Need help with a virus #135633
04/30/04 07:06 PM
Joined: Nov 2000
Posts: 8,557
Canada
hagatha Offline OP
BAAG Specialist
I obviously have a virus on my computer, which is shutting me down like the blaster worm a few months ago.

My Norton seems to have been disabled - the icon is no longer on my desktop header, Liveupdate won't work, and automatic scanning has been disabled and I can't turn it back on. In fact, any time I try to do anything with Norton it just shuts off (Norton, I mean). Live update starts to run and then stops, and when I try to start it up again, I get a message saying it's already running, which it's not.

I have no idea what to do here. I have a link to the Symantec website, but I get a page error when I try to connect to it. Anyone have any suggestions?

the shutdown message says system32\lass.exe


I think I'm quite ready for another adventure.
Re: Need help with a virus #135634
04/30/04 07:49 PM
Joined: Nov 2000
Posts: 8,557
Canada
hagatha Offline OP
BAAG Specialist
Here's the kicker - my system restore point is gone. The only one in there is today.

If anyone can help me with this I would really appreciate it because I have no idea what to do. I don't even know where to start.


I think I'm quite ready for another adventure.
Re: Need help with a virus #135635
04/30/04 09:12 PM
Joined: Oct 2000
Posts: 40,644
southeast USA
Jenny100 Offline
GB Reviewer Glitches Moderator
Sonic Boomer
Are you able to use the online antivirus here
http://housecall.antivirus.com/housecall/start_frame.asp

Re: Need help with a virus #135636
04/30/04 11:54 PM
Joined: Nov 2000
Posts: 8,557
Canada
hagatha Offline OP
BAAG Specialist
Apparently not. My ability to use the Internet is sporadic and the antivirus never loads so I guess I'm being blocked from doing that, too.


I think I'm quite ready for another adventure.
Re: Need help with a virus #135637
05/01/04 12:52 AM
Joined: Nov 2000
Posts: 8,557
Canada
hagatha Offline OP
BAAG Specialist
I got the online antivirus working. It cleaned one file, and found two others, but it can't clean them and I cannot locate them to remove them. The virus shuts down the virus scan before it is completed, so I have not been able to use the "delete" function on these files. Also, unfortunately, the virus scan window shows you the general direction of the location of the viruses, but it's not wide enough to show the entire string showing the exact location, so I can't pinpoint them.

They are WORM NACHI.B ; somewhere in my system32 config files

and

DOS AGOBOT.HM; somewhere in my system32 drivers file.

The problem with my computer persists, so the cleaned file was not the answer.

Why can I not locate these files? I've done a thorough search of the system32 config and drivers folders, but there are no files by those names. I tried looking by date but nothing came up either.


I think I'm quite ready for another adventure.
Re: Need help with a virus #135638
05/01/04 05:05 AM
Joined: Mar 2001
Posts: 904
Philly
kwbridge Offline
Settled Boomer
Here are instructions on how to get rid of each of these problems manually.

Worm Nachi.B is a virus
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.B

Agobot.HM - is spyware and I think is a bigger problem than the virus
http://www.pestpatrol.com/pestinfo/b/backdoor_agobot.asp

Hope this helps.


(Anti) Social Development
Re: Need help with a virus #135639
05/01/04 06:35 AM
Joined: Sep 2002
Posts: 13,701
Virginia
Jema Offline
Adept Boomer
hagatha,

DOS AGOBOT.HM, or its relation WORM.AGOBOT.HM, is probably responsible for making Norton AntiVirus unusable, preventing you from connecting to any antiviral sites, deleting your System Restore files (with the exception of the one you mentioned which is more than likely infected), and possibly some other unpleasant things.

First, you should do a search for the Hosts file (no extension, just Hosts). Open it in Notepad and look for entries like the following:

127.0.0.1 localhost

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com

If they're there, delete all that begin 127.0.0.1 except 127.0.0.1 localhost - leave that one. Save the file and then close it.

If you find more than one Hosts file, do the above for each one.

Symantec recommends that System Restore be turned off until you've cleaned your system because any restore points that are created before then will be infected. I would think you should also delete the one you currently have.

After cleaning out the Hosts file, you should be able to connect to the link Jenny100 gave and run a virus scan.

Then follow the link kwbridge gave to TrendMicro's page about WORM NACHI.B. They also have a page for DOS AGOBOT.HM here with a link to their page on WORM AGOBOT.HM

On either of TrendMicro's pages there's a cleanup tool you can download that to me reads like it will take care of both of these nasties, rather than having to do it manually.

One other thing, on the page for WORM AGOBOT.HM, there's a link to a Microsoft program you can download to check whether or not all your services are protected. I'm assuming you're running Win2000, NT, or XP because, from what I read, Agobot doesn't infect Win9X systems.

Good luck.

wave Jema


Wouldn't that jar your mustard!
Re: Need help with a virus #135640
05/01/04 11:16 AM
Joined: May 2001
Posts: 3,424
WA. USA
lasanidine Offline
Addicted Boomer
Once you did all the above and your system is clean and running and if it is XP you have to check to make sure that your system files are not damaged.

You do this the following way:

Start>Run> on the command line type sfc /scannow (exactly)
> Ok

Follow instructions, you will be asked for your install disk, put it in the drive, exit the menu and wait till the computer does all the scanning and repair.

Update your virus protection and if it is not on turn on your built in firewall too.

Start>Network places> Local area connections> Properties >Advanced> Put a check-mark in the box for firewall.


"I am not young enough to know everything."

Oscar Wilde
Re: Need help with a virus #135641
05/01/04 03:30 PM
Joined: Sep 2002
Posts: 13,701
Virginia
Jema Offline
Adept Boomer
Good advice, lasanidine.

hagatha, I just checked the TrendMicro pages again and I couldn't find the link to the MS program I mentioned in my previous post, so I must have seen it somewhere else. Anyhow, here's the link: Security Check

You can read about and download it there.

wave Jema


Wouldn't that jar your mustard!
Re: Need help with a virus #135642
05/01/04 03:36 PM
Joined: Jun 2000
Posts: 3,171
an Illinois cornfield
Jen in Chgo Offline
Addicted Boomer
I'm having similar issues. I keep getting shut-down with the same error message as Hagatha (lsass.exe). I was able (after a gazillion failed attempts) to use the on-line anti-virus Jenny suggested. It found 2 files (nachi.b). I deleted them just as the evil timer wound down & booted me.

I did what lasanidine suggested afterward, although nothing happened....it scanned & then just went away, never asking me for a disc. frown I went back on-line & ran the virus-scan again & it said I was clean but soon after I was booted yet again. I'm clueless what to do. So far I'm okay, I've been online for awhile & no boot but I'm not entirely sure it's gone.

Also, I disabled my system restore. Is it safe to reactivate it or is it corrupt? If it's yucky, how do I clean it...or get a virus free restore?
ARGH!!!

laugh Love, Jen laugh


It's a hard-knock life. Wear wooden underwear.
Re: Need help with a virus #135643
05/01/04 05:21 PM
Joined: Sep 2002
Posts: 13,701
Virginia
Jema Offline
Adept Boomer
Jen in Chgo,

Since TrendMicro describes Worm Nachi.B as a memory-resident worm, if all you did was delete some files, I think it's safe to say you did not get rid of it. Every time you reboot Windows, the worm will reactivate.

Click on the link that kwbridge posted and either download and use the cleanup tool or follow the instructions to manually get rid of it.

Also check out the links there to some MS Security Patches - sounds like to me you need to apply one or more of those.

I don't know whether or not this worm messes with the Hosts file but, if it were me, I'd check that file or files (per my earlier post). Better safe than sorry. laugh

After doing all of that, follow all of lasanidine's good advice.

As for System Restore, if it were my system and since I couldn't be sure when it became infected, I'd delete all restore points. Then once my system was clean, patched, and updated, and after following lasanidine's advice, I'd reactivate System Restore and create a fresh restore point.

wave Jema


Wouldn't that jar your mustard!
Re: Need help with a virus #135644
05/01/04 07:07 PM
Joined: Nov 2000
Posts: 8,557
Canada
hagatha Offline OP
BAAG Specialist
The Security Check link doesn't work. I get a timeout error.

Also, I'm really confused...I found the Hosts file and deleted the files, but now I don't know what to do.

The links get me to pages that don't explicitly say that they take care of these specific problems...not sure what to look for partly because I have to rush before I get shut down. So I can't find a trendmicro page about AGOBOT B. The trendmicro cleanup tool I used only deletes the files but the problem is still there.

There is a way to manually delete the AGOBOT files but Task Manager doesn't show any of those files running and anyway I don't know what the instructions mean when they say "kill" the files with Task Manager. And then I am supposed to delete them.

So to recap - I have removed the Hosts files but don't know what to do next. The security check link does not work. I will try the link to pest patrol again but it only has an automatic removal for AGOBOT A, not B, as far as I can tell.


I think I'm quite ready for another adventure.
Re: Need help with a virus #135645
05/01/04 07:35 PM
Joined: Nov 2000
Posts: 8,557
Canada
hagatha Offline OP
BAAG Specialist
Ok. I've gone to the trendmicro place where there is a download for AGOBOT but I cannot use it unless I also download something called a pattern file.

It gives a location to get the pattern file from, but I still can't do it:

1. The pattern file is called lpt$svpn.xxx and I am to save it as a zip file as lptxxx.zip

a) I have no idea what those xxx's mean.

b) Also, there IS no file by the above name on the pattern page, so I don't know which one to download.

2. Assuming that I can work out which pattern file to download, where do I download it to on my computer?

3. How do I save it as a zip file?


I think I'm quite ready for another adventure.
Re: Need help with a virus #135646
05/01/04 11:30 PM
Joined: Sep 2002
Posts: 13,701
Virginia
Jema Offline
Adept Boomer
hagatha,

First, the Security Check link works fine for me, so you may be getting the timeout error because your system is infected.

Second, if you've rebooted your system after cleaning out the Hosts file, since your system is infected, those files may be back in there and you'll have to delete them again so you can stay connected to TrendMicro's site long enough to download the files you need for the cleanup. Make sure you save the Hosts file after you delete the files so the changes take effect.

Now, for some explanations. Norton calls their virus updates "definitions". Apparently, TrendMicro calls theirs "patterns". The xxx in lptxxx.zip stands for whatever the number is of their latest pattern download. At the moment, that number is 881, so the file you want to download is lpt881.zip. The actual pattern file, lpt$vpn.881, is within the .zip file.

Following the instructions in the readme file at TrendMicro, this is how to use the cleanup tool.

1. Create a new folder on your hard disk. You can call it anything you want; for this, I'm going to call it Sysclean.

2. Download the cleanup tool, which consists of one file, sysclean.com, and save it to the Sysclean folder.

3. Download lpt881.zip and save it to your desktop or any folder of your choice. Unzip its contents into the Sysclean folder. Note: To do this, use whatever zip/unzip utility you have installed.

4. Now, you should have these three files in the Sysclean folder: sysclean.com, lpt$vpn.881, and whatsnew.txt.

5. Close all applications running on your system, INCLUDING any antivirus software.

6. Double click on sysclean.com to do the cleanup.

7. After sysclean.com does its thing, enable your antivirus software and perform a manual scan of your system.

8. You should now have a fourth file in the Sysclean folder: Sysclean.log.

Hope this answers your questions.

wave Jema


Wouldn't that jar your mustard!
Re: Need help with a virus #135647
05/02/04 08:02 AM
Joined: Jun 2000
Posts: 3,171
an Illinois cornfield
Jen in Chgo Offline
Addicted Boomer
Jema, I did download the tool to "get rid of it". It was a zip file & I unzipped it & ran it. The log came out clean....no bad files. duh I also updated my MS security patches. Like I said, I tried to do what lasanidine suggested but I'm not certain it worked....never asked me to insert a disc, just ran for a few seconds & then back to desktop. I'll check those HOST files per your suggestion.

I seem to be okay & am not being shut down anymore. I'm not technically proficient so could you (or anyone) please give me step-by-step instructions on how to clean/fix my system restore?

laugh Love, Jen laugh


It's a hard-knock life. Wear wooden underwear.
Re: Need help with a virus #135648
05/02/04 09:31 AM
Joined: Dec 2000
Posts: 4,516
North aurora IL
burpee Offline
Addicted Boomer
I'm ready to cry after reading this post.

I just got back from a week's vacation and checked my email and visited my 3 favorite sites. While responding to an email I got the NT authority system C://windows/system32/lsass.exe shutdown message. I can't be on the internet long enough to fix anything. Right now I'm on my old W98.

I have visited this Symantec site:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.ratsou.b.html

I don't know if this is the same thing.

QUESTION: how do I get into the Host file area? Is doing that so that the virus checker will work? Would I need to do that if my McAfee is working ok?

Re: Need help with a virus #135649
05/02/04 09:45 AM
Joined: Mar 2002
Posts: 3,004
USA
looney Offline
Addicted Boomer
If you know which files to delete, try booting XP in safe mode by pressing the f8 key when windows first starts to load. It may not load the virus in memory in this mode.


Banana phone!
Re: Need help with a virus #135650
05/02/04 04:05 PM
Joined: Sep 2002
Posts: 13,701
Virginia
Jema Offline
Adept Boomer
Jen in Chgo,

Click Here to read about how to disable/enable System Restore in XP.

Disabling it will purge all your restore points. Then, when you enable it, it begins monitoring your system again.

If scannow didn't ask you to insert your install disk, I would think that means it didn't find any files that needed to be repaired/replaced. I'm not familiar with scannow, so maybe lasanidine can tell you if that's true.

wave Jema


Wouldn't that jar your mustard!
Re: Need help with a virus #135651
05/02/04 04:40 PM
Joined: Sep 2002
Posts: 13,701
Virginia
Jema Offline
Adept Boomer
burpee,

The Hosts file can be used to list sites the user doesn't want to connect to. Unfortunately, it is also used by certain viruses/worms to prevent the user from connecting to any site of its choice - including all or most of the sites that have anything to do with virus protection.

looney's suggestion to reboot into Safe Mode is a good one. I've never tried it but it may be that if your computer is infected and your antivirus software won't work in Standard Mode, it will in Safe Mode.

To find the Hosts file, click on Start, go to Find and click on Files and Folders. In the Named field type Hosts, make sure Look in has your primary drive and that Include subfolders is checked, and then click on Find now.

Open the Hosts file in Notepad (making sure always use this program is unchecked). Once you delete the offending entries, save the file and close Notepad. If there's more than one Hosts file, do the same thing for each of them.

wave Jema


Wouldn't that jar your mustard!
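The Hosts file check Jema describes in this post and in the earlier one (delete every 127.0.0.1 entry except localhost), written as an added example that is not part of the original thread: a small Python auditor that lists suspicious entries and produces a cleaned copy. It goes slightly beyond the thread by also flagging 0.0.0.0 entries and vendor names pointed at some other address; the watched-domain list and the sample file are constructed from the entries quoted above.

```python
import ipaddress

# Vendor domains seen in the entries quoted in the thread (extend as needed).
WATCHED = ("symantec.com", "sophos.com", "mcafee.com")
SAFE_NAMES = {"localhost"}

def _mapping(raw):
    """Return (ip, [hostnames]) for a mapping line, or None for blank/comment/garbage."""
    fields = raw.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return ip, [f.lower().rstrip(".") for f in fields[1:]]

def _is_vendor(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def classify(ip, name):
    """Return a finding label for one ip/name pair, or None if it looks benign."""
    sinkhole = ip.is_loopback or ip.is_unspecified   # 127.x.x.x, ::1, 0.0.0.0
    if name in SAFE_NAMES and ip.is_loopback:
        return None
    if _is_vendor(name):
        return "vendor-blocked" if sinkhole else "vendor-redirected"
    return "sinkholed" if sinkhole else None

def audit(text):
    """List (line_no, hostname, ip, label) for every suspicious entry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = _mapping(raw)
        if parsed is None:
            continue
        ip, names = parsed
        for name in names:
            label = classify(ip, name)
            if label:
                findings.append((no, name, str(ip), label))
    return findings

def clean(text):
    """Drop flagged hostnames; keep comments, blank lines and benign mappings."""
    out = []
    for raw in text.splitlines():
        parsed = _mapping(raw)
        if parsed is None:
            out.append(raw)
            continue
        ip, names = parsed
        keep = [n for n in names if classify(ip, n) is None]
        if len(keep) == len(names):
            out.append(raw)                      # untouched, original spacing kept
        elif keep:
            out.append(f"{ip} {' '.join(keep)}")  # e.g. localhost sharing a line
    return "\n".join(out) + "\n"

# Constructed sample modelled on the entries quoted in the thread.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1   localhost   WWW.Sophos.com   # two names on one line
0.0.0.0 sophos.com
10.9.8.7 www.mcafee.com
127.0.0.1 ads.example.net
192.168.1.20 fileserver
"""

if __name__ == "__main__":
    for no, name, ip, label in audit(SAMPLE):
        print(f"line {no}: {name} -> {ip} [{label}]")
    print(clean(SAMPLE), end="")
```

On Windows 2000/XP the file Windows actually consults is %SystemRoot%\System32\drivers\etc\hosts; run the audit on a copy of it, and again after a reboot, since the thread notes the entries can come back while the system is still infected.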
Re: Need help with a virus #135652
05/02/04 05:28 PM
Joined: May 2004
Posts: 19
Hagathaone Offline
Shy Boomer
As per last night's post I have downloaded the files, unzipped the pattern file and run the scan. I have AGOBOT.HM on my computer as well as a SASSER variant. The Virus scan did not remove either of them although it found them and I had it set to automatically remove them. I have tried it over and over; probably a dozen times. The scan will tell me that I have no infected files but the next time I turn on my computer it's all back again.

I have deleted the "HOSTS" files about thirty times now, as well as running the scan.

My recycle bin is now called "Norton Protected Recycle Bin" and I can not empty it. If I click on it either on Desk Top or in Explorer my computer freezes.


I do note that the scan I downloaded last night, as well as today's update, do not list AGOBOT. with the .HM extension.

The first couple of times I ran the scan it seemed to think it had deleted AGOBOT. But now when I run it the log does not show any deletions even though it says it has detected 82 files. I am running it to automatically delete anything it finds.

Basically, nothing has worked so far.

Do I have any other options?

Re: Need help with a virus #135653
05/02/04 05:40 PM
Joined: Dec 2000
Posts: 4,516
North aurora IL
burpee Offline
Addicted Boomer
Hagathaone, I am so sorry for your troubles. I just can't fathom why someone finds this so amusing...to hurt other people for no good reason. Would they do this to their own mother or father?

I was able to restore to a previous save point, reconnected to the web, McAfee updated and as soon as it finished I got off. A McAfee warning popped up on my desktop saying that it detected and deleted a W32/sasser.worm.b to complete the clean process. Said it was in C://windows/system32/31869_up.exe and C://windows/avserve2.exe.

It asked if I wanted to scan and I said yes. It found 14 files and deleted them. It then popped up with another warning saying the same virus but in systemvolume/info/_restore. It asked if I wanted to run the scan but the first one was already running so I said NO. Should I have said yes? Do I need to do anything else?

Jema, thanks for explaining the HOSTS location process.

Re: Need help with a virus #135654
05/02/04 06:17 PM
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist
is Hagatha and Hagathaone the same Boomer?

Inferno


Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden
Re: Need help with a virus #135655
05/02/04 06:57 PM
Joined: May 2004
Posts: 19
Hagathaone Offline
Shy Boomer
Yes. I am using my partner's computer and couldn't remember my password, it's been so long since I registered. And he (my partner) needs a new keyboard, I see!

I've given up, basically. I don't think anyone can help me - the Recycle bin is probably the reason nothing is working for me because I can't really delete anything. And nobody else seems to have heard about this particular problem. Nothing has worked as it is supposed to, and I have lost my entire weekend (a nice touch after a 70-hour week and just before another one).

Yesterday I bought another computer for games which will never be connected to the Internet. When I have my other system fixed I'm putting Win 98 back on because it's less of a target. When I know my system is clean I'll download patches, updates and the like and burn a cd of them for my new computer.

You really have to wonder what's wrong with people that they get a rise out of this kind of mindless abuse of innocent bystanders. Then again, I don't hold out a whole lot of hope for the human race, anyway.

Re: Need help with a virus #135656
05/02/04 07:11 PM
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
infernoj13usa Offline
The Radiant Moderator Staff Reviewer
BAAG Specialist
NO......No.......no! Don't give up... I'm working on it.
Hagatha... Take a break... Mix up a pitcher of Margaritas and drink one for me while you're at it. (I'm not allowed to take alcohol because of the "Grave's" but you can drink one for me, I'm only allowed to write about it.)

Give me about an hour and then check back here. Do nothing to your XP just yet. There's got to be a way to fix it... we'll find it. Check back here for updates. I know you're upset but remember this if nothing else; I'm here for you and so are all the other Boomies reading and watching this thread as well as your other one. We're all holding your hand.

We'll get through this.......together.


Inferno


Watching: Dark Shadows
Reading: Angelique's Descent
Playing: WoW and living in Kil' Jaeden
Re: Need help with a virus #135657
05/02/04 07:48 PM
Joined: Oct 2000
Posts: 40,644
southeast USA
Jenny100 Offline
GB Reviewer Glitches Moderator
Sonic Boomer
Sasser seems to be a new worm that struck this weekend.
Yahoo news has a story on it.

Microsoft has this to say about the Sasser worm.
http://www.microsoft.com/security/incident/sasser.asp

Microsoft's tool to remove Sasser is here .

To protect yourself from future infections, get the Microsoft security update here
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
