rebjr

New Virus


There is a new virus going around, we have had 17 computers in since Friday last. KillAV.KR.

So far we have been able to kill it with reloads. But keeping it off is/has been a bear. Saving customers' emails/documents/music/pics etc. is almost out of the question right now, as once we put those back on the computer it comes back.

As well, all of our utilities are usually put on via USB flash drives, and all of the ones we have in the shop are infected so far. We can find the thing in the root of the C drive, labeled either "bs", "santa", "gr", or a couple of others. We have traced it into IE files under the name "planet". Searches do not pick them up, and even when we find them and delete them, once we start the computer back up they come back.

Kaspersky (my fav), AVG free (my second fav), and a host of other stuff removes the basic "bs", but then it rebirths.

Had a virus a couple of months ago that, once we found the basic problem, was changing names as we were watching it on the computer screen and trying to delete it. Every split second one of the letters in the name would change.

Anybody who has a cure for this, please let me know. Delivered a brand new server last night and as Matt was getting ready to leave the owner hollered at him "What's this?" ... and poof, it was on the server.

Our servers are clean, our tech computers also. It did invade our flashes....arrrrrgggghhhhhhhhhhhhhh!


This may be a stupid question considering you know what you're doing, but did you remove it in safe mode, not connected to the internet?

Guest fivestar

I would think Malwarebytes or SmitFraud would pick it up and take care of it. BTW, thanks for the warning on it.


Just a thought, did you try making a live CD preconfigured for virus hunting so as not to boot from the infected drive? I had nasty little buggers evade me until I started using this method. Also I use more than one program for virus hunting. My 2cts.


Yes, we have tried both safe mode and having everything disconnected from the internet.

Neither Malwarebytes, SmitFraud, nor Vundo picks it up. Nor does Norton, AVG 8, or Kaspersky, as of today. Also ran several different spyware proggies just to see what might happen. We did trace it to a relationship to a file "planet.exe", but that is not the root of the virus either, as once it is deleted it continues to rebirth.

The writers of viruses have begun to write viruses not only to be offensive, but to be defensive. I don't know if I put this in an earlier post or not, but a couple of months ago we had a virus that mutated and changed its name while we were looking at the file .....

This virus has many of the qualities of the newer viruses. Most notably, it turns off the Task Manager and turns off Automatic Updates, and you can't turn either back on. One of the computers that came in had a screensaver with cockroaches crawling around eating the screen; now that computer starts up and, as soon as Windows opens, goes to a black screen. It is the one that has had the virus on it the longest in the shop, since Monday.

If you open the C drive, in the root you will see a file that uses a generic square icon, simply labeled "bs" or "santa". We have also found one that I can't recall the name of. Your anti-virus will alert you to having a virus called KillAV.KR or KillAV.GR.

John, your idea has merit. Can you please tell me how you did it? The guy that owns the shop might understand what you are saying, but I'm pretty illiterate, considering my experience .. remember I'm a jack of all trades, master of none .. just like to tinker ....

Guest fivestar

Hiren's Boot CD is what I use a lot. Just need to keep virus definitions updated.


FStar, I tried using Hiren's once. But what I ended up with was just a CD full of links to other stuff, not really anything that worked on its own. Did I miss something?

The guy who owns the shop has his own little bag of tricks, calls it simply the "Work CD"; it has lots of exe's on it for things like CCleaner, AVG Free, SmitFraud, Vundo, and a bunch of that kind of stuff. He has some kind of deal on his servers that updates it all automatically and we just go in and reload our flash or make CDs every so often. We started using flash drives due to convenience, and it is a lot faster working from them. However, this virus has taught us a lesson. With CDs we probably would have less infections in the shop. I know that at least 2 of the computers in the shop did not have viruses on them prior to us installing some stuff from the USBs. They were in for reloads for other reasons.

I forgot, there is also a generic "autorun.inf" associated with this virus.

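An added example, not code from this thread or from any poster: a small Python triage script for the flash-drive angle described above. It parses an autorun.inf for the program it would launch when the drive is plugged in, then lists that program and any other executable sitting bare in the drive root (the "bs"/"santa" pattern). The autorun.inf contents, the file names and the throwaway drive directory are all constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
# Constructed sample, not a real capture: an autorun.inf of the kind a USB worm
# drops so Windows launches its dropper when the drive is plugged in.
SAMPLE_AUTORUN = "[autorun]\nopen=bs.exe\nshellexecute=bs.exe /s\nshell\\open\\command=bs.exe\n"
EXEC_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

def autorun_targets(text):
    """Lower-cased programs launched via open=, shellexecute= or shell\\<verb>\\command=."""
    targets, in_autorun = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):  # only keys inside the [autorun] section count
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key)
        if launches and value:
            targets.add(value.split()[0].strip('"').lower())  # program only, drop arguments
    return targets

def suspicious_root_files(root):
    """Triage a drive root: autorun.inf and what it launches, plus any other bare executable."""
    root = Path(root)
    inf = root / "autorun.inf"
    targets = autorun_targets(inf.read_text(errors="ignore")) if inf.is_file() else set()
    findings = []
    for p in sorted(x for x in root.iterdir() if x.is_file()):
        name = p.name.lower()
        if name == "autorun.inf":
            findings.append(f"{p.name}: launches {sorted(targets)}")
        elif name in targets:
            findings.append(f"{p.name}: launched by autorun.inf")
        elif p.suffix.lower() in EXEC_SUFFIXES:
            findings.append(f"{p.name}: executable in drive root")
    return findings

def build_sample_drive():
    """Throwaway directory mimicking an infected flash drive root (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    for name in ("bs.exe", "santa.exe", "holiday.jpg", "notes.txt"):
        (root / name).write_bytes(b"placeholder bytes")
    return root
```

Point `suspicious_root_files` at a mounted drive letter instead of `build_sample_drive()` to run the same check against a real stick from a clean machine.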

It wasn't my idea, but booting from a live CD means that you have the OS on a CD, usually Linux (there are several versions), and you bypass the hard drive altogether. BUT, you can access the hard drive from the live CD.

Guest fivestar

You must have had a fake Hiren's; it doesn't have links to anything that I know of. It's just full of programs full of useful things.


Y'all had it pass over your head. Pay attention now. If you have a virus scanner that gives you the ability to create a live CD you can boot from, eliminating the need to boot from the infected hard drive, you can boot from the disk, scan the infected hard drive and eliminate the threat. The disk is created through the antivirus program using Bart PE. It creates a WinXP live CD. I've been using Kaspersky for years and find it works 99.9% of the time.

Guest fivestar

Y'all had it pass over your head. Pay attention now. If you have a virus scanner that gives you the ability to create a live CD you can boot from, eliminating the need to boot from the infected hard drive, you can boot from the disk, scan the infected hard drive and eliminate the threat. The disk is created through the antivirus program using Bart PE. It creates a WinXP live CD. I've been using Kaspersky for years and find it works 99.9% of the time.

That's exactly what Hiren's does, except it has more than just antivirus. I have about every boot CD for antivirus/spyware/malware there is and I keep using Hiren's. I even have a couple Geek Squad CDs that the Best Buy boys use and they aren't in the same league as Hiren's. You just got to keep virus definitions updated.


Knobhill,

Gotcha, we have done that. Problem is that through today when I left the shop none of the anti-virus folks had a definition for this virus as of yet. So booting to the CD didn't do us any good.

I'm just a basic mechanic, but the guy who owns the shop has 20+ years at computers; presently he is the IT for over 60 businesses here in town and on the fringes, constituting over 300 computers. He said he's not seen one as nasty as this, after spending the day trying to get rid of it. He's a direct AVG reseller (although we only put AVG Free on computers, except for businesses) and was on the horn with them a bit, but no answers beyond .. they were working on it.

I love Kaspersky. He tried to set up as a direct reseller with them, but they signed a deal with some large marketing company who wanted him to buy all of his components/repair parts/etc. through them in order to resell Kaspersky. Told 'em to fly a kite, signed with AVG and sold 60 in 1 week. I have Kaspersky at home, love it.

We ran Kaspersky on this thing; it does as the rest did, picks up the superficial, the "bs.exe" and the "planet.inf", but neither is the parent virus. I don't like these defensive viruses; it is the cost of the industry advancing. I had 3 on my bench Monday, all with virus attacks, all requiring reloads, figured it'd be a nice little bit of work.

They still are there.


Why not disable it from your startup processes menu? That way it cannot start itself.

Guest fivestar

It's a little more complex than that, Bear; BTW good to see you. These viruses attach themselves to other files and hide themselves deep in the registry; they also change their names, duplicate themselves, do all kinds of weird stuff.

Guest Terry

I use registry programs and MSConfig also to find it in the background. And at least 12 different programs to pull it. I could type forever on this post, but don't have it in me. I have loads of ways I remove them, and software. Winternals ERD Commander will get you in if it won't boot. Always turn off updates, restore, routers, internet lines, etc...


It's a little more complex than that, Bear; BTW good to see you. These viruses attach themselves to other files and hide themselves deep in the registry; they also change their names, duplicate themselves, do all kinds of weird stuff.

They can (and often do) attach themselves to system files, which means if you delete them (IF you can) you could stop Windows from booting altogether.

The only way to be 100% sure that you have gotten rid of a virus is to wipe the hard drive and do a clean install from a known good source. That's the gist of it.

Guest fivestar

I agree John, but it gets to be a pride thing for me at times. I'll spend 6-8 hrs trying to get rid of a virus when I could format and reload everything in a couple hrs.

Guest Terry

It's a little more complex than that, Bear; BTW good to see you. These viruses attach themselves to other files and hide themselves deep in the registry; they also change their names, duplicate themselves, do all kinds of weird stuff.

They can (and often do) attach themselves to system files, which means if you delete them (IF you can) you could stop Windows from booting altogether.

The only way to be 100% sure that you have gotten rid of a virus is to wipe the hard drive and do a clean install from a known good source. That's the gist of it.

LOL, I had those before; one renamed my HD as Recycle Bin. Also, I do like Five says, I won't give up. I always get it, but some have taken a week, like John said.


Lots of good responses here, but no answers yet.

We have reloaded all of them, wiped to the backbone before doing so. Last night I LLF'd one, and wrote zeroes twice to another before reformatting them and reloading.

I am in hopes that the lil' bugger got onto one of the flashes and was transferred from there. But all of these 'puters that came in had virus activity; only one had the bugs on the screen. On that one I had it cleaned up, no traces, nothing picked up on restarts. When the customer came to pick it up I was showing her some new proggies we put on and their features .. CCleaner, AVG 8, etc., and while doing so the thing came out of hiding: screen froze up, waited a couple of minutes .. nothing .. hit Ctrl/Alt/Delete and got the dreaded "Task Manager has been turned off" message. Soon the bugs were eating the screen, and now it has a screen at start-up, then goes into a black screen that can only be cancelled by pushing the power button to turn the machine off, and then it comes off in the shutdown process.

The ones reloaded last night will have the add-ons that we usually put on, either via CD or directly downloaded. We will wait to put customer files back on after somebody figures out a definition for this thing that gets rid of it for sure. Meanwhile I have a 500GB external that I back up customer documents & settings, pics, music, etc. to, that may look like a haven for bad guys inside ;-(

Guest Terry

My daughter had one that took a week to find; it was embedded in a JPEG.

Guest Terry

Something else I did was look at all the DLL files on one computer, then compare/check them on the virus computer. I found the name of it; every professional program I had would not find it, so I went here http://www.pctools.com/spyware-doctor-antivirus/download/ , scanned it and it found it, so I bought it, with my pride gone, and it freaking removed it.

Guest Terry

Another thing I do is NOT install Explorer 7.0; I leave 6.0 in. If I get a virus I update to 7.0 and do not import files. I have also uninstalled Explorer, put in the old AOL 9.0 CD (it comes with Explorer 6.0 on it), then gone to Mozilla Firefox and not imported files from Explorer, unchecking the box. I do this because Explorer is the place the virus comes in, so leaving it at just 6.0 gives you a place to update to.
