
Unremovable Virus

Status
Not open for further replies.

OrangeWire

IS-IT--Management
Mar 26, 2003
US
You guys...if anybody can help me out I'd REALLY appreciate it.

I've been battling a damn virus for about 2 months now...I format and think it's gone, but slowly the computer starts to slow and more and more memory is used.

Eventually the virus starts to do stuff like block the find files window, block copy and paste, block drag and drop. When I go to services and attempt to see the properties of a service, the window does NOT show....then I cannot close the services window because the properties window is "not closed."

So something is in the background hiding my windows and messing with me.

Task manager shows there are NO apps that are suspicious and I have even used Process Explorer (excellent app btw) and that shows nothing out of the ordinary is running.

The only thing I have noticed that is strange is my services executable is using a pretty good chunk of memory, but not THAT much.

I'm using win 2k adv server so most antivirus apps do not want to work. Does anybody have ANY insight or info?!?! Thanks very much!

=(((
 
The same thing happened to me. Here's how I fixed it.



Follow instructions on both these pages, then go to windows update and get all security updates for programs you use.

Also, look to see if your AV Defs are really up to date.
Then run it on every machine in your network.

Hope this helps.

Corie
 
Is the server itself the source of the virus? We had one like this on an engineering network with peer-to-peer as well as client-server, and we had to pull every machine, clean each one, and add them back one-by-one. One guy had an "emergency" and plugged his back in before cleaning. We started all over again cleaning every machine. It was a mess, took almost 3 months to fix. Virus was spread across workstations by peer-to-peer, and just kept re-infecting them.

Worst part was that the original infection came from a manufacturer's hardware driver disk.

Oops.

hd
 
First, keep in mind that most viruses propagate over network shares. That being said, you can remove a virus from a server or PC, but it can and does usually return on a network because another PC on the network could have been "hosting" it, without showing any of the symptoms. So you have to look towards this problem from two aspects. One obviously is to clean and remove the virus; the second is to determine how it's coming back and prevent it from returning. Is this a corp network or small office? How many PCs on the network?
Paul
 
Well, my network is actually a home network...it consists of 4 PCs via a wireless network behind a Linksys router.

My school provided me with 2k adv server so I have been running it and playing with the features just for educational purposes... this is nothing close to a corp network.

All other computers run win 2k.

What I'm confused about is HOW the virus can spread? Even if there are network shares, I mean doesn't the virus need to be executed in order to "install"?

I am about to get Symantec antivirus corporate edition which should work on 2kas, but I highly doubt this will fix the prob bc on the 2k pro boxes we had Norton running and the virus completely disabled NAV.

Do you guys have any tips as far as formatting to ensure that EVERYTHING is wiped off the disk???
 
Here are a few ones to try.

First, what makes you think it is a virus? Other than the services using more memory than expected? Have you checked out the Event logs to resolve any warnings/errors being reported? You could be chasing a ghost.

McAfee
Download the Stinger; it is a self-contained virus scanner. You can run it from a floppy if you wanted.

Symantec (Norton)

Also check the system for spyware. I recommend Adaware6, but Spybot and a few others are just as helpful.
 
After I read my initial reply I noticed it sounds a bit hostile; it wasn't meant to be. In the past I could have sworn I had a problem that was virus related and ended up having a hung service I hadn't noticed and found an error in the Event log that resolved the issue.

Just wanted to clear that up in case it came off as rude.

Good luck Orangewire.
 
OrangeWire,
To answer the HOW, understand that once one machine is infected, many viruses will install themselves as a system process, or even part of the boot sector, so that they keep coming back every time the system starts.

As paulray said, many viruses spread via network shares. An astute virus writer will copy a file onto the share, and modify AUTOEXEC.BAT, CONFIG.SYS, or the registry of the target (victim!) machine to run the virus when it boots next time. (A very good reason NOT to share the C:\ directory) Many viruses also just append themselves to a legitimate file (.EXE, .COM, .SYS and .DLL are favorite targets) and patch a byte or two in the original file so the virus gets itself executed.

Not being a "corporate" network doesn't matter. Once the virus gets loose, it just infects everything it can find. Big or small, the problem is the same.

Our best success was to disconnect all the stations, then re-connect them one-by-one AFTER they were cleaned out.

Good Luck. (You'll need it)
:)

Howard Dingman
Pro-Tel Communications
Endicott, NY
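
Added example, not part of any poster's reply and not a tool named in the thread: a file-integrity baseline for the file types the post above names (.EXE, .COM, .SYS, .DLL), which flags files that changed or grew after a known-clean snapshot. The function names `snapshot`, `compare` and `demo` are hypothetical, and the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Extensions the post names as favourite infection targets.
TARGET_EXTS = {".exe", ".com", ".sys", ".dll"}

def snapshot(root):
    """Map relative path -> (size, SHA-256) for every target file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[os.path.relpath(full, root)] = (os.path.getsize(full), digest.hexdigest())
    return result

def compare(baseline, current):
    """Return sorted (path, status) findings: new, grown, modified or missing."""
    findings = []
    for path, (size, digest) in current.items():
        if path not in baseline:
            findings.append((path, "new"))
        elif baseline[path][1] != digest:
            # A file that got longer fits the "appended to a legitimate file" pattern.
            findings.append((path, "grown" if size > baseline[path][0] else "modified"))
    findings += [(p, "missing") for p in baseline if p not in current]
    return sorted(findings)

def demo():
    """Constructed sample: two placeholder binaries, one altered after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("tool.exe", b"MZ" + b"\x00" * 64), ("lib.dll", b"MZ" + b"\x01" * 64)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)  # taken while the machine is known clean
        with open(os.path.join(root, "tool.exe"), "ab") as fh:
            fh.write(b"\xff" * 32)  # stand-in for appended bytes, not real code
        with open(os.path.join(root, "dropped.com"), "wb") as fh:
            fh.write(b"\x00")  # a file that was not there at baseline time
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, status in demo():
        print(status, path)
```

Take the baseline right after a clean rebuild and store it off the machine, so a later infection cannot rewrite it along with the files.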
 
Your best defence for viruses is a good offence. That being, be very proactive, and install every patch when they come out from Microsoft. You need to update the server as soon as you build it with every patch that is out there. This can help close out the holes that viruses will use to attack your computer. Once you get that done, then you should be protected. Do this on every computer all the time. This should help stop the virus from reappearing when you rebuild a machine.
 