just got a virus seems nasty


freonr22
04-24-2010, 4:50 PM
Was not doing anything abnormal. MS Security Essentials popped up with "Houston, we have a problem." Darn. Says removed, but it still locked the PC up. Started in safe mode, running Spybot, MBAM and Security Essentials now. Posting from phone. Titles are "Trojan:win32/hiloti.gen!D", "trojandownloader:Win32/Cutwail.AY" and "PWS:Win32/Daurso.A". We will see if what I'm running will kill them. Descriptions are "executes commands from an attacker", "captures user passwords" and "downloads other programs". Will post screenshots when/if the PC survives.

freonr22
04-24-2010, 4:55 PM
Maybe it was karma from bumping old threads :(

sholling
04-24-2010, 11:01 PM
I've been a tech for 20 years or so and in the old days we'd run an AV program and it would be clean. These days so many viruses are written by such skilled programmers that you can never be sure of totally getting rid of an infection. If it were me I'd back up my data, format the drive, and reload the OS. It's one reason that I recommend people use disk imaging software to make an image of their drive as soon as they are happy with how their PC is running and store it on an external drive. That way when something like this or a drive failure happens you can just blow the image on a clean drive and you're back up and running in an hour.

freonr22
04-24-2010, 11:21 PM
Thanks! I have an image for my work PC, never thought about it at home. Will do. Spybot seemed to kill it. System restored to last week. Seems OK/good now. Older XP SP3. I just don't know where it came from. I was Googling the bcm 50 upper seller in the commercial sales thread right before. But I would think they could set delays on the trojans?

Cyclepath
04-25-2010, 11:07 AM
+1 on this.

I have been an IT tech for about the same time. I have always recommended rebuilding a machine from scratch or from a known good image. If your virus scanner did not intercept it and eradicate it immediately, there is a good chance there are still some remnants of it on your machine.

freonr22
04-25-2010, 11:58 AM
Here's what came up; the machine seems to be fine now.

And I found info on them:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=PWS%3aWin32%2fDaurso.A&threatid=2147623149

and

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Cutwail

sholling
04-25-2010, 4:46 PM
The reason that Cyclepath and I suggested starting from scratch is twofold. 1) The guys writing viruses these days aren't the pimply-faced kids of the 80s who were getting back at the world for the fact that they were never going to get a date. Crime syndicates now employ sophisticated programmers who study how popular AV programs work and test their creations against those AV programs. 2) Most leave a small ticking time bomb that detects that the main Trojan has been removed and reinstalls that Trojan or another to replace it. I've tried to explain that to average users before and they always say "well, it looks like 'X-AV' got rid of the virus so I think I'm okay, and besides I have to get this online banking done now". :rolleyes:

These Trojans aren't just a pain in the butt - they steal user IDs and passwords for your shopping, bank accounts, and credit card accounts. Personally after an infection I wouldn't take a chance that something isn't still hiding there. But that's your decision.

Now let's talk about keeping it clean after you reload your system.

Make sure you are behind a hardware firewall (router) during setup and that no other PCs are on until you are done. Many viruses detect undefended PCs on a network and infect them.
Forget Microsoft Defender/Security Essentials and the first thing you install after Windows is a top quality commercial antivirus program. I use NOD32 but pick something you like and buy it and keep it current.
Keep all Windows patches up to date and your AV program current.
Forget Internet Explorer and use Firefox or Chrome. They are far less vulnerable to website hijacks. If you use Firefox then use the free Adblock Plus add-in to block pop-ups.
Never open a link in email - I don't care if your mother sent it to you.
Never fall for one of those website pop-ups saying your computer is infected and offering to scan your PC - it's a trap.
Never close a pop-up by clicking on an offered close button or by clicking on the close X - it's a trap and may install a Trojan. Use task manager to close it.

Good luck.

IronCobra
04-27-2010, 8:52 PM
If you have Windows Vista or 7 and can't get rid of it with your AV, get out your restore disk and do a system restore. That should fix pretty much any virus problem, because it will reset the comp to its status BEFORE the virus. I've never had anything get through this, and I've seen some pretty bad stuff (like those trojan AV programs).

HotRails
04-29-2010, 9:46 PM
Thanks for this great guidance. I had a pretty nasty virus which took down my hard drive, luckily I was eventually able to get an enclosure device and download most of my old files onto my new computer. From then on, I have a backup hard drive.

Turbinator
04-30-2010, 8:26 AM
I like the idea of keeping a fresh, clean image somewhere, and using that to restore your PC if you ever get a virus attack. I know that every couple of years, I do a clean wipe and reinstall from scratch just to keep the PC going strong.

Turby

freonr22
04-30-2010, 11:20 AM
Well, I don't have the original disks; I'm sure I could get support from Dell or MS even though it's about 4-years-ish old. Seems fine now. Wiped out the virus, but I told my wife, for now, do any online payments elsewhere.

Question: how do you know, when you back up things like Word docs, pics, etc., that the virus isn't buried in there? Like if I saved what I wanted to, did a wipe, how do you know they aren't buried in there to execute later in the registry, etc.?

And by the way, Thank you for all the excellent responses!

Anyone know how to delete webwatcher? atww? thx

sholling
05-02-2010, 8:52 AM
A virus is an executable program. For the most part that means that data files are safe; however, that is only true when there are no macros embedded. Macros can be written to act like a virus. That's why Word can be configured to disable macros.

Real JPEGs are harmless. Where the hazard lies is Windows' habit of hiding known file types. For example, you see a file labeled picture.jpg but the actual file name is picture.jpg.exe. It's an executable, but because Windows hid the known file type (.exe) you don't realize that you are launching a program when you click on it.
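The two hazards described in this answer (a hidden .exe behind a decoy extension, and macro-capable Office documents) can be screened for before restoring a backup onto a freshly reloaded machine. The script below is an added example written for this thread, not code posted by any participant. It walks a folder, flags double-extension names that would display as harmless data with "hide extensions for known file types" on, flags Office formats that can carry macros, and adds a check the answer implies but does not spell out: a file's first bytes reveal what it really is regardless of its name, and every Windows executable starts with the bytes "MZ". The sample directory tree and its file contents are constructed inline for demonstration; the lists of extensions are this example's assumptions, not anything from the thread.

```python
"""Screen files about to be restored from backup for disguised executables.

Added example for this thread, not code posted by any participant. The sample
tree below is constructed; extension lists are assumptions for the demo.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions Windows will run as a program when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
# Extensions a disguised file typically borrows so it looks like data (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls", ".txt"}
# Office formats that may carry VBA macros; open these with macros disabled.
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".xlsm", ".pptm"}
PE_MAGIC = b"MZ"  # every Windows executable and DLL starts with these two bytes


def displayed_name(name: str) -> str:
    """What Explorer shows for `name` when extensions of known file types are hidden."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def classify(path: Path) -> List[str]:
    """Return the reasons (possibly none) this file should not be restored blindly."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""

    # 1. picture.jpg.exe: the real extension is executable, the visible one is a decoy.
    if last in EXECUTABLE_EXTS and len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        reasons.append("double extension: shown as '%s' with extensions hidden" % displayed_name(path.name))

    # 2. Content check: a PE header under a non-executable name is a disguise
    #    that renaming cannot hide, because Windows never reads the name, only the bytes.
    with path.open("rb") as fh:
        head = fh.read(len(PE_MAGIC))
    if head == PE_MAGIC and last not in EXECUTABLE_EXTS | {".dll", ".sys"}:
        reasons.append("PE executable header but '%s' extension" % (last or "no"))

    # 3. Data files that can still run code: macro-capable Office documents.
    if last in MACRO_CAPABLE_EXTS:
        reasons.append("macro-capable Office document: open only with macros disabled")
    return reasons


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Walk `root` and map each suspicious file (relative POSIX path) to its reasons."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = classify(path)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


# Constructed sample backup tree; contents are just enough bytes to carry a file signature.
SAMPLE_FILES = {
    "vacation/picture.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,            # genuine JPEG header
    "vacation/picture.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,              # executable posing as a photo
    "docs/invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,                      # executable renamed to .pdf
    "docs/budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # OLE2 container, may hold macros
    "docs/notes.txt": b"shopping list\n",                                  # plain text, harmless
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under `root`."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir and return the scan findings."""
    root = Path(tempfile.mkdtemp(prefix="restore-screen-"))
    build_sample_tree(root)
    return scan_directory(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

Run against a real backup folder by calling `scan_directory(Path("D:/backup"))` instead of `demo()`. The name-based check catches exactly the picture.jpg.exe case from the answer; the "MZ" check catches the same file even after someone strips the .exe, and the macro check lists the documents that deserve a macro-disabled viewer rather than a double-click.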