Re: Bizarre Virus-- I think it's a virus...

From: Malke (noreply_at_invalid.com)
Date: 03/31/05


Date: Thu, 31 Mar 2005 05:47:15 -0800

Lauren wrote:

> My boss's computer at work uses XP (Home Edition, I believe, it's his
> personal computer as well). We recently have had a spyware problem,
> tons of pop-ups, etc. I thought I fixed it by running Spybot Search +
> Destroy, but then I came back from the weekend only to find that
> NOTHING is working. Something has gotten into the system and keeps
> turning off the automatic Virus Protection (Norton), and it's to the
> point now that we can't even open anything. If I'm lucky I'll be able
> to get a document to open, but nothing off of the start menu, anything
> like that... I can't even get to my Control Panel to do a System
> Restore, which was the only thing I could think of to at least get
> this to a manageable point! I just don't know what to do... whenever I
> try to open anything a program crashes "Dr Watson
> something-or-another," which is clearly a virus... but it always comes
> back and shows up in the task manager...
>
> Any thoughts??
> I would even appreciate it if anyone can just think of how to calm
> this down long enough to get a System Restore done... something...

You need to clean the system. Spybot will not remove viruses, and it
isn't enough to run only one antispyware tool. Here are general malware
removal steps. Because NAV is not working, start your cleaning with
TrendMicro's Sysclean. After the scan with Sysclean, make sure your NAV
definitions are current and then scan with it. It is crucial to do all
scans with updated tools in Safe Mode.

A. Sysclean

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files. Delete all Temporary and
Temporary Internet Files before running the program.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or, if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

B. Continue malware removal

1) Scan in Safe Mode with a current version (not earlier than 2004) of
your antivirus, using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.intermute.com/products/cwshredder.html
http://www.tomcoyote.com/hjt/ - HijackThis
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke

-- 
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
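Two of the checks in Malke's steps can be scripted on a Windows machine that has PowerShell (which the XP systems of 2005 did not yet ship with). The following is an added example, not Malke's or TrendMicro's code: it audits the Folder Options view settings named in step B.2 (hidden files, file extensions, protected OS files) and lists the System Restore points that step B.3 tells you to prune. It assumes Windows PowerShell on the affected machine and uses the standard Explorer registry path and value meanings.

```powershell
# Added example (not Malke's or TrendMicro's code). Audits the Folder Options
# view settings the post tells you to check before hunting for malware, and
# lists System Restore points so you can see what step B.3 would prune.
# Assumes Windows PowerShell on the affected machine; the registry path and
# value meanings are the standard Explorer ones. Run with -Fix to correct them.
param([switch]$Fix)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value name -> the setting that lets you see files malware tries to hide.
# Hidden: 1 = show hidden files, 2 = do not show. HideFileExt: 0 = show
# extensions (so "readme.txt.exe" is not disguised). ShowSuperHidden: 1 = show
# protected operating system files.
$wanted = @{
    Hidden          = @{ Expected = 1; Meaning = 'Show hidden files and folders' }
    HideFileExt     = @{ Expected = 0; Meaning = 'Show extensions for known file types' }
    ShowSuperHidden = @{ Expected = 1; Meaning = 'Show protected operating system files' }
}

$current = Get-ItemProperty -Path $advanced
$changed = $false
foreach ($name in $wanted.Keys) {
    $have = $current.$name
    $want = $wanted[$name].Expected
    if ($have -eq $want) {
        Write-Host ('OK   {0,-16} = {1}  ({2})' -f $name, $have, $wanted[$name].Meaning)
        continue
    }
    Write-Host ('FIX  {0,-16} = {1}, want {2}  ({3})' -f $name, $have, $want, $wanted[$name].Meaning)
    if ($Fix) {
        Set-ItemProperty -Path $advanced -Name $name -Value $want -Type DWord
        $changed = $true
    }
}
if ($changed) {
    Write-Host 'Settings changed; restart Explorer (or log off and on) for them to take effect.'
}

# Step B.3: malware cleaned from the live system can survive inside restore
# points. List them (needs an elevated session on a client Windows) so you can
# decide which, if any, to keep before pruning with Disk Cleanup > More Options.
try {
    Get-ComputerRestorePoint -ErrorAction Stop |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not enumerate restore points: $_"
}
```

Save it as a .ps1 file and run it from an elevated PowerShell session; without -Fix it only reports, so it is safe to run first in audit mode.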