I am battling this virus lovegate. I downloaded the file "F Prot" from Cnet but it does not completely clear it. I am using Win2k/NT vers 4.0. The virus has placed a hidden directory on two of my drives called "Recycler". When I delete certain of its files it automatically rewrites them back from the recycle bin. The files in the "Recycler" folder are also in the registry and I cannot delete them there either.
Ultimately the virus reads emails and sends copies of itself to those addresses by placing them in the outbox. It seems to require Microsoft Outlook. It also infects system files. Does anyone have any suggestions on clearing this nasty virus?
Posted on 2003-04-28 22:26:27 by mrgone
Last summer I spent a good 3 or 4 days chasing a virus that made it through my home network while I was upgrading some things. I have four computers on our home 'net and this thing ran from one computer to the other. I was upgrading a motherboard at the time and couldn't get it to even boot up! I shipped the board back to the company I bought it from only to have them let me know there was nothing wrong with it.

Then the other computers started dropping like flies. I finally had to disconnect all of them and use Norton's AV one at a time which took a long time owing to the multiple, reproducing virii on each one. The virii wiped out some important files I was saving.

I'm not overly cautious where I go in the pursuit of information so sometimes I stumble into some of "those" sites just loaded with stuff. Norton has saved me numerous times.
Posted on 2003-04-28 23:27:06 by drhowarddrfine
I agree with Donkey here, get a decent firewall for your machine if it's the front line one you use for the internet. I use an old ConSeal PC firewall on this Win98SE box because it's primitive enough to set what you allow in, and nothing else gets in.

It's a pain in that I cannot access any other box while it's running, but it does the job. I made the mistake of dropping it to get something from another box and the machine ended up infected with the OPASERV worm. With the firewall up again it could not spread, but I had to track it down through a variety of files to stop it from setting itself up again.

When I had it working with no hassles, I then overwrote the entire boot drive with a ghost image so there was no risk.

The other thing is to perhaps use another email client, as Outlook seems to be an endless source of holes that Microsoft only fixes AFTER the damage is done. I still use old Netscape for my email as it is too primitive to run anything automatically.

If you don't have a feel for Netscape, there are others out there that many use and it may save you some grief next time.

Regards,

hutch@movsd.com
Posted on 2003-04-28 23:46:13 by hutch--
Thanks, you guys are terrific, and I want to apologize for placing this help request in the wrong section. I'll remember next time.
Posted on 2003-04-29 11:37:01 by mrgone

Don't forget you still have DOS mode, and delete means delete in DOS,
not just move it to some place else. If the virus can still run in DOS mode, there are
Linux boot/root kits around for free, and no virus that can run under any M$ system
can run under Linux.
Posted on 2003-04-29 12:00:59 by rob.rice
I'm pretty sceptical w.r.t. Norton and McAfee antiviral stuff. Kaspersky (AVP) and F-Prot are usually decent - don't expect to be able to clean/heal your files all the time though. You shouldn't use AV software like that; use it to identify and delete files, and reinstall the box from scratch (for massive infections anyway; simple trojans are another matter).

As others have said, indeed install a firewall application. I personally like Kerio Personal Firewall as it's rather flexible, doesn't come with a lot of insecure preset rules, and works well once you have trained it.

As for removing the virus... assuming the worst, that it is an exe/PE infector, there's only one proper way to deal with it - reinstall: if you're on a network, the first thing to do is unplug the cable. Next up, you back up your data files (you might want to do that before unplugging the cable, if you don't have a CD writer nor a spare partition). Install files (.exe) != data files - if you have infected downloads, you'll have to bite the bitter apple and toast them. Some AV products can remove some exe infections, but you'll be running a wounded system then.

If the "virus" infection is actually "lovgate.f", as in http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.f@mm.html, then it shouldn't be much bother to remove. There's even a removal tool on the URL I posted.

rob.rice, he's on NT - no dos. If he's done the nice thing and is running NTFS instead of fat32, he won't be able to access the partitions from a dos floppy. Having ERD Commander from winternals == nice :)
Posted on 2003-04-29 12:37:26 by f0dder
Yeah Fodder, the limited DOS in NTFS is really a joke. The virtual DOS works in conjunction with Windows and the manual mode is pathetic. We have no real mode to boot into. Seems like this NT stuff has a lot of holes in it. I saved the website to favorites. Thanks
Posted on 2003-04-29 16:37:46 by mrgone
There's no DOS in NT. There's an emulation layer handling a bunch of DOS apps, and that's about it - and really, there's no need for more. The cmd.exe shell doesn't have anything to do with DOS, and it works pretty well too (unix aficionados might disagree, but on NT you don't _need_ the shell as much as on *u*x).

As for holes... there's a bunch, yes. Most problems with NT are incorrect setup by the user, though. Of course, with the whole way Windows runs, it's very tempting to always run as administrator... and a lot of stuff is enabled by default which shouldn't be. You can get stuff pretty tight if you run a limited user account most of the time, run NTFS (so you have decent ACLs protecting the system folders - as long as you run from a limited account), set up a decent firewall, and run some decent AV software.

With a *u*x system, the only part missing from that equation would be the AV software, since there aren't really a whole lot of *u*x virii around - you'd still run from a limited user account, have reasonable security settings for files (too bad ACLs are still not heavily adopted in the *u*x world), and stay behind a firewall.
Posted on 2003-04-29 16:45:17 by f0dder
In what ways are people getting viruses, btw? Because in two years of internet use, I have never got any infection.
I use Norton AntiVirus though, just in case, and I think it found a worm once in a file in all this time.
Still, I use fileshare programs and download stuff from the net pretty much every day.

Once I had installed a firewall, but it reported like 20-30 'attacks' a day; it made me paranoid, like I thought my computer was under constant attack. But then I thought, no way, that's ridiculous, why would anyone wanna hack my home computer. It showed it was people trying to make contact on the fileshare program while it was offline, showing up as 'attacks' on the firewall. That's silly.
Then I heard on the radio this Swedish Norton AV guy saying something like 25% of all people have got hackers attacking their computers, in some survey in Sweden. I thought that's just ridiculous when I kinda thought about how many hackers there gotta be active for that.
Well, I can assume that if firewalls in general report 20-30 attacks but they're really valid connection attempts, no wonder people think they're under attack. At that point I was thinking this was some kind of scam: wanna make people paranoid so they always update their software, paying cash every year or something.
So I simply removed the firewall, because why the HELL would somebody have an interest in breaking into my computer? I don't even have a server running.
Actually, what's the reason for a private person to have a firewall? I see the use of an antivirus program, but not of a firewall.

Well, that's just my thought.

edit: sorry, it's a little off topic, it just came to mind.
Posted on 2003-04-29 20:49:37 by david
David, if you're on broadband, that's enough reason to attack you. Hackers (well, more like script kiddies) tend to sweep through large IP ranges with automated exploit tools. Every little ADSL line helps when you're building a DDoS attack network - if you can infect 1000 ADSL users with 64kbit upstream... well, do the maths yourself. Most ADSL lines have faster upstream anyway, especially in Sweden with your BredBåndsBolaget.

Try setting up an apache server and look at the logs... there's probably still nimda and whatever attempts going on.
Posted on 2003-04-30 02:22:15 by f0dder
I have wiped out Windows XP systems by clicking on Run and then typing "command".
The DOS window I got let me delete all the files on the computer, and I checked by booting tomsrtbt and trying to find any files on the hard drive.
(Some fool in the computer store told me I couldn't delete all the files on a Windows system, so I bet him and did it.) Maybe that computer wasn't set up right or something.
Posted on 2003-04-30 19:02:40 by rob.rice
It's fairly new and I see the advantages, but it should not have been released yet. I think when it's done everyone will want it, but it's not a user setup problem, because there are too few choices in setup. Supposedly NTFS is the best, but it needs the bugs worked out.
Posted on 2003-05-01 01:18:06 by mrgone
rice, if the computer was running an admin account, you'd be able to wipe most files (not all files though - that isn't possible because of file locking etc.). But it's the same with a *u*x box, except you can remove _everything_ there. No point bitching about Windows security when it's admin stupidity you should be bitching about.

mrgone, which bugs in NTFS? I've been running NTFS for, hrm, probably some years now, and haven't ever had a problem with it. I'd be sceptical about running an FS like ext3, since that _is_ new (NTFS has been around since at least NT4...) - and reading the Linux kernel changelogs, it seems like ext3 needs some work yet.
Posted on 2003-05-01 02:20:51 by f0dder
The command I used was "del /f /q /s *.*" - ALL THE FILES.
The salesman even got a DOS boot disk for Windows XP;
there was nothing on the disk. Don't take my word for it,
go into a computer store and try it yourself.
Seeing is believing.

I think file locking works by setting the system attribute on the file,
and the /f switch makes del delete even system, hidden and read-only files.

When it got done, the computer started bitching about command.com missing
and went into what looked like an endless loop bitching about all the missing
files.

Reiser FS is much better than ext3: faster, and it makes much better use of space.
I think the web page for the Reiser file system is namesys.com
Posted on 2003-05-01 07:56:58 by rob.rice
*) DOS boot disk? Running FAT32 then. Less security.
*) "del /f /q /s *.*" from a cmd.exe under NT will not delete all files. It will skip files without an extension, iirc it will not touch hidden files, and it is unable to delete files that are locked (i.e., running programs). Furthermore, on NTFS, it can only delete files you have permission to delete - even as administrator, there are a few files you don't (by default) have access to delete.

I don't have to go into a computer store to do this. I'll have a go at it with VMware when I get home, both as administrator and regular user, and post the details here.
Posted on 2003-05-01 08:01:12 by f0dder
RIGHT try it

I typed command.com at the run prompt
Posted on 2003-05-01 08:14:01 by rob.rice
I will, and I will admit it if I'm wrong - inside VMware nothing matters very much, it's a matter of a couple of mouse clicks to get the HD contents back :). Hm, command.com... the NT shell is cmd.exe. I think there might be a command.com included on XP though. It still shouldn't matter security-wise; I can't believe there'd be a security hole THAT blatant. I'll be home in a couple of hours.
Posted on 2003-05-01 08:26:35 by f0dder
try it
Posted on 2003-05-01 08:57:22 by rob.rice
Limited user account, cmd.exe:

C:\Documents and Settings\LimitedUser>del /f /s /a C:\*
C:\*, Are you sure (Y/N)? y
C:\AUTOEXEC.BAT
Access is denied.
C:\boot.ini
Access is denied.
C:\CONFIG.SYS
Access is denied.
Access is denied.


-------------------------------------------------------
Administrator account, cmd.exe:

C:\Documents and Settings\MainUser>del /f /s /a /q c:\* > c:\results.txt

I got numerous lines of
"The process cannot access the file because it is being used by another process."
and
"Access is denied."

A dialog box popped up prompting me to insert my Windows XP Professional CD-ROM. Ok, some system files deleted - fair enough, this is an administrator account.

What's next? Complaining that there is NOT a unix "rm -fr /" equivalent? ;). As admin, you can give yourself some more power with some tool that's included in Windows, such as being able to peek inside "System Volume Information", and probably also access to delete more files where you'd get "Access is denied." - I don't think there's a way to delete files that are locked, though. I think the name of the util is cacls.exe.

The resulting file was 389kb, so quite a lot _was_ deleted. But again, after all, this is an administrator account. It seems to have info for both deleted and not deleted items; might be worth taking a look.

I'm probably going to do a test with command.com after dinner. Don't think it will change much, though. Oh, and there isn't much point arguing that "you are using NTFS, I tested on FAT32" or "you didn't use a DOS boot floppy". Giving somebody access to boot your machine from a floppy is about as bad as giving them your root password. Using FAT32 instead of NTFS removes a lot of security features from Windows.


PS: Could some moderator split this thread off at a sensible point? Main thread has been poisoned a bit.
Posted on 2003-05-01 12:12:21 by f0dder
-------------------------------------------------------
Administrator account, command.com.exe:
-------------------------------------------------------

Again, lots of "can't access" lines, and also the "insert your XP CD" dialog.
The difference in deleted files was minimal - there were, however,
a few files that couldn't be deleted with command.com that could
be deleted with cmd.exe, namely the vtvdm* files - those responsible
for managing the 16-bit emulation.


...
So, got any more false accusations about Windows? ^_^
Perhaps it's possible to delete some more files on a FAT32 install, since FAT32 doesn't have ACLs. You still shouldn't be able to delete locked files. And if you want to compare to unix, this would be the same as having all files owned by nobody.nogroup with "777" file permissions - no administrator in his right mind would make a setup like that.
Posted on 2003-05-01 12:48:24 by f0dder