elaborate unknown virus?

[413345]

came across a really elaborate virus or trojan the problems began after booting and receiving a message from windows that the system had had to restore several files (unfortunately I didn't note which)

the malicious little creep has performed the following on my system:


1. denies access to internet through IE (attempts to download files to the temporary internet folder, which doesn't exist so it fail (* astonished)
2. alters NAV and any other AV program files
3. blocks windows help (as if that would really do any good ) (again attempting to download files in place of opening the progam)
4. deletes the "run" button in the start menu
5. disables the possibility of entering programs through start menu

Have run HJT etc and gone through registry without detecting any conspicious new commands or files.
Have searched and googled for three days without coming across a virus that excactly matches the description.

So, a plead for help here...

 

[billcmh]

Deleting the run button is certainly new to me. I've seen a couple of virus advisories this week, but haven't seen the actual virus yet. I assume you have checked the websites for the latest viruses. Perhaps try the latest version of McAfee's stinger? I assume its been updated this week.

 

[aquias]

Disabling the AV and other tools makes me think it may be a variant of this

http://www.virusportal.com/com/virusinfo/encyclopedia/overview.aspx?idvirus=49760

If I recall, I cannot recall which virus, but recently there was another virus that was released which acted very similiarly.

Can you get any web pages to run at present?

 

[413345]

Hi
thanks for your replies

It is not the atak I think, as there is not svrhost.exe file to be found

I can't get access to the net at all, in reply to your other Q...

 

[413345]

In the registry I found a

nodrivetypeautorun

entry in the HKCU register

may this be of help to identify the bleep?

 

[aquias]

Do me a favor and check your hosts file

C:\WINDOWS\system32\drivers\etc\hosts

And make certain that there are no entries, other than 127.0.0.1

As to the virus, I'm hoping that someone else can recall what the recent attack was (I believe it was only a few months ago)...and speaking of which...I found it.

Check for

http://www.virusportal.com/com/virusinfo/encyclopedia/overview.aspx?idvirus=45593

Or one of its several variants.

It doesn't remove the run function, but let's focus on getting you back to the web before we move onto that specific problem.

 

[413345]

Thanks again...

The host file hasn't been changed since 2003 so I think it is ok...

also, in reference to the virus you suggested, there is no winupd.exe file on my harddisk afaik...

 

[erikhertzel]

413345,

Have you tried to put a copy with updated virus defs from AVG on the machine and do a full scan? That could solve your issue.

Go to

http://www.grisoft.com

and download it and the definitions (make sure they are the newest) from a different PC and burn a CD or transfer it with a Pen Drive or something to that effect. Then, try and hammer the virus.

Hope that helps,

Erik

 

[413345]

thanks for your reply mate, but have done and failed miserably avg did not detect any virus...

 

[billcmh]

You mentioned the host file, did you search for duplicates, or actually look inside? Sometimes in situations like this a program called Winsockfix has helped restore web access. I dont' remember where I got it, but can email you a copy.

 

[erikhertzel]

Have you tried spyware issues and used Microsoft Antispyware and Spybot. I would recommend giving them a go also, make sure you have the updated defs...

We will figure it out.

Erik

 

[erikhertzel]

Also, what does your host file say? What is in it besides
127.0.0.1

Thanks,

Erik

 

[413345]

host file has nothing besides 127.0.0.1
have tried spybot,etc...

 

[aquias]

I'm leaning towards bill with this. Download two programs...

LSPFix and the Winsock Fix.

Run the LSPFix, if that doesn't work then move on and run the Winsock fix.

 

[aquias]

Links would be nice, eh?

LSPfix

http://www.spychecker.com/screenshots/lspfix.htm

Winsock Fix

http://www.spychecker.com/program/winsockxpfix.html

 

[erikhertzel]

Winsock fix may do the trick...good idea Aquias.

Erik

 

[413345]

thanks will give it a go and reply about the results tomorrow!

 

[aquias]

Thankie Erik! But Billcmh was the one that mentioned, it just looks like I'm a touch louder about it ;-)

 

[erikhertzel]

Aquias,

We should go into business together, I like your ideas!!



Take care.

 

[billcmh]

Links would be nice, eh?"

Thanks Aquias, I am unfamiliar with LSPfix, I will check the link.