Help: Unable to find or stop virus

Roy

Hi all,
I am running XP Home (service Pack 2 installed) with Norton AV 2005 /
Ad-Aware / Spybot Search & Destroy / & Spyware Blaster. I also have Sygate
personal Firewall and a broadband connection.

I am constantly getting infected with the W32.HLLW.Rirc and Backdoor.IRC.BOT
worms. Norton however removes them. Also Norton AV's Auto-protect is
constantly shutting itself down when I re-boot the computer. I have
downloaded from their site a small file called sevint.exe which after
running allows me to turn auto-protect back on. This however only lasts
until I re-boot again.
The two worms were found by Norton in: documents & settings / all users /
shared document folder. When I looked in this folder I found 3 files.
Install.exe / setup32.exe & update32.exe. If I clicked on the install
file or the setup32 file Norton's auto-protect would shut down. As I type
this message Norton's auto-protect has shut down & I'm being asked to
activate Norton, even though I have activated this copy about 3 weeks ago.

The second thing that has happened today is boxes from Norton warning me
that my e-mails could not be sent. As I closed that box more opened each
giving an e-mail address that I did not recognise. I had to shut down the
computer to stop it. I then scanned the computer & found nothing.


Any help or suggestions would be appreciated. Oh & Norton will not connect
to its server to activate itself again!
 
Roy

Hi again,
To add to the other problems I am now unable to connect to any web site.
This means that I am unable to re-register Norton AV. The problems seem to
be mounting. I can however send e-mails. I am desperately awaiting some
kind person to respond.

Regards,
Roy.
 
Gabriele Neukam

On that special day, Roy said...
I am constantly getting infected with the W32.HLLW.Rirc and Backdoor.IRC.BOT
worms.

Are these names given by Norton?

This is a very generic name, and a very generic description. With this,
we have no information about how it came in, and where or how it settled
down.

This might be the specific name of the intruder. Or do you get two
different messages, and the second beast cannot even be identified by
name?

Maybe you have more than one unwanted inhabitant on your hard disk, or
the unknown one dropped the known one, or the other way round. Note:
some trojans bring "friends" in, because they want company - if the
known one is removed, the unknown can still do damage. For that reason,
you can never be sure whether your machine is really cleaned, if you
have removed *one* trojan.

They tend to proliferate like bunnies.

Are you using an IRC program? Maybe you should change it for another
one, that hopefully doesn't have vulnerabilities that could be
exploited. There are free alternatives like Gaim

http://sourceforge.net/projects/gaim/

I have the feeling your machine is basically trojanized. You will need
more than just Norton to defeat that infestation. Follow David Lipman's
procedure, to find out what exactly has laid its hands on your system:

<quote>
1) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt285.zip

Extract the contents of the ZIP file and place the contents in the same
directory as SYSCLEAN.COM.

2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) If you are using WinXP, create a new Restore point
9) Please report back your results
<end of quote>

And then check the weaknesses of your file sharing, and your IRC
program, or disallow the automatic download of files.


Gabriele Neukam

 
Why so many stars for so few four-leaf clovers?

Gabriele,

He says that he is unable to connect to any web site...
 
Roy

Thanks for taking the time to reply Gabriele. I don't use IRC and they are
the two items named by Norton. I don't have any idea how they arrived on my
computer.

I will try the Trend package that you suggest. I did find out however that
Norton AV 2005 has a problem which requires a downloadable fix. This
corrects it asking me to register the software again. At least I am now
partly covered by Norton.
Thanks again.

Roy.

IMPORTANT PLEASE READ Please do not add my address to any
on-line address book. Or send me, e-greetings cards and web page links via
their site to this address. I'm trying to cut down on junk mailers getting
my address. Thanks. www.btinternet.com/~godalming
 
Max M.Wachtel III

Roy said:
Thanks for taking the time to reply Gabriele. I don't use IRC and they are
the two items named by Norton. I don't have any idea how they arrived on my
computer.

I will try the Trend package that you suggest. I did find out however that
Norton AV 2005 has a problem which requires a downloadable fix. This
corrects it asking me to register the software again. At least I am now
partly covered by Norton.
Thanks again.

Roy.

Are you using spybot's "Resident"?
Here are some other programs to try.

Beginning of standard canned reply...

Update Windows. Use a firewall.
Use an Anti-Virus of your choice and keep it updated.
In Windows Explorer, set Folder Options to “show all files”.
Clean out all temp, cache, etc. files.
Download BeClean here:
http://boozet.xepher.net/beclean/

If you lose your Internet connection after running AdAware download
Winsock Fix here:
http://www.tacktech.com/display.cfm?ttid=257

Run a couple of online scanners (pick a different one than your main AV):

BitDefender:
http://www.bitdefender.com/scan/licence.php

Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

eTrust:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

House Call:
http://housecall.trendmicro.com/housecall/start_corp.asp

If the previous do not solve your problems:
Download Bazooka here:
http://www.kephyr.com/spywarescanner/

Download SwatIt here:
http://swatit.org/

Download KL-Detector here
http://dewasoft.com/privacy/kldetector.htm

Download CWShredder here
http://www.intermute.com/spysubtract/cwshredder_download.html

Download HijackThis here:
http://www.majorgeeks.com/download3155.html
Install, run and save the log that is created. Don’t let it fix anything
yet!
You can find forums to post the log to have it analyzed here:
http://tomcoyote.org/hjt/

Download eScan here:
http://www.mwti.net/antivirus/free_utilities.asp
Rename the downloaded file escan.zip and extract (with a zip program) to
C:\Downloads, which you will have to create. Run the updater
(kavupd.exe) and then run eScan (mwavscan.exe).


.... End of standard canned reply.

Check out your hosts file to see if it has been altered.

Hope you get it sorted out.
-max


--
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
Roy

Thanks Max,
I think it's now sorted. Two of my problems were with Norton AV.
Downloaded two patches for it & so far it's behaving. As for the mail
problem, I have no idea!

Thanks for the help anyway.
Regards,
Roy.

 
