
overrun with virus and no internet access... help?

 
Molly Watson
New Member


a couple of days ago, i was experiencing some serious problems with explorer.exe (i'm running windows xp), wherein i would start up my computer and a minute or so afterward, explorer would open up on its own, and get stuck in a loop until i had no choice but to manually reboot. so, i thought, okay, it's either a virus, or some serious spyware. alright.

so, i was able to get online yesterday night and run mcafee's online free virus scan, and found out that i have the following viruses/worms:

Downloader-KL
Downloader-JU
JS/IEstart.gen.d
JS/Noclose.gen
VBS/Psyme
VBS/Alphx.worm
Keylog/Briss

also, i'm getting a looong stream of messages from zonealarm about how webrebates.exe is trying to setup a server which is, you know, vaguely disturbing.

since then, because i'm on a school server for internet, it's completely shut me out, so now even if i do happen to clean out my system, i won't be able to get online. so, you know, all online fixes are completely out of the question, and i've only got diskettes to transfer fixes.

messed up, non? if ANYONE can help me with this, i will buy them a great many chocolates.

thanks,
noiie.
4 REPLIES 4
Norman_21
Honored Contributor

Re: overrun with virus and no internet access... help?

Hello,

You could have cleaned the Viruses when you could scan them. However, before doing anything set a Restore Point.
Go to Start>Run>Accessories>System Tools>System Restore. Give the New Restore Point a Name that will remind you of what this Restore Point is about.

For JS/IEstart.gen.d and JS/Noclose.gen, do the following:
Description:

This registry script modifies the Internet Explorer home page and the search page.

Solution:

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
OPQFile
Removing Other Malware Entries from the Registry

This malware modifies the registry to change the start and search pages of the Internet Explorer browser. Depending on the version of this malware, some registry entries may not exist in the Registry Editor.

1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer
2.In the right panel, delete the entry:
SearchURL
3.In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
4.In the right panel, delete the entries:
Default_Search_URL
Search Bar
SearchURL
Search Page
5.In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Search
6.In the right panel, delete the entries:
SearchAssistant
CustomizeSearch
7.In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Search
8.In the right panel, delete the entries:
Search Assistant
CustomizeSearch
Search Page
Search Bar
Search URL
9.Close Registry Editor

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

1.Close all Internet Explorer windows.
2.Open Control Panel. Click Start>Settings>Control Panel
3.Double-click the Internet Options icon.
4.In the Internet Properties window, click the Programs tab.
5.Click the "Reset Web Settings…" button.
6.Select "Also reset my home page." Click Yes.
7.Click OK.


For VBS/Psyme :
Kill these running processes with Task Manager:
1.exe
Remove these files if present:
1.exe
5.htm
5a.htm
error.jsp
gift-with-headers.html
ie-mediaplayer execute.htm
Both Files and Directories may be found and removed using Windows Explorer:

Right-click on the Start button (lower left of your screen).
Choose Explore.
Locate the file or directory of interest and highlight it.
Right-click to invoke the popup menu, and choose Delete.

For VBS/Alphx.worm manual removal:
Manual Removal Instructions


Apply the MS03-040 patch
Delete the following registry keys (Information on deleting registry keys )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Antivirus"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page"
Restart the computer
Delete the files (if present)
c:\a.exe
c:\av.ex
%WinDir%\av.exe
%WinDir%\b.exe

As for Keylog/Briss: upon execution, the trojan modifies the registry to automatically load itself into memory at the next startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"systray" = C:\test\A.EXE

You will need to run an Anti-Virus and clean the rest..there isn't manual removal for all viruses.
http://housecall.trendmicro.com/housecall/start_corp.asp

SpySweeper will remove more stuff including keyloggers:
http://www.spysweeper.com/download.html

Hope this helps and consider ass
"Attitudes are contagious, is yours worth catching"/ My first point was given by SEP on January 31, 2003
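
The autostart entries named in the reply above can also be checked offline from a text export of the registry. The following is an added example, not part of the original post: it parses a constructed regedit export (assumed to be saved in the REGEDIT4 text format) and lists the Run values whose names match the ones the reply names; the function names and sample data are illustrative.

```python
import re

# Value names the reply lists under ...\CurrentVersion\Run:
# OPQFile and Antivirus (to delete), systray (set by Keylog/Briss).
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
FLAGGED_RUN_VALUES = {"opqfile", "antivirus", "systray"}

# Constructed sample of a regedit text export; not taken from a real machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systray"="C:\\test\\A.EXE"
"Antivirus"="c:\\a.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\zlclient.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if m and key:
            yield key, unescape(m.group("name")), unescape(m.group("data"))

def flagged_autostarts(text):
    """Return Run-key string values whose name is on the reply's list."""
    return [(key, name, data) for key, name, data in parse_reg(text)
            if key.lower().endswith(RUN_SUFFIX)
            and name.lower() in FLAGGED_RUN_VALUES]

if __name__ == "__main__":
    for key, name, data in flagged_autostarts(SAMPLE_REG):
        print(f"{key}\\{name} -> {data}")
```

A name match is only a lead: the value's data (the path it launches) is what to check before deleting anything.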
Norman_21
Honored Contributor

Re: overrun with virus and no internet access... help?

One more thing:
also, i'm getting a looong stream of messages from zonealarm about how webrebates.exe is trying to setup a server which is, you know, vaguely disturbing.

Tell ZoneAlarm NO and it'll block it.
"Attitudes are contagious, is yours worth catching"/ My first point was given by SEP on January 31, 2003
Tim Patton
Advisor

Re: overrun with virus and no internet access... help?

Noiie,

Webrebates.exe is typically a file that is associated with a Spyware application. This isn't technically a virus, however it can be just as annoying!

Adaware calls this particular file (webrebates.exe) a TopMoxie object.

In any case, you should run a Spyware removal program on this PC, to clean off these programs. Both Adaware and Spybot are excellent FREE utilities that you can use to clean the Spyware off your PC.

Spybot
http://www.safer-networking.org/

Adaware
http://www.lavasoftusa.com/

Tim
Ron Kinner
Honored Contributor

Re: overrun with virus and no internet access... help?

Adaware and Spybot are both useful programs but sometimes not enough.

On a friend's computer go to:

http://www.majorgeeks.com/downloads31.html

and get CWShredder and HijackThis, unzip them (if they end in .zip) with Winzip - you can get a demo version at http://www.winzip.com - and put them on a floppy (they will both fit on floppies) and install them on your PC.

First close all windows, right click on the Explorer Icon on your desktop and select Properties then select Delete Cookies and tell it OK. When that finishes hit Delete Files (check the box in front of Delete Off-line Content and tell it OK). This one can take a while to finish, so be patient. Close the properties window and any other programs you have running.

Now run the CWShredder and let it Fix your system. (If you are not infected with Cool Web Search it won't hurt anything.) If it asks you if a file name is random, write down the file name and tell it NO then ask us. You can always run the program again and say Yes if need be.

Now run Hijack This, click on Scan and copy the output to a floppy and have your friend post it here and we will tell you which ones to check so that HiJackThis can remove them.

Ron