Virus?

Soldato
Joined
11 Nov 2002
Posts
3,947
Location
West Mids
(I've just posted this on the internet security forums and thought I might get a response if I post it here too)

Hi everyone,
It seems that my computer has a virus which is screwing my computer up in very random ways.

I believe I caught this virus when I was on MSN Messenger. I was in a conversation with a friend. What I thought was my friend sending me a message was actually not him. I received a message saying: "Is this you?" and then a link next to the text.
I clicked the link, which seemed to be an openable file, but nothing happened when I opened it. I became suspicious and talked in person to my friend who I was in the MSN conversation with and he said he hadn't sent me such a link and he had a virus on his computer which he had caught the same way.

So, at first nothing seemed to be affected but now many programs won't open or work properly.

For example, Microsoft Word will not open, MSN Messenger won't sign in, I can't sign in to my university email, my Norton Security software will not open on start-up. However, I can still surf the internet and my computer fires up as normal.

Before I ask for a diagnosis and possible solution, first of all I must warn you that HijackThis will not open when I download the .rar file. As soon as I open the file, it closes. a-squared and Spybot Search&Destroy will not work either.


What is going on and is there a way to fix it?

Thanks a lot.
 

sfx

Associate
Joined
13 Dec 2004
Posts
926
Tweek_1984 said:
Where can I find my hosts file and what would I be looking for?
Hosts file is here: C:\WINDOWS\system32\drivers\etc

The default file should look like this:
Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

If yours is any different, replace it with this.

sfx
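The post above says the stock hosts file has exactly one active mapping. As an added example (not code from the thread or any poster), this Python script parses a hosts file, ignores comments, and reports every mapping that is not the default `127.0.0.1 localhost`; the sample file and the two planted vendor-looking entries are constructed.

```python
"""Audit a Windows hosts file for mappings that are not the stock default.

Added example, not from the thread. Malware that blocks anti-virus sites
commonly does so by pointing vendor hostnames at loopback in this file.
"""
from typing import List, NamedTuple


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: List[str]


# The only active mapping in the default Windows XP hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample: default header, then two planted entries
# (hostnames are placeholders, not real vendor domains).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       liveupdate.av-vendor.example   # planted: blocks AV updates
127.0.0.1       www.av-vendor.example
"""


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return active mappings; blank lines and '#' comments are dropped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:  # blank, comment-only, or malformed line
            continue
        entries.append(HostsEntry(lineno, fields[0], fields[1:]))
    return entries


def find_non_default(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Every entry with at least one (ip, name) pair outside the default set."""
    return [e for e in entries
            if any((e.ip, n) not in DEFAULT_ENTRIES for n in e.names)]


if __name__ == "__main__":
    for e in find_non_default(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {e.lineno}: {e.ip} -> {', '.join(e.names)}")
```

To check a real machine, read the file from the path given in the post and pass its contents to `parse_hosts` instead of the constructed sample.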
 
Associate
Joined
7 Mar 2005
Posts
1,597
Location
Eating PI
Here is the order of what you should do:

1. Download Avast Antivirus
2. Download Sygate Personal Firewall
3. Download Adaware SE
4. Remove Norton & Reboot
5. Remove anything even remotely involved with Symantec Corporation
6. Install Avast, Sygate & Adaware & Reboot
7. Run above programs
8. Reboot
9. Run Avast & Adaware again to be safe.

If you need help finding web pages to download the mentioned programs, do a search in Google; they're all free and Avast & Sygate are 100 times better than Norton.

I had problems like you're having many times in the past while running Norton, never had a single problem while running Avast and I download a lot more stuff now, probably nearly 100gb/month.

Avast has 7 on-access scanners and I'm pretty sure Norton only has 2.

BTW Sygate has just been bought by Symantec (Who own Norton) it's still okay atm but updates have stopped and I'm currently looking for a new one, but in the meantime it will really help you.
 
Soldato
OP
Joined
11 Nov 2002
Posts
3,947
Location
West Mids
Ok, I've researched the problem a bit more and the virus I have seems to be the new 'wow is this you' virus which is spread through Messenger. So far nobody seems to have come up with a simple solution.

Here's a description of the problem I took from another forum by a poster named Mel C (Neamh) from the free computer help community:

"Hi all - some little smarty sent me something yesterday which has me stumped.

Whatever it is, won't allow me to run msconfig, AV software, firewall or pretty well anything else which could help me determine what is wrong in any mode other than safe mode.

Each time I've scanned in safe mode, clean up, boot up, back to square 1.

I have scanned 3 times with AVG, I've tried the cleaner trojan scanner, cws shredder picked up 1, Spybot S&D as well as webroot's spysweeper. I've checked my Hijackthis report.... usually I'm the one who picks up on the problems for everyone else but this one has me stumped... I'm sure it's something I'm just too tired to see now and would really appreciate some help.

I'm running Windows XP Home on an Off the shelf HP - no modifications on this machine other than being on a home LAN. I don't have Sp2 installed - when I bought the machine, I found it was one of the models that HP advised against updating at the time and I haven't had the time to check since to see if that status has changed.

Hijackthis currently also shuts down before I can run the scan - however I managed to get a log earlier in safe mode.... won't even let me open the notepad document, not even in word - shuts down the software! Will go back to safe mode and report back with log in 5"


Basically this virus stops people using anti-virus software and stops them going to certain random sites, but mostly I cannot get into anti-virus sites, email or any secure websites.

If anyone can join the fight to get rid of this virus it'd be much appreciated by a lot of people.
 
Associate
Joined
7 Mar 2005
Posts
1,597
Location
Eating PI
Personally I don't rate AVG that highly; the main reason I like Avast is that it stops anything actually coming in. It's worth trying it anyway: remove AVG & install Avast. Then run Avast in safe mode, and then again in normal boot mode.
 
Soldato
Joined
12 May 2005
Posts
12,631
What I would probably try, and forgive me if you have tried something already.

First up, if a friend can download Avast for you and put it on a CD, that would be great. Make sure that after that you do as suggested and check your hosts, then try to install the programs in safe mode.

I would also check services.msc and msconfig startup. http://www.spywareinfo.com/~merijn/downloads.html grab startup list from there and see if that runs.

If it really does not get any better you may have to format.... do you know what the virus is called?
 

Deleted member 651465

CWShredder or HijackThis closes immediately after opening?

There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well Spybot S&D, Ad-aware and several anti-spyware forums).

http://www.safer-networking.org/files/delcwssk.zip
 
Soldato
OP
Joined
11 Nov 2002
Posts
3,947
Location
West Mids
EVH said:
CWShredder or HijackThis closes immediately after opening?

There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well Spybot S&D, Ad-aware and several anti-spyware forums).

http://www.safer-networking.org/files/delcwssk.zip

I've been away for a week so haven't done anything about the virus all week.

I tried that SmartKiller thing and it didn't work. It said it never found anything but I still can't open HijackThis.

Here's my hosts file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

Can you guys give me some info about a format? I bought my laptop from a shop and I'm not sure exactly what I have to do to re-install XP and re-activate it.

Any info would be appreciated.

It's safe to say this virus is a pain in the neck. Avoid at all costs.
 
Soldato
OP
Joined
11 Nov 2002
Posts
3,947
Location
West Mids
Ok, whenever I run AIMFIX whether in safe mode or not it always finds this file and deletes it:

Found HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss
Removed HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss

However, nothing happens once it deletes it. It's as if there is another file that is hiding somewhere and restarting the virus as soon as it is deleted or something. I also believe that csrss is a critical process; however, whenever I run taskkill in safe mode there are two csrss files. Obviously the virus is hiding behind that name. So it'd be a gamble to delete it from HijackThis or taskkill because I'd get the blue screen of death or something worse.

I did a full system scan of AVG in safe mode and it found nothing.

What now?

Can somebody post the info from the link I posted above? I still can't access that page. Thanks.
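The post above makes the right point: two processes called csrss is not by itself proof of anything, and killing the wrong one takes the system down. As an added example (not code from the thread or any poster), this Python script separates the two by image path rather than by name: a genuine critical Windows process runs from %SystemRoot%\System32, so an instance of that name elsewhere is the one to investigate. The process records are constructed; on a live machine they would be taken from Process Explorer or a similar tool.

```python
"""Flag processes that borrow a critical Windows process name but do not
run from the system directory (a path check, not a name or count check).

Added example, not from the thread; all records below are constructed.
"""
import ntpath
from typing import List, NamedTuple


class Proc(NamedTuple):
    pid: int
    name: str
    path: str  # full image path; empty for kernel pseudo-processes


SYSTEM32 = r"C:\WINDOWS\system32"

# Names malware likes to impersonate because they are always present.
CRITICAL = {"csrss.exe", "winlogon.exe", "services.exe",
            "lsass.exe", "svchost.exe"}

# Constructed sample: two csrss.exe, only one of them in System32.
SAMPLE_PROCS = [
    Proc(4, "System", ""),
    Proc(596, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    Proc(620, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    Proc(1840, "csrss.exe", r"C:\WINDOWS\csrss.exe"),          # impostor
    Proc(2100, "svchost.exe", r"C:\Documents and Settings\user\svchost.exe"),
]


def is_masquerading(p: Proc, system32: str = SYSTEM32) -> bool:
    """True when a critical-name process lives outside the system directory."""
    if p.name.lower() not in CRITICAL:
        return False
    # normcase lowercases and normalises separators so the compare is exact.
    return ntpath.normcase(ntpath.dirname(p.path)) != ntpath.normcase(system32)


def suspicious(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_masquerading(p)]


if __name__ == "__main__":
    for p in suspicious(SAMPLE_PROCS):
        print(f"PID {p.pid}: {p.name} running from {p.path}")
```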
 
Associate
Joined
10 Nov 2003
Posts
1,123
Location
N.Ireland
As much as I hate to say this, Format C is the best cure for this imho. Anytime I have caught a virus, I can't be bothered messing around. Shove the XP disc in and clean install ;)

Here's the stuff you are looking for:

W32/Chode-C
Summary
Name W32/Chode-C
Type Worm

How it spreads Chat programs

Affected operating systems Windows

Side effects Turns off anti-virus applications
Allows others to access the computer
Downloads code from the internet
Installs itself in the Registry
Used in DOS attacks

Aliases WORM_CHOD.GEN

Protection available since 6 June 2005 20:32:14 (GMT)
Included in our products from July 2005 (3.95)
