Another Electronic Door Stop; Viruses from Limewire

Topic Started: Apr 3 2010, 10:31 AM (731 Views)
| tomb1 | Apr 3 2010, 10:31 AM | Post #1 | POSTMASTER GENERAL |
Just had a 4th PC in the last month dumped in my lap. They all had the same symptoms. Virus pop up warnings popping up all over the place. Internet connection has been disabled. AVG will not run or scan. Malwarebytes will not run or scan. System Restore disabled. CPU running at 90 to 95%. Hard drive spinning like a circular saw. Running in Safe Mode is no help at all. The only thing that seems to work is dumping everything on the hard drive and starting over with a fresh install of their operating system. They have all had one other thing in common. They have all been downloading files from Limewire. Anyone else seeing this out there?
| TJSEVEN | Apr 3 2010, 12:21 PM | Post #2 | OZ ... The Great and Powerful!! |
Try DrWeb CureIt in safe mode. Download it from their site.... they change the name of the download daily to keep the malware guys from blocking it from running. After that....you should be able to use the regular tools to clean up....or go the Combofix route. The last figure that I saw.....stated that 35% of all music downloaded via fileshare was infected. TJ
THE BLACK PEARL with a new sail! AMD Athlon 64 X2 4400+ Toledo Core 2MB L2 cache S939 Overclocked to something or other this week! ASRock 939Dual-SATA2 MOBO (3 PCI, 1 PCI-E x1, 1 PCI-E x16, 1 AGP, 1 Future CPU Port, 4 DDR DIMM, Audio, LAN) 4 Gig G.SKILL PC3200 DUAL DDR SDRAM and other Stuff....! ZOOM>>>ZOOM>>> I ALWAYS SAY, "IF YOU HAVE TO SPEND MONEY TO OVERCLOCK THEN IT ISN'T REALLY AN OVERCLOCK!!"
| tomb1 | Apr 3 2010, 12:45 PM | Post #3 | POSTMASTER GENERAL |
Well, this PC is at the point where, when you now try to open any application like the one I just downloaded, you get a pop up box titled "Open With .... Choose the program you use to open the file: cureit.exe".
| tomb1 | Apr 3 2010, 01:28 PM | Post #4 | POSTMASTER GENERAL |
Okay, the file association problem is fixed and DrWeb CureIt is now working.
| TJSEVEN | Apr 3 2010, 02:01 PM | Post #5 | OZ ... The Great and Powerful!! |
I didn't have a lot of time earlier to give you all the info, but wanted to get you started, if needed. These machines have multiple infections....it's like peeling an onion. These are pros writing these bots, viruses, root kits, malware, whatever you want to call it all. The spybots of the world don't have a chance anymore. You'll have to use multiple products to get it all cleaned up and then assess the damage....sometimes you need a clean install anyway. Keep me posted. If it's as bad as indicated a lot of things will have to be reset in Windows and the registry....it's probably trying to run through some screwy proxy and you'll need an application to reset the settings that were changed in the registry. TJ

BTW, if you download DrWeb CureIt from majorgeeks...the file is usually called cureit.exe and is blocked by malware....if you download it direct from the DrWeb site it usually looks like gibberish....xwergt.exe or something and works more often. How about them Russians?
| tomb1 | Apr 3 2010, 06:20 PM | Post #6 | POSTMASTER GENERAL |
DrWeb CureIt was downloaded from a Russian site. I believe it was the correct one. Here Took a while to find the tab to switch the site to English so I could read it. Russian printing kind of looks like it is printed upside down and backwards. CureIt has been running for quite a while. The system has crashed and rebooted a few times and just froze up a few other times. It has found only 1 item so far. Tried to uninstall and reinstall AVG with no luck. Avast and Malwarebytes still have a few problems. Avast won't run because it says it is not installed correctly. Uninstalled and reinstalled it a few times now with no luck. Uninstalled and reinstalled Malwarebytes a few times and that still will not run. Spybot S & D kicked up about 50 items the first time it ran.
| TD25x | Apr 3 2010, 06:48 PM | Post #7 | Collector of Rocket Widgets |
TJ is right.........I ran across something a few months ago called Ransomware. Forgot the name of the app, but it encrypts all media files, deletes restore points, etc., etc., and tries to get you to pay for the key to unlock your files.......very professional
T5224 ‡ Intel DG33TLM ‡ Intel Core 2 Quad Q6600 ‡ 2 x 1GB Crucial PC6400 DDR2 ‡ EVGA GeForce 8800GT 512MB ‡ 1- WD 80GB SATA2 10,000RPM Raptor ‡ 1- WD 1.0TB SATA3 7200RPM ‡ Samsung 22x DVD-RW SH-S222L ‡ Corsair AX750W PSU ‡ Win7 Ult x64 ‡ Logitech wireless keyboard & mouse ‡ DELL - UltraSharp 2408WFP 24-inch Flat Panel ‡ Bose Companion 3 speakers
| TJSEVEN | Apr 3 2010, 07:36 PM | Post #8 | OZ ... The Great and Powerful!! |
Hell....go with Combofix....just make sure you read the directions....it's pretty much automatic....but it's the heavy artillery. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I guess I should have given you the link to the English site: http://www.drweb.com/?lng=en
| tomb1 | Apr 3 2010, 08:24 PM | Post #9 | POSTMASTER GENERAL |
CureIt ran its first complete run in safe mode without crashing or freezing up. It found 517 items listed as BackDoor.tdss.565 and another BackDoor.tdss.xxxx. Not sure of the version. Running a complete scan now and we shall see what else pops up. Now we are getting somewhere!
| tomb1 | Apr 3 2010, 08:28 PM | Post #10 | POSTMASTER GENERAL |
If we could only get these people to do something honest like run for Congress. The economy would be fixed in a day!
| TJSEVEN | Apr 5 2010, 05:59 PM | Post #11 | OZ ... The Great and Powerful!! |
So, when do we get the rest of the story????????????
| tomb1 | Apr 5 2010, 11:21 PM | Post #12 | POSTMASTER GENERAL |
Once upon a time............. CureIt made a full scan and found a few more infected files. Rebooted the system, and the Internet connection started working. AVG came back to life, updated and promptly moved 54 infected files to the Virus Vault. Ran another complete scan with AVG which found no more infected files. Malwarebytes still would not run so we ran SpyBot S & D. It picked up about 10 items. Most of these were of the fake alert types, a firewall override, and a few other things that I can't remember. It was getting close to 2:30 AM. Most of them it fixed right away and the others it fixed after a rebooted scan. The Windows Security page popped up and reported that Windows Firewall was turned off and Automatic Updates was also turned off. Turned them back on with no problems. Uninstalled Malwarebytes and reinstalled it. Uninstalled AVG and installed Avast. Let them both scan and climbed into the recliner and went to sleep. Woke up with Avast and Malwarebytes reporting they had found nothing. Opened up all the hidden Windows files and folders and ran all the scans again. System Restore would not run or let me turn it off. Had to replace the SR.inf file, which I extracted from my Magical Dell XP CD, and S.R. started working again. Turned S.R. off and dumped all the restore files and then turned it back on again.

End result:
SpyBot S & D: 0 infected files
Malwarebytes: 0 infected files
CureIt: 0 infected files
Avast: 0 infected files

Everything seems to be working and back to normal.........................THE END

And once again......... Thank you TJSEVEN and TD25x for help and suggestions!
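The settings the thread reports as tampered with (a proxy pushed into the registry, the hijacked .exe "Open With" association, Windows Firewall and Automatic Updates switched off, System Restore disabled) can be audited in one pass before any cleanup tool is run. The PowerShell below is an added example, not code from this thread or from any of the tools named in it; it assumes the XP/Windows 7-era registry locations shown and only reports, changing nothing.

```powershell
# Added example: read-only audit of the Windows settings the posts describe as tampered.
# Run from an elevated PowerShell prompt. Every key path below is an assumption about
# where XP/Windows 7 store these settings; the script changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not set"
}

$findings = @()

# 1. WinINET proxy: the "screwy proxy" TJ mentions lives here when it is set per user.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ((Get-RegValue $inet 'ProxyEnable') -eq 1) {
    $findings += "Proxy enabled: $(Get-RegValue $inet 'ProxyServer')"
}

# 2. .exe association: the "Open With ... cureit.exe" prompt in Post #3 is what a
#    hijacked exefile command looks like. The stock command is "%1" %*
$exeCmd = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' '(default)'
if ($exeCmd -ne '"%1" %*') { $findings += "exefile open command changed: $exeCmd" }

# 3. Windows Firewall, standard profile (the one the Security Center page reports on).
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
if ((Get-RegValue $fw 'EnableFirewall') -eq 0) { $findings += 'Windows Firewall disabled' }

# 4. Automatic Updates: AUOptions 1 means "never check for updates".
$au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
if ((Get-RegValue $au 'AUOptions') -eq 1) { $findings += 'Automatic Updates disabled' }

# 5. System Restore: DisableSR = 1 in either the policy key or the product key.
foreach ($sr in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
                'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore') {
    if ((Get-RegValue $sr 'DisableSR') -eq 1) { $findings += "System Restore disabled via $sr" }
}

if ($findings.Count -eq 0) { 'No tampering indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it again after cleanup: a finding that comes back after a reboot means something is still resident and re-applying the change, which is the "peeling an onion" situation TJ describes.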
| TJSEVEN | Apr 6 2010, 09:26 PM | Post #13 | OZ ... The Great and Powerful!! |
I'm glad me and the Ruskies could help you out!
| tomb1 | Apr 12 2010, 02:28 PM | Post #14 | POSTMASTER GENERAL |
More on the RANSOMWARE here