Virus Help

[Matt24]

I just got a virus today and it is ****ing up my computer. Whenever I'm connected to the internet, everything slows down, internet explorer will work somewhat but not all the time, MSN will usually work, and I cant connect to AOL. I downloaded the new Norton, but if I am connected it wont let me run it, so I am running it currently offline to see if that finds anything. While it was running it I noticed at the start the same files over and over, and I figured out that was part of the virus and I have deleted all of those. Here are the names of those files, so hopefully someone recognizes this virus and can help me get rid of the rest of it or any ideas. Like restoring my computer to a few days ago. Will that work?

Here are the virus file names that I found

windows sourcecode update!.doc.exe
ACDSEE 9.exe
microsoft office 2003 Crack Working.exe
Windows Longhorn beta leak.exe
Porno.exe
XXX.exe
opera 8.exe
winamp 6 new!.exe
matrix 3.exe
adobe full.exe
keygen.exe
ahead nero.exe
serials.txt.exe


There were 11 files of each of these in all of my shared folders, not shared necessarily, but ones named shared. Thanks in advance.

 

[TTinCO]

Boy....someone stuck it to you in a big way.

First, go to www.trend.com & run the free online scanner. Then go to download.com & get "SpySweeper". Install, update and run it...I'm sure it will find an absolute SHITPILE of items--remove them all.

If that doesn't do it, also get TrojanHunter from download.com.

Once you're back on your feet, go to windowsupdate.com and get ALL of the critical updates.

Let me know if you're still having problems at that point. Also, do yourself a favor and buy Norton Internet Security or some other type of personal firewall.

(Do I sound like a broken record yet?)

 

[1cheater]

You could also use your computer's GOBACK feature to reset the registry back to a date when your weren't having problems..

 

[Matt24]

I have downloaded Spy Sweeper and I ran it, it found over 4000 traces and over 50 programs. Those are now gone. I have now downloaded Trojan Hunter and I am scanning, but I dont think I did the live update part of it. I click on it, but nothing happens, so I dont know if that matters or not. I also have Norton now, but it wont run if I am connected to the internet, it just shuts down and says execution error.

I did run a scan without the liveupdate of Norton and it didnt find anything.

Also all those files are back today.
So currently, I am waiting for the TrojanHunter to finish up its scan, it has already found some stuff with those files, that is how I noticed they were back.

Also what do you think Ttinco about the restore feature? Would that work?

 

[oldmantime]

Matt,
I've got Spy sweeper installed also. But it only finds 1 program. (I thought maybe it was referring to Spybot--for a program, but am not sure, what that is.) It does clean up the traces ok.

 

[Matt24]

I got Trojan Hutner working and found 3 trojans and I deleted those, I can now sign on to AOL and everything is working better. But I still cant run Liveupdate for Symantec Anti-Virus

 

[Matt24]

well i restarted my computer and those files were back. They are windows/system32/winsys.exe
and windows/system32/drivers/svchost.exe

I can't delete them, but their are 2 files along with teh winsys.exe taht I can delete. So i use norton to quarantine and delete and it says they are deleted, but I can still see them in the files, so they arent gone. Anyway to get rid of them?

 

[AAA15]

If you are familiar with software I would suggest that you backup your system(Important Files) and reinstall the operating system. That is the best way to go. Also get Norton Internet Security, it comes with Norton Antivirus. Have the system do a system check on a regular basis. If possible have it perform checks of your hard disk when you are sleeping so it does not interfare with your typical usage. I was downloading a file recently and a virus was detected that would allow the hacker to control my computer and see my files. It was blocked and identified for me. Also I use spybot and Adware to perform checks on my computer. They check your registry for files that are listed in their databank. Make sure you update the software first. Also update your windows system they have many holes in their software.

Start Fresh If you're Willing!!
And remember Updates Are Always you Friend.

Good Luck Man!!

 

[1cheater]

Matt, here is the WORM you have at Trnd Micro WORM_MORB.A

(Details:

Installation

Upon execution, this worm drops svchost.exe and msapi.exe in the Windows directory. It also drops winsyst32.exe in the Windows system directory.

SVCHOST.EXE is a copy of the worm while the two other dropped files are backdoor programs detected as BKDR_SDBOT.05.B.

These dropped files are also used by the worm for its installation during bootup) <<< Just a taste of what you have from that page, click details.....



Follow the directions on the page very. VERY CLOSELY, Write them down or print them out..

ALSO make sure you read the damage potential, the puppy you have could be very nasty...

All the best my friend!

[This message was edited by #1cheater# on April 21, 2004 at 09:25 PM.]

 

[Rickf]

The best thing and easiest thing to do is use www.trendmicro.com Download the virus update, click on the drives you wish to clean and scan away. When u find the virus thats causing the problems there is a further step that must be taken.

The virus is usually running in your system processes. You must (And this is important) CRL+ALT+DELETE. Search in the system processes
for the name of the virus that was found with the scan. You must than end the process so it can be removed from windows. Once you end the process, you can than delete it from. Do a search through all folders and files for the virus name untill all traces of the virus are gone.

Most viruses can't be removed while windows is running. You might also be asked to remove some viruses from DOS Command Prompt. Try what I said first and when you reboot the viruses will be gone.

 

[1cheater]

Rickf,

this basicly says the same thing, but there is more to it then that..

 

[Matt24]

thanks guys

#1 cheater, that link doesnt come up for me, is that the right link?

rick- I tried to do that and once I started ending those processes the system started a auto shutdown and also svchost.exe just kept on recreating itself.

 

[1cheater]

Matt, try this http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MORB.A

 

[Matt24]

ok those links work now. I went to a different computer, good thing I livein a college apt and we have 3 in here. I dont see how I got this worm, I dont use outlook?

 

[Matt24]

i dont run kazaa either, are you guys sure this is the right one, since it doesnt say anything about svchost? and also i dont recognize any of those other file names

 

[1cheater]

Details:



Installation

Upon execution, this worm drops svchost.exe and msapi.exe in the Windows directory. It also drops winsyst32.exe in the Windows system directory.

SVCHOST.EXE is a copy of the worm while the two other dropped files are backdoor programs detected as BKDR_SDBOT.05.B.

These dropped files are also used by the worm for its installation during bootup.

 

[1cheater]

Make sure you read, copy, and print out the

Solution: <<Located in that link I gave you, scroll down the page..



Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_MORB.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Important: Trend Micro advises users to take extra precaution while editing the registry. Any error made while editing the registry may adversely affect system configuration and may even require you to reinstall your operating system. Please consult the following articles from Microsoft for more information about the registry and the registry editor:

About the Registry and How to Use Registry Editor
HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows Me
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
To remove the malware autostart entries:

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
svchost = "C:\WINDOWS\svchost.exe"
WinSyst32 = "winsyst32.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunOnce
In the right panel, locate and delete the entry or entries:
WinSyst32="winsyst32.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
WinSyst32 = winsyst32.exe
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
svchost = "%WINDOWS%\svchost.exe"
"%WINNT%\svchost.exe"
WinSyst32 = "winsyst32.exe"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>RunOnce
In the right panel, locate and delete the entry or entries:
WinSyst32 = "winsyst32.exe"
In the left panel, double-click the following:
HKEY_USERS>.Default>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
svchost = "%WINDOWS%\svchost.exe" or "%WINNT%\svchost.exe" WinSyst32 = "winsyst32.exe"
In the left panel, double-click the following:
HKEY_USERS>.Default>Software>Microsoft>
Windows>CurrentVersion>RunOnce
In the right panel, locate and delete the entry or entries:
WinSyst32 = "winsyst32.exe
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Restoring MIRC.INI

Check the MIRC.INI load value and remove the malware application file if present.

Look for the MIRC.INI file in your hard drive.
Locate for “[rfiles]” and check if the application file name refer to MScript.ini as follows:
[rfiles]
n(no.)=MScript.ini

Delete MScript.ini.
Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MORB.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

 

[Matt24]

yeah i must have missed that, i just printed it out and am getting ready to try to kill it, but I just noticed something, I looked at both of my roommates processes, and both of them have svchost.exe running. But their computers are fine

 

[1cheater]

That's just because the worm could be sleeping and needs to be excuted... Believe me, if they have it, they both need to do the same thing

 

[Matt24]

whenever I try to end the processes of winsys.exe and svchost.exe, the computer initiates its own shutdown, so i cant do anything with that