#3
Ian Malcolm

Gunner wrote:
My $#@!! kid turned off the firewall (again) and downloaded something
with a nasty malware called W32/Gaelicum.A

It's infected virtually every .exe file in both my server and my
personal computer. I'm posting from my non-networked laptop.

It only affects files with a .exe extension, but that's thousands of
files on all 4 computers on the network. There is very little info on
the net about it, AVG has only been able to detect it for a week or
so.

It appears to be a trojan of some sort.

Anyone got any suggestions of cleaning the sumbitch, other than a full
hard drive format..which means I have to format at least 14
drives...sigh

The #@$%!!! kid lost all access to the network..his computer has been
removed from the net, and it's not a computer I'm going to fix. This was
the last straw.....his box just became a doorstop.

Gunner

Well AVG can detect it but presumably *NOT* 'cure' it yet. It *should*
be able to remove it and then you'd just be lacking the .exes.
Personally I'd concentrate on getting the most critical systems cleaned
first and disconnect the data cables to drives I don't need access to
yet to prevent any risk of reinfection. While you are wrestling with
the first computer, AVG may well come out with a repair utility you can
use on the rest of them.


A good approach would be take a spare drive, install it as C: (Primary
IDE, Master) (OR SCSI ID:0 if that's your setup :-) ) on a PC with all
the infected drives disconnected. MAKE SURE THE BOOT ORDER DOES *NOT*
INCLUDE anything other than the floppy, CD and first hard drive. Make
sure there are *NO* infected machines live on the network. If you are
running XP then download a copy of the full SP2 and burn it to CD on
your known clean laptop. If you don't have a CD burner, but do have an
external drive that can take ~1/3 GB that will do. Also burn to CD AVG,
its updates, your preferred firewall + updates, Lavasoft AdAware SE
personal edition + updates, and anything else you need in the way of
security software. *** Now disconnect the internet ***. Install the OS
in the normal way booting from ORIGINAL Microsoft CD media (or if not
possible, at least making a fresh set of boot floppies from the original
media). When you've got it up, install all the security software and
updates you put on CD, then reconnect the Internet and let it at MS
Update till it's done and at the updates for all the security software.

Now you have a known clean, up to date, well protected PC. If you have
another spare drive and a drive image program, a bootable backup image
copy of it would be a good idea. Put it on the shelf for next time. It
will only need updates to be immediately useable.

Now comes the dicey step: Remove the infected drives ONE AT A TIME and
connect them as second drive in the clean machine you've just set up.
(Primary IDE, Slave) (OR SCSI ID:1). *Don't* get it wrong, as if it boots
from the infected drive, all is lost. Now boot up and let AVG at the
infected drive. Let it quarantine all it finds. Repeat with AdAware +
anything else you want to scan with. Double check with another
antivirus (an online one will do). Save the detection logs.
Repeat on the other drives until you've got that machine done.
Now if you are on the same OS version as the formerly infected machine,
copy all .exes in and below 'Windows' and 'Program Files' to the bootup
drive you cleaned. Now reinstall the drives. With any luck, if you
copied the .exes from the clean machine it will boot well enough to get
in and start sorting stuff out. If it's XP or a different OS version to
your clean machine you'll have to install Windows again OVER the data on
the drives to get it bootable. Reinstall all damaged applications then
*uninstall* any you don't actually want :-)

It's ACTUALLY easier to format everything and start over :-( but this way
you keep every document etc. that wasn't infected, except for settings
like internet passwords. A halfway house that may suit you is to just
lift off the documents you want from each drive after scanning them onto
another drive, then format them and do a clean reinstall.

Your next problem will be keeping your son OFF your PCs. It may be
easier to figure out how to give him (limited) internet access on his
box so he doesn't try to use one of your boxes to get on the net :-(
It definitely needs to be behind a 'milspec' firewall he can't tamper
with, so that he can't run any dodgy per server stuff and possibly lose
you your net access, and on a completely different LAN to your machines
that doesn't interoperate. Me, I'd lock him down behind a proxy server,
with a separate network card feeding his box. Software602 LanSuite is
free for five users and can do the job if you set it up in a paranoid
frame of mind. He won't be happy 'cause you can set it up so anything
except http: and https: is *dead* *and* blacklist any site you don't
like. If he wants his box cleaned, format it, hand him the Windows CD,
tell him his box is clean, 'now reload your Windows and restore from
your backups' *EVIL* VBG.

--
Ian Malcolm. London, ENGLAND. (NEWSGROUP REPLY PREFERRED)
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk [at]=@, [dash]=- &
[dot]=.
*Warning* SPAM TRAP set in header, Use email address in sig. if you must.
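A defender-side helper for the step above of copying clean .exes over the infected ones, added here as an example and not part of Ian Malcolm's post: assuming the infected drive is attached as a data drive (mounted, never booted) and a known-clean install of the same OS version is available, it hashes every .exe under 'Windows' and 'Program Files' against the same path on the clean tree, reports which differ or have no clean reference, and optionally restores the differing ones from the clean copy. The directory layout and file contents in demo() are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

SUBDIRS = ("Windows", "Program Files")  # the trees the post says to copy .exes from

def sha256_of(path):
    """Hash a file in chunks so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_exes(clean_root, infected_root, restore=False):
    """Walk .exe files under SUBDIRS of the (mounted, not booted) infected drive and
    compare each with the same relative path on the known-clean drive.
    Returns lists of relative paths: identical, mismatched (overwritten from the clean
    copy when restore=True) and no_reference (only on the infected drive, so they
    still need scanning or reinstalling from original media)."""
    clean_root, infected_root = Path(clean_root), Path(infected_root)
    report = {"identical": [], "mismatched": [], "no_reference": []}
    for sub in SUBDIRS:
        for exe in sorted((infected_root / sub).rglob("*.exe")):
            rel = exe.relative_to(infected_root)
            ref = clean_root / rel
            if not ref.is_file():
                report["no_reference"].append(rel.as_posix())
            elif sha256_of(ref) == sha256_of(exe):
                report["identical"].append(rel.as_posix())
            else:
                report["mismatched"].append(rel.as_posix())
                if restore:
                    shutil.copy2(ref, exe)  # replace the suspect file with the clean copy
    return report

def demo():
    """Constructed sample trees standing in for the clean and infected drives."""
    root = Path(tempfile.mkdtemp())
    clean, infected = root / "clean", root / "infected"
    files = {  # relative path: (clean contents or None, infected contents)
        "Windows/notepad.exe": (b"MZ clean notepad", b"MZ clean notepad<appended code>"),
        "Program Files/App/app.exe": (b"MZ app", b"MZ app"),
        "Program Files/Game/game.exe": (None, b"MZ game<appended code>"),
    }
    for rel, (good, bad) in files.items():
        for base, data in ((clean, good), (infected, bad)):
            if data is not None:
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
    before = compare_exes(clean, infected, restore=True)  # report and restore
    after = compare_exes(clean, infected)                  # re-check after restore
    shutil.rmtree(root)
    return before, after
```

Files listed under no_reference are the ones the post's copy step cannot fix, which is exactly the set to hand to the antivirus scan or reinstall from original media.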