1. [OT] I think I have a virus
- Posted by "Greg Haberek" <ghaberek at wowway.com> Aug 13, 2004
- 581 views

- Notepad closes randomly (actually I think it's after a specific interval)
- Internet Explorer takes forever to start
- my start page has been set to some "Home Search" crap
- my memory almost maxes out right after Windows starts (I use MaxMem by AnalogX)

I ran Ad-aware, Anti-Vir, and Bazooka Spyware Scanner, and stripped down my boot with msconfig. I'm pretty sure it's a virus or a worm or something. Anyone have any ideas or suggestions?

~Greg
2. Re: [OT] I think I have a virus
- Posted by Guillermo Bonvehi <knixeur at speedy.com.ar> Aug 13, 2004
- 556 views
It seems more like spyware than a virus. Try running Spybot - Search & Destroy; I've been using it for some months so far and it has detected all the ugly stuff at work.

On Thu, 12 Aug 2004 23:39:48 -0400 Greg Haberek <ghaberek at wowway.com> wrote:
> - Notepad closes randomly (actually I think it's after a specific interval)
> - Internet Explorer takes forever to start
> - my start page has been set to some "Home Search" crap
> - my memory almost maxes out right after Windows starts (I use MaxMem by AnalogX)
>
> I ran Ad-aware, Anti-Vir, and Bazooka Spyware Scanner, and stripped down my boot with msconfig. I'm pretty sure it's a virus or a worm or something. Anyone have any ideas or suggestions?
>
> ~Greg
3. Re: [OT] I think I have a virus
- Posted by "Unkmar" <L3Euphoria at bellsouth.net> Aug 13, 2004
- 512 views
http://www.lavasoft.de/ - Ad-aware - But you said that one.
http://www.safer-networking.org/ - Spybot Search & Destroy
http://www.siena.edu/antivirus/Spyware/hijackthis.htm - HijackThis
http://www.nod32.com/ - NOD32

unkmar

----- Original Message -----
From: "Greg Haberek"
Sent: Thursday, August 12, 2004 11:39 PM
Subject: [OT] I think I have a virus
> - Notepad closes randomly (actually I think it's after a specific interval)
> - Internet Explorer takes forever to start
> - my start page has been set to some "Home Search" crap
> - my memory almost maxes out right after Windows starts (I use MaxMem by AnalogX)
>
> I ran Ad-aware, Anti-Vir, and Bazooka Spyware Scanner, and stripped down my boot with msconfig. I'm pretty sure it's a virus or a worm or something. Anyone have any ideas or suggestions?
>
> ~Greg
4. Re: [OT] I think I have a virus
- Posted by irv mullins <irvm at ellijay.com> Aug 13, 2004
- 520 views
Unkmar wrote:
> http://www.lavasoft.de/ - Ad-aware - But you said that one.
> http://www.safer-networking.org/ - Spybot Search & Destroy
> http://www.siena.edu/antivirus/Spyware/hijackthis.htm - HijackThis
> http://www.nod32.com/ - NOD32

Another effective solution:
1. format C:
2. Reload Windows
3. install a real firewall.
4. Connect to internet.
5. Get all Windows updates.

Or, better yet,
1. Insert Mandrake Linux setup disk.
2. Hit reset.
3. Follow instructions :)

Irv
5. Re: [OT] I think I have a virus
- Posted by Don <eunexus at yahoo.com> Aug 13, 2004
- 515 views
One of my friends' computers did this. He (I guess) liked some internet site. Oh, you know which ones! And the adware/spyware was so bad he could no longer even browse the internet. Each page took an average of something like 5-10 minutes to load. After fighting with the browser for an hour or so, I finally got all the spyware removed (as recommended above). Rebooted twice and it didn't help. After much hair pulling, it turned out to be a trojan worm virus which would (upon connecting to the internet) use 100% of processor resources.

I would suggest this: http://housecall.trendmicro.com/
It's a free online virus scanner and it can fix most things right off the web.

Good luck.

Don Phillips - aka Graebel
National Instruments
mailto: eunexus @ yahoo.com
6. Re: [OT] I think I have a virus
- Posted by milagros_jones_ib at micro-g.com.sg Aug 13, 2004
- 510 views
This is an autoresponder. I'll never see your message.
7. Re: [OT] I think I have a virus
- Posted by Christopher Stone <chris_m_stone at yahoo.com> Aug 15, 2004
- 559 views
--- Greg Haberek <ghaberek at wowway.com> wrote:
> - Notepad closes randomly (actually I think it's after a specific interval)
> - Internet Explorer takes forever to start
> - my start page has been set to some "Home Search" crap

What page in particular?

> - my memory almost maxes out right after Windows starts (I use MaxMem by AnalogX)
>
> I ran Ad-aware, Anti-Vir, and Bazooka Spyware Scanner, and stripped down my boot with msconfig.

Did anything put itself back in the startup?

> I'm pretty sure it's a virus or a worm or something. Anyone have any ideas or suggestions?
>
> ~Greg

Download HijackThis if you haven't already. Run it and send the log to me; I can look at it and help you remove any virus/spyware you may have. Also, if you want to disable stuff running at startup, try AutoRuns from Sysinternals (www.sysinternals.com). It shows a lot of things msconfig leaves out. One place in the registry to check that both leave out is the winlogon key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. There should be several entries in there pointing to crypt32.dll and wlnotify.dll. These DLLs are called every time you log on, log off, go in and out of screen saver, etc. Some spyware, specifically Better Internet, has started using this key to keep itself loaded.

BTW, are you running XP Pro or Home edition? Pro makes it much easier to get rid of this stuff with group policies.

Chris
8. Re: [OT] I think I have a virus
- Posted by "Greg Haberek" <ghaberek at wowway.com> Aug 15, 2004
- 516 views
> What page in particular?

Of all pages, the "about:blank" page! It's modifying pages right before they finish loading. The progress bar on the bottom will hit 100% but not go away for a couple of seconds, during which the page is locked up. Obviously something is taking over during that time.

> Did anything put itself back in the startup?

name: iets32
file: C:\WINDOWS\system32\iets32.exe
reg key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

> > I'm pretty sure it's a virus or a worm or something.
> > Anyone have any ideas or suggestions?
> >
> > ~Greg
>
> Download HijackThis if you haven't already. Run it and send the log to me; I can look at it and help you remove any virus/spyware you may have. Also, if you want to disable stuff running at startup, try AutoRuns from Sysinternals (www.sysinternals.com). It shows a lot of things msconfig leaves out. One place in the registry to check that both leave out is the winlogon key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. There should be several entries in there pointing to crypt32.dll and wlnotify.dll. These DLLs are called every time you log on, log off, go in and out of screen saver, etc. Some spyware, specifically Better Internet, has started using this key to keep itself loaded.
> BTW, are you running XP Pro or Home edition? Pro makes it much easier to get rid of this stuff with group policies.

I've attached hijackthis.log. I could not find a Winlogon\Notify entry! I am running XP Pro. Of all that I know about Active Directory and Group Policies (I only took a class called Windows 2000 - Active Directory and Group Policies), I'm a little fuzzy on how I'd use it to get rid of spyware.
Thanks,
~Greg

(Attachment: hijackthis.log)
9. Re: [OT] I think I have a virus
- Posted by Christopher Stone <chris_m_stone at yahoo.com> Aug 16, 2004
- 537 views
Looks like it may be a new version of CoolWebSearch, I'm not sure though. The winlogon key is at HKLM\Software\MS\WindowsNT\CurVer\Winlogon. Sorry, I think Yahoo's word wrapping may have gotten the best of us on the last message.

As far as the group policy helping with virus and spyware removal, it's much improved since Windows 2000. You can tell Windows to include file types other than just .exe. Some of the spyware sets the security so tight you can't even view the Security tab while it is running, much less delete it.

To get to the software restrictions, run MMC. Go to File, Add/Remove Snap-in. Then click the Add button. Select Group Policy, click Add, Finish, Close, and OK. Open Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Software Restrictions. Double click Enforcement to bring up the options. Select All Software Files, and All Users, and click OK. Then open up the Security Levels folder, right click on Disallowed, and click Set as Default.

Then we want to open the Additional Rules folder. Right click in a blank spot for the rules and select New Hash Rule. Click the Browse button and point it to C:\Windows\System32\iets32.exe. It should automatically set it to Disallowed, which is what we want. We also want to create a new hash rule for C:\WINDOWS\System32\msdxm.ocx and C:\WINDOWS\system32\rundll32.vbe. Also, check to see if there is a folder under Program Files called Toolbar, or one under Program Files\Common Files called Wintools. If there is, we want to create a New Path Rule. Right click on a blank spot in the rules list, click New Path Rule, and select these folders if they exist. Of course, make sure they are set to Disallowed.

After the rules are set, close MMC; save the console if you want, it doesn't matter. Then restart. When you boot up, you should get errors saying these files aren't allowed to run. This is, of course, expected.

Now, run Spybot S&D. If you don't already have it, you can get it from download.com. Just do a search for Spybot S&D at download.com's main page. It's the easiest way to find it. It should find these files and remove them. If it doesn't, I'd suggest creating a folder on your desktop and moving the files there. Iets32.exe I'm not sure on, but since it put itself back in the startup, and I can't find any info on it, I'd bet it's spyware or a virus with a random file name. I did a search of my hard drives and didn't find anything there either. If a valid program complains about not being able to find it, you can always put it back and allow it to run. The other two are CoolWebSearch files. You may have to go to the Security tab under Properties, go to Advanced, take ownership, and assign Everyone full control.

Then run HijackThis again and tell it to fix the lines with these programs; it should remove them from the registry. There are some other lines that need to be fixed as well; I've added "fix" to the beginning of them and separated them so they are easier to find.

After this is done, reboot again, and try to surf. Hopefully, now it will be working better. If it is, and the files haven't been put back, open MMC and go to group policy again. Right click on Local Computer Policy. Put a check mark in both the boxes to disable the settings. Or, you can leave them; it won't hurt Windows any, and it shouldn't keep programs you do want running from running.

If you'd like, I can do an RDP session and clean it up over the net, provided you have broadband. I do this every day for a company called SwiftTechs (www.swiftechs.com). This has pretty much turned into our bread and butter lately.

One last thing I would like to check: the winsock keys. They are at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. If you could just tell me how many catalog entries there are. Thanks.

Chris

--- Greg Haberek <ghaberek at wowway.com> wrote:
> > What page in particular?
>
> Of all pages, the "about:blank" page! It's modifying pages right before they finish loading. The progress bar on the bottom will hit 100% but not go away for a couple of seconds, during which the page is locked up. Obviously something is taking over during that time.
>
> > Did anything put itself back in the startup?
>
> name: iets32
> file: C:\WINDOWS\system32\iets32.exe
> reg key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> > > I'm pretty sure it's a virus or a worm or something.
> > > Anyone have any ideas or suggestions?
> > >
> > > ~Greg
> >
> > Download HijackThis if you haven't already. Run it and send the log to me; I can look at it and help you remove any virus/spyware you may have. Also, if you want to disable stuff running at startup, try AutoRuns from Sysinternals (www.sysinternals.com). It shows a lot of things msconfig leaves out. One place in the registry to check that both leave out is the winlogon key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. There should be several entries in there pointing to crypt32.dll and wlnotify.dll. These DLLs are called every time you log on, log off, go in and out of screen saver, etc. Some spyware, specifically Better Internet, has started using this key to keep itself loaded.
> > BTW, are you running XP Pro or Home edition? Pro makes it much easier to get rid of this stuff with group policies.
>
> I've attached hijackthis.log. I could not find a Winlogon\Notify entry! I am running XP Pro. Of all that I know about Active Directory and Group Policies (I only took a class called Windows 2000 - Active Directory and Group Policies), I'm a little fuzzy on how I'd use it to get rid of spyware.
>
> Thanks,
> ~Greg
>
> (Attachment: hijackthis.log)
10. Re: [OT] I think I have a virus
- Posted by Christopher Stone <chris_m_stone at yahoo.com> Aug 16, 2004
- 524 views
Sorry, forgot to attach the log. Here it is.

Chris

(Attachment: hijackthis.log)
11. Re: [OT] I think I have a virus
- Posted by "Unkmar" <L3Euphoria at bellsouth.net> Aug 16, 2004
- 533 views
Yeah, that is definitely a CoolSearch thing. BHO - Browser Helper Object. Your search bar settings are getting you.

Fix R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kzurx.dll/sp.html#96676

HijackThis should be able to clean all of that out, but you must have all instances of IE closed. I suggest a fresh reboot before running HijackThis to clean it. That should do it. Have it clean all those searchbar things. I'm not so sure on the rest.

unkmar

----- Original Message -----
From: "Christopher Stone" <chris_m_stone at yahoo.com>
To: <EUforum at topica.com>
Sent: Monday, August 16, 2004 12:21 AM
Subject: Re: [OT] I think I have a virus
> Sorry, forgot to attach the log. Here it is.
>
> Chris
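Unkmar's "Fix R1" line above and Chris's "tell it to fix the lines with these programs" in the earlier post both come down to reading a HijackThis log for a few recognisable patterns. The script below is an added example, written for this page and not code from the thread or from HijackThis, that performs that triage over a constructed sample log. Only the Search Bar line and the iets32 Run entry in SAMPLE_LOG are the items the thread names; the ExampleAV entry, the BHO GUID and DLL name, and the short allow-list of known-good Windows-directory startup executables are invented for the example. It flags the three things the thread discusses: IE page settings that point at a local DLL via res:// (the about:blank hijack), unnamed Browser Helper Objects loaded from the Windows directory, and Run entries whose executable lives under the Windows directory but is not on the allow-list. That last check is a heuristic, not a rule: legitimate third-party startup items usually live under Program Files, and the allow-list assumed here would in practice be built from a known-clean machine of the same build.

```python
"""Triage a HijackThis-style log for the hijack patterns discussed in the thread.

Added example, not part of the original thread. The sample log is constructed:
only the Search Bar line and the iets32 Run entry come from the thread; the
other lines and the allow-list are invented for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from pathlib import PureWindowsPath

# Constructed sample log in HijackThis 1.98 line format.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kzurx.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\bhoexample.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\sched.exe /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [iets32] C:\WINDOWS\system32\iets32.exe
"""

# Startup executables that legitimately live under the Windows directory.
# Assumed allow-list for the example; build a real one from a clean machine.
KNOWN_GOOD_WINDIR_EXES = frozenset({"ctfmon.exe"})

# R0/R1: "R1 - <key>,<value name> = <data>"
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# O2: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# First path in a command line that ends in an executable extension, quoted or not.
EXE_IN_COMMAND = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|dll|ocx|vbe|vbs|scr|pif|com|bat|cmd))"?(?:\s|$)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    reason: str


def exe_from_command(command: str) -> Optional[str]:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    m = EXE_IN_COMMAND.match(command.strip())
    return m.group("path") if m else None


def in_windows_dir(path: str) -> bool:
    # True for paths under <drive>:/WINDOWS or <drive>:/WINNT, any depth.
    parts = PureWindowsPath(path).parts
    return len(parts) >= 2 and parts[1].lower() in ("windows", "winnt")


def triage(log_text: str, known_good=KNOWN_GOOD_WINDIR_EXES) -> List[Finding]:
    """Return the log lines worth ticking in HijackThis, each with a reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            # CWS-style about:blank hijack: the page is served from a local DLL
            # resource instead of a URL, so the "home page" is the spyware itself.
            if m.group("data").lower().startswith("res://"):
                findings.append(Finding(line, "IE page setting loads a local DLL resource via res://"))
            continue
        m = O2_LINE.match(line)
        if m:
            if m.group("name") == "(no name)" and in_windows_dir(m.group("path")):
                findings.append(Finding(line, "unnamed Browser Helper Object loaded from the Windows directory"))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = exe_from_command(m.group("command"))
            if exe and in_windows_dir(exe) and PureWindowsPath(exe).name.lower() not in known_good:
                findings.append(Finding(line, "startup item runs an unrecognised executable from the Windows directory"))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The exact log lines to check before pressing 'Fix checked' in HijackThis."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FIX  {f.line}\n     {f.reason}")
```

Run against the sample it reports exactly the Search Bar res:// line, the unnamed BHO and the iets32 Run entry, and leaves the about:blank start page (the default, not the hijack), the Program Files entry and ctfmon.exe alone; feed it a real log and review every flagged line by hand before fixing, because the Windows-directory heuristic will also catch legitimate items that are simply missing from the allow-list.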
12. Re: [OT] I think I have a virus
- Posted by "Unkmar" <L3Euphoria at bellsouth.net> Aug 18, 2004
- 519 views
----- Original Message -----
From: "irv mullins" <guest at RapidEuphoria.com>
To: <EUforum at topica.com>
Sent: Tuesday, August 17, 2004 11:06 PM
Subject: RE: [OT] I think I have a virus
> posted by: irv mullins <irvm at ellijay.com>
>
> Greg Haberek wrote:
> > Ok, I totally foobar-ed my computer. I did what was mentioned above, and when I restarted and logged on, Windows logged me right off. I tried logging in as Administrator, same thing. So I booted into Safe Mode and removed all the settings, restarted, same problem. I'm posting this from my laptop. (mmmmm.... Fedora :) If it weren't for the homework I need to do in VB, and the programs people want me to write *in Windows*, I'd strip down that hard drive and install Fedora Core 2.
> >
> > Grrrr.... Stupid Spyware....
>
> There's an article on Slashdot.org about that right now. Essentially, it says that after you format your disk and re-install Windows, you have an average of 20 seconds online before you are hit with some kind of exploit. Since it takes way longer than 20 seconds to get and install all the Microsoft updates which are supposed to protect you from such things, it seems like a lost cause. Maybe order SP2 on CD from Microsoft?
>
> Irv

Irv, you get on my nerves. I agree that Linux is great, but that doesn't mean Windows is crap. Ever heard of a router and firewall? That should greatly increase that supposed 20 sec time frame. Besides, I think that is an exaggeration. But what do I know. You appear to tell tall tales to sell Linux. Your view is that Windows is a minnow and that Linux is the 120 lb bass. Your view is that Windows is only good for discussion and Linux is the only way to go. Your tales state that Linux is the white knight in shining armour and that Windows is the evil lord that delegates many black knights out to fight.

unkmar
13. Re: [OT] I think I have a virus
- Posted by irv mullins <irvm at ellijay.com> Aug 18, 2004
- 540 views
Unkmar wrote:
> > There's an article on Slashdot.org about that right now. Essentially, it says that after you format your disk and re-install Windows, you have an average of 20 seconds online before you are hit with some kind of exploit. Since it takes way longer than 20 seconds to get and install all the Microsoft updates which are supposed to protect you from such things, it seems like a lost cause. Maybe order SP2 on CD from Microsoft?
> >
> > Irv
>
> Irv, you get on my nerves. I agree that Linux is great, but that doesn't mean Windows is crap.

Where does my post mention Linux? I suggested you order SP2 from Microsoft on a CD, so you don't have to go through the 250 megs of download while connected to the internet with a vulnerable computer. I do think that whoever thought up the Windows on-line update system didn't account for all the problems it would cause. Just what would be wrong with the world's richest company sending out updated versions of Windows to its customers via mail? If AOL can send us CDs every couple of weeks, what's stopping Microsoft? Surely they know that no one on dialup is going to download the huge SP2 update, leaving millions of unpatched computers still connected to the net.

If it was General Motors who issued a potentially faulty product, let's say for example an ignition switch which would accept any old housekey, they would issue a recall, fix the problem at no charge, and say a polite "thank you". Why is Microsoft any different?

> Ever heard of a router and firewall? That should greatly increase that supposed 20 sec time frame. Besides, I think that is an exaggeration. But what do I know.

Even if it was 20 minutes, can you download 250 megs of updates in 20 minutes?

> You appear to tell tall tales to sell Linux.

You appear to troll.

> Your view is that Windows is a minnow and that Linux is the 120 lb bass.

No, Windows is not a fish, even though it sometimes stinks.

> Your view is that Windows is only good for discussion and Linux is the only way to go.

Windows does create a lot of discussion on the web. Most of it is not very flattering. Why do you suppose that happens?

> Your tales state that Linux is the white knight in shining armour and that Windows is the evil lord that delegates many black knights out to fight.

Not at all. Windows is an operating system. If there's any evil involved, it is in Mr. Gates' business tactics. But come to think of it, you may be right. Lawyers do wear black suits.

Irv
14. Re: [OT] I think I have a virus
- Posted by Travis Beaty <eucoder at travisbeaty.us> Aug 18, 2004
- 539 views
On Wednesday 18 August 2004 09:49 am, irv mullins wrote:
> If it was General Motors who issued a potentially faulty product, let's say for example an ignition switch which would accept any old housekey, they would issue a recall, fix the problem at no charge, and say a polite "thank you". Why is Microsoft any different?

Microsoft would be MUCH different, Irv. They'd fix the problem right away, by updating your car. The ignition switch would be removed, and instead the driver would be given a 50 page instruction manual on how to hot-wire their own vehicle, and would be offered a downloadable screwdriver.

As far as XP2 is concerned, folks might find this interesting. Sorry for the 20 mile URL:
http://www.computerweekly.com/articles/article.asp?liArticleID=132717&liArticleTypeID=1&liCategoryID=1&liChannelID=126&liFlavourID=1&sSearch=&nPage=1

Travis.