I've got a virus/trojan/worm I can't lock down. Suggestions?

[quarterback]

I used to have some little program that would let me see (and disable) everything that would start automatically when WinXP boots up.

It had sections for things that are in your registry, things that are in your startup folder and things in .ini files.

[Mr-Megalo]

I think you may mean MSCONFIG

start>Run type MSCONFIG


edit:might be best to do it in safe mode - hit F8 when your machine starting up and choose safe mode

[quarterback]

That's it!

Thanks.  I thought it was around here somewhere.

Thanks

I think you may mean MSCONFIG

start>Run type MSCONFIG

[Mr-Megalo]

your welcome - hope you get it sorted, trojans/Virii are a pain in a Windows users --I'm attempting to get by the auto-censor and should be beaten after I re-read the rules--

[quarterback]

And this one is definitely a pain.

[quarterback]

I've updated the Subject line.   If anybody knows of an app that will track this thing down or clear it out, I'd appreciate it.

[Harry Potter]

Spybot maybe.

[MaximRecoil]

Try one of the online virus scans such as Trend Micro's House Call. Also, run Spybot Search & Destroy. A program called HiJackThis can take care of most anything, but you need to know what you are doing. Fortunately there are forums that you can post the HiJackThis log on and they can help you interpret it and tell you what to do.

Also, it might help if you post a screenshot of your Task Manager and Msconfig windows (and if you have XP SP2, in an IE browser window go to Tools > Internet Options > Progams > Manage Add-ons > Add-ons currently loaded in IE and get a screenshot of that too) here to see if anything stands out.

BTW, doesn't your firewall give you the name of the application that is trying to "phone home"? If not, get one that does such as Sygate Personal Firewall (there is a free version that is fine).

It is most likely an activeX dll. If you find out which one it is, you can usually just unregister the dll using regsvr32.exe with the /u switch and then delete the dll.

[M3talhead]

Dont listen to any of them. They dont know what they're talking about. Just sell me your computer for $10 and I'll take care of it for you.

[quarterback]

Try one of the online virus scans such as Trend Micro's House Call. Also, run Spybot Search & Destroy.

Yeah, I had tried spybot but it didn't come up with anything. (I mention it above but I know I'm sometimes verbose )

A program called HiJackThis can take care of most anything, but you need to know what you are doing. Fortunately there are forums that you can post the HiJackThis log on and they can help you interpret it and tell you what to do.

I've not tried HiJack This because it seems so freakin complicated, but I've seen people posting their logs, so maybe that's my next step.

BTW, doesn't your firewall give you the name of the application that is trying to "phone home"? If not, get one that does such as Sygate Personal Firewall (there is a free version that is fine).

Yeah, it's Windows Explorer that's trying to connect to the Russian site.  Since Windows Explorer is all tied in with everything else in Windows, it tough (for me, at least) to track down what's really at work.

It is most likely an activeX dll. If you find out which one it is, you can usually just unregister the dll using regsvr32.exe with the /u switch and then delete the dll.

Yeah, I'm assuming it was an ActiveX deal that started it all, but I'm not sure where to go from there.  The good news (I guess) is that I haven't heard from it since.  I've rebooted a couple times but, so far, my firewall (Outpost) hasn't alerted me to anything out of the ordinary.

Sigh.  Oh well, maybe HiJack This is in my future.
Thanks y'all

[MaximRecoil]

Yeah, it's Windows Explorer that's trying to connect to the Russian site.

[missioncontrol]

you did make sure to update your definitions before sunning ad-aware and your anti-Virus right???

[abrannan]

Also, try some google searches on the domain that it's trying to connect to with additional words like virus and spyware.  You should be able to turn up some support forums where people say what they needed to kill it.  Also check the HKLM/Software/Microsoft/Windows/CurrentVersion/Run key, as that's likely where the startup programs are being run from.  Remove anything that isn't identifiable, and run a google search anything that looks like it may be a Windows component (a favorite hiding strategy of virus/spyware authors).  It's probably got some rootkit style components that are hiding it from spyware/virus scanners, so you need to be able to find and stop it from running first.

[shmokes]

McAfee has a program called Stinger that will search for and remove many common worms.  It can be downloaded for free from their site.

[hanelyp]

Use anything but internet explorer or you'll likely be reinfected.  If you must use that browser, up the security settings.  Same goes for outlook.

If a parasite program (or popup code in a web page)  is trying to contact a site by name, an entry in you HOSTS file (somewhere under your windows directory) can block it.

127.0.0.1   trouble.site

if adaware, spybot S&D, and a good virus scan all find nothing, I don't know what will find the infection.  I'm wondering if your problem might be in a web page you frequent.

[quarterback]

Definitely an ActiveX module which will be a dll. Do you have XP SP2? See what add-ons are currently loaded by IE and also what add-ons have previously been loaded by Windows like I described above.

I've got a bunch of them listed in there.

[SOAPboy]

Wow...

Suggesting Anti SPYWARE  Tools for viruses..

Highlighted the KEYWORD here

Best bet imo, Backup IMPORTANT files, Format..

Youll NEVER fully get rid of anything that hardcore, itll stick around, and something will trigger it again..

[MajorHavoc]

I know it's a PITA but get ahold of Hijack This.  Install it and go here http://housecall.trendmicro.com/housecall/start_corp.asp
run the online virus scan.  When that is complete, disconnect your cable modem or DSL or phone line, restart in safe mode and run spybot and adaware.  Now run HJT.  Save the results as a text file.   reenable your internet connection, restart and post it to any one of the many HJT assistance websites along with a description of your problem and the steps you've taken so far to isolate and identify the culprit.  If you are of a more independant bent, go over the HJT results.  Do a systematic search using yahoo or google to research each and every line of the HJT results.  This can be time consuming but it usually works for me.  Who knows, you may find a command line
CallRussia.exe  (kind of optimistic but it could happen).
If you are running XP you may be able to use to the goback feature but more and more of the newer virii get into the goback file and make it a useless effort.  Am I an expert virus hunter?  No!  Merely the parent of a teenager who has never met  a download she didn't like   

Good luck
Mike

[Captain_Dingo]

quarterback:

You might have one of the many trojans that infects your wininet.dll.  I found it was able to hide from most active scans (adaware, ewido, spybot, etc.), especially in safe mode where I was booting with no networking.

Search for a tool called smitRem.exe, and another script called Silent Runners.vbs.  Both of these are run in safe mode, and helped me clean the last remnants of one of these PITA trojans.

I found references to these on some of the sites that had people posting HJT logs.

[SirPoonga]

I've got something on my PC that tries to contact some Russian website everytime I start my pc.  After my pc has been running for a while, all/half the programs in my tray will shut down and restart themselves and, simultaneously, Windows will try to connect with this website.

FYI, those two actions are probably not related.  Your explorer is probably rebooting for some odd reason and the Russian thing gets executed when that happens.

Hardware or software firewall?

[quarterback]

Thanks again for all the replies.  I've gotten some feedback on my HiJack This logs and I think I've got this thing beat.

FWIW, it looks like it was "Vundo", "Vundo.b" or probably some other variant (since none of the spyware or virus checkers could identify it)

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.html

What a freakin pita.

[HaRuMaN]

Quit downloading pr0n/warez and you'll be fine.   

[quarterback]

Quit downloading pr0n/warez and you'll be fine.