CAUTION- viruses

 
  

donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Tue Aug 25, 2009 3:30 pm    Post subject: CAUTION- viruses

Was trying to find a program to download youtube videos. Tried a free program from an outfit called Virsoft and now I'm unable to run any antivirus programs or even to access the internet to download more antivirus programs. I should have been more cautious given the name. VIR soft.
The first thing that came up after I downloaded the program was a Russian xxxx site. Couldn't read the captions, but the pictures were pretty self explanatory. AVG didn't find it. Is there an antivirus that will run from floppy disk?

drc


Last edited by donrc on Tue Sep 08, 2009 3:22 pm; edited 1 time in total
goretsky



Joined: Dec 07, 2002
Posts: 9041

Location: Southern California

PostPosted: Wed Aug 26, 2009 2:13 am    Post subject:

Hello,

There are quite a few standalone removers:

Alwil - Avast Bart CD (form for trial version)
AVG - VCleaner
Avira - AntiVir Rescue System and RescueCD.EXE (direct link to download)
BitDefender - Rescue_CD
Dr.Web - CureIt and LiveCD
F-Secure - Rescue-CD
G-Data - BootCD (German-only)
Kaspersky - Virus Removal Tool (also here)
Norman - Malware Cleaner
Symantec - Norton Recovery CDs NAV, NSW and NIS
Trinity - Trinity Rescue Kit (LiveCD)
VBA - VBA Rescue

Perhaps one of these will work for you.

Regards,

Aryeh Goretsky
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Wed Aug 26, 2009 2:32 pm    Post subject:

Goretsky,
Thank you for the list. I have tried AVG, Kaspersky, Avast and three of the standalones you suggested. None seem to have worked. What the virus is doing at the moment is to block all browsers. I can reach all of the bookmarks in a browser, but when I try to reach a new website it comes up and says unable to open the website. I've tried to use Internet Explorer and Firefox. Both seem to be blocked.

drc
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Wed Aug 26, 2009 2:34 pm    Post subject:

P.S.
I see that I misread the name of the software company. It is nirsoft not virsoft.

drc
zlim



Joined: Mar 11, 2005
Posts: 2636



PostPosted: Wed Aug 26, 2009 3:16 pm    Post subject:

nirsoft is a very reputable web site. I run several of his programs on my computers.

Please link to what you downloaded from nirsoft so we can see exactly what you are using.
http://www.nirsoft.net/utils/

I suspect the problem was caused when you went somewhere to try and download another file for viewing - that website did the damage, rather than nirsoft.
Quote:
The first thing that came up after I downloaded the program was a Russian xxxx site.
That was not from nirsoft.
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Wed Aug 26, 2009 9:09 pm    Post subject:

OK, but I never tried to use the program. I went to his site and saw the kinds of programs he was into and got suspicious. I deleted the program. It was right after I deleted it that my problems started. He was talking about false positives from the antivirus programs and I said, "Yeah, sure." and decided to delete it.

It was this one:
http://www.nirsoft.net/utils/web_video_capture.html

I have run all these antivirus programs. A couple found trojans and deleted them. The only problem now is that I can't pull up websites with the browsers.

drc
goretsky



Joined: Dec 07, 2002
Posts: 9041

Location: Southern California

PostPosted: Wed Aug 26, 2009 11:58 pm    Post subject:

Hello,

NirSoft has been around for about eight years and the owner/operator/developer Nir Sofer makes a number of valuable utility programs. Some of Sofer's programs perform some very powerful functions, and in a few instances, they have been classified as potentially unsafe or potentially unwanted programs by security software vendors because they are the kinds of things that a business might not want its average users to do, or because one of his programs was deployed by a lazy malware author who used it to do something instead of writing the code themselves.

I uploaded a copy of NirSoft's WebVideoCap v1.37 to VirusTotal, which is a multi-engine virus scanning service that uses forty-one (41) anti-virus engines to scan submitted files. The results of the scan are located at http://www.virustotal.com/analisis/25c56d79acd9e1538645c55e4b8425c95efb15a83c2b6544880f6746156891be-1251345437. Only one antivirus program out of the entire forty one engines reported a threat, which makes me suspect that the one report is nothing more than a false positive alarm.

Based on your description, it does appear there is a problem with your computer and it certainly sounds like it could be the result of a malware infestation, however, equating NirSoft as the infection source is likely a post hoc fallacy.

If you have antimalware software already installed on your computer, instead of trying a bunch of solutions from different vendors, why not contact their technical support department for assistance? I am sure their virus researchers would like to have a copy of the malware which bypassed it in the first place so they can add detection and removal routines for it.

Regards,

Aryeh Goretsky
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Thu Aug 27, 2009 9:49 am    Post subject:

Goretsky,
It is of course impossible to know where a virus originated unless it is identified by an antimalware program. The following item was what pointed me to nirsoft. If you say they are OK that's good enough for me.

http://www.velocityreviews.com/forums/t475581-nirsoftnet-mail-passview...ojan-or

Since I use a free (AVG) anti virus program I cannot expect much help from them. They have better things to do with their time. Since the programs that I did use found and removed several trojans I will reinstall my browsers and see if that helps. If not I guess I'll have to reformat the drive. Anyway many thanks to you and zlim for your help.

drc
drwho07



Joined: Nov 29, 2007
Posts: 1546

Location: Central FL, USA

PostPosted: Thu Aug 27, 2009 7:02 pm    Post subject:

In addition to AVG, you should be using one more FREE program and that is "Spybot Search & Destroy". It too, will find and remove a lot of trojans as well as adware and spyware.

In addition to these, I also install and keep up to date, Spyware Blaster, which will prevent your browsers from ever going to really BAD web sites.

Cheers Mate!
The Doctor
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Thu Aug 27, 2009 7:31 pm    Post subject:

Doc,
I do use spybot though not as much as I should.
The strange sequel here is that I cannot use the browsers. I get a "cannot open the website" error. Also it will not allow me to reinstall Zone Alarm. It seems to resist installing any kind of anti malware.
Have you ever heard of one that disables browsers?

drc
goretsky



Joined: Dec 07, 2002
Posts: 9041

Location: Southern California

PostPosted: Fri Aug 28, 2009 1:32 am    Post subject:

Hello,

Even with antimalware software it is often difficult to determine where a virus originated. One might be able to determine the earliest time it was seen on a system, which can be helpful in some situations, but it is rare that the audit data is looked through to piece together what happened, at least on a typical home computer.

I looked at the message thread with VirusTotal and Jotti logs in it, and noticed that my employer's software is listed in both logs and, yes, it does detect Nirsoft's MailPassView as a threat, albeit a low-risk one. And, it's for the reason I outlined earlier: The legitimate software was downloaded by other malware and used for malicious purposes on the infected system.

My guess is that you would actually receive a decent level of support from your anti-virus vendor, even though you haven't purchased their product (yet). There are several reasons for this:

  1. Malware does not discriminate between infected computers with free, trial or paid versions of a product. Receiving malware samples from free/trial users allows the anti-virus company to protect their paid users.
  2. Anti-virus support technicians are typically more interested in solving malware problems than in discussing the finer points of software licensing.
  3. This is an opportunity for the company to convert you from a free to a paying customer, and a satisfied customer is likely to generate both direct and indirect revenue for years to come from license renewals and product recommendations/testimonials.

At least, that's been my experience while running the support departments at two anti-virus companies.

So, if you have the time for it, consider helping the antivirus company help not just you, but all the other customers who might have this particular malware.

Regards,

Aryeh Goretsky
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Fri Aug 28, 2009 6:51 pm    Post subject:

Goretsky,
I would be glad to do so, but so far I have been unable to determine what virus I am dealing with. The only thing I know for sure is that it will not let me run a browser. I get the error message "the connection was reset while the page was loading". This happens with both Firefox and Internet Explorer. If I know the URL of the page and type that in it will go to the page. If I have a bookmark for the page, that will work. It is only when it is passed through Google (Firefox) or Bing (IE) that I get the error. I also get it when I type in the Google URL. Apparently the virus does not want me to be able to download an antivirus.

So I am faced with having to format the hard drive to get rid of this item. I have waited too long as it is. I have no way of knowing if I am losing critical information to this monster. I've tried 5 different virus cleaners and three or four standalone products. They found three different trojans which were deleted but I still have the problem. Therefore I assume that they are all missing something. I have even deleted and reinstalled the browsers. Still no help.

Would this virus be present in the System Restore files? I have not tried them as yet.

drc
goretsky



Joined: Dec 07, 2002
Posts: 9041

Location: Southern California

PostPosted: Sat Aug 29, 2009 3:54 am    Post subject:

Hello,

I would suggest giving your antivirus vendor's technical support department a call and describing the behavior to them. From there, they can start having you perform checks to isolate the malware, send a specimen to their virus researchers and manually remove the malware and repair any damage it may have made to the operating environment.

One thing to keep in mind is that depending upon what is present, you could be in for a long phone call, so it is probably best to call when it is convenient for you to spend some time working the issue with them.

Regards,

Aryeh Goretsky
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Sat Aug 29, 2009 1:44 pm    Post subject:

Goretsky,
I have found a site (Tech Support Forum) who says they can help with removal. I have sent them the info requested. We will see how they do. If that doesn't work I will email AVG and see if they want to know about the problem.

I'll post back about results. Thanks to everyone for the help.

drc
drwho07



Joined: Nov 29, 2007
Posts: 1546

Location: Central FL, USA

PostPosted: Sun Aug 30, 2009 8:02 am    Post subject:

I know it's not the easiest thing to do, but when I have a HD that is badly infected, I remove it from its own PC and make it a slave on my own PC, where I can use my own library of anti-malware software to scan it and clean it.

Malware Bytes is a very effective program for removing malware that other programs just don't seem to be able to either find or remove.
I keep it on my own HD and keep it up to date weekly.

Good Luck,
The Doctor
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Sun Aug 30, 2009 8:48 am    Post subject:

Doc,
That's one I haven't tried. I'll download and try it thanks.

drc
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Sun Aug 30, 2009 9:53 am    Post subject:

Doc,
I thought that Malware bytes had worked. It found a Trojan csrss8.dll and deleted it. But when I went back to the browsers they still give a "connection to server was reset while page was loading".

I wonder if the trojan is gone but the browsers are damaged? Would a simple repair from the XP disc take care of it? Remember I am triple booting with XP, Win 7 and Ubuntu. Would a repair mess up my boot menu?

drc
goretsky



Joined: Dec 07, 2002
Posts: 9041

Location: Southern California

PostPosted: Sun Aug 30, 2009 10:19 pm    Post subject:

Hello,

You can try resetting the web browser to its default settings to see if that helps.

Regards,

Aryeh Goretsky
drwho07



Joined: Nov 29, 2007
Posts: 1546

Location: Central FL, USA

PostPosted: Mon Aug 31, 2009 10:42 am    Post subject:

Tip:

Always use Mozilla Firefox instead of MS Internet Explorer and if it gets corrupted for some reason, totally delete it and reinstall the latest version afresh.

Works for me!

Doc

Combo Fix and Malware Bytes are both recommended by our HJT Expert.
donrc



Joined: Feb 16, 2003
Posts: 882



PostPosted: Mon Aug 31, 2009 6:33 pm    Post subject:

Goretsky,
Resetting the browser to default didn't change anything. Also I ran system restore which completely destroyed Firefox. Clicking on it doesn't do anything.

Doc,
This website I am waiting on in vain for help (techsupportforum) warns against us uninitiated using Combo Fix without their guidance. Is it really that complicated?

drc
All times are: Eastern Time (US & Canada)
Page 1 of 2