Planetarion Forums - [Viruses/Trojans] Help me find out some stuff

Sunday8pm · 21 Aug 2004, 23:06

Ok I've trawled google a bit (perhaps my search terms are poor) and I've trawled the horridly unavigatible Norton site...

However I've been unable to uncover any further info on a trojan called Download.swizzor

Now I ask here cause it turns out one of my gf's friends has got this virus on her pc, I headed over last night spent all night UPDATING The system... (she hadn't got ONE xp patch since XP came out..) Applying AVG and SS&D and managed to heal all 4 infected files found.... I just want to make certain that it's gone for good or if it's buried somewhere in the boot that will shove it back on the system with every reboot etc...

Feel free to ask questions and give advice...

Leshy · 21 Aug 2004, 23:36

Reboot the system and scan again.

If it's not there, it's gone.

Genius++;

Nadval · 21 Aug 2004, 23:38

Leshy with his infinate logic speaking there...

Leshy · 21 Aug 2004, 23:56

My logic is only surpassed by my penis size!

Superpig #1 · 22 Aug 2004, 00:25

Then your logic is crap.

Demon Dave · 22 Aug 2004, 00:27

i had that virus, nasty little bugger it was too. i know i've asked this before, but no-one has ever given me an answer: does anyone here know anything about a virus called Java/Byte.Verifyer (or something similar) that ONLY ever appears when an Ad-Aware scan is run and NEVER comes up on an AVG scan?

JetLinus · 22 Aug 2004, 03:03

Quote:

Originally Posted by Demon Dave

i had that virus, nasty little bugger it was too. i know i've asked this before, but no-one has ever given me an answer: does anyone here know anything about a virus called Java/Byte.Verifyer (or something similar) that ONLY ever appears when an Ad-Aware scan is run and NEVER comes up on an AVG scan?

I've come across it. My anti-vir realtime guard actually warned me, when it was accessed in my temporary internet files folder.
It didn't spread from there, and apparently it's not that dangerous I'd say. Seems like a web-only thingy, that could harm you if you didn't have Windows / IE patches, a virus scanner and a firewall.
WHY it didn't come up with your antivirus? Well, maybe it's crap or has different signature files, that don't even classify this thing as virus....

I also know that sometimes it's "illegal" for some kind of virus scanners to ban dialers or ad-ware, as they're "commercial programs".

@sunday:
Have you disabled the automatic Windows system restore? [alt] + [pause], system restore, disable for all drives. Then reboot. Scan. Reboot to safe mode to be really sure. Scan.
Reboot. Turn system restore back on.

Also, load a specific removal tool for this virus.

If you got the exact virus name, google should do the trick.

And: wrong forum.

Sunday8pm · 22 Aug 2004, 12:36

Thanks Jetlinus, no thanks to the others.

Leshy · 22 Aug 2004, 12:41

Goddamnit, JetLinus said practically the same thing as I did

JetLinus · 22 Aug 2004, 14:45

Quote:

Originally Posted by Leshy

Goddamnit, JetLinus said practically the same thing as I did

You forget a tiny but important detail: Automatic Windows System Restore would restore (hence the name) the virus after reboot. This is one drawback of a great invention actually, that can't be neglected...

Also 2 reboots (one in safe mode, one to normal) are better than one.

Sunday8pm · 22 Aug 2004, 14:49

Yah I forgot about the system restore, which is extremely handy advice.

Leshy · 22 Aug 2004, 16:30

Quote:

Originally Posted by JetLinus

You forget a tiny but important detail: Automatic Windows System Restore would restore (hence the name) the virus after reboot.

System Restore doesn't automatically trigger on a reboot. Unless you've ****ed some critical Operating System files, which Windows generally doesn't even let you delete to begin with.

Aditionally, everything that's loaded during a safe boot is also loaded during a regular boot. So there's little need to do a seperate boot into Safe Mode if you want to check whether a virus is still active or not.

JetLinus · 22 Aug 2004, 16:47

Quote:

Originally Posted by Leshy

System Restore doesn't automatically trigger on a reboot. Unless you've ****ed some critical Operating System files, which Windows generally doesn't even let you delete to begin with.

Some viruses get restored by Windows. Even if it was just ONE single virus, it would still be sufficient to let me disable system restore once.
(One example being Blaster btw).

I mean, it even makes sense, "corrupted system files" (corrupted by the virus even in the repair folder) get restored.

Quote:

Originally Posted by Leshy

Aditionally, everything that's loaded during a safe boot is also loaded during a regular boot. So there's little need to do a seperate boot into Safe Mode if you want to check whether a virus is still active or not.

Nope. Why do you think there's a safe mode?

I mean, same really bad trojans / viruses replace system files, or register as services or whatever themselves.
Or you could load a virus as driver.

Compare running processes in normal and safe mode, there are less in the latter (could be because of reduced autostart).

Anyway, this was about points to be 100% sure (or at least as sure as possible).

Sunday8pm · 22 Aug 2004, 17:00

Jetlinus is right here cause this is how I had to go about removing one certain trojan before, it's just been over a year since I did it and I was following instructions on the norton site.

Hence I needed some affirmation about the processes.

Leshy · 22 Aug 2004, 18:59

Quote:

Originally Posted by JetLinus

Some viruses get restored by Windows.

That would require for Windows to somehow ignore the modification of the critical file by the virus, make a system restore point of the file including virus, then see the file as corrupted after the virus scanner fixes it, and restoring it.

I didn't know the Windows Restore function actually triggered on it's own, though, other than with the exception of replacing damaged and/or missing critical files belonging to the Operating System with their original versions. Which, in fact, should prevent a virus from actually damaging these files, considering Windows Restore should automatically swap the infected files for clean ones.

Granted, this is Microsoft we're talking about.

Quote:

Compare running processes in normal and safe mode, there are less in the latter (could be because of reduced autostart).

That's what I said, isn't it. Viruses loading as a driver or service might not do so in Safe Mode - hence booting in Safe Mode would indicate a healthy PC, whereas booting in Normal Mode would trigger the virus again when the additional drivers are loaded.

It's only useful if you have a resident virus that your virus scanner somehow can't remove. If you boot the PC in normal mode and there is no infection, booting it in Safe Mode and scanning again won't do anything other than waste time.

Dace · 22 Aug 2004, 19:00

"Switch the computer on and off at the wall to fix it"

Kumnaa · 22 Aug 2004, 19:06

computers can get a virus ?

JetLinus · 22 Aug 2004, 20:03

Quote:

Originally Posted by Leshy

That would require for Windows to somehow ignore the modification of the critical file by the virus, make a system restore point of the file including virus, then see the file as corrupted after the virus scanner fixes it, and restoring it.

I didn't know the Windows Restore function actually triggered on it's own, though, other than with the exception of replacing damaged and/or missing critical files belonging to the Operating System with their original versions. Which, in fact, should prevent a virus from actually damaging these files, considering Windows Restore should automatically swap the infected files for clean ones.

K, admittedly, I have no exact idea of how windows restore works.
I mean the "automatic" restore now, not that about restore points.
But apparently for every working configuration, your system files get backed up.
So at one point, the infected virus file gets backed up. Yes, apparently it isn't checked properly enough or whatever.
Anyhow, if you reboot, Windows detects the modification, and gets the (infected) backup file.

Hmmm, so, it seems we've discovered that the automatic windows system restore is shit. As it should've detected the virus infection in the first place, and then the original file would've replaced the virus. But it didn't.

Quote:

It's only useful if you have a resident virus that your virus scanner somehow can't remove. If you boot the PC in normal mode and there is no infection, booting it in Safe Mode and scanning again won't do anything other than waste time.

Yep, that's what I actually ment. I was talking about removing, while you were talking about finding. So you were right actually.

Although, having virusses fight virus-scanners sometimes, it can only be of advantage if the scanner runs and the virus DOESN'T.