Re: [OT] I think I have a virus
- Posted by Christopher Stone <chris_m_stone at yahoo.com> Aug 16, 2004
- 537 views
Looks like it may be a new version of CoolWebSearch, I'm not sure though. The winlogon key is at HKLM\Software\MS\WindowsNT\CurVer\Winlogon. Sorry, I think Yahoo's word wrapping may have gotten the best of us on the last message.

As far as the group policy helping with virus and spyware removal, it's much improved since Windows 2000. You can tell Windows to include file types other than just .exe. Some of the spyware sets the security so tight, you can't even view the security tab while it is running, much less delete it.

To get to the software restrictions, run MMC. Go to File, Add/Remove Snap In. Then click the Add button. Select Group Policy, click Add, Finish, Close, and OK. Open Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Software Restrictions. Double click Enforcement to bring up the options. Select All Software Files, and All Users and click OK. Then, open up the Security Levels folder, right click on Disallowed, and click Set as Default.

Then we want to open the Additional Rules folder. Right click in a blank spot for the rules and select New Hash Rule. Click the Browse button and point it to C:\Windows\System32\iets32.exe. It should automatically set it to Disallowed, which is what we want. We also want to create a new hash rule for C:\WINDOWS\System32\msdxm.ocx and C:\WINDOWS\system32\rundll32.vbe. Also, check to see if there is a folder under Program Files called Toolbar, or one under Program Files\Common Files called Wintools. If there is, we want to create a New Path Rule. Right click on a blank spot in the rules list, click New Path Rule, and select these folders if they exist. Of course, make sure they are set to Disallowed.

After the rules are set, close MMC; save the console if you want, it doesn't matter. Then restart. When you boot up, you should get errors saying these files aren't allowed to run. This is, of course, expected. Now, run Spybot S&D. If you don't already have it, you can get it from download.com.
Just do a search for Spybot S&D at download.com's main page. It's the easiest way to find it. It should find these files and remove them. If it doesn't, I'd suggest creating a folder on your desktop and moving the files there. Iets32.exe I'm not sure on, but since it put itself back in the startup, and I can't find any info on it, I'd bet it's spyware or a virus with a random file name. I did a search of my hard drives and didn't find anything there either. If a valid program complains about not being able to find it, you can always put it back and allow it to run. The other two are CoolWebSearch files. You may have to go to the Security tab under Properties, go to Advanced, take ownership, and assign Everyone full control.

Then, run HijackThis again, tell it to fix the lines with these programs, and it should remove them from the registry. There are some other lines that need to be fixed as well; I've added "fix" to the beginning of them and separated them so they are easier to find. After this is done, reboot again, and try to surf. Hopefully, now it will be working better. If it is, and the files haven't been put back, open MMC, and go to Group Policy again. Right click on Local Computer Policy. Put a check mark in both the boxes to disable the settings. Or, you can leave them; it won't hurt Windows any, and it shouldn't keep programs you do want running from running.

If you'd like, I can do an RDP session and clean it up over the net, provided you have broadband. I do this every day for a company called SwiftTechs (www.swiftechs.com). This has pretty much turned into our bread and butter lately.

One last thing I would like to check, the winsock keys. They are at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. If you could just tell me how many catalog entries there are. Thanks.

Chris

--- Greg Haberek <ghaberek at wowway.com> wrote:

> What page in particular?

Of all pages, the "about:blank" page!
It's modifying pages right before they finish loading. The progress bar on the bottom will hit 100% but not go away for a couple of seconds, during which the page is locked up. Obviously something is taking over during that time.

> Did anything put itself back in the startup?

name: iets32
file: C:\WINDOWS\system32\iets32.exe
reg key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

> > I'm pretty sure it's a virus or a worm or something.
> > Anyone have any ideas or suggestions?
> >
> > ~Greg
>
> Download HijackThis if you haven't already. Run it and send the log to me, I can look at it and help you remove any virus/spyware you may have. Also, if you want to disable stuff running at startup, try AutoRuns from Sysinternals (www.sysinternals.com). It shows a lot of things msconfig leaves out. One place in the registry to check that both leave out is the winlogon key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. There should be several entries in there pointing to crypt32.dll and wlnotify.dll. These DLLs are called every time you log on, log off, go in and out of screen saver, etc. Some spyware, specifically Better Internet, have started using this key to keep themselves loaded.
>
> BTW, are you running XP Pro or Home edition? Pro makes it much easier to get rid of this stuff with group policies.

I've attached hijackthis.log. I could not find a Winlogon\Notify entry! I am running XP Pro. Of all that I know about Active Directory and Group Policies (I only took a class called Windows 2000 - Active Directory and Group Policies) I'm a little fuzzy on how I'd use it to get rid of spyware.

Thanks,
~Greg

[Attachment: hijackthis.log (application/octet-stream)]
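The thread above walks through the persistence points by hand (the Run key, Winlogon\Notify, the Winsock2 protocol catalog) and then builds Software Restriction Policy hash and path rules in the MMC snap-in. The script below is an added example, not code from either poster: a read-only audit that lists those same locations, hashes the files named in the thread so they can be matched against the SRP hash rules, and summarises whatever SRP is currently in effect. It assumes a PowerShell with Get-FileHash (4.0 or later), so it would not run on the 2004 XP box as-is; the registry paths are the ones the thread names, and the layout of the SRP values under Safer\CodeIdentifiers is an assumption about how the snap-in stores its settings.

```powershell
# Added example (not from the original post). Read-only audit of the persistence
# points and files discussed in the thread; nothing here writes to the registry.

# File and folder names quoted in the thread.
$Suspects = @(
    'C:\WINDOWS\System32\iets32.exe',
    'C:\WINDOWS\System32\msdxm.ocx',
    'C:\WINDOWS\system32\rundll32.vbe'
)
$SuspectDirs = @(
    'C:\Program Files\Toolbar',
    'C:\Program Files\Common Files\Wintools'
)

function Get-RunEntries {
    # Run keys in both hives. msconfig shows these too, but list the full commands.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc.
            [pscustomobject]@{ Hive = $hive; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-WinlogonNotify {
    # Each subkey names a DLL Winlogon loads on logon/logoff/screensaver events.
    # crypt32 and wlnotify are expected; anything else deserves a closer look.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem -Path $key) {
        [pscustomobject]@{
            Name    = $sub.PSChildName
            DllName = (Get-ItemProperty -Path $sub.PSPath).DLLName
        }
    }
}

function Get-WinsockCatalogCount {
    # The number Chris asks for: one subkey per Winsock2 protocol catalog entry,
    # which is where LSP-style hijackers insert themselves.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
    if (-not (Test-Path $key)) { return 0 }
    @(Get-ChildItem -Path $key).Count
}

function Get-SuspectFiles {
    # An SRP hash rule matches on the file's hash, so record MD5 and SHA-1 with the
    # size, and say plainly when a file is simply not there.
    foreach ($f in $Suspects) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f
            [pscustomobject]@{
                Path = $f
                Size = $item.Length
                MD5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
                SHA1 = (Get-FileHash -LiteralPath $f -Algorithm SHA1).Hash
            }
        } else {
            [pscustomobject]@{ Path = $f; Size = $null; MD5 = '(absent)'; SHA1 = '(absent)' }
        }
    }
}

function Get-SuspectDirs {
    # Candidates for the path rules the thread describes.
    foreach ($d in $SuspectDirs) {
        [pscustomobject]@{ Path = $d; Present = (Test-Path -LiteralPath $d) }
    }
}

function Get-SrpState {
    # Assumed layout: the snap-in keeps the policy under Safer\CodeIdentifiers.
    # DefaultLevel 0 = Disallowed, 262144 = Unrestricted; TransparentEnabled 2 =
    # all software files (DLLs included); PolicyScope 0 = all users. Rules for the
    # Disallowed level sit under the "0" subkey.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return 'No Software Restriction Policy is configured.' }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        DefaultLevel       = $p.DefaultLevel
        TransparentEnabled = $p.TransparentEnabled
        PolicyScope        = $p.PolicyScope
        DisallowHashRules  = @(Get-ChildItem -Path "$key\0\Hashes" -ErrorAction SilentlyContinue).Count
        DisallowPathRules  = @(Get-ChildItem -Path "$key\0\Paths"  -ErrorAction SilentlyContinue).Count
    }
}

'== Run keys =='        ; Get-RunEntries     | Format-Table -AutoSize
'== Winlogon\Notify ==' ; Get-WinlogonNotify | Format-Table -AutoSize
'== Winsock2 catalog entries: {0} ==' -f (Get-WinsockCatalogCount)
'== Suspect files =='   ; Get-SuspectFiles   | Format-Table -AutoSize
'== Suspect folders ==' ; Get-SuspectDirs    | Format-Table -AutoSize
'== SRP state =='       ; Get-SrpState       | Format-List
```

Run it from an elevated prompt so the HKLM keys are readable. After the MMC steps in the thread, Get-SrpState should report DefaultLevel 0, TransparentEnabled 2 and PolicyScope 0, with one hash rule per file and one path rule per folder that existed; if a suspect file shows as absent but its Run entry is still present, the loader is being blocked rather than removed, which is exactly the state the thread expects before Spybot and HijackThis are run.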