This machine has AVG Free Edition and it is always detecting the above virus. The OS is Win2000 Pro and I'm currently downloading the updates right now, but it's taking so long because of the slow internet connection and there is always a restart for most of the updates....
Anyone here who could provide a permanent solution for this virus? Earlier, upon googling, I tried installing Ewido anti-malware but suffered the blue screen of death and some other problems, so I uninstalled it. This machine also has SpyBot and XoftSpy...
I am not the owner of this machine, hence I cannot really tell when the virus comes to life; it's just that I am called whenever AVG prompts for its existence, and I've advised them to move it to the vault every time (no heal for it), but it's really bothering that it still comes out every now and then...
Thanks for any help...
Regards,
™
As a gesture of gratitude please consider rating helpful posts. c",)
Try using Avast. It scans during boot time, so any crap that's running can still be scanned/removed.
If you don't want to do that, you could always find the infected file and delete it. Then, go through the registry and find any entries you don't recognize (not really recommended unless you know the computer well). Once that is done, go into msconfig, and remove any programs from startup you don't recognize.
That's usually how I fix viruses on my computer, and so far, it has never failed.
I am already contemplating using Avast on this machine but it may be a little heavy, so I am still trying to permanently clean the virus with any 'light' remedies since this machine is somewhat slow. Problem is I am not sure what the infected file is; it just seems that it produces the newexe.exe. I've tried looking in the start-up programs listed in the registry but there is nothing suspicious among them. I'll try downloading msconfig since Win2000 doesn't have it. Just finished the online scan of Panda and it didn't catch anything...
Regards,
Curiously (I have not been able to observe this on other machines) MSConfig lists 2 IExplore.exe in the startup tab, 1 in HKLM and 1 in HKCU, is this even normal?
Regards,
Try Start > Run > msconfig > Services and check for unknown services that have been checked. If you find one, boot in safe mode, uncheck the option and try to find the file that is registered against that service.
Also check sysinternals.com; they have a lightweight scanner that lists suspicious services and startup programs.
Huh, Avast doesn't seem to recognize the virus. This is the result of the online test of Kaspersky. I tried deleting all those exe's and their registry entries but to no avail. Anyone got a hint on what I should do next? Aside from reformatting?
-----
KASPERSKY ON-LINE SCANNER REPORT
Monday, May 29, 2006 10:42:36 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 29/05/2006
Kaspersky Anti-Virus database records: 185117
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: false
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 24895
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 00:34:06
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\01234567\chubsy[1].exe Infected: Backdoor.Win32.Agobot.agw skipped
C:\Documents and Settings\Administrator\Desktop\newexe.exe Infected: Backdoor.Win32.Agobot.agw skipped
C:\WINNT\system32\lat.exe Infected: Backdoor.Win32.Agobot.agw skipped
C:\WINNT\system32\Perflib_Perfdata_484.dat Infected: Backdoor.Win32.Agobot.agw skipped
C:\WINNT\system32\newexe.exe Infected: Backdoor.Win32.Agobot.agw skipped
C:\lat.exe Infected: Backdoor.Win32.Agobot.agw skipped
Scan process completed.
Regards,
I found this on a forum I cannot link you to because it's in google's cache.
Turn off System Restore... delete the "SRDISKID.DAT" in the _restore folder... either the one on c:\, d:\, e:\, etc., depending on how many partitions and drives you have.
Check your msconfig startup items. Make sure there are not 2 IEXPLOREs running there. If there are, look to see if one has a zero (0) instead of an oh (o). Delete/disable it if it has a zero, as well as delete its corresponding registry key. Restart the computer.
Make sure you have a good software firewall to make sure it is not "sending out" any info.
Virus Name: Rbot.FAY
Pervasiveness:
3 of 5
Destructiveness:
3 of 5
Wildness:
2 of 5
Type: Worm
Aliases: [Win32/]Rbot.FAY; [Win32/]Spybot.4wq!Worm (InoculateIT); [Win32/]Packed.Win32.PePatch.aw (Kaspersky); [Win32/]Rbot.FAY;
Date Modified: 11-May-2006
Date Published: 11-May-2006
Description:
Win32.Rbot.FAY is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants.
This particular variant of Rbot is distributed as a 71,578 byte, Win32 executable that exhibits the following specific characteristics:
When executed this variant copies itself to the %System% directory as W1nUpdate.exe and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "w1nupdate.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Windows Update Service = "w1nupdate.exe"
Note: '%System%' and '%Windows%' are variable locations. The determines the location of these folders by querying the operating system. The default location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.
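The startup check described above (a second IEXPLORE entry spelled with a zero, and the w1nupdate.exe Run value), as an added example that is not part of the original thread. It reviews Run-key entries in the layout printed by `reg query`; the sample export and the allowlist are constructed for illustration, while the flagged file names are the ones reported in the thread.

```python
import ntpath
import re

# Constructed allowlist of legitimate image names (assumption, not exhaustive).
KNOWN_GOOD = {"iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}
# File names taken from the thread (Kaspersky report and Rbot.FAY write-up).
THREAD_NAMES = {"w1nupdate.exe", "newexe.exe", "lat.exe"}
# Digit-for-letter folds: '0' for 'o', and '1' for either 'i' or 'l'.
FOLDS = [str.maketrans("01", "oi"), str.maketrans("01", "ol")]
ENTRY = re.compile(r"^\s+(.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(.+)$")

# Constructed sample export, not data from the affected machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    IEXPLORE    REG_SZ    C:\WINNT\system32\IEXPL0RE.EXE
    Microsoft Windows Update Service    REG_SZ    w1nupdate.exe
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe /start

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    IEXPLORE    REG_SZ    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
"""

def image_name(command):
    # Quoted path first, else everything up to the first executable extension.
    m = re.match(r'\s*"([^"]+)"', command) or re.match(
        r"\s*(.*?\.(?:exe|com|scr|pif|bat))\b", command, re.I)
    path = m.group(1) if m else command.split()[0]
    return ntpath.basename(path).lower()

def parse_run_keys(text):
    key, entries = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif (m := ENTRY.match(line)):
            entries.append((key, m.group(1), image_name(m.group(2))))
    return entries

def review(entries):
    findings = []
    for key, name, image in entries:
        hits = sorted({image.translate(t) for t in FOLDS} & KNOWN_GOOD)
        if image in THREAD_NAMES:
            findings.append((key, name, image, "file name reported in the thread"))
        elif hits and image not in KNOWN_GOOD:
            findings.append((key, name, image, "lookalike of " + hits[0]))
    return findings

if __name__ == "__main__":
    print(*review(parse_run_keys(SAMPLE)), sep="\n")
```

A correctly spelled name is not proof of a clean entry; the path behind it still needs to be the expected install location.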