Worms & Trojans - Can't install Anti-SpyWare

+
0 Votes
Locked

chandwpl
Hi,


I wonder if someone could help me.

Amongst other things, I have Win XP and McAfee AntiVirus software on my desktop PC.

A while ago, I downloaded something which came in a UIF format. Of course, this needs to be "un-UIF-ed" and I found a program which could do this. As soon as I ran this program - let's call it "prog-X " as I honestly can't remember its actual name.

As soon as I ran prog-X, McAfee popped up and found a virus. At an alarming rate, the virus seemed to be working its way through my HDD, coming to an EXE file, and latching onto it. McAfee notices this and says "Arh, virus - Quarantine". I thought "it's clearing out my EXE files". I didn't know what to do except switch off the machine. (I had tried SHUTDOWN 1st, but that didn't seem to stop the infestation.)

I rebooted my machine, and I got a blank screen. Next I rebooted in safe mode - I got the "Safe mode" messages in the corners, but otherwise, just a black screen.

I have had to go away since and so left the machine alone - I had pondered what to do about it. On my return, I had my laptop to use and the desktop issue went to the back of my mind. Then what happens? The laptop suffers the same scenario. I could not believe my luck.

I hadn't completely ignored the virus on my desktop, and so had researched into it - I think I have a W32 trojan, or something from that family. A number of forums seem to point in the direction of a reformat & re-install of WinXP. So, as I had never opened up my laptop, it seemed easier to attack my desktop 1st. I bought a new HDD with a view to using the old HDD as a slave.

I installed WinXP and McAfee AntiVirus on my new HDD successfully. Then attached the slave drive and made a scan of both HDDs. The software found 360 files infected. Most of these were cleaned, some deleted. I turned off System restore before I did this.

Last night, I tried to install "Spybot - Search & Destroy", but there were installation problems so I think the virus is still around, somehow locking my registry and not letting the software install.

In my attempt to install Spybot, whilst working through the installation process, I ticked on "search for updates". However, although my internet was working, the updates would not happen.

Therefore I went back, unticked "Search for updates" and continued installing. Again, it couldn't get to completion as there was an error installing. The message said something like "Error : installing, -b 205" if I remember correctly.

I searched on the net and some people recommend "CureIt!" from the Dr.Web antivirus website. I ran this, but no problems were detected.

After a reboot, Spybot still doesn't install. Nor does SpySweeper, RegistryFix nor BugDoctor.

To me there is definitely something preventing me from (a) going to websites to update antispy software and (b) to complete installation of any spyware program.

Does anyone have any ideas on what I should do next here?

And what about my laptop (which also used WinXP and McAfee Antivirus)? I know which program caused the virus to strike and so renamed it (got into my PC by booting up from a UBUNTU disc). My laptop boots up fine, but some of the exe shortcuts don't work. I'm told the cables used to connect a laptop motherboard to a laptop HDD are different to those on a desktop - so, I can't go down the "buy a new HDD, attach the old HDD as a slave and copy data back" route.

Many thanks for your help in anticipation.
  • +
    0 Votes
    OldER Mycroft

    Suitably - a wordy response is required.

    UIF format: Universal Image Format (UIF) is a compression image file format for backing up CD/DVDs.

    So, now we know that you downloaded an illegal optical disc image for burning to your own disc. Any downloads of this type are either done by P2P or via a Torrent site: being that you are downloading from others that are probably as inept as yourself, you are effectively downloading someone else's infection.

    Now - to the matter in hand

    Is there any possibility that your desktop and laptop were connected together at any point? Even if they were not connected, did you transfer any files from one to the other?
    In this way the virus could have travelled.

    Alternatively if the laptop is 'net-enabled you may have contracted the same virus by duplicating your desktop actions with the laptop instead.

    "I bought a new HDD with a view to using the old HDD as a slave."

    The replacement of the HDD is not what is meant by 'reformat and reinstall'. Moreover by connecting the old, already infected, disk as a slave - you immediately infect the new HDD before you can run the anti-virus scan on it. So effectively you now have two infected harddrives.


    "In my attempt to install Spybot, whilst working through the installation process, I ticked on "search for updates". However, although my internet was working, the updates would not happen."

    Your current problems attempting to install Spybot are probably down to the prevalence of the virus you never eradicated. Also, it is completely imprudent to attempt to update something that has not successfully installed.

    "Again, it couldn't get to completion as there was an error installing. The message said something like "Error : installing, -b 205" if I remember correctly ... ... I searched on the net and some people recommend "CureIt!" from the Dr.Web antivirus website. I ran this, but no problems were detected. After a reboot, Spybot still doesn't install. Nor does SpySweeper, RegistryFix nor BugDoctor."

    If you use a different antivirus program that returns an 'all clear' verdict, when you still cannot install programs it is rather silly to allow yourself to be fooled into thinking the problem has been cured.

    "To me there is definitely something preventing me from (a) going to websites to update antispy software and (b) to complete installation of any spyware program."

    Yes mate, there is - You still have a virus infection!


    "Does anyone have any ideas on what I should do next here?"

    I'm sorry to be so blunt, but you cannot do 'anything next' until you have actually done something.

    "And what about my laptop (which also used WinXP and McAfee Antivirus)? I know which program caused the virus to strike and so renamed it"

    I've got some sad news for you. You don't stop a viral file by renaming it! It is also highly unlikely that this is the only file infected by the virus.

    "I'm told the cables used to connect a laptop motherboard to a laptop HDD are different to those on a desktop - so, I can't go down the "buy a new HDD, attach the old HDD as a slave and copy data back" route."

    Here we go again! You don't stop a virus by buying a new harddrive then connecting the infected one as a slave!

    That is called PERPETUATING the virus.


    Clearly McAfee is not 'cutting the mustard' in this instance. Firstly, disconnect your desktop slave drive and attempt to thoroughly clean your new, infected internal drive. I recommend using AVG anti-virus. You can download it from here:

    http://www.free.grisoft.com/freeweb.php/doc/2/

    Once you have installed (assuming it WILL install) this program, shutdown and reboot into Safe Mode. Run it from there.

    As an interim measure I suggest you combat the virus on one drive at a time. Once you know your desktop internal drive to be clean, post back.

    Preferably in less than 750 words....


    <Edited offline due to word count, at BOTH ends>

    +
    0 Votes
    chandwpl

    Hi Old Mycroft,

    Thx for your reply - you've certainly taught me a few things there.

    AVG anti-virus won't install - I get this msg.......

    =========
    Local machine: installation failed
    Installation:
    Error: Action failed for file avgupsvc.exe: creating service....
    The system cannot find the file specified. (2)

    =========

    So, no luck. Is there a way to say, create a boot disk to clear out the virus?

    Do I have to disable/uninstall McAfee 1st? I still have McAfee installed.

    Thanks again!

    +
    0 Votes
    OldER Mycroft

    But I needed to be sure.

    I reckon your best bet is to go the boot-disc route.

    If you can, download the image for UBCD - Ultimate Boot CD.

    You can download from here:

    http://www.ultimatebootcd.com/download.html

    The download files are about two-thirds of the way down this page.

    Burn it to disc, then power-down. Insert the disc and boot from it, making sure your CD is first in your BIOS boot order.

    It is self explanatory, loaded with virus checkers etc.

    +
    0 Votes
    chandwpl

    Hi,

    Just as a side issue ......

    The virus I have probably reared its ugly head in August this year

    When I looked into the UBCD and tried to use the AntiVirus software, I got the message "Virus definitions are 4 months out of date".

    Is there a way to update these?

    Thx!

    +
    0 Votes
    chandwpl

    I uninstalled McAfee AntiVirus and installed AVG AntiVirus successfully.

    Will do the scan tomorrow night.

    Thanks for the Ultimate Boot CD link. I'll still get a copy of that for future use <smile>

    Many Thanks again!

    +
    0 Votes
    chandwpl

    Hi - I think the new HDD is clean now.

    a) Ran AVG from WinXP - found a couple of things - then

    b) Installed Spybot successfully. Ran and deleted more trojans including AntiSpyWareBot.

    c) Rebooted, and ran Spybot again - only thing it found are cookies from Advertising.com and similar ones.

    d) Rebooted in Safe Mode, then ran AVG. Nothing found.

    OK, how do I install/scan the 2nd (old) HDD and retrieve my data files?

    I'll await your kind instructions.

    Thanks in anticipation.

    +
    0 Votes
    OldER Mycroft

    You now need to clean your 2nd HDD.

    On the basis that No 1 disk is virus-free, connect your 2nd drive, boot up but DO NOT explore drive No 2 in any way.

    If you have AVG installed properly you should be able to access it from your Context Menu.

    Navigate to Start > left click My Computer > right click (assuming is your 2nd drive) - the context menu should have an entry named 'Scan with AVG' which you left click on.

    You can sit back and wait now.

    AVG should take a while but it will find all instances of what you inadvertently transferred from drive number 1.

    Hit drive No 2 with Spybot as well.

    Repeat the processes you used for drive No 1.

    Post back when Drive No 2 is clear.

    +
    0 Votes
    chandwpl

    Hi OM,

    Thx for the reply.

    Did as U said and scanned HDD2 with AVG, and then SpyBot.

    Had to delete 60 threats and 47 pieces of spyware. Wow!

    OK, Is it now fine to copy my data across from the HDD_old to HDD_New?

    Thanks!

    +
    0 Votes
    OldER Mycroft

    Can you give me some idea of what you want to copy back ?

    Depending on the types of files, some transfers would be better as a reinstall - rather than copying.

    If your transfer files have registry entries attached/associated with, transferring them will result in nothing but headaches for you when you attempt to run them.

    Give some thought to what you are attempting to copy - data files will MAYBE work, if the host program already exists on HD No 1.


    <Edited for typo>

    +
    0 Votes
    chandwpl

    Thx OM for the reply.

    Yah, mainly data - txt, doc, xls, MP3's and data for my finance package, Quicken.

    I'll install everything again on the new HDD and format the old once I've lifted all the data off.

    In terms of my old C: drive, I can only think of retrieving :-

    a) bookmarks for firefox
    b) my Outlook emails
    c) some bits here and there in "My Documents" folder.....

    That's it isn't it? Anything else you would retrieve?

    (I usually use Firefox and when in ie7, I'll just import Favourites from the Firefox directory)

    Thanks!
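
Added example (not part of the thread and not written by either poster): one way to lift only data files off the old drive, as discussed in the last few posts. It copies an allowlist of extensions and leaves behind anything that begins with the `MZ` executable header, whatever its name. The extension list, the function names and the sample files are assumptions made for this sketch.

```python
import os
import shutil
import tempfile

# Assumption: the types named in the thread (txt, doc, xls, MP3) plus the usual
# Quicken (.qdf) and Outlook (.pst) data-file extensions.
DATA_EXTENSIONS = {".txt", ".doc", ".xls", ".mp3", ".qdf", ".pst"}


def looks_executable(path):
    """True if the file starts with the 'MZ' DOS/PE header, or cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return True  # unreadable: treat as unsafe and leave it behind


def copy_data_only(src_root, dst_root):
    """Copy allowlisted data files, keeping the folder layout.

    Returns (copied, skipped) as sorted lists of paths relative to src_root.
    """
    copied, skipped = [], []
    for dirpath, _dirs, filenames in os.walk(src_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            ext = os.path.splitext(name)[1].lower()
            if os.path.islink(src) or ext not in DATA_EXTENSIONS or looks_executable(src):
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo():
    """Run the copy over a small constructed tree standing in for the old drive."""
    samples = {  # constructed sample files, not real data
        "My Documents/notes.txt": b"shopping list",
        "My Documents/budget.xls": b"\xd0\xcf\x11\xe0 constructed OLE header",
        "My Documents/song.mp3": b"MZ\x90\x00 executable behind a data name",
        "setup.exe": b"MZ\x90\x00 ordinary program file",
    }
    with tempfile.TemporaryDirectory() as tmp:
        old, new = os.path.join(tmp, "old"), os.path.join(tmp, "new")
        for rel, data in samples.items():
            path = os.path.join(old, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        copied, skipped = copy_data_only(old, new)
        # Normalise separators so the result reads the same on any OS.
        return ([p.replace(os.sep, "/") for p in copied],
                [p.replace(os.sep, "/") for p in skipped])


if __name__ == "__main__":
    print(demo())
```

A clean header check does not make a file safe: Office documents can carry macros, so the copied files still need a scan on the new drive before they are opened.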
