Bugger of a virus!!

Neil

While doing my monthly check on my brother's PC (if I don't, it ends up
with all kinds of crap!) I found that I couldn't access MSConfig. Since
then, I've been battling against something which so far has got me beat!

As well as MSConfig, RegEdit & Task Manager are also inaccessible, I am
unable to access any Admin services, Norton Anti-virus 2005 has been
disabled and blocked (and can't be re-installed), anti-virus websites are
blocked (apart from one which allowed me to start an online scan, but was
shut down after a while) and all of this even when booted into safe mode! I
have tried an up-to-date Spybot S&D but although it finds and removes DSO
Exploits, they return on the next scan. The same with AdAware - finds,
removes, then they return. I've even tried a virus remover file from
McAfee's website called "Stinger", but this is prevented from running.

After 2 nights of trying, I am even at the stage where I know the name of
the virus, as it is so well embedded.

If anyone has any ideas, I would appreciate it as it has now become a battle
of wills and I don't want to give up and re-format.....yet!

TIA
 
David H. Lipman

Stinger only targets ~47 infectors. Please try the below Trend Sysclean which targets
~86,000 infectors.
Also below is information on how to run Adaware.

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example: lpt363.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shut down as many applications as possible.
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html





Ian Kenefick

> While doing my monthly check on my brother's PC (if I don't, it ends up
> with all kinds of crap!)

Sounds like my younger brother's PC.

> I found that I couldn't access MSConfig.

This is typical of a virus - to disable msconfig, regedit, access to
c: and/or subdirectories to prevent you manually disinfecting your PC!
For this reason - I keep a third party registry editor and process
manager to hand just in case (not like I would get infected with a
virus - safe hex here :) )

> Since then, I've been battling against something which so far has got me beat!
> As well as MSConfig, RegEdit & Task Manager are also inaccessible, I am
> unable to access any Admin services

see above...

> Norton Anti-virus 2005 has been
> disabled and blocked (and can't be re-installed),

Virus is resident and is terminating common antivirus processes.

> anti-virus websites are blocked (apart from one which allowed me to start an online scan, but was
> shut down after a while)

Virus modifies the HOSTS file; if you delete this you will have temporary
access to these websites until the virus writes to the HOSTS file
again.

HOSTS file locations...
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

> Spybot S&D but although it finds and removes DSO
> Exploits, they return on the next scan.

This is a well known false positive for SB S&D.

> I've even tried a virus remover file from McAfee's website called "Stinger", but this is prevented from running.

Try renaming the Stinger.exe - this worked for me before.

> After 2 nights of trying, I am even at the stage where I know the name of
> the virus, as it is so well embedded.

What is the name of the virus? Do share :)

> If anyone has any ideas, I would appreciate it as it has now become a battle
> of wills and I don't want to give up and re-format.....yet!

When all fails you don't have to reformat. Reinstalling the core
components of the OS is enough to restore enough functionality to
restore the system fully! In Win2k & WinXP this is known as ASR. In
Win98 just write over the existing installation of Windows to preserve
existing data.

Dave Lipman's post is known to have saved a few souls along the way. I
would definitely check that out! If that fails try installing a trial
copy of Kaspersky Antivirus 5 and scan for viruses. I have a tutorial
on this here:
http://ik-cs.com/E-Books/Installing and configuring Kaspersky Antivirus Personal 5.pdf


Regards,
Ian Kenefick
http://www.IK-CS.com
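Ian's point about the HOSTS file (the infection pins anti-virus sites to a local address so the browser never reaches them) can be checked with a small audit script before deleting the file. This is an added example, not code from the thread or from any of the tools named in it; the vendor domain list and the sample HOSTS contents are constructed, and the check is generalized to flag any non-localhost name pinned to a loopback or 0.0.0.0 address, not only the vendors listed.

```python
"""Audit a Windows HOSTS file for entries that hijack security-vendor sites.
Added example, not from the thread; vendor list and sample file are constructed."""
import ipaddress

# Vendor domains worth watching: the first four appear in the thread, the last is assumed.
WATCHED_DOMAINS = ("trendmicro.com", "nai.com", "mcafee.com", "lavasoftusa.com", "symantec.com")
# Lines a default HOSTS file legitimately contains.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:               # one line may list several names
            yield fields[0], name.lower()

def is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def suspicious_entries(text):
    """Flag any override of a watched vendor host, and any other non-localhost name
    pinned to a loopback/unspecified address (the blackholing described above)."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in BENIGN:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                    # junk in the address column
            findings.append((ip, name, "malformed address"))
            continue
        if is_watched(name):
            findings.append((ip, name, "security vendor host overridden"))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "host blackholed to local address"))
    return findings

SAMPLE_HOSTS = """# constructed sample, not a capture from the infected PC
127.0.0.1 localhost
127.0.0.1 www.trendmicro.com trendmicro.com
127.0.0.1 vil.nai.com
0.0.0.0 liveupdate.symantecliveupdate.com
192.0.2.10 www.example.com
"""
```

Calling `suspicious_entries(SAMPLE_HOSTS)` reports the three vendor overrides and the blackholed update host, while the ordinary `www.example.com` mapping is left alone; to audit a real machine, read the file from the path for your Windows version listed above and pass its contents in.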
 
Nel

>> After 2 nights of trying, I am even at the stage where I know the name of
> What is the name of the virus? Do share :)

Sorry, missed a "don't" out there!! If I'm not out on the beer tonight,
I'll pop down my brother's again and go for round 3 of the battle!
 
