IMPORTANT! - New Virus Info, what happened to me

Hardy · #1 03-17-2003, 06:50 AM

I got back from my WWE event (very very fun!) and I came into the computer room to see the screen was HUGE, the icons were the size of half the screen (exagerated a little, lol), and my awsome backround was gone :cry: I asked my step-dad how it happened, he said a program made an illegal operation, he said to close, then it said it needed to restart the computer, and he did. It came back up like that, he didn't mess with it since. Well, I looked at it, and ALL the drivers and windows settings were deleted. Even settings in games! (ie: D2 settings set back to default, as well as EQ, along with some others). I had to reinstall all my drivers, and then I notice Norton Antivirus won't work! So I reinstalled that, it finally opened for me. I click liveupdate, it updates virus definitions, then all of a sudden, it says it can't install them because I don't have antivirus installed. I look at the main norton screen, and there was no antivirus button, only utilities and cleanup. I installed again, told it to install antivirus only, took about 2sec and it still would not install. HELP! lol, I dunno what to do! If I reformat, i won't be able to play EQemu till it gets fixed with new EQ patch :cry: Mainly because patcher don't work for me (using win98 2ed). If you know how to get rid of this type of virus, please tell me! I might reinstall windows without reformating, see how that goes.

Oh yea, and under add/remove programs, NO programs were listed, they were all gone, yet I can still play D2 and everything. It also set my directx back to version 6.1!!!!!!!!

Piska · #2 03-17-2003, 07:25 AM

uhh try booting into safemode and installing antivirus there.

Galthus · #3 03-17-2003, 08:20 AM

Safe mode won't help if he has one of the types of viruses that turns off virus scanners. Some of them attach to the MBR (master boot record).

Examples of what I am talking about:
Ex 1:
http://www.symantec.com/avcenter/ven.../mailissa.html
<snip>
Similar to W97M.Pri, the virus turns off the security protection upon opening an infected document in MS Word 2000.
</snip>

Ex 2:
http://www.viruslibrary.com/virusinfo/Implantfamily.htm
<snip>
....very dangerous memory resident polymorphic and stealth multipartite viruses. They affect .COM, .EXE and .SYS files as well as MBR of the hard drive and boot sector of floppy disks.

When an infected file is executed, the virus writes itself to the MBR of the hard drive and returns control to the host program. While loading from infected disk the virus hooks INT 12h, 13h, 1Ch, ......
</snip>

Ex 3:
http://www.norman.com/virus_info/w32_klez_g_mm.shtml
It will add an entry in the Registry so that it is loaded from startup.
This thread will go through running processes and look whether they contain certain words (Ref WL01) within the first 512k of the process' own memory space. If any of these words are found, the process will be attempted killed, and the accompanying program file will be deleted (provided it does not reside in the dllcache directory).

Note that the fact that the word list contains virus names will not always affect the viruses in question since some of them do not contain their own name - but it will certainly affect antivirus programs and fixup tools.

The registry keys HLKM\Software\Microsoft\Windows\CurrentVersion\Run and
HLKM\Software\Microsoft\Windows\CurrentVersion\Run Services are checked for the precence of antivirus programs in the WL02 list. If so, they are removed from registry.

On Win9x/ME this thread also continuously refreshes the worm's own Run key in the Registry.

!!!!!!!!!!!!! Those were just a few quick example types.
What you can do (places to start, be sure to keep the link all together):
http://www.google.com/search?hl=en&l...=Google+Search

Or just manually download patch/fixes from your virus software website. Don't rely on 'autoupdates', currently your virus software could be compromised. This could be a much longer post, instead I suggest you inform yourself with google, and then get fix(es) from sites you trust.

Oh, and really think about where the virus came from. (some exe, or an Office 95/97/2000/2002 document, Outlook/Express email...)

Hardy · #4 03-17-2003, 04:28 PM

Yikes, sounds like a nice virus. I finally got the norton antivirus installed, I was so happy! Then I went into the program, click the box for the drop down menu so I could scan, and it won't drop down. Then I tried the one-button checkup (those with norton should know what I am talking about) and it skipped right past the virus scanning.

I went to norton.com and there online virus scan worked, yet it found no viruses. This seemed rather odd. I will browse through google and see what I can find, thx for the info, i appreciate it!

Not sure where the virus came from, my step-dad said that it just popped up an illegal operation and had him restart computer.

Trumpcard · #5 03-18-2003, 12:35 AM

I dont think you have a virus, I just think your registry got hosed...

I'd just reinstall windows on top of itself, it'll save pretty much everything..

Of course a fresh install is the smartest thing to do...

BLOOD_kane · #6 03-30-2003, 02:16 PM

the patcher works for me and i have win 98 2ed

Hardy · #7 03-30-2003, 05:21 PM

I did reformat, windows is working very well now, no more problems.

I am not sure why the patcher won't work for me, I extracted it into my EQ directory, ran the program and it always says it can't connect to the server. Since I formated, I might try it again, have yet to install EQ again though.