1. [OT] I think I have a virus

- Notepad closes randomly (actually I think it's after a specific interval)
- Internet Explorer takes forever to start
- my start page has been set to some "Home Search" crap
- my memory almost maxes out right after Windows starts (I use MaxMem by AnalogX)

I ran Ad-aware, Anti-Vir, and Bazooka Spyware scanner, and stripped down my
boot with msconfig. I'm pretty sure it's a virus or a worm or something.
Anyone have any ideas or suggestions?

~Greg


2. Re: [OT] I think I have a virus

It seems more like spyware than a virus; try running Spybot - Search & Destroy.
I've been using it for some months so far and it has detected all the ugly stuff at work.

On Thu, 12 Aug 2004 23:39:48 -0400
Greg Haberek <ghaberek at wowway.com> wrote:



3. Re: [OT] I think I have a virus

http://www.lavasoft.de/ - Ad-aware  - But you said that one.
http://www.safer-networking.org/ - Spybot Search & Destroy
http://www.siena.edu/antivirus/Spyware/hijackthis.htm - Hi-jack This

http://www.nod32.com/ - NOD32

    unkmar

----- Original Message -----
From: "Greg Haberek"
Sent: Thursday, August 12, 2004 11:39 PM
Subject: [OT] I think I have a virus




4. Re: [OT] I think I have a virus

Unkmar wrote:
> 
> http://www.lavasoft.de/ - Ad-aware - But you said that one.
> http://www.safer-networking.org/ - Spybot Search & Destroy
> http://www.siena.edu/antivirus/Spyware/hijackthis.htm - Hi-jack This
> 
> http://www.nod32.com/ - NOD32

Another effective solution:
1. format C:
2. Reload Windows
3. install a real firewall.
4. Connect to internet.
5. Get all Windows updates.

Or, better yet, 
1. Insert Mandrake Linux setup disk. 
2. Hit reset.
3. Follow instructions :)

Irv


5. Re: [OT] I think I have a virus

One of my friend's computers did this.  He (I guess) liked some internet site.
Oh, you know which ones!  And the adware/spyware was so bad he could no
longer even browse the internet.  Each page took an average of something
like 5-10 minutes to load.

After fighting with the browser for an hour or so, I finally got all the
spyware removed (as recommended above).  Rebooted twice and it didn't help.
After much hair pulling, it turned out to be a trojan worm virus which would
(upon connecting to the internet) use 100% of processor resources.

I would suggest this:
http://housecall.trendmicro.com/

It's a free online virus scanner and it can fix most things right off the
web.  Good luck.


Don Phillips - aka Graebel
     National Instruments
     mailto: eunexus @ yahoo.com


6. Re: [OT] I think I have a virus

This is an autoresponder. I'll never see your message.


7. Re: [OT] I think I have a virus

--- Greg Haberek <ghaberek at wowway.com> wrote:

> - Notepad closes randomly (actually I think it's after a specific interval)
> - Internet Explorer takes forever to start
> - my start page has been set to some "Home Search" crap

What page in particular?

> - my memory almost maxes out right after Windows starts (I use MaxMem by
> AnalogX)
>
> I ran Ad-aware, Anti-Vir, and Bazooka Spyware scanner, and stripped down my
> boot with msconfig.

Did anything put itself back in the startup?

> I'm pretty sure it's a virus or a worm or something.
> Anyone have any ideas or suggestions?
>
> ~Greg

Download HijackThis if you haven't already.  Run it and send the log to me, I
can look at it and help you remove any virus/spyware you may have.  Also, if
you want to disable stuff running at startup, try AutoRuns from Sysinternals
(www.sysinternals.com).  It shows a lot of things msconfig leaves out.  One
place in the registry to check that both leave out is the winlogon key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
There should be several entries in there pointing to crypt32.dll and
wlnotify.dll.  These DLLs are called every time you log on, log off, go in and
out of screen saver, etc.  Some spyware, specifically Better Internet, has
started using this key to keep itself loaded.  BTW, are you running XP Pro or
Home edition?  Pro makes it much easier to get rid of this stuff with group
policies.

Chris


8. Re: [OT] I think I have a virus

> What page in particular?

Of all pages, the "about:blank" page! It's modifying pages right before they
finish loading. The progress bar on the bottom will hit 100% but not go away
for a couple of seconds, during which the page is locked up. Obviously
something is taking over during that time.

> Did anything put itself back in the startup?

name:     iets32
file:     C:\WINDOWS\system32\iets32.exe
reg key:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

> >I'm pretty sure its a virus or a
> > worm or something.
> > Anyone have any ideas or suggestions?
> >
> > ~Greg
>
> Download HijackThis if you haven't already.  Run it
> and send the log to me, I can look at it and help you
> remove any virus/spyware you may have.  Also, if you
> want to disable stuff running at startup, try AutoRuns
> from Sysinternals (www.sysinternals.com).  It shows a
> lot of things msconfig leaves out.  One place in the
> registry to check that both leave out is the winlogon
> key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Notify.  There should be
> several entries in there pointing to crypt32.dll and
> wlnotify.dll.  These Dll's are called every time you
> log on, log off, go in and out of screen saver, etc.
> Some spyware, specifically better internet, have
> started using this key to keep themselves loaded.
> BTW, are you running XP Pro or Home edition.  Pro
> makes it much easier to get rid of this stuff with
> group policies.

I've attached hijackthis.log.
I could not find a Winlogon\Notify entry!
I am running XP Pro.

Of all that I know about Active Directory and Group Policies (I only took a
class called Windows 2000 - Active Directory and Group Policies) I'm a
little fuzzy on how I'd use it to get rid of spyware.

Thanks,
~Greg




9. Re: [OT] I think I have a virus

Looks like it may be a new version of CoolWebSearch, I'm not sure though.  The
winlogon key is at HKLM\Software\MS\WindowsNT\CurVer\Winlogon.  Sorry, I think
Yahoo's word wrapping may have gotten the best of us on the last message.

As far as the group policy helping with virus and spyware removal, it's much
improved since Windows 2000.  You can tell Windows to include file types other
than just .exe.  Some of the spyware sets the security so tight, you can't even
view the security tab while it is running, much less delete it.  To get to the
software restrictions, run MMC.  Go to File, Add/Remove Snap In.  Then click
the Add button.  Select Group Policy, click Add, Finish, Close, and OK.  Open
Local Computer Policy, Computer Configuration, Windows Settings, Security
Settings, Software Restrictions.  Double click Enforcement to bring up the
options.  Select All Software Files, and All Users and click OK.  Then, open up
the Security Levels folder, right click on Disallowed, and click Set as
Default.  Then we want to open the Additional Rules folder.  Right click in a
blank spot for the rules and select New Hash Rule.  Click the Browse button and
point it to C:\Windows\System32\iets32.exe.  It should automatically set it to
Disallowed, which is what we want.  We also want to create a new hash rule for
C:\WINDOWS\System32\msdxm.ocx and C:\WINDOWS\system32\rundll32.vbe.

Also, check to see if there is a folder under Program Files called Toolbar, or
one under Program Files\Common Files called Wintools.  If there is, we want to
create a New Path Rule.  Right click on a blank spot in the rules list, click
New Path Rule, and select these folders if they exist.  Of course, make sure
they are set to Disallowed.

After the rules are set, close MMC, save the console if you want, it doesn't
matter.  Then restart.  When you boot up, you should get errors saying these
files aren't allowed to run.  This is, of course, expected.  Now, run Spybot
S&D.  If you don't already have it, you can get it from download.com.  Just do
a search for Spybot S&D at download.com's main page.  It's the easiest way to
find it.  It should find these files and remove them.  If it doesn't, I'd
suggest creating a folder on your desktop and moving the files there.
Iets32.exe I'm not sure on, but since it put itself back in the startup, and I
can't find any info on it, I'd bet it's spyware or a virus with a random file
name.  I did a search of my hard drives and didn't find anything there either.
If a valid program complains about not being able to find it, you can always
put it back and allow it to run.  The other two are CoolWebSearch files.  You
may have to go to the security tab under properties, go to advanced, take
ownership, and assign everyone full control.  Then, run Hijack This again, tell
it to fix the lines with these programs, it should remove them from the
registry.  There are some other lines that need to be fixed as well, I've added
"fix" to the beginning of them and separated them so they are easier to find.

After this is done, reboot again, and try to surf.  Hopefully, now it will be
working better.  If it is, and the files haven't been put back, open MMC, and
go to group policy again.  Right click on Local Computer Policy.  Put a check
mark in both the boxes to disable the settings.  Or, you can leave them, it
won't hurt Windows any, and it shouldn't keep programs you do want running from
running.

If you'd like, I can do an RDP session and clean it up over the net, provided
you have broadband.  I do this every day for a company called SwiftTechs
(www.swiftechs.com).  This has pretty much turned in to our bread and butter
lately.  One last thing I would like to check, the winsock keys.  They are at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries.
If you could just tell me how many catalog entries there are.  Thanks.

Chris


10. Re: [OT] I think I have a virus


Sorry, forgot to attach the log.  Here it is.

Chris


11. Re: [OT] I think I have a virus

Yeah, that is definitely a coolsearch thing.
BHO - Browser Helper Object.
Your search bar settings are getting you.

Fix R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\kzurx.dll/sp.html#96676

HijackThis should be able to clean all of that out, but you must have all
instances of IE closed.  I suggest a fresh reboot before running HijackThis to
clean it.  That should do it.  Have it clean all those searchbar things.

I'm not so sure on the rest.

    unkmar

----- Original Message -----
From: "Christopher Stone" <chris_m_stone at yahoo.com>
To: <EUforum at topica.com>
Sent: Monday, August 16, 2004 12:21 AM
Subject: Re: [OT] I think I have a virus


>
> Sorry, forgot to attach the log.  Here it is.
>
> Chris
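
A read-only PowerShell triage script, added here as an example and not code from the thread or from any of the tools it names, that walks the locations messages 7, 9 and 11 point at: the Run keys (where iets32 reappeared), Winlogon\Notify, the IE Main values the R1 line above shows pointing at res://, and the Winsock2 catalog whose entry count Chris asks for. It assumes Windows PowerShell 5.1 or newer on a current Windows and an elevated prompt; the PackedCatalogItem layout it parses is an assumption noted in the code.

```powershell
# Added triage script, not code from the thread: read-only walk of the persistence
# spots named above (Run keys, Winlogon\Notify, IE Main values, Winsock2 catalog).
# Assumes Windows PowerShell 5.1+ on a modern Windows, run elevated; changes nothing.
Set-StrictMode -Version Latest

# Authenticode check on the executable in a Run-key command line. Unsigned or
# missing is a flag for a closer look, not proof of malice.
function Test-RunCommandSigned([string]$cmd) {
    $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return $false }
    return (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
}

# Startup entries (msconfig shows these; AutoRuns shows far more locations).
function Get-RunEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Signed = (Test-RunCommandSigned $cmd) }
        }
    }
}

# Winlogon notification DLLs (loaded at logon/logoff); the key is absent on Vista and later.
function Get-WinlogonNotify {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem -Path $key) {
        [pscustomobject]@{ Package = $sub.PSChildName; DLL = $sub.GetValue('DLLName') }
    }
}

# IE start/search values pointing at res://<local dll> is the pattern in the
# R1 line above: a DLL dropped in C:\WINDOWS serves the hijacked page.
function Get-IEHijackSigns {
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $key)) { return }
    $item = Get-Item -Path $key
    foreach ($name in 'Start Page', 'Search Bar', 'Search Page') {
        $v = [string]$item.GetValue($name)
        if ($v -match '^res://') { [pscustomobject]@{ Value = $name; Setting = $v } }
    }
}

# Winsock LSP catalog: entry count versus Num_Catalog_Entries, plus provider DLLs.
# Assumption: PackedCatalogItem begins with the provider path as a NUL-terminated
# ANSI string, the layout LSP-cleaning tools parse.
function Get-WinsockCatalog {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
    $entries = @(Get-ChildItem -Path "$base\Catalog_Entries")
    $providers = foreach ($e in $entries) {
        $blob = $e.GetValue('PackedCatalogItem')
        if (-not $blob) { continue }
        $s = [System.Text.Encoding]::Default.GetString($blob, 0, [Math]::Min(260, $blob.Length))
        $nul = $s.IndexOf([char]0)
        if ($nul -ge 0) { $s.Substring(0, $nul) } else { $s }
    }
    [pscustomobject]@{
        Counted   = $entries.Count
        Declared  = (Get-Item -Path $base).GetValue('Num_Catalog_Entries')
        Providers = @($providers | Sort-Object -Unique)
    }
}

Get-RunEntries     | Format-Table -AutoSize
Get-WinlogonNotify | Format-Table -AutoSize
Get-IEHijackSigns  | Format-Table -AutoSize
Get-WinsockCatalog | Format-List
```

A Counted value that differs from Declared, or a provider path outside System32, is the kind of Winsock oddity worth chasing before touching the catalog; unsigned Run entries and res:// start pages map directly onto what the replies above describe.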


12. Re: [OT] I think I have a virus

----- Original Message -----
From: "irv mullins" <guest at RapidEuphoria.com>
To: <EUforum at topica.com>
Sent: Tuesday, August 17, 2004 11:06 PM
Subject: RE: [OT] I think I have a virus


>
>
> posted by: irv mullins <irvm at ellijay.com>
>
> Greg Haberek wrote:
> >
> > Ok, I totally foobar-ed my computer. I did what was mentioned above, and
> > when I restarted and logged on, Windows logged me right off. I tried
> > logging in as Administrator, same thing. So I booted into Safe Mode and
> > removed all the settings, restarted, same problem. I'm posting this from
> > my laptop. (mmmmm.... Fedora :) If it weren't for the homework I need to
> > do in VB, and the programs people want me to write *in Windows* I'd
> > strip down that hard drive and install Fedora Core 2.
> >
> > Grrrr.... Stupid Spyware....
>
> There's an article on Slashdot.org about that right now.
> Essentially, it says that after you format your disk and re-install
> Windows, you have an average of 20 seconds online before you are hit with
> some kind of exploit. Since it takes way longer than 20 seconds to
> get and install all the Microsoft updates which are supposed to protect you
> from such things, it seems like a lost cause.
> Maybe order SP2 on CD from Microsoft?
>
> Irv
>


Irv, you get on my nerves.
I agree that Linux is great,
but that doesn't mean Windows is crap.

Ever heard of a router and firewall?
That should greatly increase that supposed 20sec time frame.
Besides, I think that is an exaggeration.  But what do I know.

You appear to tell tall tales to sell Linux.
Your view is that Windows is a minnow and that Linux is
the 120lb bass.
Your view is that Windows is only good for discussion
and Linux is the only way to go.
Your tales state that Linux is the white knight in shining
armour and that Windows is the evil lord that delegates
many black knights out to fight.

    unkmar


13. Re: [OT] I think I have a virus

Unkmar wrote:

> >
> > There's an article on Slashdot.org about that right now.
> > Essentially, it says that after you format your disk and re-install
> > Windows, you have an average of 20 seconds online before you are hit with
> > some kind of exploit. Since it takes way longer than 20 seconds to
> > get and install all the Microsoft updates which are supposed to protect you
> > from such things, it seems like a lost cause.
> > Maybe order SP2 on CD from Microsoft?
> >
> > Irv
> >
> 
> Irv, you get on my nerves.
> I agree that Linux is great,
> but that doesn't mean Windows is crap.

Where does my post mention Linux?
I suggested you order SP2 from Microsoft on a CD, so you don't 
have to go through the 250 megs of download while connected to the 
internet with a vulnerable computer. 

I do think that whoever thought up the Windows on-line update system
didn't account for all the problems it would cause. Just what would be 
wrong with the world's richest company sending out updated versions 
of Windows to its customers via mail? If AOL can send us CDs every 
couple of weeks, what's stopping Microsoft? Surely they know that 
no one on dialup is going to download the huge SP2 update, leaving 
millions of unpatched computers still connected to the net.

If it was General Motors who issued a potentially faulty product, 
let's say for example, an ignition switch which would accept any 
old housekey, they would issue a recall, fix the problem at no charge, 
and say a polite "thank you". Why is Microsoft any different?

> Ever heard of a router and firewall?
> That should greatly increase that supposed 20sec time frame.
> Besides, I think that is an exaggeration.  But what do I know.

Even if it was 20 minutes, can you download 250 megs of updates in 
20 minutes?

> You appear to tell tall tales to sell Linux.

You appear to troll.

> Your view is that Windows is a minnow and that Linux is
> the 120lb bass.

No, Windows is not a fish, even though it sometimes stinks.

> Your view is that Windows is only good for discussion
> and linux is the only way to go.

Windows does create a lot of discussion on the web. Most of it 
is not very flattering. Why do you suppose that happens?

> Your tales state that Linux is the white knight in shining
> armour and that Windows is the evil lord that delegates
> many black knights out to fight.

Not at all. Windows is an operating system. If there's any evil 
involved, it is in Mr. Gates' business tactics. But come to think 
of it, you may be right. Lawyers do wear black suits.

Irv


14. Re: [OT] I think I have a virus

On Wednesday 18 August 2004 09:49 am, irv mullins wrote:
> If it was General Motors who issued a potentially faulty product,
> let's say for example, an ignition switch which would accept any
> old housekey, they would issue a recall, fix the problem at no charge,
> and say a polite "thank you". Why is Microsoft any different?

Microsoft would be MUCH different, Irv.  They'd fix the problem right away, by 
updating your car.  The ignition switch would be removed, and instead, the 
driver would be given a 50 page instruction manual on how to hot-wire their 
own vehicle, and would be offered a downloadable screwdriver.

As far as XP2 is concerned, folks might find this interesting.  Sorry for the 
20 mile URL:

http://www.computerweekly.com/articles/article.asp?liArticleID=132717&liArticleTypeID=1&liCategoryID=1&liChannelID=126&liFlavourID=1&sSearch=&nPage=1


Travis.
