From: Manish (anonymous_at_discussions.microsoft.com)
Date: Mon, 5 Jul 2004 09:13:39 -0700
I will try this out.
>On Mon, 5 Jul 2004 06:26:49 -0700, "Manish Dewan"
>>My pc is infested with this backdoor.irc.bot.
>>I am unable to get connected to Symantec website.
>>This is for Windows XP home System.
>>The infested file is WindowsSystem32.*** file. Hence
>>the Symantec Antivirus is denied permission.
>>How can I remove this virus?
>Sounds like you may have multiple infections, including a browser or dns hijack.
>The hijack apparently interferes with your ability to access websites. You may
>have to resolve the ip addresses manually to get the tools to find and remove
>All-NetTools and DNSStuff websites both help you resolve
><http://www.all-nettools.com/toolbox> (Use NSLookup)
><http://www.dnsstuff.com/> (Use Ping)
>Install and run Stinger.
>Search your entire system drive, including hidden and system folders, for file
>"hosts". There is one legit copy, in C:\WINDOWS\system32
>others are possibly bogus, and part (but just part) of the problem. Examine the
>contents of each copy found, using Notepad. (HINT: Scroll to the end of each
>Hosts file, by hitting Ctrl-End, then back up to the top, page by page, before
>deciding that the file is empty. Look out for blank lines at the beginning and
>end of the file, after localhost, placed there by an
>Try one or more of these free online virus scans, which should complement NAV:
>Now check for, and learn to defend against, additional problems. Have you
>downloaded these programs before? Download them again, as the latest version
>may be needed to keep up with the current level of malware being attempted
>constantly - get the absolutely most current version of each product listed.
>They're all free - and most pretty small, so they download quickly enough.
>Start by downloading each of the following free tools:
>CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval
>LSP-Fix and WinsockLSPFix
>Spybot S&D <http://www.safer-networking.org/index.php?
>Create a separate folder for HijackThis, such as C:\HijackThis - copy the
>downloaded file there. Spybot S&D has an install routine - run it. The other
>downloaded programs can be copied into, and run from, any convenient folder.
>Start by closing all Internet Explorer and Outlook windows, and running
>CoolWebSearchSmartKillerMiniRemoval, then CWShredder. Have the latter fix all.
>Next, run AdAware. First update it ("Check for updates now"), configure for
>full scan (<http://www.lavahelp.com/howto/fullscan/>), then scan ("Start" - "Use
>custom scanning options" - "Next"). When scanning finishes, select everything,
>and hit Next again.
>Next, run Spybot S&D. First update it ("Search for updates"), then run a scan
>("Check for problems"). Trust Spybot, and delete everything ("Fix Problems")
>that is displayed in Red.
>Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
>Finally, have your HJT log interpreted by experts at one or more of the
>following security forums (and post it, or a link to your forum posts, here):
>Spyware Info: <http://forums.spywareinfo.com/>
>Spyware Warrior: <http://spywarewarrior.com/index.php>
>Tom Coyote: <http://forums.tomcoyote.org/>
>If removal of any spyware affects your ability to access the internet (some
>spyware builds itself into the network software, and its removal may damage your
>network), run LSP-Fix and / or WinsockXPFix.
>And Manish, please don't contribute to the spread and success of email address
>mining viruses. Learn to munge your email address properly, to keep yourself a
>bit safer when posting to open forums. Protect yourself and the rest of the
>internet - read this article.
>BTW, please read this article about Cross-Posting vs
>Paranoia comes from experience - and is not necessarily a bad thing.
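
The hosts-file check described in the quoted reply, as an added example that is not part of the original thread: a Python sketch that flags entries pushed out of view by blank-line padding and names mapped to loopback or to some other address. The sample file, its host names and addresses are constructed, and the padding threshold of 5 lines is an assumption.

```python
import ipaddress

# Constructed sample (not from the thread): one legitimate line, then entries
# pushed out of view by blank-line padding. Names and addresses are placeholders.
SAMPLE_HOSTS = (
    "# sample hosts file\n"
    "127.0.0.1       localhost\n"
    + "\n" * 40
    + "127.0.0.1       av-vendor.example\n"
    + "203.0.113.7     search.example\n"
)

def audit_hosts(text, pad_threshold=5):
    """Return [(line_no, [reasons], raw_line)] for entries worth a closer look."""
    findings, blank_run = [], 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            blank_run += 1          # count consecutive empty lines
            continue
        entry = raw.split("#", 1)[0].split()
        if not entry:
            continue                # comment-only line
        reasons = []
        if blank_run >= pad_threshold:   # assumed threshold for "hidden" entries
            reasons.append(f"follows {blank_run} blank lines")
        blank_run = 0
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            ip = None
        names = [n.lower() for n in entry[1:]]
        if ip is None or not names:
            reasons.append("malformed entry")
        elif ip.is_loopback and names != ["localhost"]:
            reasons.append("name pointed at loopback (site made unreachable)")
        elif not ip.is_loopback:
            reasons.append(f"name redirected to {ip}")
        if reasons:
            findings.append((line_no, reasons, raw))
    return findings

if __name__ == "__main__":
    for line_no, reasons, raw in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {raw.strip()!r} -> {'; '.join(reasons)}")
```

To audit a real copy, pass the text of each "hosts" file found on the drive to `audit_hosts` instead of the sample.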