Team-BHP > Shifting gears
Old 15th April 2006, 10:26   #1
BANNED
 
Join Date: Mar 2005
Location: Mumbai
Posts: 1,773
Thanked: 19 Times
Help with Suspected Virus

Hi Guys,

Just received a msg on my MSN Messenger window from one of my contacts with a link leading to msnmessenger profiles with my name and asking if it was me. I clicked on the link and a DOS application downloaded.

Now I cannot find the file which got downloaded to my default download folder, from where I double-clicked it.

Within a minute I got a Windows file error message on my screen (XP SP2) asking me to restore my original files as they have been replaced by some other files. I tried running a Norton Antivirus scan but even my NAV is acting up, saying that I should register and activate my product, which was already activated and valid till Dec 2006.

Please help. What should I do?

Viper
viper is offline  
Old 15th April 2006, 11:23   #2
BANNED
 
Join Date: Feb 2005
Location: Bombay
Posts: 628
Thanked: 6 Times

Viper,
Sometimes Norton does not catch the virus. Try using a WORMKILLER app or something. Here's the link.
http://www.freedownloadscenter.com/B...killer-xp.html
Hope it helps!
Cheers
2L8uLoose is offline  
Old 15th April 2006, 11:25   #3
aZa
Senior - BHPian
 
Join Date: Mar 2006
Location: Noida / Delhi
Posts: 1,595
Thanked: 21 Times

Heya Viper

1. Never download / accept / click on links from unknown ppl
2. Check the authenticity of the URL and extension etc.
3. Norton sucks
4. Be up to date with MS patches
5. Get NOD32

If ur faithful Norton has been pwn3d then try downloading Stinger from McAfee; it's a small standalone virus scanner for the latest threats. If u have a firewall then u would know which application is connecting to the net, or just use TCPView and check them out.


cheers
aZa is offline  
Old 15th April 2006, 11:38   #4
BANNED
 
Join Date: Mar 2005
Location: Mumbai
Posts: 1,773
Thanked: 19 Times

Guys,

I just reinstalled my Windows and the funny thing is I did not log onto MSN. But this window popped up and someone buzzed me. A user called "I will get my revenge Pete".

Am scared since I have a lot of data and no backup. Help
viper is offline  
Old 15th April 2006, 11:53   #5
Senior - BHPian
 
Join Date: Sep 2005
Location: Back in the HOOD near you!
Posts: 2,768
Thanked: 39 Times

Hi,

If you have original Windows I will suggest you 2 things that will keep you safe each and every time.

1. Windows OneCare Live. You can get it online for free at http://www.windowsonecare.com/purchase/default.aspx . Install the beta for free; it will take around 15 - 30 mins on a 256k connection. It's an online installation. You should at least have 256 MB RAM unshared.

2. Windows Defender. http://www.microsoft.com/athome/secu...e/default.mspx .
It's a spyware remover from Microsoft, free for its customers.

I have been using OneCare for the past 3 months and not a single problem. It's very light and good. And Windows Defender I have been using for the past 1 month and it simply rocks. Doesn't even let you know about any spyware that hits yer computer.

P.S. I have 1 GB RAM and used to use Norton and McAfee. Norton was so heavy and McAfee was so buggy at times. Used NOD but it was not up to the mark. Though Kaspersky was good, but used to update definitions every day.

Cheers.
abhibh is offline  
Old 15th April 2006, 11:57   #6
Senior - BHPian
 
Join Date: Sep 2005
Location: Back in the HOOD near you!
Posts: 2,768
Thanked: 39 Times

Hi,

Are you on LAN? If yes then one can net send you these messages easily if they know yer computer name. But if you are not on LAN then it must be a Trojan.
http://windowsupdate.microsoft.com/ Go here and update yer Windows and I'm sure the problem will go away. Do remember to install Windows OneCare and Defender.
abhibh is offline  
Old 15th April 2006, 12:05   #7
BHPian
 
Join Date: Nov 2004
Location: Visakhapatnam
Posts: 176
Thanked: 51 Times

You reinstalled Windows and still got infected. Did you format your hard drive, or just upgrade on the existing system?

OK, first check all the processes that are running in the background.
Hit CTRL + ALT + DEL and check for the processes. It will be helpful, to give you a clear idea, if you could provide the names of the running processes.

Do this in safe mode. You can enter safe mode by pressing F8 just after you start your PC and before the starting Windows screen pops up.

Check your startup. To do that --> click Start menu --> Run --> type msconfig --> Enter --> a window will be displayed; in that, check the Startup tab. Remove all the unnecessary stuff, all that you don't want to start when Windows starts up, like Winamp, Yahoo Messenger, MSN etc. You can start them up after you start Windows; they don't need to be in the startup.

Since you have stated MSN Messenger, through which ur being threatened, I would like to suggest you disable the Messenger service. That would protect you to a certain extent, till you clean up the system.

Step 1: Right click on My Computer
Click Manage
Click on Services & Applications
Click on Services
Step 2: On the right side of the same window scroll down. You will find "Messenger"
Double click that --> a window pops open
Stop the service
In the startup type --> select "Disabled"

If you have a service named messenger sharing, follow the same steps as above and disable it.

Now get a firewall, something like ZoneAlarm or Outpost, which is available free online. Install it and just watch the logs. I know this is getting complicated, but do that only if you want to find who's bothering you. Well, I could give you more details if you want to; just PM me.

AVG is a better antivirus and it's available free online. You can download it here:

http://free.grisoft.com/doc/2/lng/us/tpl/v5

If you could give me some more details about the virus or whatever errors you r encountering, I could give you more detail about the cleaning procedure.
freakrz is offline  
Old 15th April 2006, 12:52   #8
BANNED
 
Join Date: Mar 2005
Location: Mumbai
Posts: 1,773
Thanked: 19 Times

Hi Guys,

What I have figured out is that it is a Trojan. Got detected by an older version of Panda antivirus. Norton is not getting completely uninstalled and all antivirus programs are not working. It says expired. The virus is in System win32/hosts or something like that.

Viper
viper is offline  
Old 15th April 2006, 15:31   #9
BANNED
 
Join Date: Mar 2005
Location: Mumbai
Posts: 1,773
Thanked: 19 Times

Hi Guys,

Have finally identified the problem. It is a FakeMSN8Beta virus which from one file has multiplied into 90 files in 20 mins.

It is located in C:\WINDOWS\System32\taskkill.com
and C:\WINDOWS\System32\netstat.com.

Am now formatting my comp to prevent any further problems as my whole comp is acting up.

Viper
viper is offline  
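
Added example, not part of any post in this thread: the two file names reported in post #9 match built-in Windows tools (netstat.exe, taskkill.exe), and the default Windows PATHEXT order tries .COM before .EXE, so a same-named .com file in the same folder is what runs when the bare command is typed. The Python sketch below flags such shadowing pairs in a directory listing; the function names and the sample folder are constructed for illustration.

```python
import os
import tempfile

# Default Windows PATHEXT begins .COM;.EXE;.BAT;.CMD, so typing "netstat"
# runs netstat.com if it sits beside netstat.exe.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]

def resolve(directory, command):
    """Return the file an extension search in PATHEXT order would pick, or None."""
    names = {n.lower(): n for n in os.listdir(directory)}
    for ext in PATHEXT:
        hit = names.get(command.lower() + ext)
        if hit:
            return hit
    return None

def find_shadowing(directory):
    """List (winner, shadowed) pairs where an earlier extension hides a later one."""
    names = {n.lower(): n for n in os.listdir(directory)}
    findings = []
    for lower, name in sorted(names.items()):
        stem, ext = os.path.splitext(lower)
        if ext not in PATHEXT:
            continue
        for later in PATHEXT[PATHEXT.index(ext) + 1:]:
            if stem + later in names:
                findings.append((name, names[stem + later]))
    return findings

def build_sample(root):
    """Create a constructed stand-in for a System32 folder (dummy file contents)."""
    for fname in ["taskkill.exe", "netstat.exe", "ping.exe",
                  "mode.com",                      # .com with no .exe twin: not flagged
                  "taskkill.com", "netstat.com"]:  # names taken from post #9
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(b"constructed sample")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for winner, hidden in find_shadowing(d):
            print(f"{winner} takes precedence over {hidden}")
```

Run against a copy of the folder taken from an offline or known-clean boot, since the tools on a compromised system (netstat and taskkill included) cannot be trusted to report honestly.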