Collarspace Discussion Forums
All Forums >> [Casual Banter] >> Off the Grid >> Another virus ? WOO HOO ! the heat is on (Page: [1] 2)
Another virus ? WOO HOO ! the heat is on - 2/7/2011 8:18:33 PM   
Termyn8or


Posts: 18681
Joined: 11/12/2005
Status: offline
This one survived a system restore. I assume the registry is now in the same state as it was at the restore point. Actually I don't think it's all that uncommon.

Now I am not worried about playing with it, it can't really do much propagating, I have no contact lists, I mean I just have not done so many things I can play with it, and learn. That's what I want to do.

Of course you might remember the Ghost in the machine thread. Some may think I'm stupid, but like a human immune system, it needs to be infected to learn. So right now, on reboot a program tries to install, I think it's called coCommon or something like that. Google was of no help.

It happened when I was in humor, about to reply to the "Cat called for jury duty" thread. I was looking for a video clip. Doing that, I saw the signs. "This is brought to you by..." some kind of update. I probably should've pulled the plug but I just held the power button down.

Whatever it is it seems to put up innocuous looking IE windows. I don't care if it is totally benign, which I doubt.

Now I was pretty damn good with this shit in the 98 days, but this is XP. I know almost everything is in the registry and I am not afraid of it. I got disks. But I got curiosity, and if it kills this cat, that is that.

The question is, where else does shit like this hide ? I mean AUTOEXEC.BAT and all that is a thing of the past, I know that. But somewhere there is a place to hide.

For example, I just did a clone on my sinister's PC. She now has a full backup that can be recloned at will to the boot drive. I told her if she started using the backup drive I would shoot her. She won't do it. I loaded her with AVG 2011 and all is well. But after the clone, Windows did not boot normally, the cloning software interjected with a message. How did it do that ?

I know there is such a thing as a "runonce" in the registry. It obviously uses that. However a system restore should get rid of that, or any new entry. So why did it try to install after the restore again ? There is obviously another place for these little varmints to hide.

It's that kind of information that I am after. Antivirus software is giving a Man a fish. I want to know how to fish. Understand ? I don't want to be dependent on a program to protect my program. I have the means to play with it, and learn how to do things for myself. That is what I want.

For others, shit, just get AVG and a couple of other programs and live with it. That is not for me. I am not whining or complaining, I am asking for knowledge. I don't need to know how to write a computer program, just to whack the fucker. I don't see why I can't do it, but for the lack of knowhow.

So really I don't even need to know the specifics of this particular infection, just how to make Windows ignore it. You don't need to eliminate a virus, just stop it from being "called" to run.

And really, back in the 95/98 days, I knew how to backup the registry on a floppy. A FLOPPY ! Then I just replace the file and that's that. Clean up the INI and BAT files and you're done. What I don't know is the specifics on how to do that in XP.

Any help ? Or am I going to figure it out about the time that XP is obsolete ? Actually there is one good thing about Vista. It won't let anything install without asking. That particular feature is worth the nag really.

But as I said, reloading actually takes less time than a virus scan here. And I have little to worry about when it comes to data loss. All the good stuff is not on the boot drive.

Regedit found nothing for the keyword cocommon. Where else could it be ?

T^T
Profile   Post #: 1
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 8:35:18 PM   
kdsub


Posts: 12180
Joined: 8/16/2007
Status: offline
You could try starting in safe mode with networking...download install and run malwarebytes.

_____________________________

Mark Twain:

I don't see any use in having a uniform and arbitrary way of spelling words. We might as well make all clothes alike and cook all dishes alike. Sameness is tiresome; variety is pleasing

(in reply to Termyn8or)
Profile   Post #: 2
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 8:39:18 PM   
Termyn8or


Posts: 18681
Joined: 11/12/2005
Status: offline
That's not the ticket for me. I want to find this SOB and whack it on my own.

I appreciate the advice, and if I have to fine. But I want to try it the hard way. Hard ways for hard heads ? maybe.

T^T

(in reply to kdsub)
Profile   Post #: 3
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 8:49:05 PM   
PeonForHer


Posts: 19612
Joined: 9/27/2008
Status: offline
When I had XP any scumware I thought I'd wiped kept coming back because they were hiding in System Restore. That used to replace a file that it 'thought' the system needed to run properly. So, pop, said scumware would come back again after a virus scan and wipe followed by a reboot.

_____________________________

http://www.domme-chronicles.com


(in reply to Termyn8or)
Profile   Post #: 4
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 8:53:42 PM   
Missokyst


Posts: 6041
Joined: 9/9/2006
Status: offline
I love battling the demons. My own computer travels everywhere on the net. All the most vile, dirty and disgusting places.. ooo.. And I have never had a virus I couldn't lick on my own system. Because I know what to look for. I use the programs, Avast, Malwarebytes, etc., but I only run them when I have someone else's hard drive in my system that needs scanning.
and yes, you can make a backup, sort of. When your system is running well, open the registry and make a backup. Anytime you need to call that up you can hit the restore from your saved copy in your documents.
I don't know what you have but if it's an XP, it can't be that bad. Launch it in safe with networking and head to administrator. Check this location, C:/Documents and settings/ Local.. and then application data. However that path goes. I have 7 on my system now and the path is different.
Since I am not sure what you have I cannot tell you where it is or how to kill it. But I do it all the time, I enjoy the challenge.

_____________________________

pain is the breaking of the shell that encloses your understanding ~Gibran, Kahlil

“The truth is, everyone is going to hurt you. You just got to find the ones worth suffering for.”
― Bob Marley


(in reply to Termyn8or)
Profile   Post #: 5
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 9:21:21 PM   
Termyn8or


Posts: 18681
Joined: 11/12/2005
Status: offline
UFR > both

Yes, hiding in system restore. So it modifies those backups ? Seems logical. So what I would need is to keep the backup on a stick or CDR or something. Seems like it would work, as well as give me a copy with which to compare. The problem might be reading it. You ever look at the registry in a text editor ? It's a mess. But that does send me in a certain direction. I also wonder if it modifies ALL copies of the backup. It would have to find them, so if I wanted to protect them, I might not even need it off drive, just rename one file to something like BULLSHIT.FUK. As long as I know how to rename it properly afterwards and put it where it belongs. Thanks, I'll see about that.

Miss, vile, disgusting and dirty ? Intriguing. How bout sending me your favorites list :-) That I do know where to put. (no snide remarks please)

So it is in documents and settings ? That means it would differ for different users. I've really considered setting up a user without privileges. I just never seem to get around to it. But I have become familiar with documents and settings. Actually I have it set to show hidden system files so I can manually add things to the sendto menu. It's not hard, just create a shortcut and drag it in. Then a picture can be forced to open in various image editors without tampering with file associations.

But isn't there a master registry ? Maybe not. Each one separate for each user in D&C ? Not inconceivable. I know the internet caches are, but I haven't been able to access them as of yet. Maybe that was before I forced it to show all files, I'm not sure right now.

If I knew programming I would surely decompile Windows. It can be done, but I have no reason to because I don't know enough to use it. What would I edit ? Really, I don't think I have to go that far. But if I learn enough, a virus is born every day. If I know how to exterminate manually, I would be able to squash the bugs before any antivirus could be updated enough to catch it. I think that would be pretty cool.

Thanks for keeping my gears greased folks.

T^T

(in reply to Missokyst)
Profile   Post #: 6
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 10:00:14 PM   
Missokyst


Posts: 6041
Joined: 9/9/2006
Status: offline
Let me know what your symptoms were and I will point you in the right direction. I know for me it is important I can kill something without tools if I can. Particularly since the newer 64 bit systems have blocked use of many of my traditional tools, I have had to learn to seek and destroy things on my own.
:) kinda like battling a mugger and overcoming him before I kick the shit out of him.

If people paid attention to their computers more there would be a lot less viral stuff in the world. LOL since I am a tech that would not be a good thing for me! But, I do encourage my clients to be proactive and most of them pay close attention.

Be observant. Pay attention to IE even though you may not be using it. Every now and then do a search for an antivirus, searching for that when you are infected will often send you on a redirect. Check out your hosts file once in a while, make sure there are no entries allowing bad pages to be installed. Visit your Prefetch folder in system32.. most of that is innocuous, but sometimes those programs you have tried to remove will just relaunch if they are listed there.
Dump out system restore after you clean your computer and create a brand new restore point. In fact, create a new restore point at least every two weeks on your own so you will have good points. Name them.

Dump out your temp files.



(in reply to Termyn8or)
Profile   Post #: 7
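Missokyst's hosts-file and "search for an antivirus and see if you get redirected" checks above can be scripted instead of eyeballed. On XP the file is %SystemRoot%\system32\drivers\etc\hosts. The following is an added example, not code from anyone in the thread; the watch list of vendor domains and the sample hosts lines are constructed (the non-loopback addresses are RFC 5737 documentation ranges). Python is used here, and in the later registry example, because the triage runs offline on copies of the files pulled from the sick machine.

```python
"""Flag hosts-file entries that sinkhole security/update domains or that
redirect names to another box.  Added example, not code from the thread;
WATCH_SUFFIXES and SAMPLE_HOSTS are constructed."""
import ipaddress

# On XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
# Domains a home PC has no business pinning in hosts (constructed watch list).
WATCH_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "avg.com", "mcafee.com",
    "norton.com", "symantec.com", "malwarebytes.org", "eset.com", "avast.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def _watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)


def suspicious_hosts(text):
    """Return (ip, name, reason) tuples for entries worth a look.

    Loopback / 0.0.0.0 entries are reported only for watched domains, because
    ad-blocking hosts files legitimately sinkhole thousands of other names.
    Any other address is reported for any name: a browser redirect to a
    third-party box has no business coming from hosts on a home PC.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name != "localhost" and _watched(name):
                findings.append((ip, name, "security/update domain sinkholed"))
        else:
            findings.append((ip, name, "redirected to %s" % ip))
    return findings


# Constructed sample; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net        # ad-block style entry, not reported
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.avg.com
203.0.113.10    www.google.com
192.0.2.5       liveupdate.symantec.com
"""

if __name__ == "__main__":
    for ip, name, reason in suspicious_hosts(SAMPLE_HOSTS):
        print("%-16s %-28s %s" % (ip, name, reason))
```

Run it against a copy of the hosts file (`suspicious_hosts(open(path).read())`). A hit of the "redirected to" kind is the one that explains the symptom Missokyst describes: the browser never reaches the real AV vendor because name resolution was answered from the file before DNS was asked.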
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 10:25:52 PM   
Aneirin


Posts: 6121
Joined: 3/18/2006
From: Tamaris
Status: offline
Is microsoft obsolete ?

_____________________________

Everything we are is the result of what we have thought, the mind is everything, what we think, we become - Guatama Buddha

Conservatism is distrust of people tempered by fear - William Gladstone

(in reply to Missokyst)
Profile   Post #: 8
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 10:34:06 PM   
Missokyst


Posts: 6041
Joined: 9/9/2006
Status: offline
heh... far from it. Happily though as apple gets larger I might find more work on that side of the OS. In Dec I removed viruses from 7 of them.


(in reply to Aneirin)
Profile   Post #: 9
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 10:47:53 PM   
NocturnalStalker


Posts: 3858
Joined: 12/4/2010
Status: offline
There's a guy on YouTube named "Danooct1" or something to that effect that specializes in showing viruses and their various fun payloads for your viewing enjoyment. You could try to get into contact with him and ask about how to remove your own. I believe he has a few XP viruses last I checked, and for the historians he has a disgusting amount of DOS/95/98 ones.

If you can find yours when browsing his videos he may tell you in the video's description how to get rid of it manually.


_____________________________

"The road I walk is paved in gold to glorify my platinum soul."

(in reply to Missokyst)
Profile   Post #: 10
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 11:33:59 PM   
Termyn8or


Posts: 18681
Joined: 11/12/2005
Status: offline
"Let me know what your symptoms... "

At the moment, on reboot it wants to install something. I have to hit cancel a bunch of times. This PC has Norton security center but it is disabled. McAfee runs but it's so out of date it's not funny. There is nothing else except bigfix, and from day one it has one fixlet message.

The Norton tray icon has changed. Possibly the thing infects AV software, but I'm not taking that to the bank just yet.

When it happened I was looking for a video with Will Ferrell as a lawyer, dog lawyer named Blazingame. The specific search words were "dog lawyer". I hit a link about halfway down the page and then it popped up and said that this was brought to me by video update. That's when I hit the power button, for four seconds, not allowing a proper shutdown. Of course it was too late.

The state it's in now is analogous to HIV positive but without AIDS. Later I'll try a few more of my favorite haunts and see how it works. I'll be on the lookout, aware of any abnormal behavior. Next time I pull the plug, the power button isn't fast enough.

Also on reboot it tried to install something else, bo1 or something but it encountered an error and had to close. I probably stopped the download of that file midstream. Actually I'm considering building or getting a simple toggle switch that would shut the internet off NOW. Wouldn't even have to touch the power button. Maybe.

If I keep my dukes up I might never find out what the payload of this vermin is, and while curious, I'm not that curious.

I'll bum around a bit, but more info might appear on my next reboot. I don't think my OS is in any immediate danger, as long as I don't let anything install.

I don't remember, but I think the box with the cancel button came from Windows because I THINK it followed my custom color scheme. I don't think a virus writer would write anything like that into it. More likely the fucker figures it would be behind the active window, and probably doesn't know how to suppress it. If that's the case, this shouldn't really be all that hard to exTerminate.

I'll be around and keep you "posted", but that is all I know right now. And really, as long as I have disks, I am not worried all that much. The only possible risk is that now my media and technical libraries are on a drive in this PC. Not the boot drive, but it is connected. There were some virii that attacked all drives on the PC, but I don't think this one is among them. But that's my only concern really.

T^T

(in reply to Missokyst)
Profile   Post #: 11
RE: Another virus ? WOO HOO ! the heat is on - 2/7/2011 11:44:53 PM   
Termyn8or


Posts: 18681
Joined: 11/12/2005
Status: offline
Now.....

An, Microsoft has been obsolete for a long time. From what I've heard they don't even use their own OS in their corporate office.

Miss, Macs might be a good idea to get into. I think as time goes by their market share will increase. This will of course make them a target.

NS, Danooct1 ? I'll have to check that out. Let's hope I don't need a video update to view the vids :-)

T^T

(in reply to Termyn8or)
Profile   Post #: 12
RE: Another virus ? WOO HOO ! the heat is on - 2/8/2011 12:36:10 AM   
came4U


Posts: 3572
Joined: 1/23/2007
From: London, Ontario
Status: offline
Termy, having 2 anti-viruses (Norton and AVG) disabled or not, plus any basic windows security installed at the same time can cause all kinds of buggery to the system itself.

To start, remove both anti-viruses and install ONE back in.

Likely any problems will disappear without need to accuse an actual downloaded reg.file extension (real or imaginary).

Start there and see what the ONE anti-virus collects as possible trouble.


_____________________________

It hurts.....that you call me a masochist


(in reply to Termyn8or)
Profile   Post #: 13
RE: Another virus ? WOO HOO ! the heat is on - 2/8/2011 9:01:52 AM   
Missokyst


Posts: 6041
Joined: 9/9/2006
Status: offline
Hey Term..
Can you go to the Run command box and type in MSCONFIG and drop me an email on the stuff listed which has the checkmarks?

Also, look in your programs list (start, all programs) and see if there is something listed under the category "startup"


(in reply to came4U)
Profile   Post #: 14
RE: Another virus ? WOO HOO ! the heat is on - 2/8/2011 9:53:21 AM   
kdsub


Posts: 12180
Joined: 8/16/2007
Status: offline
Why not download and install a process killer and set it up with a hot key...quicker than task manager or forced shut down

Butch

(in reply to Termyn8or)
Profile   Post #: 15
RE: Another virus ? WOO HOO ! the heat is on - 2/8/2011 1:17:18 PM   
Missokyst


Posts: 6041
Joined: 9/9/2006
Status: offline
It would be nice if a process killer would work on all of the nasties. If it were my computer I would just clean it up with process scanner since it is an XP computer followed by a scan with malwarebytes.
This is a pretty good place too http://www.eset.com/online-scanner
It is the first time I have seen an online scanner also take care of compromised hosts files.

< Message edited by Missokyst -- 2/8/2011 1:20:35 PM >



(in reply to kdsub)
Profile   Post #: 16
RE: Another virus ? WOO HOO ! the heat is on - 2/8/2011 2:40:14 PM   
Hippiekinkster


Posts: 5512
Joined: 11/20/2007
From: Liechtenstein
Status: offline
http://www.bleepingcomputer.com/startups/

_____________________________

"We are convinced that freedom w/o Socialism is privilege and injustice, and that Socialism w/o freedom is slavery and brutality." Bakunin

“Nothing we do, however virtuous, can be accomplished alone; therefore we are saved by love.” Reinhold Ne

(in reply to Missokyst)
Profile   Post #: 17
RE: Another virus ? WOO HOO ! the heat is on - 2/8/2011 9:15:46 PM   
Arpig


Posts: 9930
Joined: 1/3/2006
From: Increasingly further from reality
Status: offline
quote:

I don't need to know how to write a computer program, just to whack the fucker. I don't see why I can't do it, but for the lack of knowhow.
Actually Termy, you pretty much do.
I don't know if you've tried it yet or not, but msconfig is a great place to start. As well a lot of those automatically reappearing bugs have an installer program hidden on your drive somewhere. Use your firewall...go into the configuration and deny absolutely everything, and then when it tries to install you get a message which should tell you what file it is...reboot into safe mode, track the sucker down and delete it...though some of them will replicate themselves with different names so you may have to repeat the process a few times to finally get rid of it.
Good luck and have fun!


_____________________________

Big man! Pig Man!
Ha Ha...Charade you are!


Why do they leave out the letter b on "Garage Sale" signs?

CM's #1 All-Time Also-Ran


(in reply to Termyn8or)
Profile   Post #: 18
RE: Another virus ? WOO HOO ! the heat is on - 2/8/2011 10:29:33 PM   
Termyn8or


Posts: 18681
Joined: 11/12/2005
Status: offline
FR

OK

came4, only McAfee runs, and it is out of date. I am not sure of its settings but when I installed AVG 2011 on my sis's PC it didn't slow it up nearly as much. I don't really count on McAfee for much, but the popup blocker seems to work well enough. And this infection did get by it via a popup, or was it ? Did Windows or IE throw that window up ? I think Windows because now it wants something on bootup.

Now mentioned is msconfig. I tried to copy it, but it will not. I swear I didn't even know msconfig was still around. It is in normal startup, and there is one unnamed item in startup. Could that be it ? It's displaying a registry entry of :

"HKLM\SOFTWARE\Microsoft\Windows\Currentver...."

I can't seem to get it to display more, the window will not resize or maximize, and the bottom scroll only goes that far. Wouldn't Windows name everything ? Now if I were to use selective startup, after disabling this particular key, won't it show in regedit with a "DEL" or "REM" in front of it ? Or do they do that differently ? I know if I had trepidations about deleting a key I could put that REM in front and it would be muted, so to speak. Is that still true ? If so I might be able to isolate the key. That means I might be able to,,,,,, restore the restore points.

I'm pleased as punch that msconfig is still available. Selective startup might just do the trick.

In the next day or two I'll try a few things, see what happens. Right now I don't feel like playing cat and mouse with a reboot, so it remains the same for now. I just can't stay up all night with this thing tonight. And once I start, I will not stop.

Thanks all. HK, I bookmarked that link, and I will be checking it out later in detail. I know as I disable things certain things are not going to work, until I hit the right ones. Some insight in that respect can go a long way.

Thanks all. I'll be baack.

T^T

< Message edited by Termyn8or -- 2/8/2011 10:32:24 PM >

(in reply to Arpig)
Profile   Post #: 19
RE: Another virus ? WOO HOO ! the heat is on - 2/9/2011 7:17:38 AM   
poise


Posts: 9509
Joined: 7/3/2010
Status: offline
Removing this application from Start Up (msconfig) is a good first step, but it is also located in the Registry as a Run program.
In Regedit, go to HKEY Current User - Software - Microsoft - Windows - Current Version - Run.
Then highlight and delete the bugger there as well.

< Message edited by poise -- 2/9/2011 7:18:55 AM >


_____________________________

When the path ignites a soul, there’s no remaining in place.

(in reply to Termyn8or)
Profile   Post #: 20
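Poise's Run-key advice, Missokyst's earlier pointer to the Local Settings / Application Data tree under Documents and Settings, and the msconfig entry whose key path gets cut off at "HKLM\SOFTWARE\Microsoft\Windows\Currentver...." all come together if the autostart keys are exported as text from safe mode (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run-hklm.reg`, and the same for the other keys) and triaged offline, where nothing is truncated. The script below is an added example, not code posted by anyone in the thread. It assumes Windows is installed in C:\WINDOWS (the Winlogon defaults it compares against), parses only REG_SZ values (REG_EXPAND_SZ comes out of reg export as `hex(2):` and is skipped), and the sample export at the bottom, including every program name in it, is constructed.

```python
"""Triage autostart entries from a Windows XP `reg export` (.reg) text.
Added example, not code from the thread.  Assumes Windows is in C:\\WINDOWS
and parses only REG_SZ values; SAMPLE_REG at the bottom is constructed."""
import re

# Autostart keys worth walking on XP (real key paths, lowercased for matching).
# Not exhaustive: services, Winlogon\Notify, BHOs and the Startup folders too.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
}
# Winlogon values that launch code, with their XP defaults (assumes C:\WINDOWS).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
# Paths a browser running as the logged-on user can write without admin rights.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(local settings|application data)\\"
    r"|\\temp\\|\\temporary internet files\\",
    re.IGNORECASE,
)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files double backslashes and escape embedded quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values in a .reg text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if m:
            entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def image_path(command):
    """Pull the executable out of a Run-style command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted path with spaces: grow token by token until it names a program.
    tokens = command.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith((".exe", ".com", ".scr", ".bat", ".cmd", ".pif")):
            return candidate
    return tokens[0]


def triage(entries):
    """Return (key, value_name, command, reason) tuples for entries worth a closer look."""
    findings = []
    for key, values in entries.items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, command in values.items():
            if key.lower().endswith(r"\winlogon"):
                default = WINLOGON_DEFAULTS.get(name.lower())
                if default is not None and command.strip().lower() != default:
                    findings.append((key, name, command, "Winlogon value differs from the XP default"))
                continue
            exe = image_path(command)
            if USER_WRITABLE.search(exe):
                findings.append((key, name, command, "launches from a user-writable location"))
            elif not re.match(r"^[A-Za-z]:\\|^\\\\", exe):
                findings.append((key, name, command, "relative path, resolved through the search order"))
    return findings


# Constructed sample export (every program name made up).  A real one is read
# with open(path, encoding="utf-16"), since reg export writes UTF-16LE.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="C:\\Program Files\\AVG\\AVG10\\avgtray.exe"
"UpdateHelper"="\"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\vidupd\\vidupd.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Loader"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\loader.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\Temp\\shellext.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''
```

The three rules are deliberately dumb: anything started from the profile's Local Settings / Application Data or a Temp directory, anything named by a bare or relative path, and any Winlogon Shell or Userinit value that is not the stock one. Legitimate software in those trees (auto-updaters, some tray utilities) will show up too, so the list is a reading list, not a kill list. One caveat for the msconfig route discussed a few posts up: on XP, unticking a startup entry in msconfig does not write a REM in front of the value; it moves the entry to HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, so a value that vanishes from the Run key after a reboot may simply have been parked there rather than removed.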
Collarchat.com © 2025