
Thread: Virus Troubleshooting

  1. #1
    Member
    Join Date
    Apr 2007
    Posts
    155

    Virus Troubleshooting

    I'm fixing a computer for a friend of mine who has managed to get a lot of viruses/spyware on his computer. One of the main viruses is the Koobface virus, which comes from MySpace/Facebook. It sets up this proxy thing and I cleared it out, but for some reason I cannot get his computer to connect to the internet (oh, and explorer.exe won't start at startup; I have to use Task Manager to start it).

    The desktop can see shared folders and such on the network but can't browse the internet. So on my Linux box on the network I decided to do a port scan to see what's up. I disabled his Windows Firewall, and when I do nmap -sX <ip add> I get all ports closed, and nmap -sP <ip add> gives the same result. Yet just pinging his IP I get replies just fine.

    Where should I go from here to figure out how to fix his internet connection? Also, if you have any tips to fix explorer.exe so it starts up again automagically, that would be great!
    This is a hackers forum :P
    root ~# aircrack-ng pwnd-01.cap
    Lenovo Thinkpad R500, OS: Ubuntu 8.10, BackTrack3, Windows XP (VirtualBox), Windows Vista, Windows 7 beta

  2. #2
    Member wick86's Avatar
    Join Date
    Mar 2010
    Posts
    113


    Quote Originally Posted by Shavx
    I'm fixing a computer for a friend of mine who has managed to get a lot of viruses/spyware on his computer. One of the main viruses is the Koobface virus, which comes from MySpace/Facebook. It sets up this proxy thing and I cleared it out, but for some reason I cannot get his computer to connect to the internet (oh, and explorer.exe won't start at startup; I have to use Task Manager to start it).

    The desktop can see shared folders and such on the network but can't browse the internet. So on my Linux box on the network I decided to do a port scan to see what's up. I disabled his Windows Firewall, and when I do nmap -sX <ip add> I get all ports closed, and nmap -sP <ip add> gives the same result. Yet just pinging his IP I get replies just fine.

    Where should I go from here to figure out how to fix his internet connection? Also, if you have any tips to fix explorer.exe so it starts up again automagically, that would be great!
    Take a look in your Windows folder and see if you have a file called explorer.com. I got a virus one time that added a bunch of .com files to my Windows folder. It didn't remove the .exe files; it just added the .com files, and it played havoc with my system.

  3. #3
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Hey

    Quote Originally Posted by Shavx
    I'm fixing a computer for a friend of mine who has managed to get a lot of viruses/spyware on his computer. One of the main viruses is the Koobface virus, which comes from MySpace/Facebook. It sets up this proxy thing and I cleared it out, but for some reason I cannot get his computer to connect to the internet (oh, and explorer.exe won't start at startup; I have to use Task Manager to start it).

    The desktop can see shared folders and such on the network but can't browse the internet. So on my Linux box on the network I decided to do a port scan to see what's up. I disabled his Windows Firewall, and when I do nmap -sX <ip add> I get all ports closed, and nmap -sP <ip add> gives the same result. Yet just pinging his IP I get replies just fine.

    Where should I go from here to figure out how to fix his internet connection? Also, if you have any tips to fix explorer.exe so it starts up again automagically, that would be great!
    You do realise this is a forum for Linux, right?
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by killadaninja
    You do realise this is a forum for Linux, right?
    Technically though, he should have posted this in the General IT area instead of the PenTesting area. But I believe it's ok for him to ask, as long as it is in the correct area.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Member
    Join Date
    Apr 2007
    Posts
    155


    OK, I looked and came across explorer(2).exe, explorer.exe and explorer. When I double-click explorer(2).exe or explorer.exe it opens My Documents, and explorer opens My Computer. They have modified dates from back in April.

  6. #6
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008


    Quote Originally Posted by Shavx
    I'm fixing a computer for a friend of mine who has managed to get a lot of viruses/spyware on his computer. One of the main viruses is the Koobface virus, which comes from MySpace/Facebook. It sets up this proxy thing and I cleared it out, but for some reason I cannot get his computer to connect to the internet (oh, and explorer.exe won't start at startup; I have to use Task Manager to start it).
    Did you use a program to sanitize the computer, or did you attempt to remove the files manually? Giving the computer a few run-throughs with both antivirus and anti-spyware software to get rid of all traces of the virus should be the first step.
    -Monkeys are like nature's humans.

  7. #7
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526


    Hey, just my 2 cents: this sounds more like a question that would better suit http://www.techsupportforum.com/, but then again, who am I to have an opinion.

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    For now, ignore the advice about looking for random files; chances are you're not going to find the source of the infection that way.

    Pull the drive out of the machine, attach it to a machine with a reliable, up-to-date AV program and do a full scan of the drive. Let it remove everything it finds.

    Then, once the scan is done and the drive is still attached to a known-good machine, go into the Windows directory and do this:

    dir /o:d

    At the bottom of that list you'll find the files that were most recently created and that were not killed by the AV; chances are those are bad files as well. Compare them to the timestamps of known-good Windows files.

    Do the same thing in the system32 directory.

    Go into the /windows/prefetch directory and delete everything in there.

    Go into /windows/temp and delete everything in there.

    If there are any executable files in any temporary directory anywhere on the drive, delete them.

    If there's an executable file in the root of the user profile under Documents and Settings, delete it.

    Re-read these instructions at least 3 times before you do any of this.
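As an added example (not part of the thread, and not streaker69's own commands), here is a PowerShell script that runs the steps in this post against the infected drive once it is attached to the clean machine, and also does wick86's explorer.com check from post #2. It assumes the drive shows up as E:, an XP-style layout with profiles under Documents and Settings, and PowerShell 3.0 or later; the drive letter, the paths, the 20-file window and the extension lists are the example's own assumptions, not from the thread. It only lists; deleting is left to you after review, with the prefetch step shown as a dry run.

```powershell
# Added example, not from the thread. Offline triage of an infected Windows
# drive attached to a clean machine: the "dir /o:d" step from post #8 for the
# Windows and System32 directories, the explorer.com lookalike check from
# post #2, and a listing of executables in Temp directories and profile roots.
# ASSUMPTIONS (not from the thread): drive letter E:, XP-style profile layout
# under "Documents and Settings", PowerShell 3.0+. Nothing is deleted.
param([string]$Root = 'E:\')

$win = Join-Path $Root 'Windows'
$sys = Join-Path $win  'System32'

# --- 1. Newest files in Windows and System32 (equivalent of "dir /o:d") ---
# Anything written after the known-good reference file below deserves a look.
$ref = Get-Item -LiteralPath (Join-Path $sys 'kernel32.dll')
"Reference: kernel32.dll last written $($ref.LastWriteTime)"
foreach ($dir in @($win, $sys)) {
    "== 20 most recently written files in $dir =="
    Get-ChildItem -LiteralPath $dir -File -Force |
        Sort-Object LastWriteTime |
        Select-Object -Last 20 LastWriteTime, Length, Name |
        Format-Table -AutoSize | Out-String
}

# --- 2. Lookalike launchers beside system .exe files (post #2) ---
# cmd.exe resolves a bare name through PATHEXT, which lists .COM before .EXE,
# so "explorer" runs explorer.com if that file sits next to explorer.exe.
$shadowExts = '.com', '.pif', '.scr', '.bat', '.cmd'
foreach ($dir in @($win, $sys)) {
    foreach ($exe in Get-ChildItem -LiteralPath $dir -File -Filter '*.exe' -Force) {
        foreach ($ext in $shadowExts) {
            $twin = Join-Path $dir ($exe.BaseName + $ext)
            if (Test-Path -LiteralPath $twin) { "SHADOW: $twin beside $($exe.Name)" }
        }
    }
}

# --- 3. Executables in Temp directories and in the root of each profile ---
$execExts = '.exe', '.com', '.dll', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js'
$tempDirs = @((Join-Path $win 'Temp'))
$profiles = Join-Path $Root 'Documents and Settings'
if (Test-Path -LiteralPath $profiles) {
    foreach ($p in Get-ChildItem -LiteralPath $profiles -Directory -Force) {
        $tempDirs += Join-Path $p.FullName 'Local Settings\Temp'
        # Files directly in the profile root (not recursed), as post #8 describes
        Get-ChildItem -LiteralPath $p.FullName -File -Force |
            Where-Object { $execExts -contains $_.Extension.ToLower() } |
            ForEach-Object { "PROFILE ROOT: $($_.FullName)  $($_.LastWriteTime)" }
    }
}
foreach ($d in $tempDirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $execExts -contains $_.Extension.ToLower() } |
        ForEach-Object { "TEMP EXECUTABLE: $($_.FullName)  $($_.LastWriteTime)" }
}

# --- 4. Prefetch: post #8 clears the whole directory (it holds only .pf traces) ---
# Dry run; drop -WhatIf once you have read the post's instructions three times.
Get-ChildItem -LiteralPath (Join-Path $win 'Prefetch') -File -Force -ErrorAction SilentlyContinue |
    Remove-Item -WhatIf
```

Run it from an elevated PowerShell on the clean machine with the drive attached (`.\triage.ps1 -Root F:\` if the letter differs). The SHADOW check is the direct test for what post #2 describes; the timestamp listing is what you compare against known-good files, as post #8 says, since malware dropped in April will cluster at the tail of that list.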

  9. #9
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Sorry

    Whoops, sorry Shavx, my bad.
    1. I didn't realise it was you asking the question; I thought it was a forum n00b.
    2. I didn't even realise that your post mentioned Linux. I saw IE and got excited. I'm a bad boy and deserve to be punished.

  10. #10
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Oh, one thing I forgot. If Explorer isn't loading as the shell, then there's a problem with the Shell registry key. You'll need to fix that. Chances are it's loading a custom shell, which is, of course, very bad.
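An added example (not from the thread, and not streaker69's own commands) of checking the Shell registry key this post refers to, with the infected drive still attached to the clean machine rather than booted. It loads the drive's SOFTWARE hive and each profile's NTUSER.DAT as offline hives and reads the Winlogon key from each. The drive letter E:, the XP-era hive and profile paths, the OfflineSW/OfflineUser mount names and the -Fix switch are assumptions of the example; reg load needs an elevated PowerShell.

```powershell
# Added example, not from the thread. Check (and optionally reset) the Winlogon
# Shell value on an attached, not booted, infected drive. Explorer is started as
# the desktop shell from
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe
# and a per-user value at HKCU\Software\...\Winlogon\Shell takes precedence when
# present. A different program name in either place is a custom shell.
# ASSUMPTIONS (not from the thread): drive letter E:, XP-style paths for the
# SOFTWARE hive and profiles, elevated PowerShell. -Fix rewrites the values.
param([string]$Root = 'E:\', [switch]$Fix)

$winlogon = 'Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-Shell {
    param([string]$Key, [string]$Label, [bool]$PerUser)
    if (-not (Test-Path -LiteralPath $Key)) { "$Label : no Winlogon key"; return }
    $props = Get-ItemProperty -LiteralPath $Key
    $shell = $props.Shell
    if ($PerUser) {
        # Normally absent; any value here overrides the machine-wide shell.
        if ($null -eq $shell) { "$Label : no per-user Shell override (normal)"; return }
        "$Label : per-user Shell override = '$shell'  <-- SUSPICIOUS"
        if ($Fix) { Remove-ItemProperty -LiteralPath $Key -Name Shell; "$Label : override removed" }
        return
    }
    if ($null -eq $shell)               { "$Label : Shell not set (Winlogon defaults to explorer.exe)" }
    elseif ($shell -ieq 'explorer.exe') { "$Label : Shell OK ('$shell')" }
    else {
        "$Label : Shell = '$shell'  <-- SUSPICIOUS, expected 'explorer.exe'"
        if ($Fix) { Set-ItemProperty -LiteralPath $Key -Name Shell -Value 'explorer.exe'; "$Label : Shell reset" }
    }
    # Userinit lives in the same key and gets hijacked the same way; shown for review.
    "$Label : Userinit = '$($props.Userinit)'  (normally <windir>\system32\userinit.exe,)"
}

function Use-Hive {
    param([string]$HiveFile, [string]$MountName, [scriptblock]$Body)
    if (-not (Test-Path -LiteralPath $HiveFile)) { "skip: $HiveFile not found"; return }
    & reg.exe load $MountName $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { "reg load failed for $HiveFile (not elevated? hive in use?)"; return }
    try { & $Body }
    finally {
        # Drop the registry provider's handles so the unload is not refused
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $MountName | Out-Null
    }
}

# Machine-wide value from the drive's SOFTWARE hive
Use-Hive (Join-Path $Root 'Windows\System32\config\software') 'HKLM\OfflineSW' {
    Test-Shell "HKLM:\OfflineSW\$winlogon" 'HKLM' $false
}

# Per-user overrides from each profile's NTUSER.DAT
$profiles = Join-Path $Root 'Documents and Settings'
if (Test-Path -LiteralPath $profiles) {
    foreach ($p in Get-ChildItem -LiteralPath $profiles -Directory -Force) {
        Use-Hive (Join-Path $p.FullName 'NTUSER.DAT') 'HKU\OfflineUser' {
            Test-Shell "Registry::HKEY_USERS\OfflineUser\Software\$winlogon" $p.Name $true
        }
    }
}
```

Run it first without -Fix and read what it reports: a Shell value pointing at anything other than explorer.exe, or any per-user Shell value at all, is the custom shell this post warns about. Run again with -Fix only after the AV scan from post #8, otherwise the malware simply rewrites the key on the next boot.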
