Help identify virus? these symptoms....

[jeffc]

I'm having a hard time searching for this one because one of the symptoms is
that whenever I use Google to search for "virus" or something like that in
the keywords, Internet Explorer closes automatically. If I try to go to a
site to download some software, such as www.symantec.com, it says it can't
find the site. If I try to run Stinger, it closes automatically (won't
run). If I try to run regedit, it closes automatically (won't run). On my
Task Manager processes page, it's completely blank. Those are the only
symptoms I'm aware of, other than that the computer seems to be running
fine. I guess I can go to the store and buy Norton anti-virus or something,
but I'm not sure I'd even be able to refresh the virus definitions from
their web site the way this "virus" (if it is one) seems to be operating.
Any tips? thanks!

 

[David H. Lipman]

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Dowload the signature files (pattern files) by obtaining the ZIP file.
For example; lpt192.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP,Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point
10) Please report back your results

Dave




| I'm having a hard time searching for this one because one of the symptoms is
| that whenever I use Google to search for "virus" or something like that in
| the keywords, Internet Explorer closes automatically. If I try to go to a
| site to download some software, such as www.symantec.com, it says it can't
| find the site. If I try to run Stinger, it closes automatically (won't
| run). If I try to run regedit, it closes automatically (won't run). On my
| Task Manager processes page, it's completely blank. Those are the only
| symptoms I'm aware of, other than that the computer seems to be running
| fine. I guess I can go to the store and buy Norton anti-virus or something,
| but I'm not sure I'd even be able to refresh the virus definitions from
| their web site the way this "virus" (if it is one) seems to be operating.
| Any tips? thanks!
|
|

 

[jeffc]

I'm having a hard time searching for this one because one of the symptoms is
that whenever I use Google to search for "virus" or something like that in
the keywords, Internet Explorer closes automatically. If I try to go to a
site to download some software, such as www.symantec.com, it says it can't
find the site. If I try to run Stinger, it closes automatically (won't
run). If I try to run regedit, it closes automatically (won't run). On my
Task Manager processes page, it's completely blank. Those are the only
symptoms I'm aware of, other than that the computer seems to be running
fine.

By the way, I had to enter this from another computer. Whenever I try to
bring up a virus newsgroup, Outlook Express crashes too.

 

[jeffc]

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

I don't think you understand what I'm saying. I cannot get to any web pages
of any virus software companies.

 

[GSV Three Minds in a Can]

By the way, I had to enter this from another computer. Whenever I try to
bring up a virus newsgroup, Outlook Express crashes too.

Did you try booting to safe mode (and running stinger, regedit, etc.
from there)?

 

[madmax]

I'm having a hard time searching for this one because one of the symptoms is
that whenever I use Google to search for "virus" or something like that in
the keywords, Internet Explorer closes automatically. If I try to go to a
site to download some software, such as www.symantec.com, it says it can't
find the site. If I try to run Stinger, it closes automatically (won't
run). If I try to run regedit, it closes automatically (won't run). On my
Task Manager processes page, it's completely blank. Those are the only
symptoms I'm aware of, other than that the computer seems to be running
fine. I guess I can go to the store and buy Norton anti-virus or something,
but I'm not sure I'd even be able to refresh the virus definitions from
their web site the way this "virus" (if it is one) seems to be operating.
Any tips? thanks!

Check your hosts file C:\WINDOWS\system32\drivers\ect\hosts
Open it with notepad.It should look like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

If there is any thing after this,it is probably your problem.
What did your anti-virus report? You can use the above to replace your
host file. I have a link to a modified host file on my site(along with
info and links to other helpful programs and sites).
-max
--
To help you stay safe see: http://www.geocities.com/maxpro4u/madmax.html
Virus cleaning +fixes see: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)

 

[JJO]

OK then, if you are accessing the Internet from another system try this.
Browse to the following site I have below. It is the Avast BART program.
With that you can create a bootable CD that you can detect and clean a
system with. The program is free to try until October 15th so you have
enough time.

http://www.avast.com/eng/products/desktop_protection/avast_bart_cd/avast_bart_cd_downlo.html

Regards,
John O.

 

[jeffc]

Check your hosts file C:\WINDOWS\system32\drivers\ect\hosts
Open it with notepad.It should look like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

If there is any thing after this,it is probably your problem.

Yup, that is at least part of the problem. All the anti-virus sites are
listed. The line is
127.0.0.1 localhost dbccop1
I should remove the "dbccop1" ?

 

[jeffc]

Yup, that is at least part of the problem. All the anti-virus sites are
listed. The line is
127.0.0.1 localhost dbccop1
I should remove the "dbccop1" ?

Actually, I think dbccop1 is something left over from an old application I
had. I removed it anyway.

 

[David H. Lipman]

So you can't go to someone else's computer to get this software and check your PC ?

Dave





|
| | > 1) Download the following three items...
| >
| > Trend Sysclean Package
| > http://www.trendmicro.com/download/dcs.asp
|
| I don't think you understand what I'm saying. I cannot get to any web pages
| of any virus software companies.
|
|

 

[jeffc]

OK then, if you are accessing the Internet from another system try this.
Browse to the following site I have below. It is the Avast BART program.
With that you can create a bootable CD that you can detect and clean a
system with.

No way to create a CD from here Will look at the offer later though,
thanks

 

[David H. Lipman]

Delete the whole 'hosts' file and obtain the software I indicated from another computer.
Then scan the platform per my previous instructions.

In addition copy the text in between the "----" (dashes) below and then paste it into a text
editor.
Save the file as FixSwen.inf . After you save ito to a disk. On the affected PC right click
on the file FixSwen.inf and choose "Install".

----
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
AddReg=FixSwen
DelReg=EnableRegTools

[FixSwen]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe "%1""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"

[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

----

~ ~ ~
Dave


|
| | >
| > Yup, that is at least part of the problem. All the anti-virus sites are
| > listed. The line is
| > 127.0.0.1 localhost dbccop1
| > I should remove the "dbccop1" ?
|
| Actually, I think dbccop1 is something left over from an old application I
| had. I removed it anyway.
|
|

 

[jeffc]

Did you try booting to safe mode (and running stinger, regedit, etc.
from there)?

Negative on both from safe mode.

 

[xmp]

By the way, I had to enter this from another computer. Whenever I try to
bring up a virus newsgroup, Outlook Express crashes too.

You probably have a nasty trojan (or worm) with process killing. You
got some good suggestions in the thread. Also scanning from Safe Mode
or a DOS boot disk with F-prot or NOD32 might help. The Avast CD might
be the best solution (if it has a free trial).

Basically you need to kill the trojan process or prevent it from
starting at boot. Then scan.

michael

 

[xmp]

Yup, that is at least part of the problem. All the anti-virus sites are
listed. The line is
127.0.0.1 localhost dbccop1
I should remove the "dbccop1" ?

The old trick was renaming the executable to something else. For
instance instead of having "nav.exe" for antivirus, name it "av.exe" or
something.

michael

 

[jeffc]

The old trick was renaming the executable to something else. For
instance instead of having "nav.exe" for antivirus, name it "av.exe" or
something.

Gotcha.

 

[jeffc]

So you can't go to someone else's computer to get this software and check

your PC ?

Of course I can. I just got the impression you misunderstood what I
described.

 

[David H. Lipman]

That's why I didn't suggest online scanners ;-)

Let us know how things turn out. We need feedback to improve the way we can help affected
people.

Dave




|
| | > So you can't go to someone else's computer to get this software and check
| your PC ?
|
| Of course I can. I just got the impression you misunderstood what I
| described.
|
|

 

[jeffc]

That's why I didn't suggest online scanners ;-)

Let us know how things turn out. We need feedback to improve the way we can help affected
people.

OK Sysclean didn't turn up anything interesting. It seems to have found
some Netsky in some internet temporary files, but I don't think that was the
problem. The hosts file had the AV websites listed again, so it is still
active, whatever it is. No joy.

 

[David H. Lipman]

Netsky
http://vil.nai.com/vil/content/v_101027.htm

The MultiDropper-LA Trojan will install the Netsky.
http://vil.nai.com/vil/content/v_127037.htm


What about Adaware. Have you scanned with it yet ?

Dave



|
| | > That's why I didn't suggest online scanners ;-)
| >
| > Let us know how things turn out. We need feedback to improve the way we
| can help affected
| > people.
|
| OK Sysclean didn't turn up anything interesting. It seems to have found
| some Netsky in some internet temporary files, but I don't think that was the
| problem. The hosts file had the AV websites listed again, so it is still
| active, whatever it is. No joy.
|
|