Virus!!!! Help!!

[Cap'n Refsmmat]

My parents just received a few emails on their computer from someone saying they had received emails from my parents with a virus. My parents hadn't emailed them in a long time.

Then the E-mail part of Norton Anti-virus quit working. I rebooted it in safe mode and the thing said that windows needed to be reactivated because of "significant hardware changes." Norton AV said it had been tampered and needed to be reinstalled.

 

 

WHAT SHOULD I DO? I'm looking at Symantec's site to see what it says and what virus it is...

[Cap'n Refsmmat]

Symantec doesn't seem to have anything since September like it...

[Sayonara]

http://www.sophos.com

[bloodhound]

http://www.kaspersky.com

[Cap'n Refsmmat]

I can't download anything on that computer either, as the internet won't work.

The closest virus I've found is http://www.symantec.com/avcenter/venc/data/w32.donk.s.html

[Cap'n Refsmmat]

Tell me a) what it might be and b) what I can do about it.

[philbo1965uk]

ahhhh so pleasent when my true expertise is called upon.Unfortunately if your antivirus software has failed you and you truely have a virus im here.First you will have to be more specific so i can help.Tell me from boot up what happens ,which programs wont work,your internet etc,and i will tell you how to proceed.forget sophos its shite so is norton....but first you will have to give me more info...

[Cap'n Refsmmat]

Ok, here goes.

At boot-up Windows pops up and says it needs to be reactivated because of "significant hardware changes" (none have actually occurred). It tried to do it on the internet but could not connect. Then Windows totally boots up, and I try to get norton up. It says there was a "significant program error" and it needs to be uninstalled and reinstalled. I hit OK and go into it. Norton AV for all of the status things (It's the 04 version of Internet Security) says it's been "Tampered" and thus refuses to do anything until it is uninstalled and reinstalled.

The same thing happens in safe mode.

 

Currently that computer is off completely so nothing else will happen.

[Jordie]

Ok' date=' here goes.

At boot-up Windows pops up and says it needs to be reactivated because of "significant hardware changes" (none have actually occurred). It tried to do it on the internet but could not connect. Then Windows totally boots up, and I try to get norton up. It says there was a "significant program error" and it needs to be uninstalled and reinstalled. I hit OK and go into it. Norton AV for all of the status things (It's the 04 version of Internet Security) says it's been "Tampered" and thus refuses to do anything until it is uninstalled and reinstalled.

The same thing happens in safe mode.

 

Currently that computer is off completely so nothing else will happen.[/quote']

 

It may not be a virus causing this problem but maybe something else. I think a program has modified values in the registry and you are getting these errors. I suggest you boot up into safe mode, uninstall Norton and re-install it. Update it and re-activate windows. I also suggest you upgrade to Xpsp2 if you have not already done so.

 

Also I suggest you go to start > run and type in 'sfc /s ' (err it could be 'fsc /f' I get the two confused. ) without the ' marks. This should check your system files and make sure all required files are there and have not been tampered with.

 

Hope this helps. You more then likley have the problem resolved.

[Cap'n Refsmmat]

It won't let me uninstall norton!! It says that there's a serious error!

 

 

Should I delete the files manually?

[5614]

you know when they say 'you need to be there', well this is a case of it.

 

could be anything, dont jump for the worst

 

a virus is possible (if you think this is the case, i suggest you take it to a proffessional shop, they may charge, but it is the safest thing unless you are an advance user, a friend tried to remove his own virus.... idiot... anyway, eventually the whole computer was formatted (everything wiped off the hard drive disk (HDD))).

 

the disk will have become corrupted, starting in safe mode will take you to DOS, now DOS versions vary, but in XP type 'chkdsk' for check disk, actually, you want 'chkdsk /f' which fixes the things it finds wrong.

 

not having internet isnt good!

 

try inserting the norton disk and force another instal and try to run it, however it will NOT be up to date and will not catch the latest viruses

so try uninstalling/re-installing

then try uninstalling from start pannel

then try installing new version of it

if you delete the old version, it wont register it as uninstalled, so wont want to instal a new version.

 

telling what has happened

 

start in safe mode, a basic virus will not run under safe mode conditions, if problem still happen then it may just be a corrupted disk.

 

chkdsk will need to restart your computer, damn, my found some errors, its nothing to worry about though, (as long as it fixes em!) which it nearly always does, remember to add /f or tick 'fix errors' (DOS or normal way, right click on HDD in explorer > propertires > tools > error checking (also tick the 2nd box, assuming your using XP)

 

see what you think of that and write a reply, remember every time that other computer goes on you run the risk of loosing all as it will give the virus time to spread, so know and write down what you are going to do first so you dont forget and have all the needed CDs with you.

[Cap'n Refsmmat]

I CAN'T UNINSTALL IT!!!!!!!! It gives me an error and tells me it can't be uninstalled!!!

 

We tried booting it off of the Norton disc to let it do a scan but the disc is too old to get anything.

 

And no, it does NOT take me to DOS when I boot up. This is XP. It just boots up with a different start bar and a thingy saying you've fiddled with the startup options.

[Jordie]

I CAN'T UNINSTALL IT!!!!!!!! It gives me an error and tells me it can't be uninstalled!!!

 

We tried booting it off of the Norton disc to let it do a scan but the disc is too old to get anything.

 

And no' date=' it does NOT take me to DOS when I boot up. This is XP. It just boots up with a different start bar and a thingy saying you've fiddled with the startup options.[/quote']

 

Press F8 when you first start your machine until you hear a beeping noise. It will then ask you how you want to start Windows. Go into safe mode and try it from there. If not back up all your data onto a removable disk and re-format. If you reformat make sure you next time install all security updates, up-to-date antivirus software and so on.

 

That is the easiest way out. Or you could download Linux for free from Linuxiso.org install it and not have to worry about the 12,000+ Windows viruses!

[5614]

im assuming youve tried uninstalling from control panel>add remove programs?

 

ok, hmmm, i think if you start up from the windows XP CD (change the BIOS to load from the CD first) then you can get into DOS mode somehow, im sure its the safemode, try it and follow appropirate steps and see what happens.

 

i think doing a thoruogh scan disk (with fix errors on) is essential, as it checks for HDD corruption.

however, if you have a virus, this may be a bad idea.

 

if you have nothing important on the computer you can take a risk

if you have a lot of money (or just a bit to spend on computers) take it to a proffessional shop, where they can remotely scan/fix it properly (only applies if you have a virus)

are there any symptons other than norton being all screwed up?

 

My parents just received a few emails on their computer from someone saying they had received emails from my parents with a virus. My parents hadn't emailed them in a long time.

this can be due to a virus on or off your computer, this doesnt mean you have a virus, though can suggest it, its not certain.

 

I rebooted it in safe mode and the thing said that windows needed to be reactivated because of "significant hardware changes."

safe mode and significant HARDWARE changes? thats wierd, why hardware? it could have just been you were in safe-mode, thus stopping unneeded hardware drivers running in the background, so it would detect different hardware setting, thinking, thats probably why, has this message re-appeared?

 

Norton AV said it had been tampered and needed to be reinstalled.

this is wierd and suggest a hacker or trojan, viruses have never so far attacked an AV, it is possible you have a new virus thats just come out (someone has to have it first!) but this is very unlikely, as its people who get loadsa spam and regular who get those... was your AV up to date? to you have a secure firewall? do you have a secure network? if it is wireless, is it encrpted data? those effect trojan abilities to get in and disable AVs.

im guessing that norton isnt running in the background anymore!

go run>msconfig>startup

in command column, find your norton stuff, make sure its all ticked to start at start up.

 

WHAT SHOULD I DO?

this is an unusual problem, thats hard to deal with remotely... remember to do these you need to turn kn your computer, and to do that means (if you have a virus) risking your whole computer (reffer to bit in bold).

[Dave]

The same thing happens in safe mode.

 

Don't think that'll help too much

 

My best advice is to take it to someone and get them to sort it out. The drive should ideally be mounted as read-only on another computer so that you can de-infect any important files and make a safe backup of them. After that, I suggest a low-level format of the drive and a complete re-install.

[5614]

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

safe mode from symantec!

 

or press F8, but i think there is a safe mode XP CD version which takes you straight to DOS, the main thing is stopping windows from loading, keep doing things on the CD before windows has loaded and in the end you get to DOS, i did it when my windows went a bit corrupt! (just a simple error, reinstalled the correct section, didnt lose any data, all find now!)

[5614]

I suggest a low-level format of the drive and a complete re-install.

high level format

new advance viruses bypass the basic stuff, indeed half life 2 beta version was leaked on the net due to a keylogger (home made never seen before, no one could stop it) which avoided complete formats. [just an example that this can happen, if your going to format, do it properly].

[Dave]

http://www.seagate.com/support/kb/disc/faq/ata_llfmt_what.html

 

I can assure you, it's called a low level format. Fills the disk with zero data, overwriting all the partitions on the drive. It should also format the boot sector as well, although it's pretty hard to get a virus in that because it's so damned small.

 

Edit: Just for the record, high level formatting is just overwriting the partitions. The original data is still there after a high level format - exactly what you don't want.

[5614]

ok then, mistake on my behalf, you want a high followed by low level format, you need both, basically you wanna reinstall your OS. this sounds drastic but basically a format deletes the accessable part of the drive (not including behind the OS partition) which means that low level formats, stuff survives (the OS) this is how viruses and keyloggers (post #17) stay on your system....

i suggest remove primary DOS partition, remake primary DOS partition and reinstall your OS (which includes a total format high + low)... this should remove the virus.

 

however formats are not suitable for all, so other options are mainly listed above (in rest of thread) and invovled either money or a risk.

[Jordie]

ok then' date=' mistake on my behalf, you want a high followed by low level format, you need both, basically you wanna reinstall your OS. this sounds drastic but basically a format deletes the accessable part of the drive (not including behind the OS partition) which means that low level formats, stuff survives (the OS) this is how viruses and keyloggers (post #17) stay on your system....

i suggest remove primary DOS partition, remake primary DOS partition and reinstall your OS (which includes a total format high + low)... this should remove the virus.

 

however formats are not suitable for all, so other options are mainly listed above (in rest of thread) and invovled either money or a risk.[/quote']

 

Are you trying to tell me a low level format will keep the os on the drive? Doing a format wipes the partition/drive of any data on it. Once done you re-install a os. Using fdisk you can easily fix the mbr or you can use the xp cd-rom. Just backup your data and reformat as I have suggested! It's easy and not to hard. If this is a corporate computer then take it to someone who knows what they are doing. They can remove the virus without the need of formatting. I wish I was there I could remove it in a flash!

[Dave]

ok then, mistake on my behalf, you want a high followed by low level format, you need both, basically you wanna reinstall your OS. this sounds drastic but basically a format deletes the accessable part of the drive (not including behind the OS partition) which means that low level formats, stuff survives (the OS) this is how viruses and keyloggers (post #17) stay on your system....

 

Sorry, but that's kinda wrong.

 

A low level format will zero the entire drive - which means no data survives at all. Everything - the MBR, partition tables, filesystem, other bits and the data itself - gets overwritten with zeros. It's like having a brand new drive all over again. You can then proceed to do whatever you want to do.

 

A high level format will simply take out all the filesystem stuff and ignore the fact that the "empty" space still has data in it - this is how programs like UnErase work. The data will simply be overwritten at some point in the future.

 

It's not an easy task for a virus to stay on your system after a format. I believe it has to corrupt the MBR in some way to survive a high-level format, but I could be very wrong on that. You certainly don't need to do both to format your drive properly.

[5614]

i am not familiar with terms low level and high level format and from what ive just learnt they seem quite misleading, however a basic format of a HDD will keep the OS on the system... ive seen it done! becuase it doenst delete the primary DOS partition and doesnt penetrate deeper than that, thus the OS is left in contact.... im not sure if this is refferred to as low level / high level, but it is a type of format which does not include the OS, you need a thorough format including DOS partitions and OSs to be safe and thats the fullest format you can do.

 

soz i left my computer and never refreshed the page, what i said still applies but thanks for the above post dave.

[Cap'n Refsmmat]

Press F8 when you first start your machine until you hear a beeping noise. It will then ask you how you want to start Windows. Go into safe mode and try it from there. If not back up all your data onto a removable disk and re-format. If you reformat make sure you next time install all security updates, up-to-date antivirus software and so on.

Uh... I did try that, and it didn't work. Didn't you read what I said?

 

And this computer has quite a few files on it that we need, and by "quite a few" I mean more than a gig. And it has no CD burner!!!!

 

this is wierd and suggest a hacker or trojan, viruses have never so far attacked

Many of the ones on Symantec's website try to shut down the AV program.

 

 

Would redoing it all in Linux make the virus not able to run? And would I be able to get all of the Word documents back?

[Cap'n Refsmmat]

Update:

 

• Deleted Norton entirely
  
• Tried to install it again
  
• Was missing a .dat file, so it could not install
  
• Went and got AVG (internet works on the computer now)
  
• Scanned with AVG
  
• It found nothing, even after being updated
  
• Rebooted
  
• Tried to reactivate Windows at the prompt
  
• It showed the background but nothing else, and sat and did nothing
  
• Hit the "emergency reboot" button on the computer
  
• Rebooted
  
• Skipped activating
  
• None of the icons appeared
  
• Went through the Start menu to Firefox and got Zone Alarm, since we have no good firewall on it now
  
• Installed Zone Alarm properly
  
• Rebooted for installation
  
• None of the icons appeared
  
• After about five minutes the background turned blue
  
• Continued trying to search Symantec's site for the problem

Can anyone figure this out?!

[5614]

Scanned with AVG

this points to what i first said, this may not be a virus.... now you really MUST do a thorough chkdsk /f (in DOS) or explorer>right click HDD>properties>tools>error checking>check now>tick all boxes

then say yes at the pop-up message thing and reboot (i think it is automatic). chkdsk takes a while.

 

"none of the icons appeared"

 

for what? ZA or just on your desktop?

 

again, if it is ZA (zone alarm) then go to windows task manager > processes and see if ZA is running at all. (that is assuming you are sure its properly installed and set to start on start-up, also try opening it from the directory in which you installed it)