Unknown Virus, please help identify

Simon Howson

My friend has a virus on his computer that has done the following things.

It has disabled Norton AntiVirus from loading, and stopped liveupdate
from successfully installing new virus definitions.

It has stopped the Windows XP Firewall control panel applet from being
loaded

It has stopped access to webpages of the most popular antivirus
programmes, such as Symantec (Norton), McAfee and even Grisoft (AVG).

The virus has generally slowed down the speed of his ADSL internet access

He tried to subscribe to various antivirus newsgroups, but this caused
Outlook Express to crash!

I am wondering if these symptoms are familiar, so that we can identify
exactly which virus this is, so that we can find a removal tool for it.

At the moment we are finding it very difficult to remedy the situation
with generic virus scanners because the virus seems to be stopping us
from running any virus scanners that we install.

Also we tried to use some of the internet based web virus scanners, but
the virus blocks access to those particular webpages!

Any help regarding the nature of this virus will be appreciated!

Feel free to email me (e-mail address removed)
 
David H. Lipman

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt345.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point


* * * Please report your results ! * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html




| My friend has a virus on his computer that has done the following things.
|
| It has disabled Norton AntiVirus from loading, and stopped liveupdate
| from successfully installing new virus definitions.
|
| It has stopped the Windows XP Firewall control panel applet from being
| loaded
|
| It has stopped access to webpages of the most popular antivirus
| programmes, such as Symantec (Norton), McAfee and even Grisoft (AVG).
|
| The virus has generally slowed down the speed of his ADSL internet access
|
| He tried to subscribe to various antivirus newsgroups, but this caused
| Outlook Express to crash!
|
| I am wondering if these symptoms are familiar, so that we can identify
| exactly which virus this is, so that we can find a removal tool for it.
|
| At the moment we are finding it very difficult to remedy the situation
| with generic virus scanners because the virus seems to be stopping us
| from running any virus scanners that we install.
|
| Also we tried to use some of the internet based web virus scanners, but
| the virus blocks access to those particular webpages!
|
| Any help regarding the nature of this virus will be appreciated!
|
| Feel free to email me (e-mail address removed)
 
Simon Howson

David said:
1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt345.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point


* * * Please report your results ! * * *


Thank you for your reply. I have a feeling that the virus he has is
Backdoor.Abebot.

My reasoning is that the infection occurred today or yesterday; however,
there has not been a liveupdate containing definitions for that file yet.
I don't know if it is worth me manually sending him the individual
updates because he can't get Norton AntiVirus to load.

I have found information for it here:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.abebot.html

UNFORTUNATELY, the virus is not letting him use regedit to delete the
registry entries that are loading the virus (which in turn would enable
us to determine what the virus has randomly named itself in the
system32 folder).


Is there any way to edit the registry without running regedit?

Do you know if any of those tools scan for backdoor.abebot?

Simon Howson
 
David H. Lipman

I don't know if that is what is infecting your friend's PC or not. I have not heard of that
Trojan, nor does that page identify the name(s) other AV vendors use for it.

I suggest following my directions and see if the software tools I indicated will help. We
can go on from there.

--
Dave




| David H. Lipman wrote:
| > 1) Download the following four items...
| >
| > McAfee Stinger
| > http://vil.nai.com/vil/stinger/
| >
| > Trend Sysclean Package
| > http://www.trendmicro.com/download/dcs.asp
| >
| > Latest Trend Pattern File.
| > http://www.trendmicro.com/download/pattern.asp
| >
| > Adaware SE (free personal version v1.05)
| > http://www.lavasoftusa.com/
| >
| > Create a directory.
| > On drive "C:\"
| > (e.g., "c:\New Folder")
| > or the desktop
| > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| >
| > Download Sysclean.com and place it in that directory.
| > Download the Trend Pattern File by obtaining the ZIP file.
| > For example; lpt345.zip
| >
| > Extract the contents of the ZIP file and place the contents in the same directory as
| > sysclean.com.
| >
| > 2) Update Adaware with the latest definitions.
| > 3) If you are using WinME or WinXP, disable System Restore
| > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| > 4) Reboot your PC into Safe Mode
| > 5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
| > platform and clean/delete any infectors/parasites found.
| > (a few cycles may be needed)
| > 6) Restart your PC and perform a "final" Full Scan of your platform using the three
| > utilities; Trend Sysclean, Stinger and Adaware
| > 7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
| > System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
| > 8) Reboot your PC.
| > 9) If you are using WinME or WinXP, create a new Restore point
| >
| >
| > * * * Please report your results ! * * *
| >
| >
|
|
| Thank you for your reply. I have a feeling that the virus he has is
| Backdoor.Abebot.
|
| My reasoning is that the infection occurred today or yesterday; however,
| there has not been a liveupdate containing definitions for that file yet.
| I don't know if it is worth me manually sending him the individual
| updates because he can't get Norton AntiVirus to load.
|
| I have found information for it here:
| http://securityresponse.symantec.com/avcenter/venc/data/backdoor.abebot.html
|
| UNFORTUNATELY, the virus is not letting him use regedit to delete the
| registry entries that are loading the virus (which in turn would enable
| us to determine what the virus has randomly named itself in the
| system32 folder).
|
|
| Is there any way to edit the registry without running regedit?
|
| Do you know if any of those tools scan for backdoor.abebot?
|
| Simon Howson
 
midicad2001

Interesting, starting the 12th of January my XP Pro system started to
act bizarrely, required reauthentication, then the internet connection didn't
work. After many reboots I could not get to the desktop unless I got
into Task Manager and killed a process called something like lmass1.exe
- if I didn't do this it would just stall with only the wallpaper
displayed.

I am on DSL going through a Netgear RT314 and don't typically run
Internet Connection Firewall. Maybe I should?

Ran McAfee version 8, latest updates, and it found about a dozen things
including something called Downloader-RK that keeps reappearing. Then
Lavasoft Adaware SE latest version scanned through and found 571
objects. I quarantined these; however, Adaware froze the system after
the delete progress bar went all the way over. After a hard reset it
appeared (rerunning Adaware) that it had successfully quarantined the
stuff, which I then deleted. Running Adaware again, it starts finding
more stuff, but then mysteriously this system shutdown timer window
appears that you CANNOT stop via Task Manager, and it will force system
shutdown before Adaware can complete. So it looks like it was
specifically designed to knock Adaware out.

Does this bear any resemblance to what you are talking about?
Thanks,

Gary
 
Lil' Abner

| My friend has a virus on his computer that has done the following things.
|
| It has disabled Norton AntiVirus from loading, and stopped liveupdate
| from successfully installing new virus definitions.
|
| It has stopped the Windows XP Firewall control panel applet from being
| loaded
|
| It has stopped access to webpages of the most popular antivirus
| programmes, such as Symantec (Norton), McAfee and even Grisoft (AVG).

Your hosts file has been altered. In its original state there should be
only one uncommented entry.... 127.0.0.1 localhost
It may still appear that way, but if you scroll way down you'll find
several entries for the various antivirus companies. Delete everything
below the localhost entry or delete the hosts file altogether.
It will be found in c:\windows\system32\drivers\etc (assuming windows is
installed on drive c)
You should then be able to update your virus definitions or connect to
the free online virus scanning sites.
Once you get your definitions updated, then run your virus scan in Safe
Mode. It's also a good idea to turn System Restore off when you do it.
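The hosts-file hijack described in this post can be checked for mechanically rather than by scrolling. The following is an added example and not code from the thread: it parses a Windows hosts file, reports every uncommented mapping other than the expected localhost line, flags hostnames that match security-vendor keywords, and notes whether a long run of blank lines is hiding entries far below the top. The sample hosts content and the vendor keyword list are constructed for the demonstration.

```python
# Added example, not thread code; sample data and keyword list are constructed.
# Mappings a clean Windows hosts file is expected to contain.
DEFAULT_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Constructed keyword list covering the vendors named in the thread.
VENDOR_KEYWORDS = ("symantec", "norton", "mcafee", "grisoft", "avg",
                   "trendmicro", "liveupdate", "lavasoft")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every uncommented mapping."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()     # drop trailing comments
        if len(parts) < 2:
            continue                             # blank, comment or malformed
        for name in parts[1:]:                   # one IP may list many hosts
            yield n, parts[0], name.lower()

def longest_blank_run(text):
    """Longest run of blank lines: the 'scroll way down' padding trick."""
    longest = run = 0
    for raw in text.splitlines():
        run = run + 1 if not raw.strip() else 0
        longest = max(longest, run)
    return longest

def audit_hosts(text, blank_run_threshold=20):
    """Return every non-default mapping, flagging security-vendor hostnames."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_OK:
            continue
        hit = any(k in name for k in VENDOR_KEYWORDS)
        findings.append({"line": n, "ip": ip, "host": name, "vendor_redirect": hit})
    return {"entries": findings,
            "padded": longest_blank_run(text) >= blank_run_threshold}

# Constructed sample: the expected localhost line, 40 blank lines of
# padding, then hijack entries of the kind the post describes.
SAMPLE_HOSTS = ("# Copyright (c) 1993-1999 Microsoft Corp.\n"
                "127.0.0.1       localhost\n" + "\n" * 40 +
                "127.0.0.1 www.symantec.com liveupdate.symantec.com\n"
                "127.0.0.1 www.mcafee.com   # blocks the vendor site\n"
                "127.0.0.1 www.grisoft.com\n"
                "10.0.0.5  update.example.invalid\n")

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for e in report["entries"]:
        flag = "VENDOR REDIRECT" if e["vendor_redirect"] else "non-default"
        print(f"line {e['line']:>3}: {e['ip']:<10} {e['host']:<28} {flag}")
    print("blank-line padding present:", report["padded"])
```

To audit a real machine, read `c:\windows\system32\drivers\etc\hosts` into `text` and pass it to `audit_hosts`; any entry reported besides localhost deserves a look, whether or not it matches a vendor keyword.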
 
