RE: possible virus
From: Malke (notreally_at_invalid.com)
Date: 05/04/05
- Next message: DJ: "Re: Possible Trojan/Worm"
- Previous message: cquirke (MVP Windows shell/user): "Re: Infected Through Shares?"
- In reply to: deletethis: "RE: possible virus"
- Next in thread: David H. Lipman: "Re: possible virus"
Date: Wed, 04 May 2005 05:11:04 -0700
Chibber Palm773(deletethis)@AOL.com wrote:
>
>
> "Chibber Palm773(deletethis)@AOL.com" wrote:
>
>> Hi, all of a sudden when I browse web pages they take forever to
>> load, but online gaming works fine. I've contacted my ISP and every
>> technical process they have taken me through has been unsuccessful so
>> far. After looking through my processes I'm seeing a few new ones
>> appear which are unfamiliar to me, specifically one called "netz.exe".
>> If I end this process it appears straight away somewhere else in the
>> process list. I did a search on the file and it was located in
>> c:\windows\system32 and it seems to be in a permanent state of being
>> accessed, as whenever I look at the file's properties it displays the
>> current time to the second, although this could be caused by me
>> looking at the properties; I'm unsure. I cannot quarantine/delete/
>> move/rename the file as it's in use whenever I try. I've scanned it
>> but to no avail; my virus definitions, though, may be out of date as
>> my Norton subscription has run out and I cannot afford to pay it.
>> Please help :S
>
>
> I've managed to deny this file access to the Internet but I'm still
> unable to quarantine it. I cannot log into Safe Mode and try to get
> at it from there as some genius has invented keyboards that only work
> in Windows and decided to sell them without informing the masses :/
You have malware on your system. Please go through the following malware
removal steps, doing everything with updated tools in Safe Mode. You
may need to get the tools/updates from a different, known-clean machine
with an Internet connection and a CD burner.
You will see that Step 1 requires you to scan with a current-version
antivirus, one that uses updated virus definitions. Since you have let
your antivirus subscription lapse, you will need to start by running
TrendMicro's Sysclean. After you have run Sysclean, get and install a
full-featured AV, update it, and do a thorough scan in Safe Mode. AVG
and Avast both make free antivirus programs. Do not connect your
computer to the Internet until it is 100% malware-free.
A. Sysclean - TrendMicro's Sysclean is an extensive antivirus tool which
has the advantage of not needing to be installed. It requires two
parts: the scanning engine and the virus pattern files. Delete all
Temporary and Temporary Internet Files before running the program.
1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:
http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files
The pattern files will be zipped - extract them with your unzipper (like
WinZip), or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made. For a more
automated way to get Sysclean, use Dave Lipman's Sysclean_FE from
http://www.ik-cs.com/got-a-virus.htm
3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.
B. General malware removal - First delete all Temporary and Temporary
Internet Files. For IE's Temporary Files, go to Control Panel>Internet
Options>General tab. You'll see where you can delete cookies and files.
For Firefox, clear its cache by going to Tools>Options>Privacy>Cache>
Clear. For Windows Temporary files, Start>Run cleanmgr [enter] and
then:
1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.
Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.
2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.
Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).
If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.
3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).
4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.
5) Run a firewall.
Links to help with malware:
Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.intermute.com/products/cwshredder.html
http://www.tomcoyote.com/hjt/ - HijackThis
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe
HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
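The respawning, locked file the original poster describes is the kind of thing a defender would triage before starting the cleanup steps above: where the image runs from, which process keeps relaunching it, whether it is signed, and which autostart entries reference it. The PowerShell below is an added example, not code from the thread or from Malke, and assumes a modern Windows host with PowerShell 4 or later (the poster's 2005 XP machine would not have it); the process name is the one quoted in the post, and the registry paths are the standard Run/RunOnce keys.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 4+ on Windows.
# Reports where a suspect process runs from, who spawned it, whether it is
# signed, and which Run keys or services reference it, before any cleanup.
param([string]$Name = "netz.exe")   # name quoted by the original poster

function Get-SuspectProcessReport {
    param([string]$ProcessName)
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'"
    if (-not $procs) { return "No running process named $ProcessName" }
    foreach ($p in $procs) {
        # A process that reappears as soon as it is killed usually has a watchdog parent.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        "PID {0}  parent PID {1} ({2})" -f $p.ProcessId, $p.ParentProcessId, $parent.Name
        "  image  : {0}" -f $p.ExecutablePath
        "  cmdline: {0}" -f $p.CommandLine
        if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
            $file = Get-Item $p.ExecutablePath
            $sig  = Get-AuthenticodeSignature $p.ExecutablePath
            $hash = (Get-FileHash $p.ExecutablePath -Algorithm SHA256).Hash
            "  size {0} bytes, last write {1}, signature {2}" -f $file.Length, $file.LastWriteTime, $sig.Status
            "  sha256 {0}" -f $hash   # the value to look up or submit for analysis
        }
    }
}

function Find-PersistenceReferences {
    param([string]$ProcessName)
    $needle = [regex]::Escape(($ProcessName -replace '\.exe$', ''))
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Value -is [string] -and $prop.Value -match $needle) {
                "Run value {0}\{1} = {2}" -f $key, $prop.Name, $prop.Value
            }
        }
    }
    # A service is the other common way a binary in system32 gets restarted.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $needle } |
        ForEach-Object { "Service {0} [{1}] -> {2}" -f $_.Name, $_.State, $_.PathName }
}

Get-SuspectProcessReport -ProcessName $Name
Find-PersistenceReferences -ProcessName $Name
```

Run it from an elevated prompt so the HKLM keys and all processes are readable; an unsigned image in system32 that is referenced from a Run key or service is what the Safe Mode scan in Malke's steps is meant to catch.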