Virus?

(I've just posted this on the internet security forums and thought I might get a response if I post it here too)

Hi everyone,
It seems that my computer has a virus which is screwing my computer up in very random ways.

I believe I caught this virus when I was on MSN Messenger. I was in a conversation with a friend. What I thought was my friend sending me a message was actually not him. I received a message saying: "Is this you?" and then a link next to the text.
I clicked the link, which seemed to be an openable file, but nothing happened when I opened it. I became suspicious and talked in person to my friend who I was in the MSN conversation with, and he said he hadn't sent me such a link and he had a virus on his computer which he had caught the same way.

So, at first nothing seemed to be affected, but now many programs won't open or work properly.

For example, Microsoft Word will not open, MSN Messenger won't sign in, I can't sign in to my university email, my Norton Security software will not open on start-up. However, I can still surf the internet and my computer fires up as normal.

Before I ask for a diagnosis and possible solution, first of all I must warn you that HijackThis will not open when I download the .rar file. As soon as I open the file, it closes. a-squared and Spybot Search&Destroy will not work either.


What is going on and is there a way to fix it?

Thanks a lot.
 
Ok, I've researched the problem a bit more and the virus I have seems to be the new 'wow is this you' virus which is spread through Messenger. So far nobody seems to have come up with a simple solution.

Here's a description of the problem I took from another forum, by a poster named Mel C (Neamh) from the free computer help community:

"Hi all - some little smarty sent me something yesterday which has me stumped.

Whatever it is, it won't allow me to run msconfig, AV software, firewall or pretty well anything else which could help me determine what is wrong, in any mode other than safe mode.

Each time I've scanned in safe mode, clean up, boot up, back to square 1.

I have scanned 3 times with AVG, I've tried the cleaner trojan scanner, cws shredder picked up 1, Spybot S&D as well as webroot's spysweeper. I've checked my Hijackthis report.... usually I'm the one who picks up on the problems for everyone else but this one has me stumped... I'm sure it's something I'm just too tired to see now and would really appreciate some help.

I'm running Windows XP Home on an Off the shelf HP - no modifications on this machine other than being on a home LAN. I don't have Sp2 installed - when I bought the machine, I found it was one of the models that HP advised against updating at the time and I haven't had the time to check since to see if that status has changed.

Hijackthis currently also shuts down before I can run the scan - however I managed to get a log earlier in safe mode.... won't even let me open the notepad document, not even in word - shuts down the software! Will go back to safe mode and report back with log in 5"


Basically this virus stops people using anti-virus software and stops them going to certain random sites, but mostly I cannot get into anti-virus sites, email or any secure websites.

If anyone can join the fight to get rid of this virus it'd be much appreciated by a lot of people.
 
EVH said:
CWShredder or HijackThis closes immediately after opening?

There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well as Spybot S&D, Ad-aware and several anti-spyware forums).

http://www.safer-networking.org/files/delcwssk.zip

I've been away for a week so haven't done anything about the virus all week.

I tried that SmartKiller thing and it didn't work. It said it never found anything, but I still can't open HijackThis.

here's my hosts file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
Can you guys give me some info about a format? I bought my laptop from a shop and I'm not sure exactly what I have to do to re-install XP and re-activate it.

Any info would be appreciated.

It's safe to say this virus is a pain in the neck. Avoid at all costs.
 
Ok, whenever I run AIMFIX whether in safe mode or not it always finds this file and deletes it:

Found HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss
Removed HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss

However, nothing happens once it deletes it. It's as if there is another file that is hiding somewhere and restarting the virus as soon as it is deleted or something. I also believe that csrss is a critical process; however, whenever I run taskkill in safe mode there are two csrss files. Obviously the virus is hiding behind that name. So it'd be a gamble to delete it from HijackThis or taskkill because I'd get the blue screen of death or something worse.

I did a full system scan with AVG in safe mode and it found nothing.

What now?

Can somebody post the info from the link I posted above? I still can't access that page. Thanks.
 