sick, sick computer

dennis7280 asked:

I have a Compaq desktop s5200cl. It is a real sick unit. I know it has many spyware programs and a lot of infection from viruses. I just don't know where to start to clean it up. I can always just reformat, but I would rather not do that because I'll lose some very important files; however, the infection is so bad I am unable even to dump those files to CD to preserve them. Can anyone give me help?
ASKER CERTIFIED SOLUTION by SheharyaarSaahil (solution text available only to Experts Exchange members)
Hi dennis7280,

Ok. Do the usual things.

1) Download Adaware (http://www.lavasoftusa.com/) and Spybot S&D (http://www.safer-networking.org/en/index.html) (or other spyware sweepers if you want). Run both of them and delete what they find. You can click Immunize on S&D to help have constant protection.
2) Run your antivirus.
3) Go to Start->Run->%TEMP% and delete all
4) Go to Start->Run->sfc /scannow
5) Right click Local Disk C and select chkdsk.
6) Download Hijackthis and post your log here after running it.

Regards,
Zyloch
Oh bother, I was hoping to get it in before you this time lmao. Maybe another time then.

Regards...
Post back your results and remaining problems, and we will move further from there!!

One more thing: after you finish the above cleaning process, download HijackThis v1.98.2 from here, run it and save the log file:
http://www.spychecker.com/program/hijackthis.html

Then post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and check whether it reports anything nasty.
>> Oh bother, I was hoping to get it in before you this time lmao. Maybe another time then.

lol... I was offline the whole day today, so it's time to do some hard work here ;-)
dennis7280 (asker):

Wow! I knew this was going to be fun. :) Thanks, I'll do what you suggest and see what happens.
Thanks very much
D-Man
>> wow! knew this was going to be fun.:)

Sure, that nasty malware is fun to mess with :D
Fun =) My computer was really messed up. Downloaded Adaware and Spybot and deleted 2000 files at once. Never felt better in my life.
Ha, Ha. You guys/gals are the best.
thx
OH! Did I mention that all this stuff has prevented me from getting on the net? I run through a cable modem. I keep getting a DNS error when I try to access the internet.
Hmm... that's happened to me before with spyware. Try the steps above that don't need spyware first, i.e. deleting files in the TEMP folder and running antivirus or sfc /scannow etc.

Is it possible you can get on with dialup? Do you have AOL, for instance?
>> I keep getting a DNS error when I try the access the internet.

OK, then do one thing first.... if this error is due to a proxy hijack, then it can be corrected by using HijackThis, so first use HijackThis and have the log analysed on that site!!

Fix the nasty entries that it mentions and then check whether there is any progress.
If not, then try running this Winsock Repair for XP:
http://www.spychecker.com/program/winsockxpfix.html
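The two things the reply above wants checked before the Winsock repair are the kind of entries HijackThis flags as R1 (Internet Explorer forced through a proxy) and O1 (hosts file redirects). As an added example that is not part of the thread and not HijackThis's own code, here is that check in Python over a constructed hosts file and a constructed regedit export of the Internet Settings key; the assumption that a home cable-modem setup needs no proxy at all, so any enabled proxy is suspect, is mine.

```python
"""Two hijack indicators of the kind HijackThis reports, checked offline.
R1: Internet Explorer forced through a proxy (ProxyEnable/ProxyServer).
O1: hosts file entries that redirect real sites.
Added example; the sample data below is constructed, not from the thread."""
import re
from ipaddress import ip_address

# Constructed hosts file.  The localhost line is normal; the other three are
# the pattern a hijack leaves behind: security-tool sites sent to localhost
# and a search engine sent somewhere else entirely.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.lavasoftusa.com
127.0.0.1       www.safer-networking.org   # added by malware
203.0.113.5     www.google.com
"""

# Constructed .reg export of the IE settings key (regedit, File > Export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=203.0.113.23:8080"
"ProxyOverride"="<local>"
"""


def hosts_redirects(text):
    """Return (ip, hostname) pairs for every hosts entry other than the
    loopback->localhost mapping.  Comments and malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue  # not an address, so not a mapping line
        for name in parts[1:]:
            if name.lower() == "localhost" and ip.is_loopback:
                continue  # the one entry every hosts file legitimately has
            hits.append((str(ip), name.lower()))
    return hits


def proxy_settings(reg_text):
    """Pull ProxyEnable (int) and ProxyServer (str or None) out of a .reg
    export.  dword values are exported as eight hex digits."""
    enable = re.search(r'^"ProxyEnable"=dword:([0-9a-fA-F]{8})\s*$', reg_text, re.M)
    server = re.search(r'^"ProxyServer"="(.*)"\s*$', reg_text, re.M)
    return {
        "ProxyEnable": int(enable.group(1), 16) if enable else 0,
        "ProxyServer": server.group(1) if server else None,
    }


def forced_proxy(reg_text):
    """True when IE is set to use a proxy.  Assumption: a home cable-modem
    setup like the asker's needs none, so any enabled proxy is suspect."""
    s = proxy_settings(reg_text)
    return s["ProxyEnable"] == 1 and bool(s["ProxyServer"])


if __name__ == "__main__":
    for ip, name in hosts_redirects(SAMPLE_HOSTS):
        print(f"O1 hosts redirect: {name} -> {ip}")
    if forced_proxy(SAMPLE_REG):
        print("R1 forced proxy:", proxy_settings(SAMPLE_REG)["ProxyServer"])
```

Run it against the real files by reading `%SystemRoot%\system32\drivers\etc\hosts` and an export of the key named in the sample. A proxy that no longer answers blocks every site even though name resolution is fine, which is why the thread tries the proxy fix before the Winsock repair; redirects of the anti-spyware vendors' sites to 127.0.0.1 are what stop the tools from updating.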
Wait... how are you talking to us if you're not on the net? I knew I was missing something lmao
After you get the connection you can download and update the above products to run them :)

And if by chance you cannot manage to get the internet either way, then you can use the system from where you are typing to download the above tools and then transfer them to the infected system to use them =)
I have three computers and this is my super computer. It is very clean.
If what SheharyaarSaahil said about the winsock and proxy error fix doesn't do anything, the spyware sweep should fix it. Just some added info because I'm bored :) The only other new question I could answer was a simple Javascript one on escaping quotes. Ah well, gotta go eat dinner soon
>> because I'm bored :)

Yeah, it's the weekend, not much work today =)
Duh!! Never thought of that, how stupid of me.
Well, looks like I'm in for some work so I'll get to it and let you guys know if my computer found the trash can.:)
>> Well, looks like I'm in for some work

Sure you are, so good luck from us :)
Good luck, heh. If you need any help, just post. I'm probably going off to fool around with Macromedia Director, bbl ;)
Well, right from the start I have a problem , Start>Run>msconfig>Startup, produced nothing, meaning the popup window never opens. NEXT?
Don't tell me you are using Win2000?? =\
OK okkkk.... what are you doing, dude? You have to hit the Start button and choose Run,
type msconfig (hit Enter)
and then go to the Startup section!! :D
No, using Win XP SP1, and I know how to do it, but the popup window that is supposed to come up DOESN'T POP UP. Start > Run > msconfig > then click OK, and nothing, just a desktop. Checked "Task Manager" and no apps running. However there are 60 processes; the system I'm typing on only runs 29. Should I just get out my sledgehammer and make some minor repairs? :)
Hmmmmmmm, it should be present in C:\WINDOWS\PCHealth\HelpCtr\Binaries
If it's not there, then get it from here >> http://www.perfectdrivers.com/howto/msconfig.html

Now you can use it and can also put it in the above location :)
OK. Went there. The popup window opens for about 1/2 a second and then closes.
OK, so that means you have one of those viruses which are mentioned here =\

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> https://www.experts-exchange.com/M_926622.html :)
Among others, yes, that is one of them. I'll check the link and see what's up.
Thanks
OK, so now the situation has got worse =\

So do this: first of all boot into Safe Mode, and run all those tools there plus your AV software!!
In this way at least some of them will be deleted, and we will have fewer items to work with.... what do you think :-?
Back. Pretty complex, looking at those threads...
Well, I checked the link you sent. Renamed the msconfig exe file and now I get the popup window. Soooooooo I will proceed with your prior instructions and see what happens.
Just something that you can try for the viruses:
http://www.ultimatebootcd.com/ has a couple of virus scanners on their CD, so you can download it on your clean computer, burn the CD and then scan your other computer, getting rid of most of the viruses.
OK, I'm still working on my problem and ran into a group of files with the extension ".RBO". Can anyone tell me what this is?
Tried to pull up the link that Zyloch sent and got a DNS error even on the good computer, so that doesn't work. But wait, I tried again and it came up, what luck, I think :) It said that I need "magb_dis.zip". Said to unzip and run it.

Magistr.b disinfection
 ----------------------

The virus uses ComputerName as key to encrypt victim file data. To disinfect
such files we need to get ComputerName. From database (from disinfection
routine) we can't use Win32 API function GetComputerNameA to do that.


Solved. Solution will be sent to AVP_Files list.

1. Run DISINF.EXE file.  It will create DISINF.INI file with different data in
it, including ComputerName.

2. Scan DISINF.INI file.  A routine in database will get computer name from
DISINF.INI file.

3. Scan machine and disinfect Magistr.  The disinfection routine will use
ComputerName from 2.


Note: the virus _does_not_ use ComputerName to encrypt files in two cases:

 if file length < 20000h
 if file is infected on remote machine.

Ok, I did exactly what it said, now a stupid question, sorry, how do I get it to scan my "C" drive? I mean it says to scan machine but HOW?
That was as vague as it gets. I would recommend pulling up this page:

http://www.sophos.com/support/disinfection/magbremove.html

on your good machine. It says to download the thing on your good machine and read the instructions. Dunno, but give it a try.
I'll give it a try, thanks, and yes, I thought it was pretty vague also. It also said it was the worst virus to date, but didn't give a date :)
dennis, are you sure these are .rbo files and not .rb0?

Because .rb0 are the antivirus backup files, which it creates before fixing the infected files >> http://filext.com/detaillist.php?extdetail=RB0

I thought so because surely you had viruses, and it is possible that when you ran the AV tools, they created these backups!! :)
DNS stands for Domain Name System, and that is what converts www.lockergnome.com to an IP address that the computer can understand. That would explain why the Internet would not work, but what about e-mail you ask? Well, unless you put the IP address in the mail server address field, then it is running off DNS too. The best way to see if your DNS is causing the problem is to try going to Google.com the next time you start having trouble. If that doesn't work, then try typing Google's IP address of 216.239.51.101 in the address field. If that works, then you just aren't getting the address of your ISP's DNS server. You can work around a DNS problem two different ways. One way is to call up your ISP and ask them to talk you through manually entering their DNS information. The second way depends on your version of Windows. If you are running Windows 9x or ME, (1) click the Start button, (2) click Run, (3) type "winipcfg" (sans quotes), (4) and press OK (make sure you are dialed up to your ISP first). If you click "More Info" on the Winipcfg window, you will see where it says "DNS Servers." Just write down those numbers. To do the same thing in Windows 2000 or XP, just type in "cmd" (sans quotes) in the "Run" dialog box and click OK. At the command line, type "ipconfig /all" (sans quotes) and hit Enter on your keyboard. Write down the DNS server IP addresses listed to the right of DNS.

So now you have your DNS addresses, how do you apply that to your dial-up connection? In Windows 9x or ME, just double-click My Computer and then Dial-up Networking. Right-click your ISP and choose Properties. You should see a Server Types tab and next to TCP/IP you need to click Settings. Put the IP addresses in the DNS fields and click OK to get out of the windows. To do the same thing in Windows 2000 or XP, go to Start | Control Panel | Network and Dial-up Connections. If you right-click the icon for your dial-up connection and choose Properties, you will see where you can click on the Networking tab. Click on Internet Protocol (TCP/IP) and then Properties. On the General tab, click "Use the following DNS server addresses" and then type in the DNS server IP addresses. Click OK to get out of all of the windows and then reboot. You



Dale May:)
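The pasted tip above is a manual triage: try a name, then a raw IP, then copy the DNS server addresses out of `ipconfig /all` by hand. As an added example, not part of the thread, here is the same procedure in Python: a parser for the "DNS Servers" field of XP-style `ipconfig /all` output, and a `diagnose()` that applies the name-then-IP test. The sample output and the `static_resolver()` used for the dry run are constructed; 216.239.51.101 is simply the address quoted in the tip and is not assumed to still belong to Google.

```python
"""Name-then-IP DNS triage from the pasted tip, and a parser for the
'DNS Servers' field of `ipconfig /all` so the addresses need not be copied
by hand.  Added example, not from the thread; sample data is constructed."""
import re
import socket
from ipaddress import ip_address

# Constructed Windows XP `ipconfig /all` output (documentation addresses),
# not captured from the asker's machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : compaq
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.net
        Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : Sunday, October 03, 2004 9:12:44 AM
"""

# "Label . . . : value" lines; the label never contains ':' or '.'.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def dns_servers(text):
    """Addresses under 'DNS Servers': the first on the field line itself,
    further ones on indented continuation lines holding only an address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            collecting = m.group(1).strip().lower() == "dns servers"
            values = [m.group(2)] if collecting else []
        elif collecting:
            values = [line.strip()]
        else:
            continue
        for v in values:
            try:
                servers.append(str(ip_address(v)))
            except ValueError:
                pass  # blank or non-address text on a continuation line
    return servers


def tcp_reachable(ip, port=80, timeout=3):
    """True if a TCP connect to ip:port succeeds (a real network call)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def static_resolver(table):
    """Dict-backed resolver for dry runs; raises the same error family as
    socket.gethostbyname when the name is unknown."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(f"{name}: no such host")
        return table[name]
    return resolve


def diagnose(resolve=socket.gethostbyname, reachable=tcp_reachable,
             name="www.google.com", raw_ip="216.239.51.101"):
    """The tip's order: try the name, then the raw address.
    "ok"      name resolves and the host answers
    "dns"     name fails but the raw IP answers: fix the DNS server setting
    "network" even the raw IP fails: the fault is below DNS
    raw_ip defaults to the address quoted in the tip; it dates from 2004 and
    is assumed stale, so pass a current one for a real run."""
    try:
        resolved = resolve(name)
    except OSError:
        return "dns" if reachable(raw_ip) else "network"
    return "ok" if reachable(resolved) else "network"


if __name__ == "__main__":
    print("DNS servers:", dns_servers(SAMPLE_IPCONFIG))
    # Dry run with no network: the name cannot be resolved, raw IP answers.
    print("verdict:", diagnose(resolve=static_resolver({}),
                               reachable=lambda ip: True))
```

For a live run call `diagnose()` with its defaults on the sick machine and feed the real `ipconfig /all` output to `dns_servers()`; a "dns" verdict with an empty or unexpected server list is the case the tip's second workaround addresses. The tip is written for dial-up; on a cable connection like the asker's the same "Use the following DNS server addresses" fields sit under the Local Area Connection's Internet Protocol (TCP/IP) properties.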
       
Thanks Dale, but I am on a cable modem, not dialup. I have managed to access the net on my infected computer. I went to Trend's site and ran the free scan, and these are the viruses it says I have: "malware.bkdr", "berbew.I worm", "korgo worm", "agobot-5", "pe-bagle.t.o", "bobax.c worm", "pe-begle 1.t", "w/32begle.q". I cannot get rid of "PE-BAGLE.T.O", plus, when I think I am making progress, I reboot and everything is back. I am almost bald now, so can anybody help me?

I did run the programs SheharyaarSaahil recommended and they cleaned a lot of crap off, but I still have the viruses. :(
SheharyaarSaahil, you were right about RBO versus RB0, I discovered that. Thanks.
I would suggest putting the "infected" hard drive into another computer as a secondary drive; make sure it won't boot from it, otherwise you will just spread the infection. As it is not the boot drive, nothing on it will be run.

Then it should just be a case of copying the required files over.

Then you can fdisk the old drive and start from scratch.
>> when I think I am making progress, I reboot and everything is back

dennis, don't tell me that your System Restore is turned on!!! =\
No. System Restore is off. Putting the hard drive in my other computer is a very good idea, wish I would have thought of it. Thanks a lot :) Back to work.............