Posted on 08/26/2004 9:02:32 AM PDT by mtbopfuyn
Could someone please explain how to get rid of the computer virus, W32.Boxbax.C? I'm running Windows XP. Nortons apparently can't fix it. I can't get Microsoft download to work - I keep getting errors or pop ups saying it can't install after babying downloads for hours. I connect at 24,000 so it's taken me the last 5 hours and still can't seem to get anywhere at Microsoft.com.
Well my opinion is this. I work online with banking codes, trading codes, etc. etc. Some of these viruses will leave behind keystroke loggers and various malicious files even after the main .exe file is cleaned. Sorry, not something I want to chance. 1.5 hrs to reformat or 8 months to clean up your screwed credit. It's happened too often to ignore.
I don't know what commercial systems you are working on or what your IT section advises, but most PCs can be safely restored without being reformatted, and the processes involved give the inexperienced user an excellent education of the processes involved and in preventing and avoiding future difficulties. Keystroke loggers, like any other trojan, can be detected and removed. It is extremely important to learn how to prevent reinfection, and to keep security software current.
What does this virus do to your system?
I know that there is a W32.Bobax.C but I couldn't find Bobax.C. Not sure if it's the same thing.
What you say is true about excellent education in trying to fix it yourself. And the novice person, such as this one, may have fixed it, or may not have. They don't know. I can tell you this, when you reformat, the problem IS FIXED, 100% sure. I don't gamble with important online codes for "a good educational experience". Their first reformat should be an excellent experience in itself and a good deterrent from being careless with their computer's security.
bump for later
However, there are quality inexpensive registry repair programs available (Registry Mechanic runs about $20), and some anti virus software companies include them with their program suites. Also, the System File Checker is a very useful and easy to use tool that repairs a number of persistent problems. Realistically, no registry will ever be perfect.
My point is that there are good tools available that will help an inexperienced user to become quite proficient and knowledgeable, and constant reformatting is usually unnecessary and often may not solve the ultimate problem.
Ping.
To remove W32.Bobax.C use the following sections.
Before you begin: If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be reinfected.
What to do if the computer shuts down before you can patch
This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch.
Notes:
You may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.
This will not work on Windows 2000.
To prevent the shut down, do the following:
1. Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
2. Restart the computer.
3. As soon as Windows opens and you see the Windows desktop, click Start > Run.
4. Type:
   cmd
   and press Enter.
5. Type:
   shutdown -i
   and press Enter.
6. In the Remote Shutdown Dialog that opens, do the following:
   a. Click Add, type your computer name into the Add Computers dialog box, and then click OK.
   b. In the "Display warning for" field, type 9999.
   c. Type the following text in the Comment box:
      Delay Lsass.exe shutdown.
   d. Click OK.
7. Reconnect the network/Internet connection.
8. Connect to the Internet, and get the patch. Then continue with the steps described below.
When you have patched your computer and removed the threat, you can re-enable the 20 second default warning if you wish.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as W32.Bobax.C.
Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.
1. To disable System Restore (Windows XP)
If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or the following article:
"How to turn off or turn on Windows XP System Restore"
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions
These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater
The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
3. To restart the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
In Windows 95, 98, Me, 2000, or XP, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
In Windows NT 4, restart the computer in VGA mode.
4. To scan for and delete the infected files
Start your Symantec antivirus program, and make sure that it is configured to scan all files.
For Norton AntiVirus consumer products
Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products
Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Bobax.C, click Delete.
5. To delete the value from the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the following value:
"random_characters" = "%System%\< random_characters >.exe"
Exit the Registry Editor.
Write-up by: John Canavan
Source:
Symantec
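An added example, not part of the quoted write-up or any poster's message: a small Python check that reviews a saved copy of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` output for the pattern step 5 describes, an .exe directly in %System% started from the Run key. It assumes the value name and the file name share the same random characters (as the write-up's placeholder suggests) and that %System% is C:\WINDOWS\system32; the sample entries are constructed.

```python
import re
from ntpath import basename, dirname, normcase, splitext

# Constructed sample of `reg query` output for the Run key; not from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    qxkvbzrt    REG_SZ    C:\WINDOWS\System32\qxkvbzrt.exe
    IMJPMIG8.1    REG_SZ    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef
    NvCplDaemon    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
SYSTEM_DIR = normcase(r"C:\WINDOWS\system32")  # assumed value of %System% on XP


def exe_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data


def suspicious_run_values(reg_query_output, system_dir=SYSTEM_DIR):
    """Flag values whose name equals the base name of an .exe sitting directly in %System%."""
    hits = []
    for line in reg_query_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = exe_path(m.group("data"))
        stem, ext = splitext(basename(path))
        if (ext.lower() == ".exe"
                and normcase(dirname(path)) == system_dir
                and stem.lower() == m.group("name").lower()):
            hits.append((m.group("name"), path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE):
        print(f"review: {name} -> {path}")
```

A hit is a candidate for review, not a verdict: compare it against the file the antivirus scan reported before deleting the value.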
I'm having the same problem, only different, with a blank desktop on my 2000 machine. I can get to the task manager so I can use the "run" function but browsing for files is quite slowwww.
Spybot ran and completed but Adaware freezes up on the registry or in the /system32 file, can't get my virus scanner to start up.
I'm still searching and seeing what actually is available on 2000 vs. XP. I guess I can steal files from my XP machine to the 2000 like I did with msconfig.
I do not want to re-install. No way, but I think I may have to.
Thanks everyone. Yes, sorry about the typo, it is W32.Bobax.C. Mr. M has been trying to get it going with no luck and is ready to throw the thing out the window. He talked with our ISP but, being a man, wouldn't ask about the virus - hello, isn't that the reason he called? I've tried getting on Symantec but it was no help. Tried downloading Microsoft patch, no luck either. Will go through all your suggestions and if all else fails ----- ugh, will have to reformat. I just hate losing everything because it takes forever to get it back and then some never gets back.
Thanks again. Off to work down the list of your suggestions.
Boxerblues offered EXCELLENT advice in post # 20. I have suspected my Norton at work had been 'disabled' for a few days. I had those classic emails from 'Microsoft' saying 'download this patch immediately', which always before had been flagged as a virus, but all of a sudden Norton didn't show anything at all. Nor did I open them. When I tried the site mentioned in post # 20 the scan revealed I had a 'Netsky'. Norton did not catch it, nor had AdAware, nor had Spybot. Then at home this evening I tried the same scan (which by the way is free). It found 4 trojans, all by the same name.
Previously today I could not receive any emails at home, although I knew they were there because I had sent at least one from work. (Could not get a connection to Outlook although I could get on the internet itself). Once the 4 trojans were deleted (as they could not be 'cleaned'), the emails came streaming through as usual.
It does take FOREVER to download and to scan, but it is worth the inconvenience to know how well the scan does work!
(Thanks, Boxer!!!!!!!!!!!)
You're welcome. It won't catch all of them but it will do in a pinch, usually enough to get you up and running so you can get your regular anti virus up to date and the patches installed.