Avast WEBforum

Other => Viruses and worms => Topic started by: ONEBADMK8 on November 07, 2006, 02:10:00 AM

Title: Luder-F Update!! READ!
Post by: ONEBADMK8 on November 07, 2006, 02:10:00 AM
Well, I did the Process Explorer thing and looked for the duel.exe entry, and even tried the Process Explorer program, and didn't see it, yet I cannot reboot with F8 and I had to switch to an old-school keyboard to do this, and I believe it is still here, trapped in OneCare maybe? The only reason I say this is because OneCare is doing what Avast did when I was infected: you CANNOT open it, but I ran every single scanner known to man and it says I am safe? What to do?

I forgot, I also went to remove OneCare from my computer, and when I did Add/Remove Programs it said it was already removed and asked if I wanted to just remove it from the list, which I did, yet the program is still running and tells me I am at risk? This is 3 weeks past bizarre. I went into C:\Program Files and went to the Microsoft OneCare folder and it's all there?

What the hell to do now?
Title: Re: Luder-F Update!! READ!
Post by: Eddy on November 07, 2006, 02:52:38 AM
After reading your post, I assume you have already mentioned your problem earlier somewhere here. Please keep posting in the same thread next time.

So, you want to remove OneCare, right?
Here is the way:

1) delete the OneCare folder and all that is in it manually. (you may have to do this in safe mode)
2) reboot (you may get an error about OneCare, but just ignore it)
3) run CCleaner and CleanUp! in normal mode. (Both are free utils and easy to find with google.)
4) reboot

That should take care of OneCare.

Now about the keyboard (the F8 issue):
This is normal when you use a usb keyboard and/or multimedia keyboard.
Don't worry, this is just a setting in the BIOS and is not an error/fault/problem and has nothing to do with Windows or an installed application.
Whether you want to change the BIOS setting for this is up to you.
Whether you can do it depends on your BIOS.
Consult your motherboard's manual for this and look for something like "usb legacy support" or "usb dos support".
At this point I recommend to leave the bios alone and do not worry about it.
Title: Re: Luder-F Update!! READ!
Post by: ONEBADMK8 on November 07, 2006, 07:10:36 AM
I'll try it, how do I get into safe mode from the command prompt?   Thanks in advance.
Title: Re: Luder-F Update!! READ!
Post by: galooma on November 07, 2006, 08:05:58 AM
safe mode is usually the F8 while you are booting, isn't it? and bios is delete key
sounds to me like you have a rootkit that is concealing itself and any folder/program that messes with it .
Is it possible for you to get Blacklight or rootkit revealer and see what they find.
Might be a good time to back up any important files in case you have to format
good luck  :)
Title: Re: Luder-F Update!! READ!
Post by: ONEBADMK8 on November 07, 2006, 09:19:58 AM
I just did Blacklight and it didn't find anything.  I think I'm all right now.
Title: Re: Luder-F Update!! READ!
Post by: DavidR on November 07, 2006, 01:56:20 PM
When you keep flitting from topic to topic it is very hard to help with information and answers scattered to the winds. This should all be in one topic, it will be easier for you and for those trying to help.

I already told you how to get into safe mode and the fact that this issue was more likely to be hardware (USB/BIOS) not recognising the keyboard F8 input and suggested using a ps2 keyboard.
Title: Re: Luder-F Update!! READ!
Post by: ONEBADMK8 on November 07, 2006, 09:18:22 PM
Yes I did use another old style keyboard to get into F8 and it worked, turns out my USB board wouldn't work.  Thanks for the input.
Title: Re: Luder-F Update!! READ!
Post by: Lisandro on November 08, 2006, 01:16:06 AM
yES i DID USE ANOTHER OLD STYLE KEYBOARD TO GET INTO f8 AND IT WORKED, TURNS OUT MY usb BOARD WOULDNT WORK.  tHANKS FOR THE INPUT.
It's normal... the usb keyboard drivers were not loaded at that time, boot time.
Second, no need for CAPS... you're not yelling  ;)
Title: Re: Luder-F Update!! READ!
Post by: gd on November 09, 2006, 02:12:39 AM
Hi all,

A friend of mine called me to fix his computer, he was having the SmitFraud.c thing. There were obviously other problems too, like Windows Firewall service got disabled etc.

I disabled System Restore, removed the outdated (a year or so) NAV and installed Avast in safe mode, updated it from file (since I had disabled the internet connection), then ran a boot-time scan. Several instances of the Luder-F and Banwarum viruses were quarantined, including many executables from common programs like Adobe Reader and Flash Player, and some seemingly unimportant files in the Windows dir. At one point it said drive c: was full, so from then on I deleted the infected files. After booting up Windows, I ran Spybot which removed around 30 different spyware etc., and nasty ones too. I checked the processes with Process Explorer, didn't find anything suspicious (like duel). Also verified the registry keys supposedly modified by these malware.

But after rebooting, and not even in normal mode, Luder-F came right back and even killed Avast and every following attempt to run it (even after reinstall). When I started Avast, it said the program file had been modified and it might be dangerous to continue. I tried dr.web's CureIt, which also said it removed several instances of the virus. Unfortunately somewhere in the above process (not necessarily drweb's) the system was probably also damaged, because applications started to crash. Even common ones, like rundll or the Administrative tools console. These crashes spawned some dr watson error messages. When clicked, these watsons crashed too, thus generating an infinite loop :).

I ran SFC which found some system files to be damaged or replaced - sweet! It needed the XP Home CD to restore them. However, the computer was a damn Sony Vaio desktop PC, which came with strange install/reinstall DVDs, which SFC did not accept as valid installation media. An XP Pro CD was also not good for it.

Now most of the programs and system components (like display properties etc.) won't start. I left the computer on, in safe mode with networking, so they can use Word and Thunderbird (for some reason I can't start Firefox or Outlook Express which they use). Usually, I would suggest to reinstall the OS, or do a "recovery" from the Vaio dvd (that's probably a reinstall from an image file), but before I do that, I wonder if you have some ideas.

Can this Windows still be repaired and cleaned? If so, what steps would you take? Are the things I have done all right, where could I have done better?

I was shocked that Avast didn't remove the viruses at the boot-time scan... how could this happen? Maybe a rootkit?

Please note that I don't currently have access to the computer (so can't check things you ask), nor will I have many attempts to fix the computer. I will go there again this afternoon, so I'd be grateful if you could advise me before that time.

thanks,
David
Title: Re: Luder-F Update!! READ!
Post by: FreewheelinFrank on November 09, 2006, 08:50:52 AM
Hi David,

As Luder-F infects legitimate .exe files, deleting infected files would cause problems. Did you try the repair option on any of these files? The write-up suggests that it should be possible to remove the infected part of the .exe file.

As you found so many serious problems, it would certainly be far better just to flatten the system with the recovery disc you have. Don't forget to go to Windows Update as soon as you've done this and download all the critical updates.

As Windows Firewall had been brought down, it's quite possible that a hacker had access to the computer and downloaded more malware as soon as you reconnected. Also, with that much malware found, I wouldn't be surprised if there was a rootkit or two.

You could spend hours trying to clean the computer, without any guarantee of success, so I wouldn't recommend trying; just make sure your friend has avast! up and running before you leave, so they are not left without protection. Some advice about how to avoid viruses in the first place might be useful too...

So how did I get infected in the first place?
http://www.castlecops.com/postlite7736-.html
Title: Re: Luder-F Update!! READ!
Post by: veki on November 09, 2006, 10:22:09 AM
 ???

Can Luder-F infect DOS programs? In our office with 20 computers the working software is in DOS!!!!

Please somebody help, because 2 computers have already been infected and many .exe files....
Title: Re: Luder-F Update!! READ!
Post by: gd on November 09, 2006, 11:13:52 AM
Hi Frank, and thanks for the swift response!

I did not try repairing the files for two reasons:
- most of the viruses I encountered so far couldn't be repaired anyway and
- I hoped I could do this later, from the quarantine if necessary.

However, since the virus modified Avast too, I was unable to run it again, even after a reinstall. So it denied my access to the quarantine, or maybe even wiped it at the uninstall. I sure learned from that :).

Problem is, according to them, the machine was usable when they called me (even if with several popups, side-effects and totally compromised :D), and it was not when I left, so they are kind of thinking I broke it (because they need it to work with each day). Of course they didn't consider using an up-to-date antivirus, Firefox and Thunderbird etc., which I recommended to them ages ago, and installed on their old machine :). It is clear to me that these things happen, but they don't seem to realize how deeply their system was infected, they just see that we'll probably have to reinstall because I failed to fix it. But that's not a problem you can help me with so... :) I will show them the document you linked, thank you.

We'll have to use the Vaio recovery disk, because they did not get a "normal" Windows cd, nor any serial key. I hope it won't ask for one...

Thanks again!
Title: Re: Luder-F Update!! READ!
Post by: MarcBesken on November 09, 2006, 01:23:03 PM
Hello all together!

Time to say what kind of experiences I made with WIN32:Luder-F !!! I can tell you, it's a real Luder!
This fu..ing virus infected my whole system, Avast and nearly all programs on partition c:\ were infected by this bloody virus.

I tried to remove it with the help of Ad-Aware and Avast but without success, all EXE-files infected couldn't be repaired, just deleted.

What I got to see, was messages about

   WIN32:Luder-F

and something like

   MatrixHasYou

in Ad-Aware!

Maybe I once forgot to delete an EXE-file and so the virus could spread on my system! It didn't come from e-mail, it was included in an EXE-file I got from the internet.

More and more files were compromised. A lot of unknown EXE-files were generated in the TEMP-directory and some of them were included to run during start. I took Codestuff Starter application to remove those entries, but in the same moment I deleted them, the entries were re-added. If I disabled them, all those entries were doubled and activated!

Since even Avast got infected, telling me it's changed and dangerous to start, more and more programs were unable to start at all. The system got heavy stress and I saw a lot of BSODs due to heavy load on the system. My system never got a BSOD before.

After I realized that it's nearly impossible to clean my system, I decided to re-install an image from a couple of days ago.

Work could go on and I started to scan my system with Ad-Aware and Avast and I was astonished how this fu..ing virus worked and now I know why my system got heavy load and was stressed.

To me, it seems, the virus began to replicate alphabetically on my data-partition trying to find all kind of SCR-  and EXE-files it could find, infected them and created a lot of *.t files in the same directory.

I have a 440GB data-drive with a lot of directories and files and a lot of exe-files as well, and so I started to check all my directories, killing those *.t files which are hidden-flagged and can't be found with Windows search. Thankfully I used Servant Salamander which can select multiple *.t files.

All EXE-files infected so far are useless! If I delete them and that stuff goes into the RecycleBin, Avast yells for infection with a WIN32:Luder-F virus, so I have to delete those EXE-files with the Shift-key.

My ISO-files, my image and my TrueCrypt-archives are not infected. Also, 16-bit EXE-files from MS-DOS or Windows do not get infected, just Win32 application files EXE and SCR.

I have learnt that surfing the Internet is fun, but running EXE-files from unknown sources, even if you have an up-to-date AntiVirus-scanner and firewall and all known OS-updates and an AntiSpyware program, is no guarantee not to be infected with any kind of unknown bloody virus.

For me the solution is to use virtualization for the Internet asap. If it's infected, it gets deleted, I will take the backup and continue.

I have the impression that this virus, which is very destructive, is not the WIN32:Luder-F, even if Avast reports it. Maybe another variant. I haven't found an antivirus-program to cure the exe-files.

Best regards,
Marc
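The two observations above that are worth checking on a suspect machine are that the infector only touches Win32 EXE and SCR files (16-bit MS-DOS executables were left alone, which also answers veki's question about DOS software), and that it drops hidden-flagged *.t files next to the infected executables, which Windows search skips. The following triage script is an added example and is not code from the thread or from any of the tools mentioned in it. It tells a 16-bit DOS executable from a Win32 PE file by the standard MZ/PE header rule (an "MZ" stub whose e_lfanew offset points at a "PE\0\0" signature), walks a directory tree listing *.t files whether or not they carry the hidden attribute, and builds a small constructed sample tree so it can be run offline; the file names, the minimal headers and the hidden-attribute check via st_file_attributes (Windows only, dot-prefix fallback elsewhere) are assumptions of the example.

```python
import stat
import struct
import tempfile
from pathlib import Path

# Extensions Marc reported as targets of the infector; the script only inspects these.
EXEC_SUFFIXES = {".exe", ".scr"}


def make_mz(pe: bool) -> bytes:
    """Build a minimal, constructed MZ header for the sample tree.

    pe=True writes e_lfanew=64 and a PE signature right after the header,
    which is what a Win32 executable looks like; pe=False leaves e_lfanew
    at 0, as many plain 16-bit DOS executables do.
    """
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 60, 64 if pe else 0)  # e_lfanew lives at offset 0x3C
    return bytes(hdr) + (b"PE\0\0" + b"\0" * 20 if pe else b"\0" * 16)


def exe_kind(path: Path) -> str:
    """Classify a file as 'pe32' (Win32), 'dos16' (MZ without PE signature) or 'other'."""
    with path.open("rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return "other"
        e_lfanew = struct.unpack_from("<I", head, 60)[0]
        if e_lfanew < 64:  # cannot point past the MZ header: no PE header present
            return "dos16"
        f.seek(e_lfanew)
        return "pe32" if f.read(4) == b"PE\0\0" else "dos16"


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows (st_file_attributes); dot-prefix convention elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    if attrs:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def triage(root: Path) -> dict:
    """Walk root and report executables by kind plus every dropped *.t file."""
    report = {"dos16": [], "pe32": [], "other": [], "t_files": [], "hidden_t_files": []}
    for p in sorted(root.rglob("*"), key=str):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        suffix = p.suffix.lower()
        if suffix in EXEC_SUFFIXES:
            report[exe_kind(p)].append(rel)
        elif suffix == ".t":
            report["t_files"].append(rel)
            if is_hidden(p):
                report["hidden_t_files"].append(rel)
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one DOS tool, two Win32 files, a dropped .t file, a non-MZ .exe."""
    files = {
        "tools/dosutil.exe": make_mz(pe=False),
        "apps/viewer.exe": make_mz(pe=True),
        "apps/viewer.t": b"constructed dropped companion file",
        "apps/logo.scr": make_mz(pe=True),
        "apps/readme.txt": b"not an executable",
        "apps/bogus.exe": b"no MZ header here",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temp directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="luder_triage_"))
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15s} {paths}")
```

Run against a real volume with `triage(Path("D:/"))`: the `pe32` list is the set of files that the thread's infector could have touched and that a scanner's repair option should be tried on, while `t_files` shows what Explorer's search would have missed. Only the 16-bit `dos16` files are outside the infector's reach as Marc describes it.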
Title: Re: Luder-F Update!! READ!
Post by: KingLEV on November 09, 2006, 03:17:36 PM
Question: What should I do if this very luder-f has infected the program files of Avast! itself?
Title: Re: Luder-F Update!! READ!
Post by: polonus on November 09, 2006, 06:13:56 PM
Hi KingLEV,

The answer to your question is a general cleansing routine with two external programs, that is described here at the bottom of this thread:

The answer to your question will be a general cleansing routine with 2 external programs, described here at the bottom of this thread: (Babelfish translation)

http://forums.majorgeeks.com/showthread.php?p=878024

polonus
Title: Re: Luder-F Update!! READ!
Post by: gd on November 09, 2006, 11:03:43 PM
Hello,

Finally the problem got solved by reinstalling with the Vaio recovery DVDs. Now they are armed with Avast, Spyware SD, Firefox, Thunderbird, Kerio firewall, automatic Windows updates etc... thanks for your help :)

David