View Full Version : Virus help please -- AVG won't even open!
FairyNormal 09-03-2005, 17:39 OK I hold my hands up, it's entirely my fault. We have 2 PCs and one is connected via a wireless network (not to our other PC as it wouldn't connect to it). I stupidly didn't get round to installing ZoneAlarm and now we have a virus.
We run AVG and Ad-Aware. Ad-Aware will run but AVG will not. The home page has been hijacked and won't change back. We can connect to the internet but if I try and search using the words Spyware or anti-virus, it just closes IE down. It will not allow System Restore either. I noticed some icons for something called 'dabiz.com' and no-one installed it or knows what it is. I looked in Programs and Add/Remove but it's not showing up at all.
Can anyone help me please?
Yeah I know, we shouldn't connect via someone else's network so we deserve all we get, but no lectures please!!
Boot into "Safe" mode and try running AVG and associated spyware/scumware removal tools on your system??
Draggletail 09-03-2005, 18:11 Try downloading 'Stinger' to clean out the virus from here:
http://www.laughingpoliceman.com/free_software.htm
The link for the Stinger download is below the McAfee logo in the middle of the page.
My advice would be to run Panda Active Scan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and install CWShredder (http://www.spywareinfo.com/~merijn/downloads.html).
Boot into safe mode (repeatedly tap F8 while starting the computer and select SAFE MODE).
Try turning off system restore.
Now run CWShredder and have it fix anything it finds.
If this doesn't help just shout up and we'll try something else ;).
FairyNormal 09-03-2005, 22:21 Originally posted by Draggletail
Try downloading 'Stinger' to clean out the virus from here:
http://www.laughingpoliceman.com/free_software.htm
The link for the Stinger download is below the McAfee logo in the middle of the page.
I did this and afterwards I was able to run AVG. It said I had a Trojan virus and it removed it. Hey! I thought it was fine. Turned the PC back on later and hey presto, back to the way it was before, virus still there, home page still hijacked! Grrrrrrr!! It wouldn't even let me see this thread. Whenever I clicked on it, it just shut IE down!
Will try what Vidster suggests tomorrow morning and see how it goes.
Thanks everyone :thumbsup:
Fetish Fairy, are you using XP? Because if you are, you need to run Stinger again and then turn off System Restore before you reboot. If you don't, it will come back because a copy has been stored in the System Restore file which runs at start-up.
FairyNormal 09-03-2005, 22:57 Originally posted by wendy
Fetish Fairy, are you using XP? Because if you are, you need to run Stinger again and then turn off System Restore before you reboot. If you don't, it will come back because a copy has been stored in the System Restore file which runs at start-up.
We do use XP yes. When I tried to do a system restore before, it said something along the lines of ' this is not allowed as it is turned off. contact group administrator' or something like that. How do I turn off system restore (if it's not already turned off)?
If you are the Administrator (you should be), you just right click on 'My Computer', select 'Properties' and then go to system restore. You can turn it off there.
Reboot your computer and all restore points will be gone. Then run Stinger again.
If Stinger doesn't remove it, there is a dedicated online Trojan remover Here (http://www.windowsecurity.com/trojanscan/).
Again... Let it fix anything it finds ;)
Originally posted by vidster
If you are the Administrator (you should be), you just right click on 'My Computer', select 'Properties' and then go to system restore. You can turn it off there.
Reboot your computer and all restore points will be gone. Then run Stinger again.
If Stinger doesn't remove it, there is a dedicated online Trojan remover Here (http://www.windowsecurity.com/trojanscan/).
Again... Let it fix anything it finds ;)
Vidster, I think it's the trojan that has blocked her from getting into System Restore. If she reruns Stinger and AVG so that it shows it as deleted again, she should then be able to get into System Restore. It's part of the trojan's means of stopping you deleting it! I once had this problem on my son's old machine that had Windows ME on it and I didn't know about System Restore at the time as I had 98 on mine. I found this out from the help facility in Windows.
FairyNormal 10-03-2005, 15:25 Things have gone from bad to worse now! I turned it on this morning and it came up with this ........ British National Party Windows Picture and Fax Viewer screen, along with a Notepad saying some message about stupid n0000bs and evil death or something! This was before I had even clicked on anything! It also comes up with an error message saying ..... Error loading C:\DOCUME~1\ADMINI~1\LOCALS1\TEMP\se.dll Access is denied.
I then turned off, booted up in safe mode and ran AVG, which said it had a Trojan Horse startpage 16.BD
AVG said it has healed it so I booted up again.
Virus still there.
So I ran the stinger again, then AVG, all in all I have done this about 5 times and each time it says it has removed the Trojan Horse but when I boot up again it is still there.
System restore says ...... System restore has been turned off by group policy. To turn on System restore, contact your domain administrator.
Thanks for the PM Wendy but I can't see how to turn off System Restore. If I click on Properties it doesn't bring up anything about System Restore.
Vidster, I tried to run CWShredder etc. but it won't even let me access the page as it blocks anything that is related to anti-virus or spyware, just closing IE down or showing an error page.
Thanks so much for all your suggestions but it's still there as nasty as ever and I really DON'T want BNP filth on my PC.
Fetish Fairy if you don't turn off the system restore before you reboot it will come back every time because it has a copy in there. Immediately after AVG has said it has healed it try the system restore again because you should be able to get in then. You will not be able to get in before that and Do not reboot until you have tried turning restore off.
cgksheff 10-03-2005, 16:08 If I understand what FF is saying correctly, System Restore IS turned off.
System restore says ...... System restore has been turned off by group policy.
Originally posted by cgksheff
If I understand what FF is saying correctly, System Restore IS turned off.
:blush: So she did!:blush: That'll teach me to read the post properly.
I've run out of ideas for now then.
Unless anyone else comes up with a cure for this FetishFairy, I would now say we are at the HijackThis (http://www.download.com/HijackThis/3000-8022_4-10307556.html?tag=lst-0-1) stage.
I would recommend joining the forum in my signature. That way your HJT log will be looked at by a few of us instead of just me.
If not, follow the instructions below and I'll see what I can do.
CAUTION
This program can ruin your operating system so do NOT take any advice off anyone you don't completely trust.
Once HijackThis is installed you need to create a new folder on your desktop (right click anywhere on the desktop and select 'New', then select 'Folder'). Name this folder HijackThis.log.
Now run HJT and save the log to the new folder on your desktop. DO NOT HAVE HJT FIX ANYTHING YET.
Copy and paste your HJT log on the CbtTechs forum or on here (if it will fit in a post ;) ).
I/we will then analyze the log and give you further instructions.
FairyNormal 10-03-2005, 21:19 Log from HijackThis. Means nothing to me lol!!
Logfile of HijackThis v1.98.2
Scan saved at 22:13:42, on 10/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\me\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\me\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\me\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 symantec.com
O1 - Hosts: 64.233.167.104 sophos.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 update.symantec.com
O1 - Hosts: 64.233.167.104 updates.symantec.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 customer.symantec.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O2 - BHO: (no name) - {3B399B4A-A3F5-43DB-95B1-9DB260AC0C07} - C:\WINDOWS\System32\acij.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\serbw.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Wireless Configuration Utility HW.31.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Filter: text/html - {8454E6D2-6755-4FA4-9286-FB7CC121BEB5} - C:\WINDOWS\System32\acij.dll
O18 - Filter: text/plain - {8454E6D2-6755-4FA4-9286-FB7CC121BEB5} - C:\WINDOWS\System32\acij.dll
I'll get right on it FetishFairy but it takes a long time so I don't know how long I'll be ;).
In the meantime you may want to back up anything that is important to you....... Just in case :).
FairyNormal 10-03-2005, 21:29 Originally posted by vidster
I'll get right on it FetishFairy but it takes a long time so I don't know how long I'll be ;).
In the meantime you may want to back up anything that is important to you....... Just in case :).
Thank you so much Vidster. I could give you a big hug right now for being so kind in the face of my downright stupidity!! Thank you so much for all your time and help. It really is appreciated very much. :thumbsup: :clap: :love: :banana:
OK FetishFairy, I 'think' I found your problem :).
Run HJT again and place a check in the boxes below. Have HJT fix them.
O2 - BHO: (no name) - {3B399B4A-A3F5-43DB-95B1-9DB260AC0C07} - C:\WINDOWS\System32\acij.dll
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\serbw.exe
I also noticed these entries too.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
Although these are valid entries, they aren't supposed to appear in uppercase (MSMSGS.EXE). Therefore I recommend you open Task Manager (Ctrl+Alt+Del). Look under Processes for the EXACT spelling (including upper and lower case letters). Now check Here (http://www.answersthatwork.com/Tasklist_pages/tasklist.htm) to see if it is a valid process. If you can't find it, run HJT again and have it fix them.
If this does not solve the problem, re-run HJT and post a fresh log.
I hope this helps :thumbsup:
Originally posted by vidster
OK FetishFairy, I 'think' I found your problem :).
Run HJT again and place a check in the boxes below. Have HJT fix them.
O2 - BHO: (no name) - {3B399B4A-A3F5-43DB-95B1-9DB260AC0C07} - C:\WINDOWS\System32\acij.dll
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\serbw.exe
I also noticed these entries too.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
Although these are valid entries, they aren't supposed to appear in uppercase (MSMSGS.EXE). Therefore I recommend you open Task Manager (Ctrl+Alt+Del). Look under Processes for the EXACT spelling (including upper and lower case letters). Now check Here (http://www.answersthatwork.com/Tasklist_pages/tasklist.htm) to see if it is a valid process. If you can't find it, run HJT again and have it fix them.
If this does not solve the problem, re-run HJT and post a fresh log.
I hope this helps :thumbsup:
W32.Serflog.A [Symantec/Norton], Win32.Bropia.U [Computer Associates], Sumom.A [F-Secure], IM-Worm.Win32.Sumom.a [Kaspersky Lab], W32/Crog.worm [McAfee], W32/Sumom-A [Sophos], WORM_FATSO.A [Trend Micro] (http://www.sarc.com/avcenter/venc/data/w32.serflog.a.html).
Removal of this is a little more "involved" as this virus drops a few hidden files onto your system, and creates lots of copies of itself.
Symantec has a removal tool available.
I can DL and stick it on a website/domain you will still be able to access if required?
Originally posted by sccsux
W32.Serflog.A [Symantec/Norton], Win32.Bropia.U [Computer Associates], Sumom.A [F-Secure], IM-Worm.Win32.Sumom.a [Kaspersky Lab], W32/Crog.worm [McAfee], W32/Sumom-A [Sophos], WORM_FATSO.A [Trend Micro] (http://www.sarc.com/avcenter/venc/data/w32.serflog.a.html).
Removal of this is a little more "involved" as this virus drops a few hidden files onto your system, and creates lots of copies of itself.
Symantec has a removal tool available.
I can DL and stick it on a website/domain you will still be able to access if required?
I'm not sure what worm you're looking at sccsux :?. Did I miss something? Let me know what I missed so I don't do it again in the future :thumbsup: .
This (http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.a.removal.tool.html) seems to be the removal tool for the worm sccsux found above :).
all4_ofus 11-03-2005, 18:06 From what you have been saying and what you're going through (don't you have your original start-up discs?), why don't you wipe the whole darn computer clean and start fresh.. it's easy
Originally posted by vidster
Unless anyone else comes up with a cure for this FetishFairy, I would now say we are at the HijackThis (http://www.download.com/HijackThis/3000-8022_4-10307556.html?tag=lst-0-1) stage.
I would recommend joining the forum in my signature. That way your HJT log will be looked at by a few of us instead of just me.
If not, follow the instructions below and I'll see what I can do.
CAUTION
This program can ruin your operating system so do NOT take any advice off anyone you don't completely trust.
Once HijackThis is installed you need to create a new folder on your desktop (right click anywhere on the desktop and select 'New', then select 'Folder'). Name this folder HijackThis.log.
Now run HJT and save the log to the new folder on your desktop. DO NOT HAVE HJT FIX ANYTHING YET.
Copy and paste your HJT log on the CbtTechs forum or on here (if it will fit in a post ;) ).
I/we will then analyze the log and give you further instructions.
Originally posted by vidster
I'm not sure what worm you're looking at sccsux :?. Did I miss something? Let me know what I missed so I don't do it again in the future :thumbsup: .
This (http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.a.removal.tool.html) seems to be the removal tool for the worm sccsux found above :).
The combination of:
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\formatsys.exe (http://www.google.co.uk/search?hl=en&q=%22formatsys.exe%22&btnG=Google+Search&meta=) <--GOOGLE!
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\serbw.exe
and the edits to the hosts file:
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 symantec.com
O1 - Hosts: 64.233.167.104 sophos.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 update.symantec.com
O1 - Hosts: 64.233.167.104 updates.symantec.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 customer.symantec.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
which are all symptoms of W32.Serflog.A.*
Got the info by Googling for the various running processes, then cross referenced with instances of the hosts file edits + then simply checked the eventual links.
All the AV manufacturers know of this one.
AVG (http://forum.grisoft.cz/freeforum/read.php?7,26510,backpage=)
Trend (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FATSO.A&VSect=T)
McAfee (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=132209)
F-Secure (http://www.f-secure.com/v-descs/sumom_a.shtml) shows it as being pretty new (7 March 2005).
Seems to be spread via MSN or file shares.
What's the betting a search of Windows/System (with show hidden & system file on) shows up instances of British National Party.jpg, Crazy-Frog.Html, Message to n00b LARISSA.txt ?
* Addendum:
Also, the fact that AV has been turned off (another symptom) and System Restore has been turned off (another symptom). :thumbsup:
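The posts above (the pasted HJT log and sccsux's cross-referencing of it) describe a recognisable cluster: a hosts file that sends every security-vendor name to one IP, the same autostart written under both Run and RunServices, one DLL registered as both a BHO (O2) and a MIME filter (O18), and an IE search page pointed at a res:// resource in a Temp folder. The script below is an added example, not part of the thread and not HijackThis's own code: it parses HijackThis-style lines and flags that cluster. The vendor-name list, the threshold of three redirected names, and the four rules are assumptions chosen to match this log; the sample log is a constructed, abbreviated copy of the one posted in the thread.

```python
"""Triage a HijackThis-style log for the symptom cluster discussed in this thread.

Added example, not from the thread or from HijackThis. The four rules encode the
signs the posters cross-referenced; they are heuristics, not malware signatures.
"""
import re
from collections import defaultdict

# Substrings identifying security-vendor hostnames. This list is an assumption,
# drawn from the domains that appear in the thread's log.
AV_VENDOR_MARKERS = (
    "symantec", "mcafee", "sophos", "kaspersky", "f-secure", "trendmicro",
    "grisoft", "avp.com", "nai.com", "norman", "pandasoftware", "viruslist",
    "my-etrust", "networkassociates", "ca.com",
)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
MIN_REDIRECTED = 3  # vendor names on one IP before we call it a block list (assumed)

RULE_IE_HIJACK = "IE search/start page points at a res:// resource in a Temp folder"
RULE_HOSTS_BLOCK = "hosts file redirects security-vendor names to one non-loopback IP"
RULE_DOUBLE_AUTOSTART = "autostart written to both Run and RunServices"
RULE_DLL_BHO_FILTER = "one DLL registered as both a BHO and a MIME filter"

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s+(.*)$")
DLL_RE = re.compile(r"^(O2|O18) - .*?-\s+(\S+\.dll)\s*$", re.IGNORECASE)
IE_RE = re.compile(r"^R[01] - .*?=\s*(.*)$")

# Constructed sample: an abbreviated copy of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\me\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O2 - BHO: (no name) - {3B399B4A-A3F5-43DB-95B1-9DB260AC0C07} - C:\WINDOWS\System32\acij.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\formatsys.exe
O18 - Filter: text/html - {8454E6D2-6755-4FA4-9286-FB7CC121BEB5} - C:\WINDOWS\System32\acij.dll
"""


def triage(log_text):
    """Return a list of (rule, detail) findings for a HijackThis-style log."""
    findings = []
    hosts_by_ip = defaultdict(list)   # ip -> vendor hostnames redirected to it
    autostart = defaultdict(set)      # (hive, name, command) -> {Run, RunServices, ...}
    dll_roles = defaultdict(set)      # dll path -> {"O2", "O18"}

    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK and any(k in host.lower() for k in AV_VENDOR_MARKERS):
                hosts_by_ip[ip].append(host)
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            autostart[(hive, name, cmd.strip().lower())].add(key)
            continue
        m = DLL_RE.match(line)
        if m:
            kind, path = m.groups()
            dll_roles[path.lower()].add(kind.upper())
            continue
        m = IE_RE.match(line)
        if m:
            value = m.group(1).lower()
            # A search page served out of a DLL in a Temp folder, as in the thread.
            if value.startswith("res://") and "\\temp\\" in value:
                findings.append((RULE_IE_HIJACK, line))

    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= MIN_REDIRECTED:
            findings.append((RULE_HOSTS_BLOCK, f"{ip} <- {', '.join(hosts)}"))
    for (hive, name, cmd), keys in autostart.items():
        if {"Run", "RunServices"} <= keys:
            findings.append((RULE_DOUBLE_AUTOSTART, f"{hive} [{name}] {cmd}"))
    for dll, roles in dll_roles.items():
        if roles == {"O2", "O18"}:
            findings.append((RULE_DLL_BHO_FILTER, dll))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Each rule fires on the combination rather than on any single line, which is what the thread's analysis did: a lone Run entry or a single hosts line is not enough, but the vendor block list plus the paired autostart plus the BHO/filter DLL is. A clean log with a loopback hosts entry and a normal ctfmon.exe autostart produces no findings.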
Originally posted by all4_ofus
from what you have been saying and what you're going through (don't you have you're original start up discs) why don't you wipe the whole darn computer clean, and start fresh..it's easy
'cause it's only a virus??
Albeit a new one.
And there's removal tools/instructions available almost everywhere?:loopy: ;)
Originally posted by vidster
This (http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.a.removal.tool.html) seems to be the removal tool for the worm sccsux found above :).
The problem with this link is that the OP will not be able to access it, as it is hosted on one of the sites that is being blocked by the virus (hence my offer to host it, and the instructions, for a while).
A copy of this removal tool can be found on my (unfinished) personal website: Line1 (http://www.line1.co.uk/free/index.php?faction=view_entry&dldid=18#). I'll leave it up for the next week (in case others have need for it)! Oh.... I've also copied the Symantec Instructions page as if anyone has this virus they will be unable to access Symantec's etc website until after removal.
Good points..Well put sccsux! ;)
Do you not think that having HJT fix all the entries in the hosts file would work? Or do you think there are other 'hidden' files on the system?
It would be interesting to see if this worm reincarnated itself after being fixed by HJT. But then we're not here to play with other people's computers.
FetishFairy: You could let HJT fix everything I mentioned, as well as adding everything in the hosts file:
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 symantec.com
O1 - Hosts: 64.233.167.104 sophos.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 update.symantec.com
O1 - Hosts: 64.233.167.104 updates.symantec.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 customer.symantec.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
Although I suspect it will now be wiser to do as sccsux has suggested and use the removal tool on his site ;).
Originally posted by vidster
Do you not think that having HJT fix all the entries in the hosts file would work? Or do you think there are other 'hidden' files on the system?
It'd probably fix the hosts file, but the damn thing leaves residual files that could reactivate (especially via MSN).
Originally posted by vidster
It would be interesting to see if this worm reincarnated itself after being fixed by HJT. But then we're not here to play with other people's computers.
It would, indeed, be interesting to see if it would re-appear. Wouldn't mind looking @ it in a sandbox environment. I do have a laptop that needs a new HD. Might see what it can catch;).
Originally posted by sccsux
It would, indeed, be interesting to see if it would re-appear. Wouldn't mind looking @ it in a sandbox environment. I do have a laptop that needs a new HD. Might see what it can catch;).
If you try it, let me know what happens :thumbsup:
FairyNormal 12-03-2005, 00:55 Well I spent ages today messing about with it. So far I have done HJT 5 times but it still comes up with the same stuff.
The BNP, Crazy Frog and message to n00b are all there as sccsux says and MSN (which my daughter uses as many hours a day as she possibly can!) is acting weird too.
Right now I am knackered and I've had the 'blue screen of death' twice this evening so I will give up and try again tomorrow.
I'll do what sccsux suggests and see how it goes tomorrow.
Once again, thanks so very very much for all your time and trouble. Makes me smile to think of such nice people out there who are willing to help a total stranger.
Hugs to you all! X x X
FairyNormal 12-03-2005, 16:25 Wooo hooo!!!
I finally managed to get rid of that nasty virus thanks to all the wonderful help and information from Vidster and sccsux.
It took some doing but here's what I had to do in the end in case anyone is interested.
First I ran the McAfee Stinger from the link Vidster provided. This then allowed me to open up AVG and update it. I then ran AVG, which identified 21 files, 19 of which were the Worm/Fatso.A and 2 were trojan horse. It removed the trojan horse files but NOT the others. This then allowed me to log onto Sheff Forum and click on this thread. I then clicked on the link provided by sccsux to his Line1 site and downloaded the Symantec removal tool. This then enabled AVG to remove the remaining files from my system. This, in turn, re-activated the System Restore tab on My Computer/Properties, which I then turned off.
Phew!!!!
I then re-booted and whooopeeee!!!
It all seems to be fine now. I just ran AVG again to double check and all seems fine.
The question I now have is this. My daughter uses MSN Messenger all the time and this appears to be where the virus came from in the first place. The Symantec information says it sends the virus to all your MSN contacts. SO .............. do we risk getting infected again if she uses MSN? Should we email all her contacts telling them and advising them what to do to get rid of it?
I have now installed ZoneAlarm so will this protect us from getting it again?
Once again, I just want to say a huge thanks to Vidster and sccsux for all their wonderful help. If you're ever round this end of town, I owe you a pint!!!
Draggletail 12-03-2005, 17:47 Originally posted by FetishFairy
......First I ran the McAfee Stinger from the link Vidster provided....
I think you'll find that Draggletail provided the 'Stinger' link ;)
Originally posted by Draggletail
......First I ran the McAfee Stinger from the link Vidster provided....
I think you'll find that Draggletail provided the 'Stinger' link ;)
:hihi: :hihi: :hihi: :hihi:
As long as it's fixed I'm a happy chappy FetishFairy :thumbsup:
Originally posted by FetishFairy
Wooo hooo!!!
I finally managed to get rid of that nasty virus thanks to all the wonderful help and information from Vidster and sccsux.
Glad U got it sorted:thumbsup:
Originally posted by FetishFairy
The question I now have is this............... do we risk getting infected again if she uses MSN?
Yes. Though the chances of re-infection are slim.
Originally posted by FetishFairy
Should we email all her contacts telling them and advising them what to do to get rid of it?
It would certainly help ;).
Originally posted by FetishFairy
I have now installed ZoneAlarm so will this protect us from getting it again?
Allow ZA to lock the hosts file (this will, at least, allow normal(ish) net access in the event of re-infection).
FairyNormal 12-03-2005, 18:55 Originally posted by Draggletail
......First I ran the McAfee Stinger from the link Vidster provided....
I think you'll find that Draggletail provided the 'Stinger' link ;)
My apologies Draggletail, and please accept my thanks also. :thumbsup:
Draggletail 12-03-2005, 19:34 No worries, glad you got it sorted out. Looked like a real headache! :thumbsup:
Three Words: Format And Re-install
Draggletail 13-03-2005, 00:04 Originally posted by Trever
Three Words: Format And Re-install
But what if you've loads of stuff on there not backed up? Most of us are guilty of that :)
Originally posted by Trever
Three Words: Format And Re-install
What!...Because of a worm? :suspect:
I'm not sure I would recommend reformatting a computer every time a worm/virus/trojan was installed!
Like Draggletail says, most people have gigabytes of data/programs they have not backed up. How long would that take to replace? Longer than running a removal tool IMO.
Originally posted by Trever
Three Words: Format And Re-install
I'm sure I answered this here (http://www.sheffieldforum.co.uk/showthread.php?s=&threadid=31896&perpage=15&pagenumber=2#post326695) in my reply to All4OfUs.
The number of times I've seen people give out useless/incorrect/misleading information like this is astounding.
I have had Win 98 running on this PC since 2000 when I first installed it, and have (now, this is the important bit) never had to re-format this HD (or any of the others here for that matter).
You also have the added bonus, in that when you fix it, you will have increased your knowledge base.
Format and Re-install is a good habit to get into. It means you will regularly back up your hard drive, your computer won't be full of crap, your computer will be running at its best. I have worked professionally with computers for over 10 years now so I know what I am on about. You can spend days if not weeks trying to sort out some problems, in the end you'll probably just end up getting mad, smashing your house up and killing your wife etc.
Just do like the pros. Format and re-install.
FairyNormal 13-03-2005, 22:32 Well just to report, it's all working fine now with no problems at all. All it takes is a bit of patience and some good advice from some very kind people.
Originally posted by Trever
It means you will regularly back up your hard drive, your computer won't be full of crap, your computer will be running at its best
Regular back-ups should be a matter of course. As should a good all-round security policy. As should regular "cleaning". There is no need to re-format a hard drive!
Originally posted by Trever
I have worked professionally with computers for over 10 years now so I know what I am on about.
Only 10 years eh? That'd be around '94/'95 then? I was a qualified programmer before then, which (logically - and remember, computers function using pure logic) means I have more experience..... Though I don't presume to know more than anybody else;).
Originally posted by Trever
Just do like the pros. Format and re-install.
A true professional would find out the cause of the problem, then work to fix it. A re-format is a pro's last option!
As the OP points out above, the PC is now fine, and a re-format was not required. Information, logic and knowledge worked perfectly well.
Quote "A true professional would find out the cause of the problem, then work to fix it. A re-format is a pro's last option!"
Yes but would the customer want to pay?
A format and re-install takes one hour and costs £30
Finding a problem can take days and would cost the customer mega bucks!!
Unfortunately this is how it works and this is what people want. They don't care how you fix it, just as long as it works and costs as little as possible.
Originally posted by Trever
A format and re-install takes one hour and costs £30!
What you gonna do? Stick a message up saying "I'll tell you the answer if you pay me via PayPal":hihi: :hihi:
Took me about 20 mins to work out the problem from the HJT logs the OP posted (this includes transferring the removal tool to a "safe" area) and cost me nothing (other than a little of my time - which, though precious, doesn't preclude me from trying to help when I can) - also, FF (the original poster) didn't ask if we knew anywhere they could get it fixed, or prices, or inane suggestions, they asked their fellow forum users if they knew what was wrong and if it could be fixed.
Originally posted by Trever
Finding a problem can take days and would cost the customer mega bucks!!
Which customer???? No one has paid anything (nor lost any data). Whereas your method would have had them lose their data. Then again, you could then fleece the "customer" for rescuing the data, couldn't you:suspect:
The way myself, Vidster et al went about it meant all data was left intact, and the OP's machine is now restored to a state of operational functionality. :clap:
I'm out of this now.
Martin_s 14-03-2005, 23:11 Originally posted by Trever
A format and re-install takes one hour and costs £30
Erm... beg to differ... off topic I know but you'd be looking at closer to 5 hours if you do a PROPER job of installing all relevant patches, recovering their key files to their original locations (eg: email, templates, reinstalling software, etc...)
Oh and add another hour again if you're ghosting the hard drive to DVD so they can restore it quickly and easily a lot quicker next time around without the expense in time and money.
and even then you'd be hard pressed to do it in less than £50...
For a business customer who needs a solid base from which to be able to restore their PC and keep it focused on business apps it's one thing... but for a home user who has more time than money the "format and reinstall" is not something I'd recommend for this, especially when we have a plethora of tools like HJT available to help locate the problem with a little experienced help and patience.
OK then I'll try that next time.