Flare Sci-fi Forums
Author Topic: Battling computer virus...
Nim
The Aardvark asked for a dagger
Member # 205

Well, after seven uneventful years, and two weeks before I'll get the last components delivered to build a new computer, I've gotten a virus.
It's called face*****.exe (I don't remember what it said after "face", and it renamed itself before I could copy-paste yesterday) and it seems to be impervious to any effort of removal by F-Secure, AVG, Lavasoft Ad-Aware and today also Eset Nod32 antivirus.

It masks itself as iexplore.exe and rundll32.exe in the activity manager list and spawns popups every second to third time I open up a web browser window. It also deletes every sixth keypress, making typing erratic.
I can type in web addresses and go there, but I can't use any search engine: as soon as I press "Search" in Google or any other engine, it just stands there, loading indefinitely, never coming up with any hits.

Also, at random times, the computer starts beeping and playing a Windows sound effect, though I don't have any Windows sounds active, save for email notification (haven't had for years).
It stops if I kill the fake "iexplore.exe" or "rundll32.exe" virus applications in the Activity Manager, though they bounce back up if I start a browser or other software.

I don't have the time to do a complete hard drive wipe and reinstall Windows, I'll be needing my comp intact this coming week for a few events and I'm running out of options.

Anyone have a tip for busting this crap except for a total wipe, or those antivirus programs I listed above?

The Ginger Beacon
Senior Member
Member # 1585

If you aren't using the latest version of F-Secure, they have a program called "BlackLight" you can download that detects this sort of shit, so that the program can remove it. I'm sure that other anti-virus software programs have something similar.

Or you might be able to use a live disk or find a copy of the pristine environment software for your OS to detect and kill it.

In my experience it's far easier to just wipe and reinstall the OS, but it is possible to fix it without doing this.

I don't really know how though.

--------------------
I have plenty of experience in biology. I bought a Tamagotchi in 1998... And... it's still alive.

Daniel Butler
I'm a Singapore where is my boat
Member # 1689

Unfortunately I agree with Ginger - in my experience an infection this bad has to be formatted. You can't really clean it out of any programs it's infected (like Internet Explorer for example, if it's detecting its launch it might have infected it) without having an inoculation database with a clean copy of the program. If you haven't ever inoculated, the best the antivirus could do would be to delete the program (which would probably be undesirable) and there still are probably files infected lying dormant somewhere random.
Nim
The Aardvark asked for a dagger
Member # 205

Damn, I was afraid of that.

My only concern right now is if this virus can jump over into my next computer, since there are a few files I'll want to bring with me from my old one. I'll be taking some media files, documents and uniques with me. Anything I can reproduce I'll leave behind, including bookmarks.

Now, if I load these files into a USB RAM-stick and insert it into a neutral "middleman" computer, any eventual virus piggybacking on the files can't jump over into that computer just by being plugged in, right? It could only multiply if I open one of the files on the stick (which I won't)?
So technically, I should be able to use F-Secure to scan the memory stick and kill any eventual virus before loading the files onward into my new comp?

Fabrux
Epic Member
Member # 71

I actually once managed to transfer a virus using a USB stick. It was damned annoying, cause I then had to wipe both computers. Blah.

--------------------
I haul cardboard and cardboard accessories

Daniel Butler
I'm a Singapore where is my boat
Member # 1689

If it's the type of virus that infects files (as opposed to the boot sector of a bootable disk, which your USB stick probably doesn't have anyway) then yes, you have to open the file for the virus to activate. In fact you can mount the drive in read-only mode - I'm not sure how you do that in Windows, but there might be a write-protect switch on your USB stick (or not). That might keep other files on the USB stick from being infected (although it wouldn't do anything to protect the PC you plug it into ;P). Anyway it's probably not necessary; just plug it in and scan it. The only files I'd be worried about would be documents which can contain macro viruses. Pictures and other data-only filetypes can't be infected in theory. Of course if your 'uniques' include programs or DLLs of any sort, you'd be better off not saving them, unless you happen to have the proper MD5 checksum of clean versions of those programs lying around [Razz]
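An added example, not code from anyone in this thread, that turns the advice in Nim's USB question and Daniel Butler's reply into a check you can run over the stick from the clean machine. It flags an autorun.inf carrying open= or shellexecute= directives (the way a stick could start something on insertion on XP-era Windows without anyone opening a file), rejects any file whose first two bytes are the MZ executable header regardless of its extension, marks macro-capable Office files for review, and verifies any program you do want to keep against a manifest of known-good hashes recorded beforehand. SHA-256 stands in for the MD5 Daniel mentions. The manifest, file names and file contents are constructed for the example and have nothing to do with the face***.exe sample.

```python
"""Triage files on a removable drive before carrying them to a clean machine.

Added example. Assumed: a manifest of known-good SHA-256 hashes that was
recorded on a clean machine earlier; demo() constructs one inline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"                      # DOS/PE header: .exe, .dll, .scr, .sys, ...
DATA_ONLY = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt", ".csv"}
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dot"}
# autorun.inf directives that made XP-era Windows run something on insertion
AUTORUN_DIRECTIVE = re.compile(r"^\s*(open|shellexecute|shell\\.*\\command)\s*=",
                               re.IGNORECASE | re.MULTILINE)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, rel: str, manifest: dict) -> str:
    """Return a verdict for one file; rules are ordered by severity."""
    if rel.lower() == "autorun.inf":
        text = path.read_text(errors="replace")
        return "reject:autorun" if AUTORUN_DIRECTIVE.search(text) else "review:autorun"
    if rel in manifest:  # a known-good hash is the only thing that clears a program
        return "allow:verified" if sha256_of(path) == manifest[rel] else "reject:hash-mismatch"
    with path.open("rb") as f:
        if f.read(2) == PE_MAGIC:  # an .exe renamed to .jpg still starts with MZ
            return "reject:executable"
    ext = path.suffix.lower()
    if ext in MACRO_CAPABLE:
        return "review:macro-capable"
    if ext in DATA_ONLY:
        return "allow:data-only"
    return "review:unknown"


def triage(root: Path, manifest: dict) -> dict:
    """Walk the stick and return {relative posix path: verdict}."""
    verdicts = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            verdicts[rel] = classify(p, rel, manifest)
    return verdicts


def demo() -> dict:
    """Constructed sample stick: every file below is made up for this example."""
    root = Path(tempfile.mkdtemp())
    clean_tool = b"MZ" + b"\x90" * 60          # stands in for a clean copy of a program
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",
        "notes.txt": b"shopping list\n",
        "holiday.jpg": b"MZ" + b"\x00" * 40,    # an executable renamed to .jpg
        "report.doc": b"\xd0\xcf\x11\xe0 fake OLE document",
        "tool.exe": clean_tool,
        "tool_tampered.exe": clean_tool + b"\xcc",
        "autorun.inf": b"[autorun]\r\nopen=face.exe\r\nicon=face.exe\r\n",
        "odd.bin": b"\x00\x01\x02",
    }
    for name, data in files.items():
        (root / name).write_bytes(data)
    # Manifest "recorded earlier on a clean machine": both entries carry the
    # clean hash, so the tampered copy fails verification.
    manifest = {"tool.exe": hashlib.sha256(clean_tool).hexdigest(),
                "tool_tampered.exe": hashlib.sha256(clean_tool).hexdigest()}
    return triage(root, manifest)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:22} {rel}")
```

The manifest hash is the only rule that lets a program through, which is the point Daniel makes: the hash has to come from a clean copy recorded before the infection, never from the infected disk itself. "Data-only" is a heuristic rather than a guarantee: a picture or text file cannot be infected in the classic sense, but a malformed one can still target a bug in whatever opens it, so the stick still gets a scan with an up-to-date scanner on the clean machine.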
Nim
The Aardvark asked for a dagger
Member # 205

I see, good info there. Yes, I'll only be moving images and text files, no games or dlls.

In fact, I'm kicking it up a notch (bam!): I've put in a clean HD and have now installed Windows on it (using a ready-made ghost image). I'll attach my old HD as slave and do a full F-Secure 7.12 scan of the shit, hopefully that'll reach deep enough.

The Windows on the old HD still works, so I can still switch back to it until I've cracked this thing.

B.J.
Space Cadet
Member # 858

quote:
Originally posted by Daniel Butler:
The only files I'd be worried about would be documents which can contain macro viruses.

Yeah, those can be nasty. Just look what they did to Voyager & her crew! [Big Grin]
The Ginger Beacon
Senior Member
Member # 1585

Don't forget to use your spice weasel.

--------------------
I have plenty of experience in biology. I bought a Tamagotchi in 1998... And... it's still alive.

Teh PW
Self Impossed Exile (This Space for rent)
Member # 1203

Do you have any idea how you acquired it (the virus) in the first place?

--------------------
*shrug* Ready, shoot, aim.

Nim
The Aardvark asked for a dagger
Member # 205

I do indeed.
Against better judgement I downloaded and installed LimeWire on a recommendation, I was trying to find a particularly rare TV series from my early days ("Private Eye", 1987, Michael Woods, Josh Brolin).
Upon downloading what I thought was a very cryptic but similarly-named file bundle (turned out to be some crazy Asian soap opera also named "Private Eye") I noticed the processor fan had been running at 100% speed for the last five minutes, which is rare since it auto-adjusts. After rebooting, I had all these colorful popups every time I opened a browser window.

Originally it called itself Facetick.exe or Face(something), after the first antivirus software quarantined the file it renamed itself into both iexplore.exe and rundll32.exe, it looks like.

Long story short, LimeWire is a supertransmitter of digital STDs, it seems. Maybe it's because of the way it samples the search hits, drinking a bit out of every bottle it finds, even from the trainyard hobos (no offense to trainyard hobos, a stout breed).

Daniel Butler
I'm a Singapore where is my boat
Member # 1689

P2P in general is like that, Nim. Just don't trust anything and be really suspicious. For example, it seems that for 2/3 the searches I try in LimeWire, the top result with several hundred peers is "*whatever I searched for* girl has orgasm on web cam." "Red Hot Chili Peppers girl has orgasm on web cam," "adobe girl has orgasm on web cam," etc. Always the same file size, too, usually well under what I'm searching for would be. I do not want to download this file and see what happens [Wink]
Mars Needs Women
Sexy Funmobile
Member # 1505

Nothing happens, just some posing. Stick to torrents, that's what I sez. I had a similar problem (unrelated to what happened in the first sentence) and I think I solved it by a mixture of rootkit cleaners and spyware search-and-destroy thingys. But of course different programs seem to find different things, so it might be a matter of finding that one program that specifically targets face***.exe files.

This might be of some help.
http://www.greatis.com/appdata/d/f/face.exe.htm

Nim
The Aardvark asked for a dagger
Member # 205

Great link, I went and used the "RegRun Reanimator" freeware, against rootkits. It took about 10 reboots, since it operates just at the pre-desktop load moment and kills the hardest files during the next reboot.
I think I got them all, since at the tenth-or-so reboot the software didn't engage any more.
I've been crashtesting the browser to try and bring out pop-ups but so far nothing. Will take a while before I feel certain though.

Thanks tiddy bear, and all of you who added your 2 cents.

© 1999-2024 Charles Capps

Powered by UBB.classic™ 6.7.3