Some kind of virus HELP

Axel7

I have some kind of virus.

XP Pro / NAV 2004

I just noticed yesterday I have lost NAV in the sys tray,
so I go and restart it and it comes up with a red X beside
auto-protect and a red error beside email scanning.

I try to LiveUpdate NAV and it will not connect.

I open Explorer and try to go to the Norton website, and it will not load the page; same with McAfee and all the others...

I have read about the host file trick that some viruses do,
so I go to c:/windows/system32/drivers/etc/host and I edit the host file with Notepad and I find all the websites listed like

127.0.0.0.1 etc
etc
etc

I edit the file and save,
and I can go to the site again (till I restart the computer and they are back in there).
I then run LiveUpdate and scan the computer and an error comes up, LU1823; try again and get error LU1815, etc.
I run Ad-aware and clean out all that crap.
I run in safe mode with restore OFF and a clean host file
and do a full scan there and it runs through and finds nothing.

I go to regedit and look at the Hkey LM-software/microsoft/windows/currentversion/run
and I find nothing out of place????

Does anybody have any good idea what is next?

PS: I ran McAfee Stinger as of 4/26/04.
I also went to safe mode and ran the free version of F-Prot.
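
The hosts-file check described in the post above, as an added example that is not part of the original thread: a Python sketch that flags hosts entries pointing antivirus vendor sites at loopback or 0.0.0.0. The watchlist of vendor domains and the sample file are constructed assumptions.

```python
import ipaddress

# Assumed watchlist: vendor domains for the products named in this thread.
WATCHED_SUFFIXES = ("symantec.com", "norton.com", "mcafee.com",
                    "trendmicro.com", "f-prot.com")

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def is_sinkhole(address):
    """True if the address is loopback or unspecified (0.0.0.0 / ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False          # not a valid address: not treated as a mapping here
    return ip.is_loopback or ip.is_unspecified

def watched(hostname):
    """Match the domain itself or any subdomain, never a look-alike suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_blocked_vendors(text):
    """Return [(line_no, address, hostname)] for watched hosts sent to a sinkhole."""
    return [(n, addr, h)
            for n, addr, hosts in parse_hosts(text)
            for h in hosts
            if watched(h) and is_sinkhole(addr)]

# Constructed sample, not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       download.mcafee.com   # added by malware
0.0.0.0         WWW.TRENDMICRO.COM
192.0.2.10      intranet.example.com
127.0.0.1       notmcafee.com.example.org
"""

if __name__ == "__main__":
    for line_no, addr, host in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

Because the entries in the post reappear after every restart, a hit from a check like this points to a process that is still rewriting the file, so cleaning the hosts file alone does not remove the cause.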
 
Have you tried running another spyware scanner (Spybot Search & Destroy, Bazooka)? If not, try them and see if they find anything. Ad-aware doesn't pick everything up, but neither do the others. Best to get a second opinion.
Also ensure that the scanners have the latest updates applied to pick up the newest threats.

John
 
Never thought a spyware would change the host file and block out Norton and others' web sites as well as attack NAV 2004.
But I will try it later today when I get home.


Anybody else with any thoughts?
 
Another point: there are more places than that in the registry where programs can load from. I would run msconfig and check the HKCU key as well.
You can use MSConfig on Windows XP to check all places easily together.

John
 
I'd go at it with HijackThis as well.


Jeff
The future is already here - it's just not widely distributed yet...
 
Sounds like you have the GAOBOT worm that corrupts the host file where you cannot access any of the AV sites.

McAfee was giving us a lot of QHOSTS.ABP detections when users booted up. That's the result, not the cause. Neither the Symantec special removal tool nor NAI tools told us anything.

We finally traced it down to a program, soundcontrl.exe. I sent a copy to McAfee and they sent an extra.dat file to eliminate the virus. It finds both soundcontrl and the multitude of files that come down off the internet to infect the computer.

I expect today's DAT release will find all this junque.

 
Trend's online scanner is pretty rubbish, but download their SYSCLEAN package and a pattern file and run that in safe mode with sys restore turned off; it picks up a lot. After that, run Spybot and Ad-aware, empty all cached files (temp internet, temps, cookies etc.), reboot and turn sys restore back on. Go into MSCONFIG and disable anything that is non-essential, then go back in in safe mode and run sysclean again to be safe.

Kes
 