My old man has a virus


Bachanus
12-28-2004, 10:05 PM
My father got a virus. He says he didn't do anything, it just happened. After spending several hours trying to deal with it, he said, "Well, a few weeks ago I saw a message that said I was infected and couldn't stop it." I said, "You what?? What did you do?" "I hit that 'x', I didn't want it up."

Talking to him is like talking to my 2-year-old. He keeps telling me that anyone should be able to get rid of that. Call the cable company, it's their fault, etc. He can get on my nerves at times; I am sure a few of you can relate to this.

Here are his prime symptoms:

Norton AV is freaking toast. It will run for 10 seconds then terminate. I cannot delete or reinstall; when I try I get a popup, "This MIS has to run through setup". I tried the manual delete from Symantec, but I can't seem to do it properly.

IE will not access any website that has antivirus programming (Norton, Symantec, McAfee, etc). I get a note that says, "Website not found, please try again later".

MSCONFIG and REGEDIT will run for 10 seconds then terminate.

Now other than this, his browser appears to run OK; it will do all tasks, but I can tell it is running in "their" frame. Periodically a link to porn sites or search engines will pop up.

I have a friend going to try to remove it Thursday night. I think I will try Housecall tomorrow, since I saw Rooster's reference to it tonight. Maybe it will help. Damn aggravating.

feril
12-29-2004, 04:34 AM
Do you know which virus it is? Maybe download a fix tool for it on your own personal comp and run it on his, or take the drive out, hook it up to your comp and scan it.

Coplann
12-29-2004, 05:56 AM
Format, reinstall.

And get rid of Norton. They suck. Go get PC-Cillin.

]LoL[Harm
12-29-2004, 08:39 AM
Yeah, format/reinstall. Most home versions of virus scanners blow hard. I use Corporate NAV and it does me good. But that's because it has a nifty "if you use this product more than 70% of the time at your workplace you can take a single copy home" clause. And I did just that.

PC-Cillin is good, I also like TrendMicro for home version AV.

Elvtin
12-29-2004, 09:59 AM
PC-Cillin doesn't go well with people who aren't familiar with computers... hehe
When that window pops up asking if they wanna allow something to access their internet/computer, they'll go nuts!!! I betcha!!!
hehehe

Figtoria
12-29-2004, 10:07 AM
Welcome to my world.

It's never their fault. It's never anything they did. They (or their neighbour/son/grandson/mailman) are computer experts and know all about what to do. It should be free. We should drop everything and fix it now.


Bleh.

Ivyrielle
12-29-2004, 10:33 AM
Figgy, you need teeshirts from http://www.thinkgeek.com !

"No, I will not fix your computer."

I'm fond of the -1 STR/ +1 CHA from the PvP line. ;)

Nekochan
12-29-2004, 01:38 PM
http://www.syswear.com/ has some good t-shirts too.

Figtoria
12-29-2004, 02:12 PM
Oh yeah - I have that t-shirt, Ivy - it rocks.

Can't wear it at work though.

Technically.

:cheese:

Rooster
12-29-2004, 06:22 PM
Hehe

Bachanus
12-29-2004, 10:57 PM
Had another hour to kill so I worked on that virus some more. I guess you develop some abilities :bang: that really are helpful in certain situations. Like playing DAOC.

Anyway, I was tinkering with IE security and I disabled third-party browsers. This had a cool effect. I cannot access any internet now, but the puter operates a bit faster in other functions.

How is this helpful, you wonder? Well, I can easily run MSCONFIG now. I just kept trying to run it until I got fast enough to cut it on, click diagnostic mode, accept, restart in 10 seconds. :p

So now in safe mode, REGEDIT works!! So I was just glancing over the registry (way outta my league, I am not schooled in puters). I noticed some odd stuff... I found the NAV registry files (Norton's, I believe). There are two sets of each one... here is an example:

NAVblahblah
NAVblahblah.1

the first has two sub files

CLSID
CurVER

The second ( .1) only has
CLSID

What the hell is this CurVer? Is that an arm of the virus? Did the virus copy the Norton registry key, add .1 and a CurVer file?

It is just like a game... :eh:

Rooster
12-29-2004, 11:42 PM
Current Version

If you can get HijackThis to run on there (put it on a floppy)... run it, save the .txt file to a floppy and bring it back to yours, then post it here.

Then we can get somewhere!

Bachanus
12-31-2004, 10:39 AM
Ok, here ya go. Maybe you can easily see the problems. Even with phone help I was not able to resolve this. I loaded the puter in safe mode and "webspecials" was not disabled; it kept re-enabling itself. I could turn off all services and startup items in MSCONFIG except "webspecials". In Task Manager I wasn't able to End Process on "webspecials" either. Under REGEDIT I wasn't even able to delete the "webspecials" key. It kept replicating itself, even in safe mode. Ultimately I ended up reformatting; glad it was my father's PC, he had very little to lose. I actually think I disabled around 10 effects, odd files, etc. Just that persistent "Webspecials" was indestructible. Hope it didn't live through the reformat :p

Anyway, if you have any ideas how I should have attacked this, please let me know, just in case I see something similar in the future. Never hurts to know more. Mayhap to help another reader.

Thx
Logfile of HijackThis v1.99.0
Scan saved at 2:40:45 PM, on 12/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Dalford\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dalford\Application Data\Mozilla\Profiles\default\98c117jp.slt\prefs.js)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

Rooster
12-31-2004, 10:47 AM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run

Run Housecall to get rid of any trojans that are causing this stuff to reappear.

Get rid of ALL of what I listed above.
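The following Python script is an added example, not code from this thread or from HijackThis: it applies the same reading Rooster gave of the log (IE search settings all pointing at one foreign host, a Hosts-file override, BHO/toolbar entries whose file is missing, and a `rundll32` Run entry registered under both HKLM and HKCU) as mechanical checks over HijackThis log lines. The heuristics and the `triage` function are this example's own; the sample lines are copied from the log posted above.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse
# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
"""
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_KEY = re.compile(r"^(?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def triage(log_text):
    """Return (kind, reason, detail) findings; heuristics are this example's, not HijackThis'."""
    findings = []
    url_hosts = Counter()          # host each IE start/search URL points to
    run_names = defaultdict(set)   # Run value name -> hives it is registered in
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname
            if host:
                url_hosts[host] += 1
        elif kind == "O1":
            # A Hosts override on a home PC is a manual DNS hijack (here of search.netscape.com).
            findings.append((kind, "hosts-override", line))
        elif kind in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            findings.append((kind, "orphaned-component", line))   # dead BHO/toolbar registration
        elif kind == "O4" and (r := RUN_KEY.match(body)):
            run_names[r.group("name")].add(r.group("hive"))
            cmd = r.group("cmd").lower()
            if "rundll32" in cmd and "system32" not in cmd:
                findings.append((kind, "rundll32-outside-system32", line))
    # One non-default host owning several IE search settings is the classic search hijack.
    for host, n in url_hosts.items():
        if n >= 2:
            findings.append(("R*", f"search-hijack:{host}", f"{n} IE URL settings -> {host}"))
    # The same Run name under both HKLM and HKCU is the redundant persistence that kept
    # WebSpecials re-enabling itself after one copy was disabled in MSCONFIG.
    for name, hives in run_names.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(("O4", f"dual-hive-persistence:{name}", ", ".join(sorted(hives))))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a full log; legitimate Run entries such as the MSConfig line above produce no finding, while the WebSpecials pair is flagged twice (one per hive) plus once for the dual-hive registration.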

Bachanus
12-31-2004, 11:11 AM
Couldn't run Housecall. The computer wouldn't access any virus protection sites; it was always redirected. Housecall would start to load, then came up with an error every time. The more I study this HijackThis file the more interesting it appears. If I had understood more, perhaps most of this stuff wouldn't have replicated itself. Perhaps with some clean internet access, Housecall would have worked.

You're OK in my book, Rooster :cheese:

Thanks for all the advice

Bachanus
12-31-2004, 11:12 AM
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run

These were the parts that I couldn't remove even in Safe Mode.

Rooster
12-31-2004, 01:24 PM
Download:

http://www.trendmicro.com/ftp/products/tsc/sysclean.com (save it to a new folder)

http://www.trendmicro.com/ftp/products/pattern/lpt325.zip

Unzip the lpt325.zip file to the folder where the sysclean.com is.

Reboot in safe mode.

Delete the webspecials directory (c:\program files\..)

Then run sysclean from said new folder.