Virus Problems

Soldato | Joined 21 Jun 2004 | Posts 2,790 | Location Berkshire
Hi,

I have recently noticed this virus popping up on the family PC. NOD32 puts the virus into quarantine and I have then deleted it. After running a full system scan including memory in safe mode, the system is clean.

2 days later it's back again. It's as if the virus is building itself from nothing. I have checked the running processes and it all looks fine. Has anybody else had this virus or have any suggestions on how to get rid of it?

Here's the screenshot from NOD32.

[screenshot: untitled2332qt9.jpg]


Thanks,
Chris
 
Are you using any shared folders and do you have a firewall or sat behind a router?

If you have network shares and no firewall, basically you get the IP straight from the modem and it's pretty easy to access your shares and write to them (if they are writable).
 
I always disable System Restore on any PCs I look after.

Yes, files are being shared; however, each PC on my home network has the Windows firewall enabled and is also sat behind a firewall router which I have stealthed, so the chances of things getting in are very low.

All my home PCs have been fully scanned with the latest available NOD32 signatures and show as clean, yet for some reason this virus comes back on its own.
 
Was there anything in particular you were doing at the times it appeared?

As in, any programs open at the times, something that links it both times it appeared.

If it pops up at certain times, try getting a port monitoring program and watching to see if you get any incoming connections at that time.

It's either someone or something accessing a backdoor/hole in your security, which I hope is not the case, or something on the PC that's recreating the virus. Had my fair share of viruses that have done that... :mad:
 
Well, the first time I saw this was when I was installing a firewall which someone on these forums recommended. It was no good so I uninstalled it, and it's been fine until recently.

I really can't see how anyone would get into my network. The router is configured to reject all incoming requests and, as I said, the PCs also have the Windows firewall set up.

Think it's worth writing their docs to a DVD and reformatting?
 
It would make more sense just to monitor the PC and try to catch it when it appears and find out the origin. If it's on the PC still, then it should be relatively easy to get rid of, since it isn't actually harming the PC at this time, just more of an annoyance.

If though it is indeed someone getting through the network, then formatting isn't going to stop them if they decide to have another go.

Priority should be to ascertain where the threat is coming from, i.e. local or outside the network.

Is it happening on the one PC? Does that PC have any extra ports forwarded for any reason?
 
Yes, most viruses start out as an .exe file. They execute and split up onto your drive: some create registry keys, some create folders in Program Files, there will be files in system32 and there could be an .exe in the Windows directory. Sometimes these files are hidden, so you cannot find them. Firstly, unhide all files and view system files. Reboot in safe mode and run your anti-virus checker and even your anti-spyware program. When online and you suspect you've caught a virus, immediately come offline, clear out your temporary internet files and do a full virus scan.
If your anti-virus program finds certain files, like .dll files associated with a virus, it may delete them. But the minute you reboot, the .exe will start and the whole process starts again. You have to find the .exe. I look in my Windows folder for unusual .exe files every now and again just in case something's there that shouldn't be.
 
Not sure he needs to be that drastic about it; it's more important to find out where it originates. NOD32 will take care of the file once it becomes active, and it's very good at scanning in-depth hidden files etc.

So I'd have to ask why, if the virus is still on the PC, it can't find it on a full scan. I'd wonder if someone is accessing the network, hence why I asked if the PC in question has any extra ports forwarded.

What differs that PC from the others on the network? Why don't they have it?
 
No idea why the other PCs don't have it, but I am very confident that it's not someone accessing the PC. I have plenty of security in place: all incoming connections will be automatically rejected by the router and no PCs have open/forwarded ports except mine (which is not infected).

It doesn't seem to have any origin; it can put itself in any directory on the hard disk, and on either partition.

I will have a go at locating where it is coming from again tomorrow, but I'm not entirely sure where to start! I have got a backup Ghost image of the O/S installed on that PC, so I think I will give that a go and see if it helps at all.

Thanks for your suggestions.

Chris.
 
The anti-virus program will only delete the .exe; as already said, there could be registry keys, services etc. still running.

These need to be rooted out.
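An added example (not posted in this thread) of how to go looking for the persistence points the last two replies describe: autorun registry values, services pointing at odd binaries, listening ports with their owning process, and recently changed hidden executables under the Windows directory. It assumes a current Windows host with PowerShell and the built-in Get-CimInstance and Get-NetTCPConnection cmdlets.

```powershell
# Added example: enumerate the usual places a self-recreating .exe hides,
# so the source can be found instead of just deleting the quarantined copy.

$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host '== Autorun registry values =='
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    # Skip the PS* metadata properties PowerShell adds to every key object.
    (Get-ItemProperty -Path $key).PSObject.Properties |
      Where-Object { $_.Name -notlike 'PS*' } |
      ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
  }
}

Write-Host '== Services whose binary lives outside \Windows or Program Files =='
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\|\\Program Files' } |
  Select-Object Name, State, StartMode, PathName |
  Format-Table -AutoSize

Write-Host '== Listening TCP ports and the process that owns them =='
Get-NetTCPConnection -State Listen |
  Select-Object LocalAddress, LocalPort,
    @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
  Sort-Object LocalPort |
  Format-Table -AutoSize

Write-Host '== Hidden .exe/.dll files under the Windows directory changed in the last 7 days =='
$since = (Get-Date).AddDays(-7)
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
  Where-Object {
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -and $_.LastWriteTime -gt $since
  } |
  Select-Object FullName, LastWriteTime
```

Run it from an elevated PowerShell session so the HKLM keys and system directories are readable; anything listed that you do not recognise is a candidate for the .exe that keeps recreating the file.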
 
From the image it's going to Debbie's Documents, so 'My Documents' for that user, I assume?

Lots of programs use My Docs for files, perhaps some dodgy app or plugin, browser hijack. Just speculating here.. ;)

Certainly an odd issue anyway.
 