Possible New Virus ... ?

steveox

Senior member
Sep 27, 2004
241
0
0
So I'm chatting on AIM and all of a sudden Norton pops up with a message: trojan horse: C:\windows\system32\drivers\etc .. in the hosts file. Trying to access the internet shortly after, I find that I can't get any websites to work (Mozilla or IE; AIM was working fine, as were internal update programs). Ran HijackThis and also scanned through my running processes and saw an ATI process ... but since I've got an nVidia card it caught my eye. End-tasked it and bam! My internet came back to life. Not sure what this is or where it came from, but the newest versions of Norton didn't catch it. Anyone else ever have experience with this? I also Googled the process name and came back with nothing .. which is very rare.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Look in your Norton "Reports" section and the name of the Trojan should be shown. Could you post that info, and also post what you have for these:

  1. Your version of Windows (2000, XP, whatever)
  2. What service pack does your Windows have (Start > Run > winver will tell you)
  3. Besides service packs, have you generally been keeping your system up-to-date with incremental patches, or sort of slacking?
  4. What version of Norton do you have and is it up-to-date? You can top it off with the Dec. 6 Intelligent Updater from here for the very latest defs.
  5. Do you have a broadband connection?
  6. Do you have a router?
  7. Do you have a software firewall (if so, what)?
Might be good to see if your AIM is the latest and greatest too :)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Where'd he go :confused: Well steveox, whenever you happen to get back, can I suggest this to start with: run Microsoft Baseline Security Analyzer and see where it nails you to the wall. Pay attention to any weak/blank passwords it gripes about, because a blank password means your computer's administrative shares are wide-open and your computer's Admin powers are available for anything to use. If you need help getting at all of the ones it's griping about, holler for assistance.

Beyond that, if you don't have the latest Service Pack for whatever Windows you've got, then scan your system to ensure it's clean of spyware, adware and viruses, and then get your Service Pack installed at Windows Update. Resources:

Basically, keep going back to Windows Update until your system comes up clean of Critical Updates, then run Microsoft Baseline Security Analyzer again and see if there are some patches you still need.

After that, check for any updated versions of AIM, and look at my Ongoing Prevention suggestions. Don't underestimate the power of the Limited-account suggestion there, it is a powerful deterrent to viruses (known or unknown!) that want to mess with your important Registry values, system processes, HOSTS file, or Windows Firewall. They can't do that stuff from a Limited account.
 

steveox

Senior member
Sep 27, 2004
241
0
0
Well, I had thought I had it cleaned last night and decided to just go to bed. I ran McAfee Stinger / SpyBot / Registry Cleaner / AVG and the only thing that came back with errors was the registry cleaner. Fixed that and everything seemed to be OK. Even restarted last night and didn't have any problems. Woke up this morning and it seems that the process AtiRage4dPro.exe is back. I'm running XP with SP2 / I HAD the latest Norton definitions (now have the latest AVG ones) and I'm using an old version of AIM 5.2.3292 with DeadAIM 4.1. I'm at college and I'm pretty sure that's where the virus is coming from ...
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
First step: ensure that you have a firewall, or more than one. If you don't have it enabled already, enable at least the Windows Firewall or install one such as ZoneAlarm free version, and get yourself a router to filter out worm & hack traffic from all the worm-infected computers on your campus.

Second step: run Microsoft Baseline Security Analyzer and fix any missing patches and fix any password issues it reports. Don't leave the keys in the Porsche with the windows rolled down here! ;) NOTE: this is not to prevent people walking up to the computer and using it, it's to prevent backdoor attacks over the network, or by processes running on the system.

Third step: disable System Restore (how?). No place to run, no place to hide :evil:

Fourth step: download Hijack This to a dedicated folder such as C:\HJT. Extract the hijackthis.exe from the zip file to that folder, run it, and do a scan. Post the text from the logfile here or in Schadenfroh's malware-removal thread in Software, and follow instructions precisely.


Also, ensure that your antivirus software is fully configured. It should be scanning all files, all file types, with heuristics enabled, within compressed files, no exceptions. And set it up to run daily scans too, because as new virus definitions come out, it may begin to recognize stuff that slipped by earlier.

 

steveox

Senior member
Sep 27, 2004
241
0
0
OK. I ran the Baseline Security Analyzer and it came back with missing updates for Microsoft Office. The guest password is disabled (I knew that because I have file sharing set up) and not all file systems are NTFS (I have an older HD installed that I've yet to reformat). Also it says the administrator password is weak although it is 14 characters in length and includes numbers .. just doesn't have any caps.
So, continuing on: Trend Micro is running now and AVG released new definitions at some point today while I was at work, so I updated those and I'm running it now.

HijackThis

HijackThis log: notice the AtiRage4dPro.exe file .. which is the virus ... and I have an nVidia card. Everything else looks normal to me ...
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Log on in Safe Mode and now you will see the real Administrator account besides your own. In Safe Mode, go into Control Panel > User Accounts and set the password for that normally-hidden Administrator account.

I will check out the HJT log when I get home, but you might want to head over to Software and post it in Schadenfroh's sticky thread where he helps with 'em. I took a very quick peek and I see you have WinAmp, which has a vulnerability that you can fix by getting the latest version, so you might grab that while you're at it.

Where is the AtiRage4dPro.exe file located on your system, by the way?
 

steveox

Senior member
Sep 27, 2004
241
0
0
Well, after updating the AVG definitions .. it found the virus agobot.35.v in a file C:\windows\halflife2.exe ... all seems to be cleaned now ...
 

AST

Junior Member
Dec 8, 2004
4
0
0
I got it too.

Yeah, seems to be a virus that eats up all kinds of system resources.
This is the only place it has been mentioned I could find thru an inet search.

(I have a notebook, am on a large network, but don't use firewalls b/c I play a lot of games.) I get all kinds of viruses. :( Norton came with my computer. It's pretty weak; even with latest updates it misses all kinds of bad stuff. It's like a sieve. About the only thing it did consistently was freeze everything up with its autoprotect... Like it is trying to resolve something that won't resolve... and refuses to save or open new programs. (I lost one of my papers, so that was it for autoprotect.) I am lazy, so I just turned autoprotect off and do a weekly round-up of the accumulated, infected files. (Using a lineup of scans/programs, lol.) There are always several. Bad, lazy habits, I know... but I don't have any critical info on my notebook so I am not overly worried about it. I'll just wipe the drives and start fresh after semester. Anyway, I digress... and concur. My conclusion is that "atirage4dpro.exe" is a virus. I was trying to find more information, in case I was wrong, but this is all there was. That's all.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
AST, where is the file located on your system? Can you copy it to the desktop and email it to me as an attachment, and I'll run it through McAfee's send-in analysis thingamabob and see what they say about it. Email to this address, except without the underscores in it:

t_m_c_f_a_d_d_e_n@omnicast.net
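Emailing the file to someone with a vendor submission account was the 2004 route. As an added example (not code from the thread or from any poster), the script below does the part you would do first today: find every on-disk copy of the named executable under a root (case-insensitive, since AST saw name variants), compute a SHA-256 you can hand to a vendor or look up, and then search for the same bytes under other names, which is how a dropper's spare copies turn up. The directory tree and file contents are constructed in a temporary directory so the demo runs offline; the suspect filename is the one from this thread, everything else is made up.

```python
"""Find every on-disk copy of a suspect executable and hash it for submission.

Added example for this thread, not code anyone posted. The directory tree
built in demo() is constructed in a temp dir so the script runs offline.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256; the digest is what you hand a vendor."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, filename):
    """Return [(path, size, sha256)] for every file named `filename`, case-insensitive."""
    wanted = filename.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                p = os.path.join(dirpath, fn)
                hits.append((p, os.path.getsize(p), sha256_of(p)))
    return hits


def same_bytes_elsewhere(root, hits):
    """Map each hit's hash to every path under root carrying identical bytes,
    so a dropper's copies under other names are found too."""
    wanted = {h for _p, _s, h in hits}
    by_hash = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            h = sha256_of(p)
            if h in wanted:
                by_hash[h].add(p)
    return {h: sorted(paths) for h, paths in by_hash.items()}


def demo(suspect="AtiRage4dPro.exe"):
    """Build a constructed tree, then locate and hash the suspect."""
    payload = b"MZ" + b"\x90" * 64 + b"constructed-bot-payload"   # not a real binary
    benign = b"MZ" + b"\x00" * 64 + b"constructed-benign"
    tree = {
        "WINDOWS/system32/AtiRage4dPro.exe": payload,
        "WINDOWS/Temp/ATIRAGE4DPRO.EXE": payload,        # case-variant copy
        "WINDOWS/Temp/~tmp1.exe": payload,               # same bytes, other name
        "WINDOWS/system32/notepad.exe": benign,          # unrelated file
    }
    with tempfile.TemporaryDirectory() as root:
        for rel_path, data in tree.items():
            full = os.path.join(root, *rel_path.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        hits = find_copies(root, suspect)
        groups = same_bytes_elsewhere(root, hits)

        def rel(p):  # strip the temp root so results are stable for callers
            return os.path.relpath(p, root).replace(os.sep, "/")

        return ([(rel(p), s, h) for p, s, h in hits],
                {h: [rel(p) for p in ps] for h, ps in groups.items()})


if __name__ == "__main__":
    hits, groups = demo()
    for p, s, h in hits:
        print("%s  %d bytes  sha256=%s" % (p, s, h))
    for h, paths in groups.items():
        print("identical bytes (%s...): %s" % (h[:12], ", ".join(paths)))
```

Run it against a real drive by calling `find_copies("C:\\", "AtiRage4dPro.exe")` from an account that can read the system directories; a running bot can hold its file open, so hash it from Safe Mode if the read fails. Hashing the whole tree in `same_bytes_elsewhere` is slow on a full disk, so point `root` at the WINDOWS directory rather than the drive.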
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
BTW, you're scandalizing me with your sloppy computing habits :evil: I maintain a fleet of about 80 systems and there has not been a successful virus infection in more than two years. The only one that did occur was on a system whose antivirus software had failed, the system needed a Windows patch and the user did something imprudent. And that was a mere JS/Noclose homepage swap.

Almost perfect... :)
 

AST

Junior Member
Dec 8, 2004
4
0
0
D'oh!
Unfortunately I already got rid of it. :(

Not positive, but I believe it got in the system32 folder.
It was also writing things to a small additional file that I cannot remember the exact name or extension of. (It had "atirage4d" in the name, though...)
Yeah, I don't think of these things. :confused:

This one was annoying enough that I got rid of it ASAP. (If you read my commentary, I usually don't clean up until the weekend.)

Anyway, if I get it again I'll come back here.
(Odd to find oneself kinda wanting to get attacked by a malicious virus.)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Hmm, maybe a keystroke logger. I hope it hasn't picked off your credit-card number and the other info that would go with it.

When you reinstall, can I suggest getting your security tightened up better. My suggested best practices are under the Ongoing Prevention section here. I know the concept of running a Limited account is very alien to computer owners...

:confused: ~ you mean I would, like, NOT be able to install software without using the Run As... feature?!

But neither would any malware that was trying to use your account for leverage. And that's the linchpin in my ~240 machine-years of virus-free operation... lock down the power to do harm (naturally, the primary backup to that is well-configured antivirus software, followed by up-to-date Windows patching, firewall protection and strong Admin passwords).
 

AST

Junior Member
Dec 8, 2004
4
0
0
Good advice... I might try that next time, save time in the long run... I'm on a laptop though, no credit card info, or I'd be more cautious. Many stored passwords to games, forums, etc... but I doubt anyone would waste their time on those.

My PC is better protected virus-wise, but I have a few lingering problems, including misplaced boot files that I have been bypassing for like a year now. (lol) Until it refuses to start though, I probably won't do anything... :confused:
Anyway, that's just me. :|
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Many of the new viruses steal your CD keys to your games nowadays too. :Q Fun. At work, my homepage is McAfee's New Threats page, and they get pretty interesting sometimes! :p
 

AST

Junior Member
Dec 8, 2004
4
0
0
Not the CDkeys!
There are enough "friends" of mine who want to steal my CDkeys.
Except they all play WoW now... but here is not the place for that. :p

Back on topic:
AtiRage4dPro.exe is a virus that hogs system resources and creates/maintains a 2nd file. (For storing information, I guess.) I did not notice it affecting inet other than from lack of resources. (steveox said something about inet.)
 

Jynx980

Senior member
Jan 10, 2001
604
0
0
Here is a site with a custom hosts file, since that seemed to have something to do with the virus. Use the lockhost.bat file. It makes it read-only. The custom hosts file also blocks a ton of ads and a lot more.
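The block-list hosts file and lockhost.bat idea above, as an added example that is not part of the thread or anyone's posted file: a Python script that parses a HOSTS file, flags entries that override security-vendor or update domains (that is how a hijack stops AV definitions arriving, and it is hostile even when the target is 127.0.0.1) or redirect a name to a real, non-local address (traffic silently goes elsewhere), and then sets the file read-only the way lockhost.bat does. The vendor suffix list and the sample HOSTS content are constructed for the demo and are assumptions, not anything from the page.

```python
"""Audit a Windows HOSTS file for hijack entries and lock it read-only.

Added example for this thread, not code posted by anyone in it. The vendor
suffix list and SAMPLE_HOSTS are constructed for the demo.
"""
import ipaddress
import os
import stat
import tempfile

# Addresses that merely black-hole a name (ad-blocking style); not a redirect.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Update/AV domains a hijacker points at a dead address so the victim cannot
# pull new definitions or patches. Illustrative, not exhaustive (assumption).
PROTECTED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "symantec.com",
                      "symantecliveupdate.com", "mcafee.com", "grisoft.com",
                      "trendmicro.com")

# Constructed sample: a mix of legitimate block-list lines and hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
192.0.2.44      www.google.com
0.0.0.0         tracker.example.org
"""


def _is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; skip comments and junk."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield n, ip, name.lower()


def audit_hosts(text):
    """Return [(line_no, ip, name, reason)] for entries that look like a hijack."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name == "localhost" and ip in BLACKHOLE:
            continue
        if _is_protected(name):
            # Even 127.0.0.1 is hostile here: it stops updates reaching the vendor.
            findings.append((n, ip, name, "protected domain overridden"))
        elif ip not in BLACKHOLE:
            # A real address means traffic is silently sent somewhere else.
            findings.append((n, ip, name, "redirect to non-local address"))
    return findings


def is_read_only(path):
    # Windows exposes the read-only attribute as cleared write bits; on POSIX
    # this is the owner write bit (root ignores it, so treat it as a tripwire).
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def lock_hosts(path):
    """Set the file read-only, the same effect as `attrib +r` in lockhost.bat."""
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return is_read_only(path)


def demo():
    """Write SAMPLE_HOSTS to a temp file, audit it, then lock it."""
    fd, path = tempfile.mkstemp(suffix="_hosts")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_HOSTS)
    try:
        with open(path) as f:
            findings = audit_hosts(f.read())
        before = is_read_only(path)
        after = lock_hosts(path)
        return findings, before, after
    finally:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # clear read-only so delete works on Windows
        os.remove(path)


if __name__ == "__main__":
    for finding in demo()[0]:
        print("line %d: %s -> %s (%s)" % finding)
```

On a real machine call `audit_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())` and `lock_hosts(...)` on the same path. The read-only attribute is only a tripwire: anything running as Administrator can clear it with `attrib -r` and write the file anyway, which is why the Limited-account advice earlier in this thread does more than the lock does.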
 

steveox

Senior member
Sep 27, 2004
241
0
0
So .. I woke up this morning and it's back once again. I don't know what's going on.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Also, did you secure your Administrator password from Safe Mode like I suggested? And do you have a firewall in place, or more than one? Gotta close the windows that the bugs are flying in through, bro :p
 

steveox

Senior member
Sep 27, 2004
241
0
0
I tried fixing the administrator password ... but I couldn't remember it. I'm getting the disc today to crack it and replace it. I installed zone alarm this morning. I thought I had done everything, but I have two computers and thought I had secured both when I had only done the one. I deleted the files earlier ... and then ran trendmicro to see if it catches anything. AVG still isn't recognizing it as a virus. If it's back when I get back to my room I will forward the files.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Your own account is an Administrator-class account at present, correct? Log on with your account in Safe Mode, and then you can change Administrator's password in Control Panel > User Accounts. :)