I was using Norton AV, were behind this in some form of industrial conspiracy theory!

Well, I know no longer believe that ... and am a happy camper all over again.

 

I think you had some bad luck to catch something so quickly. Wrong place and wrong time, as the expression goes.

Any new virus is most dangerous in its first day, depending how quickly the AV companies issue an update and then how quickly the users get the update onto their machine.

I think we all have to go through this at least once in life as part of the learning process.

John

 

Go here:
http://www.democrakey.com/

And follow the instructions for install the software to a USB Thumb Drive. Make sure you do this on a non-infected computer. Then, take the drive with the software installed on it to your infected machine and Portable Apps should start. Run ClamWin.