virus blocking NAV from updating. BOO! 2

Status
Not open for further replies.

simon707

Technical User
Oct 13, 2004
39
CA
Hi, I have a virus and my Norton Anti-Virus freezes during "LiveUpdate".

Here are the symptoms I've been having....

Really slow in-Windows navigation, several seconds going up windows.

15-20 second delay when right-clicking an icon in the system tray before the context-sensitive window comes up.

Computer freezes when too many windows are open at once.


Here's what's happened so far...

Using "Spybot-Search'n Destroy", the results said "error during check" with that red triangle with the exclamation point, followed by "wild media" and then a bunch of German crap.

When rebooting after a freeze I got this message:
"Scandisk encountered a data error while reading cluster 168320.... Scandisk will try to continue past this error. When Scandisk offers to perform a surface scan on this drive choose yes"

Then after doing a surface scan it says:
"Scandisk found errors on this drive and fixed them all.... etc etc with 16,384 bad sectors"


But after the bad sectors were fixed the PC is STILL slow and STILL freezes during LiveUpdate. Just as it goes to "retrieving files" it stops, not the whole PC, but just NAV. It has frozen like this over and over.

Then today I turned on the computer and the "NAV repair wizard" window was up and showing that NAV had found a virus:
"Trojan.ByteVerify"; it was found in: Windows\Application data\SUN\Java\cache\java bla bla bla and it goes on forever.
But it looks like it's in Java???

Anyway the files were quarantined, and I rebooted, but NAV STILL won't update. And I had symptoms for over a week before the "Trojan.ByteVerify", so maybe that was a new one?

I've also recently switched from Kazaa to eMule for P2P last month, if that's relevant.

Can a virus cause 'bad sectors' on a drive? Is that a separate problem? How can I find what's blocking my NAV??

Sorry about the LOONG story, thanks for any help.
 
So long as you do P2P you will be getting this stuff, so technical help is really no help at all, but let's assume YOU have changed YOUR behavior.

I am betting that some malware has altered your HOSTS file to point virus scanners to bad IP addresses.

OPEN WITH.... Hosts using WORDPAD

delete any entries but localhost 127.0.0.1
update Norton
update Windows
delete programs from Add/Remove Programs offering toolbars or bargains
then run the usual gang of fixes

adaware
ccleaner (issues, repeating until there are no issues)
spybot
ccleaner (issues, repeating until there are no issues)
yahoo anti spy
ccleaner (issues, repeating until there are no issues)
Hijackthis
ccleaner (issues, repeating until there are no issues)
housecall.trendmicro.com
ccleaner (issues, repeating until there are no issues)


I tried to remain child-like, all I achieved was childish.
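One way to check a HOSTS file for the kind of tampering described in the post above (scanner and update hosts pointed at loopback or at some other machine), as an added example that is not from any poster in this thread. The HOSTS contents below are a constructed sample; `update.example-av.com` and the 10.0.0.5 address are placeholders.

```python
import ipaddress

# Constructed sample of a Windows 98 HOSTS file (not from the thread); the
# lines after localhost show the tampering the post above describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       housecall.trendmicro.com
127.0.0.1       liveupdate.symantecliveupdate.com
10.0.0.5        update.example-av.com   # sent to a box the user does not control
this is not a hosts line
"""

# Names that may legitimately point at the loopback address.
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return (line_no, ip, names) per active line; ip is None when malformed."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((line_no, None, [line]))
            continue
        entries.append((line_no, fields[0], fields[1:]))
    return entries

def suspicious_entries(text):
    """Flag every mapping except an allowed name -> loopback, plus malformed lines."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, None, names[0], "malformed line"))
            continue
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if loopback and name.lower() in ALLOWED_LOOPBACK_NAMES:
                continue
            reason = ("host sinkholed to loopback" if loopback
                      else "host redirected to " + ip)
            findings.append((line_no, ip, name, reason))
    return findings

def clean_hosts(text):
    """Return the file with every flagged line removed; comments and blanks stay."""
    bad = {line_no for line_no, _, _, _ in suspicious_entries(text)}
    lines = text.splitlines()
    return "\n".join(l for i, l in enumerate(lines, 1) if i not in bad) + "\n"

if __name__ == "__main__":
    for line_no, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, name, ip, reason))
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against a copy of the real file (open with a plain text editor, as the post says) rather than editing in place; any line it flags is one to look at before deleting.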
 
That's only a trojan if you're using the Windows Java VM. Do this to check and see and get rid of it!


Do you have Sun's Java, or Microsoft's Java VM? If you have Sun's, go to Control Panel, click on Java, click Cache and Clear. If you have Microsoft's, uninstall it and download Sun's Java.



This is the download page for Sun's Java:

 
I'm not sure what this instruction is supposed to mean...

I am betting that some malware has altered your HOSTS file to point virus scanners to bad IP addresses.

OPEN WITH.... Hosts using WORDPAD


Is "open with" a command line I'm supposed to put in the "run" field or something else??

Also, you said that this always happens on P2P. Does that mean just being connected to the network can infect you, or does it come in specific files you download... cause I always scan them before opening. Some files have tried to "request a license" when playing them and have tried to access the net. Would those be the offending files?
 
Many flavors of Windows, when you right-click a file, will offer a choice of OPEN WITH... If you choose it you get a selection of programs to open the file with. You could also just start WordPad from START > ACCESSORIES > WORDPAD and then navigate to the HOSTS file in the OPEN dialog.

When dealing with people with no sense of the rights of others, YOU are one of the 'others' they have no shame in violating. It is not like "There is no honor among thieves" is a recent discovery.

You will also find infected files at free porn sites and in the 'money for nothing' scams; the only way to avoid them is to not do P2P, porn, or get rich quick on the PC.

I tried to remain child-like, all I achieved was childish.
 
AHH! After I opened my Host.sam file with Notepad my CWShredder can't scan because it says "HOSTS" file not found...!

I have noticed that after I assign a file with "open with" it permanently changes its icon to match the chosen application.

Has this instruction screwed up my HOSTS file?? Is it even safe to reboot?

Also, I cleared the cache in Java and checked the HOSTS file, no extra entries, and NAV still freezes while trying to update.


 
On all the versions of Windows I am used to there is a HOSTS file and a HOST.SAM file (typically the same data)

I would copy HOSTS.SAM to HOSTS, in the same folder.

I tried to remain child-like, all I achieved was childish.
 
There are some other options open to you, at this point.

First off Jimbopalmer is correct, P2P networks are notorious for infected software. Additionally, you are opening known ports and sharing out portions of your drive with the world. It is a VERY large security risk.

Now, I would recommend running Microsoft Antispyware (provided you are on XP). Additionally, I would run Panda's online scanner (or Trendmicro). This should pick up additional infections and help to clear them out.

Lastly, Hijack This to see what is left on your system.
 
Pechenegs, I followed your advice to fix what may have happened to my HOSTS file; some bad signs came up:

I downloaded "HOSTER" and when loading up it said "couldn't find host file, Press OK to create one", so I clicked "OK" and then clicked "Restore Original HOSTS", like you suggested. I then pressed "change to read-only". I don't know if "creating" one was a good idea because the original changed one is still there I suppose; will I now have duplicate complications?

There are still some suspicious behaviours though:

Now CWShredder does say "Found HOSTS file" but after only six lines the report ends:


CWShredder v1.59.1 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\SYSTEM
AppData folder: C:\WINDOWS\Application Data
Username: {edited out by me}

Found Hosts file: C:\WINDOWS\hosts (686 bytes, RA)
Found Win.ini file: C:\WINDOWS\win.ini (9288 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2662 bytes, -)
Found line in System.ini: shell=Explorer.exe


- END OF REPORT -


When normally this scan goes through a lengthy list of things it's checking for. It seems it's stopping mid-scan just like my Spybot.

Also, I then tried PANDA ONLINE SCAN and during the Java applet scan window, after clicking "start scan" it says: "Error Downloading Panda Active Scan, Please repeat process. If problems continue restart system and try again. Possible problems: Not allowing ActiveX, Problems with net connection." And this HOSTS file thing has something to do with the internet connection, right?? Is this a bad sign that this program wouldn't run? I rebooted and had the same problem. So now... Spybot won't scan.... NAV won't update.... and Panda won't online scan...

One good sign is this TrendMicro thing has successfully scanned my PC and apparently found nothing... BUT it seems stuck mid-process between "step 2: SCAN" and "step 3: SUMMARY". I've been waiting for it for over an hour; I think I'll just close it as it hasn't found anything.


So do you think my HOSTS file is fixed/safe? Any way to check? I'm not sure if I should follow JIMBOPALMER's advice, which I don't understand (copy HOST to HOSTS, in same folder??) and would like PECHENEGS's opinion, or any other second opinion on what to do.

Also, despite no viruses found in the TrendMicro scan, my NAV still freezes during LiveUpdate, which is what I was trying to figure out in the first place. Any last ideas?


Finally, to AQUIAS: I do have HijackThis; can I post a log for you guys to analyze? Thought I should ask first.

Simon.
 
CWShredder can't do any repairs unless you click the Fix button. Scan only won't accomplish much for you.

Yes, we will look at a HijackThis log for you.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
For your antivirus scan

Trendmicro has something called sysclean:
You can download this and a current pattern file (look at the readme file for instructions), install it and then run it in safe mode on your system.
That might help you get a completed scan instead of the hangups you are currently experiencing.

You can also try this scanner:
The free download version will only identify problems but that is still useful.



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Hey Deogenes10, I used the MWAV scanner you suggested and it found a bunch of stuff. I couldn't copy and paste the results so I had to copy them in manually, UGH!! A lot of the lines seemed to be about things other than viruses; here's what it said:


Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken

Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken


Then several lines describing "'Entry:' bunch of numbers 'refers to invalid object'... and then a location". They're not viruses but something else. Then there are four lines describing viruses; the first and the last lines are repeats but that's how they appeared in the scan, it's not a typo on my part. Also, lines 2 and 3 seem almost identical but they are also two different entries:


C:\WINDOWS\sb.dll infected by "Trojan.WinREG.StartPage" Virus! Action Taken: No Action Taken

C:\WINDOWS\TEMPOR~1\CONTENT.IE5\SP2RWPYJ\hdplugin_1019bundle43v3d33[1].cab tagges as "not-a-virus:AdWare.Gator.1019" Action Taken: No Action Taken

C:\ WINDOWS\Temporary Internet Files\Content.IE5\SP2RWPYJ\hdplugin_1019bundle43v3d33[1].cab tagges as "not-a-virus:AdWare.Gator.1019" Action Taken: No Action Taken

C:\WINDOWS\sb.dll infected by "Trojan.WinREG.StartPage" Virus! Action Taken: No Action Taken


Then there's a long list of viruses stored in NAV's quarantine folder which I could never type out, but I don't think I need to worry about those.

So what do I do about those first two lines and then the group of four?? I didn't run the "trendmicro syscleaner" because it does something to the registry. I used "REGISTRY CLEANER" in the fall and I got a blue screen and couldn't load Windows and had to restore the registry, which was scary. So seeing as how the other scanner found stuff I thought I should ask what to do next before using the "trendmicro syscleaner". Does it look like that's what I have to use or no?

Also, here's my HijackThis log:


Logfile of HijackThis v1.97.6
Scan saved at 2:14:30 AM, on 8/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SIERRA\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\MY DOCUMENTS\DOWNLOADED'''PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\SIERRA\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

See anything to get rid of??

Also, to Pechenegs: I fixed my HOSTS file, thanks!! The PANDA scan started to load the ActiveX controls and was working for a while, but then got cut off again. But I think the HOSTS file wouldn't be the reason now.

Thanks again, SIMON.
 
Download the pocket killbox




*Download Cleanup from Here



* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set
when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET




go to start/run/type msconfig /click ok/click startup/ uncheck KB891711.EXE/click ok/exit


have hijack this fix this one.


O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the Full Path of File to Delete box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.


C:\WINDOWS\sb.dll




Now run cleanup
 
Also update Spybot and run it; Ad-Aware should take care of Alexa.


Go to this site and get Ad-Aware SE and update it.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk entries". Click Next to start the scan. Delete everything Ad-Aware finds.


 
Ok Pechenegs,

I'm just in the middle of following your instructions and I have a few questions.

1. At this point in your instructions when you say:

go to start/run/type msconfig /click ok/click startup/ uncheck KB891711.EXE/click ok/exit


have hijack this fix this one.


O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE


After I uncheck it in MSCONFIG it asks me to restart my PC for the settings to take effect. Then after rebooting I go to look for the "KB891711.EXE" line in HijackThis, only now that line I need to check off is no longer showing up in the scan.

So is it taken care of? Or did unchecking it in msconfig make it invisible to HijackThis?

#2. You say with Killbox I need to:


copy and paste each of the following lines.....
...until you have copied and pasted all of these in the Paste Full Path of File to Delete box.


But then you only list ONE line; were there supposed to be more LINES, or did you realize there was only one line that needed it? Just thought I should check.

Simon
 
Yes, because there is only one pest to be deleted, and yes, unchecking it in msconfig probably means it's not showing up in HijackThis!
 