Help with a virus / spyware?

FragTek

New member
Hey guys, I'm over at a friend's house trying to troubleshoot an interesting problem that thus far I haven't been able to take care of.

It seems that there is a program running in the background (can't figure out what exactly it is) that is making the computer run dreadfully slow and not allow any applications to access the internet. Though browsing the internet, checking email, etc all works just fine. It's when I try and download an update for NOD32 or Spybot S&D that it gives me a server connection error.

Anyone have any experience with a problem like this? A similar thing happened to my dad not too long ago and I seemed to have fixed the problem by disabling some random startup apps that I hadn't heard of. I tried the same thing on this machine and to no avail, it's still running slow / not allowing programs access to the internet.

Quick help appreciated, thanks all.

:wavey:
 
bloodthirst said:
"that's really weird, what about Norton? can i suggest a reformat if possible"

Ur jumping way ahead of yourself mate.

A.) Norton sucks ass

B.) Formatting = last resort... Not quite there yet.

Anyone with a useful response would be greatly appreciated.

:rolleyes:
 
Try BitDefender, it's the #1 AV for 2 years now and it truly works.

Norton licks uber extreme cock, symantec fucking sucks ;)
 
Your friend's computer is most definitely infested with malware! I know because I've seen this type of behavior before. If it's a well coded piece of malware then it probably tainted your registry. However, if it's not that smart then it probably edited your HOSTS or LMHOSTS file. For example, your hosts file might look like this.

www.your_anti_virus.com 127.0.0.1

This means the your_anti_virus.com DNS name resolves to 127.0.0.1 or any other loopback IP. If you try pinging your AV's website/update website it should spit back whatever the IP is. If you're lucky and quick, when you look at the bottom of your web browser it should show the IP when resolving the DNS name.

Check your C:\WINDOWS\DRIVERS\ETC\*hosts to see what's there. If you see your AV website listed get rid of it and then try doing your updates and whatnot.

Let me know if that helped solve the AV update problem.
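The check described in this post, as an added example that is not part of the thread: a small script that parses a hosts file (real format is `IP hostname [aliases]`, one entry per line, `#` starts a comment) and flags entries that point an AV/anti-spyware vendor domain anywhere, or that point any non-localhost name at a loopback or 0.0.0.0 address. The sample file and the vendor watch list (domains for the NOD32, Spybot S&D, Symantec and Ad-Aware products named in the thread) are constructed here and are assumptions; adjust the list for the tools you actually run.

```python
import ipaddress

# Constructed sample hosts file for demonstration; not from the thread's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# entries below are the kind of tampering described in the thread
127.0.0.1       update.eset.com
0.0.0.0         www.safer-networking.org  # Spybot S&D download site
10.0.0.5        liveupdate.symantec.com
192.168.1.20    fileserver.lan
"""

# Vendor domains whose redirection would break the tools named in the thread
# (assumed watch list; extend for your own AV/anti-spyware vendors).
WATCHED_DOMAINS = ("eset.com", "safer-networking.org", "symantec.com", "lavasoft.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; a line may list several names for one IP."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()

def is_loopback_or_null(ip):
    """True for 127.x.x.x / ::1 and 0.0.0.0, the usual 'blackhole' targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False            # malformed address field; not our concern here
    return addr.is_loopback or addr.is_unspecified

def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name is a watched vendor domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)

def find_suspicious(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) entries that deserve a look before trusting updates."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":           # the one loopback entry that belongs there
            continue
        if is_watched(name, watched) or is_loopback_or_null(ip):
            hits.append((ip, name))
    return hits

if __name__ == "__main__":
    for ip, name in find_suspicious(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On Windows, read the file from `%SystemRoot%\System32\drivers\etc\hosts` (the path given above in this post) instead of the constructed sample.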
 
Wow roller, repped accordingly for that mate.

Try safe mode frag, download updates from your comp onto a CD etc and put them on in safe mode.
 
Thx Cam... Reps headed your way for that, I'll have a look when I go back over today.

Fired up in Safe Mode and everything works properly, which leads me to believe that this little gem isn't too advanced / hasn't permanently altered any system files.

I updated Spybot and Ad-Aware in Safe Mode, but couldn't update NOD32 as it can't be run in Safe Mode... Feck.
 
Ok all, I just got done doing a registry scan / repair. 419 errors were found in the registry but they all looked to be typical registry mislinks, nothing major. After a reboot the computer still doesn't act properly.

My next step was to look into the hosts file as Cam suggested and there was nothing out of the ordinary placed there, just the usual 127.0.0.1 localhost string which I presume should be there, telling the computer that that IP address is the same thing as "localhost".

So, the steps taken thus far to correct the problem are: Antivirus (NOD32), Spyware / Adware (Spybot S&D & Ad-Aware), Registry (Registry Mechanic), HOSTS file (manual check). Yet none of this has corrected the problem. I still find it interesting that everything works just fine in Safe Mode, but the second I switch back over to a standard user account it gives these strange connection errors.

Any last minute ideas? I am going to try a system restore next. Hopefully restoring back to the last known good date will undo whatever caused it to go on the rampage that it's been on. Wish me some luck here. :p
 
If the PC is working OK in Safe Mode then I would suspect a driver causing the problem. What does A-squared report (I found this mentioned in another thread just now), or HijackThis?
 
Actually I just got this bugger fixed... Norton Internet Security wreaked all havoc when the owner of the comp tried to uninstall it.

Ended up just needing to reinstall it, and then uninstall it again.

God damn Symantec products, they're the MS of AV.... I hope their HQ gets burned down by angry protestors.
 