New virus

[Bruno]

I have a virus, It seems nobody heard about this one. It creates à entry in the
register : video process that launches an application called sysconf.exe. It
the classic smtp engine stuff. I lost access to all antivirus websites unless I
delete the entries made in the hosts file.

127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
etc.

But my problem is that even if I delete all of the above it keeps coming back.
Anyone heard of tthat worm ?

 

[Danny Mingledorff]

Lots of hits in a Google search for this.

Might want to try Spybot or Ad-aware first.

Good luck.

I have a virus, It seems nobody heard about this one. It creates à entry in
the
register : video process that launches an application called sysconf.exe. It
the classic smtp engine stuff. I lost access to all antivirus websites
unless I
delete the entries made in the hosts file.

127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
etc.

But my problem is that even if I delete all of the above it keeps coming
back.
Anyone heard of tthat worm ?

 

[Bob I]

Dunno where you looked or who you asked but www.google.com is helpfull

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=sysconf.exe

http://www.windowsstartup.com/wso/browse.php?l=19&start=50&end=75

sysconf.exe Microsoft Conf Ldr 1 Added as a result of a variant of the
SDBOT VIRUS! Google

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html

 

[Guest]

Not the same virus. I don't have these entries in my register.

 

[Head Hunter]

Sounds like a virus to me, not spy-ware. Look at what it is doing. It is
making it so he can't go to any of the anti-virus vendors web sites for
updates or information.

Try the new Zone Alarm. It has an advanced option to lock the Hosts file
(Firewall, Main tab, Advanced button). Install it, clean up the Hosts file,
then tell Zone Alarm to lock the file.

Then, update your antivirus.

 

[Steve Nielsen]

There is a page hijacking trojan that surfaced a few months back, none
of the a/v vendors I know of list it. I don't even know if there's an
official name for it. A co-worker got hit by it from a vistit to a
supposedly techie site he found on a google search. I know he had a hell
of a time getting rid of it. I asked him about it last week and he
doesn't remember what he had to do, but there were a few registry edits
involved in addition to the host file edit. OP might do better askig in
a virus newsgroup such as alt.comp.virus

Might also try flagging hosts as read-only.

Steve