Help identify virus? these symptoms....

[Buffalo]

You only got yourself.

Gotcha.

 

[jeffc]

Netsky
http://vil.nai.com/vil/content/v_101027.htm

The MultiDropper-LA Trojan will install the Netsky.
http://vil.nai.com/vil/content/v_127037.htm


What about Adaware. Have you scanned with it yet ?

I was able to download AdAware. Unfortunately I went to www.adaware.com
which is a totally different thing - it installed Spy Assassin or some such
nonsense that I assumed was the right thing. I uninstalled it but it left
some remnants, like a IE task bar. Anyway, AdAware found a couple things,
but it is not related to me problem.

 

[jeffc]

Delete the whole 'hosts' file and obtain the software I indicated from another computer.
Then scan the platform per my previous instructions.

In addition copy the text in between the "----" (dashes) below and then paste it into a text
editor.
Save the file as FixSwen.inf . After you save ito to a disk. On the affected PC right click
on the file FixSwen.inf and choose "Install".

----
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
AddReg=FixSwen
DelReg=EnableRegTools

[FixSwen]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe "%1""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"

[EnableRegTools]
HKCU,

"software\microsoft\windows\currentversion\policies\system","DisableRegistry
Tools"

I'm a little leery of what the does exactly. I'd really rather identify
exactly what virus I have first.

 

[jeffc]

127.0.0.1 localhost

If there is any thing after this,it is probably your problem.
What did your anti-virus report?

The virus (or whatever) kept replacing the hosts file. I made it read only
and I haven't seen it change in awhile - could be just a coincidence. I was
able to get to symantec and download a trial version of their AV software.
Unfortunately I can't run the install - just quits (just like regedit, etc.)
I tried renaming the exe, but no luck. (I was able to rename the
stinger.exe and got that to run, but it didn't find the problem .... I don't
think...)

 

[jeffc]

OK then, if you are accessing the Internet from another system try this.
Browse to the following site I have below. It is the Avast BART program.
With that you can create a bootable CD that you can detect and clean a
system with. The program is free to try until October 15th so you have
enough time.

http://www.avast.com/eng/products/desktop_protection/avast_bart_cd/avast_bart_cd_downlo.html

Apparently the virus is not allowing me to get to this site, even though my
hosts file appears to be clear.

 

[David H. Lipman]

It is a McAfee INF file { http://vil.nai.com/vil/averttools.asp }
To make sure executable file types are indeed executable.

Dave




|
| I'm a little leery of what the does exactly. I'd really rather identify
| exactly what virus I have first.
|
|

 

[jeffc]

It is a McAfee INF file { http://vil.nai.com/vil/averttools.asp }
To make sure executable file types are indeed executable.

Does not seem to make any difference. As of now, I'm not able to run a
virus scanner such as Stinger (which I had to rename) because it gets into
an apparent endless loop searching my Temporary Internet files directory,
even though I've removed all files from that directory.

 

[Guy]

I'm having a hard time searching for this one because one of the
symptoms is that whenever I use Google to search for "virus" or
something like that in the keywords, Internet Explorer closes
automatically. If I try to go to a site to download some
software, such as www.symantec.com, it says it can't find the
site. If I try to run Stinger, it closes automatically (won't
run). If I try to run regedit, it closes automatically (won't
run). On my Task Manager processes page, it's completely blank.
Those are the only symptoms I'm aware of, other than that the
computer seems to be running fine. I guess I can go to the store
and buy Norton anti-virus or something, but I'm not sure I'd even
be able to refresh the virus definitions from their web site the
way this "virus" (if it is one) seems to be operating. Any tips?
thanks!

Hi, sorry I'm not much of a "handholder" so you will need to work most
of this out yourself. Seems as if you have a version of Agobot.
Rename regedit.exe to regedit.com
Run regedit, backup the registry then poke through the registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run*
(probably best to go through all the HKCU "Run*" keys too)
and remove ALL the entries that seem strange.
(I hope you know your system, or at least what is normal)
Clear out that Hosts file and reboot.
Go to a AV site and get a scanner and update the defs.
Run it and clean your system.

 

[Zvi Netiv]

I was able to download AdAware. Unfortunately I went to www.adaware.com
which is a totally different thing - it installed Spy Assassin or some such
nonsense that I assumed was the right thing. I uninstalled it but it left
some remnants, like a IE task bar. Anyway, AdAware found a couple things,
but it is not related to me problem.

Your problems sounds familiar and the symptoms resemble those I found on a
friend's PC, a couple of months ago.

What caused the mess was a variant of what's known as HacDef. The trouble was
that nothing of the methods provided on the AV producer pages seemed to work,
they didn't even seem to detect anything suspicious on the affected system.

Moreover, essential utilities and applications such as Regedit, Msconfig,
HijackThis, Spybot, Stinger and others couldn't be used as they strangely
"disappeared" on the affected drive, or aborted soon after launching, just as
you described.

The reason to all that mess, after we resolved it, was found in the following
section of an apparently innocent INI file:

--- found in Winunins.ini ---
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINNT\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
--- /end quote from winunins.ini ----

From the above you can learn how this trojan works, and more important, how to
defeat it.

Eventually, the solution was to rename the Trojan's driver and INI file from a
network connected PC. You can't do it from the affected PC because all bogus
files, processes, service, and even registry entries, are all hidden when the
Trojan was active, even in Safe Mode! Rebooting after having renamed the driver
let us clear manually all the remains of the Trojan, from registry, HOSTS, and
delete the offending files. Check the AV producer pages to read what they are.

The first clue where to look for the driver name was obtained by running a
renamed copy of Regedit.exe (don't use "Regedit.com" for name since "regedit" is
in the hide list), and browsing the content of
LMHK/Software/Microsoft/Windows/CurrentVersion/Run. In our case the bogus pair
was Winunins.exe and Winunins.ini.

If your PC isn't networked and runs on NTFS, then you can boot from a CD
prepared with Bart's PE to rename the Trojan driver.

Regards, Zvi

 

[xmp]

What caused the mess was a variant of what's known as HacDef. The trouble was
that nothing of the methods provided on the AV producer pages seemed to work,
they didn't even seem to detect anything suspicious on the affected system.

Hacker Defender is a rootkit and may used in conjuction with other
backdoors and/or hack tools. It's a kernel-mode kit, so quite stealthy.
"once in Ring Zero, forever Ring Zero" as they say.

Word is that Kaspersky has the best chance of detecting it (outside of
dedicated tools).

michael

 

[xmp]

Moreover, essential utilities and applications such as Regedit, Msconfig,
HijackThis, Spybot, Stinger and others couldn't be used as they strangely
"disappeared" on the affected drive, or aborted soon after launching, just as
you described.

Things that might come in handy are VICE, Klister, Patchfinder2, RK
Detector, RegDatXP, Task Info, Kaspersky, etc.

michael

 

[Zvi Netiv]

Things that might come in handy are VICE, Klister, Patchfinder2, RK
Detector, RegDatXP, Task Info, Kaspersky, etc.

Common sense is handier, faster and more dependable.

Regards, Zvi

 

[jeffc]

Hi, sorry I'm not much of a "handholder" so you will need to work most
of this out yourself. Seems as if you have a version of Agobot.
Rename regedit.exe to regedit.com

HacDef and Agobot sound like 2 good leads. Thanks for the help. Was able
to connect to Symantec site after clearing hosts file, but ws not able to
run the dowloaded install program. Was not able to connect to Avast even
after clearing my hosts file. Will try some of other sites mentioned. Will
rename regedit.exe to something other than regedit.com as another poster
mentioned. Thanks for the clues guys...

 

[jeffc]

What caused the mess was a variant of what's known as HacDef.

I'm not on a network, but will get to work on these clues, thanks....

 

[jeffc]

of this out yourself. Seems as if you have a version of Agobot.
Rename regedit.exe to regedit.com
Run regedit

No can do. After renaming it it says registry editing has been disabled by
your administrator (even if logged on as administrator in safe mode). This
is getting silly.

 

[Larry Sabo]

No can do. After renaming it it says registry editing has been disabled by
your administrator (even if logged on as administrator in safe mode). This
is getting silly.

Reminds me of W32/Torvil-A...

http://www.sophos.com/virusinfo/analyses/w32torvila.html

Google for a removal tool for Torvil (I think I used one from
Kaspersky, but could be wrong).

Larry

 

[David H. Lipman]

Who has to Google I already posted a tool that will find and remove the Torvil worm.

Trend Sysclean
http://www.trendmicro.com/download/dcs.asp

In fact I was the first to reply to him and I suggested Sysclean ;-)

Dave




|
| >
| >| >> of this out yourself. Seems as if you have a version of Agobot.
| >> Rename regedit.exe to regedit.com
| >> Run regedit
| >
| >No can do. After renaming it it says registry editing has been disabled by
| >your administrator (even if logged on as administrator in safe mode). This
| >is getting silly.
|
| Reminds me of W32/Torvil-A...
|
| http://www.sophos.com/virusinfo/analyses/w32torvila.html
|
| Google for a removal tool for Torvil (I think I used one from
| Kaspersky, but could be wrong).
|
| Larry
| ---
| larry sabo (as one word) at istop dot com
|
|
|
|
|

 

[Zvi Netiv]

No can do. After renaming it it says registry editing has been disabled by
your administrator (even if logged on as administrator in safe mode). This
is getting silly.

Is this after you renamed the application to Regedit.com? What happens if you
rename it to abcde.exe?

Regards

 

[Zvi Netiv]

Who has to Google I already posted a tool that will find and remove the Torvil worm.

Trend Sysclean
http://www.trendmicro.com/download/dcs.asp

In fact I was the first to reply to him and I suggested Sysclean ;-)

You deserve a medal, then! ;-)

Cheers

 

[jeffc]

Who has to Google I already posted a tool that will find and remove the Torvil worm.

Trend Sysclean
http://www.trendmicro.com/download/dcs.asp

In fact I was the first to reply to him and I suggested Sysclean ;-)

Sysclean won't run because it gets in an infinite loop (apparently) checking
through the internet Temporary Files folder (which is supposed to be empty.)