I'm fixing a computer for a friend of mine who has managed to get a lot of viruses/spyware on his computer. One of the main viruses is the Koobface virus, which comes from MySpace/Facebook. It sets up this proxy thing and I cleared it out, but for some reason I cannot get his computer to connect to the internet (oh, and explorer.exe won't start at startup; I have to use Task Manager to start it).
The desktop can see shared folders and such on the network but not browse the internet. So from my Linux box on the network I decided to do a port scan to see what's up. I disabled his Windows Firewall, and when I do nmap -sX <ip add> I get all ports closed, and nmap -sP <ip add> gives the same result. Yet just pinging his IP I get replies just fine.
Where should I go from here to figure out how to fix his internet connection? Also, if you have any tips to fix explorer.exe so it starts up again automagically, that would be great!
This is a hackers forum :P
root ~# aircrack-ng pwnd-01.cap
Lenovo Thinkpad R500, OS: Ubuntu 8.10, BackTrack3, Windows XP (VirtualBox), Windows Vista, Windows 7 beta
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
OK, I looked and I came across explorer(2).exe, explorer.exe and explorer. When I double-click on explorer(2).exe or explorer.exe it opens up My Documents, and explorer opens up My Computer. They have modified dates from back in April.
Hey, just my 2 cents: this sounds more like a question that would better suit http://www.techsupportforum.com/, but then again, who am I to have an opinion.
Sometimes I try to fit a 16-character string into an 8-byte space, on purpose.
For now, ignore the advice of looking for random files; chances are you're not going to find the source of the infection that way.
Pull the drive out of the machine, attach it to a machine with a reliable, up-to-date AV program and do a full scan of the drive. Let it remove everything that it finds.
Then, once the scan is done and the drive is still attached to a known-good machine, go into the Windows directory and do this:
dir /o:d
At the bottom of that list you'll find all the files that were most recently created and that were not killed by the AV; chances are those are bad files as well. Compare them to the timestamps of known-good Windows files.
Do the same thing in the system32 directory.
Go into the /windows/prefetch directory and delete everything in there.
Go into /windows/temp and delete everything in there.
If there are any executable files in any temporary directory anywhere on the drive, delete them.
If there's an executable file in the root of the user profile under Documents and Settings, delete it.
Re-read these instructions at least 3 times before you do any of this.
Whoops, sorry Shavx, my bad.
1. I didn't realise it was you asking the question; I thought it was a forum n00b.
2. I didn't even realise that your post mentioned Linux; I saw IE and got excited. I'm a bad boy and deserve to be punished.
Oh, one thing I forgot. If Explorer isn't loading as the Shell, then there's a problem with the Shell registry key. You'll need to fix that. Chances are it's loading a custom shell, which is, of course, very bad.
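The two checks described in the replies above (the `dir /o:d` pass over the Windows directories and the Winlogon Shell key) as one read-only PowerShell triage script. This is an added example, not code posted in the thread; it assumes the Shell value normally reads exactly "explorer.exe", that the HKCU Winlogon key may carry a per-user override (not mentioned in the thread), and that it is run from an elevated prompt on the affected machine, or with -WindowsDir pointed at the attached drive for the file listing alone.

```powershell
# Added example (not from the thread): read-only triage of the Winlogon Shell
# value and of recently written files in the Windows directories.
param(
    [string]$WindowsDir = $env:windir,  # e.g. E:\WINDOWS when the drive is attached elsewhere
    [int]$Recent = 15,                  # newest files to list per directory
    [int]$Days   = 30                   # how far back "recent" reaches for the executable flag
)

# 1. Shell key: Windows starts whatever is named here as the desktop shell.
#    The expected value is exactly "explorer.exe"; anything else is a custom
#    shell. The HKCU key is an assumed per-user override location.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($k in $keys) {
    $shell = (Get-ItemProperty -Path $k -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "$k : no Shell value (normal for HKCU)"
    } elseif ($shell -ne 'explorer.exe') {
        Write-Warning "$k : Shell = '$shell'  <-- custom shell, investigate before fixing"
    } else {
        Write-Output "$k : Shell = explorer.exe (expected)"
    }
}

# 2. Newest files in the Windows directory and system32 (the 'dir /o:d' check
#    from the post, newest first). Executables written inside the window are
#    flagged so they can be compared against known-good file timestamps.
$cutoff = (Get-Date).AddDays(-$Days)
$exeExt = '.exe', '.dll', '.sys', '.scr', '.com', '.bat', '.cmd', '.vbs'
foreach ($dir in $WindowsDir, (Join-Path $WindowsDir 'system32')) {
    Write-Output "`n== $dir (newest $Recent by LastWriteTime) =="
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |        # files only (works on PowerShell 2.0)
        Sort-Object LastWriteTime -Descending |
        Select-Object -First $Recent |
        ForEach-Object {
            $isExe = $exeExt -contains $_.Extension.ToLower()
            $flag  = if ($isExe -and $_.LastWriteTime -gt $cutoff) { '  <-- recent executable' } else { '' }
            '{0:yyyy-MM-dd HH:mm}  {1,12}  {2}{3}' -f $_.LastWriteTime, $_.Length, $_.Name, $flag
        }
}
```

The script changes nothing; a flagged Shell value or file is a lead to confirm against a clean reference install before anything is removed or reset.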