PDA

View Full Version : Static virus or Prog found by AntiVirus but cant finish and regery shuts 5



Adman2
01-08-2004, 05:23 PM
I have a xp1800+, 512MB ram, plenty of HD space and running Win2000. (I also have a Linux distro on a seperate partition that I hardly ever use).
My anti-virus prog is AVPersonal and I updated the latest virus definitions last week from the AV site.
Now when I run a scan it goes through 5 of the 7 system tests ( the 7 tests are: Intilizing, Memory, Master Boot Record, Boot Record, System Files, System Test, Self Test) stating that they are OK and then gets stuck half way through the 6th test, (System Test). It says that test is running and then a pop-up box appears with a heading "Attention, virus or unwanted program". Inside this popup it has a big red question mark, the word "Static" and a yes and no button. I don't know what its asking me yes or no about but I have tried both buttons numerous times. After I've pushed either yes or no the box refreshes itself disapering and reappearing in a fraction of a second. After I've pushed either button or the shut "X" often enough I get a new box saying "The CRC sum of C:\Prog' files\AVPersonal\AVWin.EXE has changed! Shutting down AntVir". The anti-virus program then shuts down. I've tried rebotting the computer but I get the same problem. I've had this problem for nearly 2 weeks now. I tried opening my registry to see if I could find anything but the registry shuts down automaticly after about 3 seconds every time. I also tried going online and getting my computer scaned by one of the virus companies but I couldn't get the scan to work. It wouldn't start. I'm stumped and don't know what to do. Any help would be greatly appreciated.
Thanks Adman2

Megaman
01-08-2004, 05:26 PM
Try AVG Personal. It might work. http://www.grisoft.com

Pheonix
01-08-2004, 05:46 PM
Just in case there is something bad shutting it down, see if you can download Stinger (http://vil.nai.com/vil/stinger/) which is a "standalone" sekker and killer of common and late model malware. the advantage is that it does not require installing. Just download and double click to run it.

Adman2
01-08-2004, 05:48 PM
Sorry, the anti-virus program I use is AVG Personal, and that's the one that can't seem to complete the virus scan before stopping and telling me the "Static" message.
thanks anyway, Adman

Susan B
01-08-2004, 06:02 PM
It is likely that you have had your Hosts file hijacked in order to prevent you getting to any AV or other "tool" site.

Have a look through and follow the instructions in this thread (http://pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=48252), beginning with the sixth post down regarding the Hosts file then grab Stinger and run that.

Also do the TrendMicro online anti-virus scan afterwards, if you can.

Adman2
06-08-2004, 01:26 AM
Followed the tread and tried what was suggested but with no joy. I did a search for HOSTS including subfiles but the only files without any suffix were LMHOSTS which tured out to be a Microsoft IP mapping thing and BESTTIME_GHOSTS from ColinMcRee Rally prog. The other files were HOSTS.sbs and .sbs.sig, and Imhosts.sam, which was the same as LMHOSTS.
I downloaded STINGER and ran it. It reported that I had:
83351 clean files,
17 infected,
298 repaired and
15 deleted.
The main virus reported was the w32/Pate. a virus and the infected files were repaired but there was also the w32/Sdbot.worm.gen.g virus and the w32/Pate.a.dll virus and files with these were deleted.
I thought that may have fixed my prob but alas I still had mostly the same symptoms:
AVPersonal unable to complete a scan and but instead of a box with the word STATIC in red I just got a box saying "the CRC sum of C:\Prog Files\AVPersonal\AVWIN.exe has changed! Shutting down AntiVir"
Everytime I try to open regedit it dissapears a few seconds after opening it, even when I try to export the reg in those few seconds.
Everytime I try to open a very basic game called CUBE.bat it freezes and I have to re-boot to regain control of the puter. Even Ctrl/Alt/Delete won't unfreeze it.
The anti-virus scanner on the web at TrendMicro won't run, and I am unable to remove AVPersonal, Spybot S&D, Spyware Blaster and numerous other progs using CntrlPanel Add\Remove progs. It usually says "C:\ProgFiles\name-of-program whatever it is\unins000.msg is missing. Please correct the problem or obtain a new copy of the program".
I tried running STINGER again after selecting all the options under prefances, and it reported:
110852 files clean, 1 file infected and 1 file deleted.
I presumed that it was the infected file that was deleted but it took me a while to find it. When I did find it, it said:
C:\ProgFiles\AVPersonal\INFECTED
C:\ProgFiles\AVPersonal\INFECTED\msblast.VIR
C:\ProgFiles\AVPersonal\INFECTED\msblast.VIR
FOUND the w32/Blaster.worm.a virus!
C:\ProgFiles\AVPersonal\INFECTED\msblast.VIR has been deleted

I also downloaded the HighJack_ This program and ran it a couple of times. I saved the log but didn't know what else to do with the results. I didn't cheak any of the 9 things it mentioned. Most of them looked ok such as from google.co.nz, System32\msdxm.ocx, Winpatrol.exe, QuickTime\qttask.exe, WinPatch.exe, InternetExplorer\Plugin\NPDocBox.dll, and a couple from HKLM\Systems\CCS\Services\Tcpip\...\(a long string of lettersand numbers inside brackets):NameServer=203.96.152.4203.96.152.12 The two entries are the same except one is CCS\Services while the other is CS1\Services, all other numbers and letters are identical.
I'm sick of this virus or however many viruses I've got. I don't know how I got them or even when but I'd certainly like to get rid of them. I'm even worried about emailing friends in case I spread it to them.
Any help or sugestions would be deeply!!! apreciated.
Thanks Adman2

Chilling_Silence
06-08-2004, 01:30 AM
Boot the Linux Distro and install ClamAV

Either that or get AVG Free Edition on a CD (You may have to do it from another PC).

BTW - If your PC is about to shut down while you're online, click Start --> Run --> and type:
shutdown /a

Should stop it in its tracks :-)


Chill.

Susan B
06-08-2004, 03:31 PM
You have something fairly nasty on your computer that is preventing AVG from doing a full scan.

Run HijackThis again and post the log here. Don't try fixing anything yourself just yet.

Have another look for a Hosts file - there will be one somewhere. You may need to change your search options to Show Hidden Files and Folders in order to find it. It should be in C:\WINDOWS\system32\drivers\etc

Susan B
06-08-2004, 03:37 PM
Also, clean out your temporary and temporary internet files, history, cookies and index.dat files. Grab CCleaner from here (http://www.majorgeeks.com/download.php?det=4191) to do that job for you. Make sure you tick the box "Delete index.dat files" before running it.

Adman2
11-08-2004, 12:49 AM
Thanks soooooo much for your help Susan B, you r truly a Gem!
I downloaded and ran CCleaner as well as Spyware Doctor from the link you posted.
CCLeaner listed so many files that it took almost 4 minutes to scroll through the list (I just wanted to have a look). I then ran Spyware Doctor and it told me I had the C_Dilla virus which it informed me was a low-risk registry key type problem.
I then ran another search for files called Hosts making sure I had set the System folders to not be hidden and for the search to include sub-folders. I got basicaly the same results as before with 5 folders found. 1 from ColinMcRae Rally game, 1 from Partition Magic and 2 from SpyBot S&D. The 5 file was called Imhosts.sam which was in C:\WINNT\system32\drivers\etc When I opened it in Notebook the file had a Microsoft copyright and was to do with mapping IP addresses. Sorry, no other files found.
I ran HijackThis again and would happily send you the log if I only knew how to do it. I've saved the file I just don't know how to send it except as an email attachment but I haven't got your address. I don't know how to do it within Pressf1 forums if that's possible.
Just as an aside, I just got a pop-up box saying "Message to Windows Infecte" warning me I have a virus that normal virus cheakers can't fix and if I want to fix it I should click on the link to www.XpVirusClean.com I just deleated it (4 times) but I have the pop-up blocker on Mozilla set to stop them but it hasn't worked on this one and a couple more advertising something about sex, viagra or something. I think these may have started about the same time I started having problems and I was wondering if the two things were related?
After using CCleaner and Spyware Doc as well as HijackThis and Stinger I hoped that I may have got rid of the prob but unfortunatly after trying to run regedit it again vanished within a few seconds of opening it. I'll have another go at uninstalling AVPersonal after I've sent this, but I'm not hopeful. I don't want to try it till after this is posted because I've managed to lose my whole post twice already because I haven't savbed it and when trying to post it I've ended up at the login page and by the time I get back to this reply page everything I've written has vanished. I now cut and paste it into Notepad before trying to do anything else.
Thanks so much for your help so far and if I can get any more help riding myself of this cursed problem, whatever it is, I'd be overjoyed.
cheers, Adman2

godfather
11-08-2004, 12:59 AM
To post a HiJackThis log:

You clearly are able to post here, so start a reply to this thread, open the saved log (it should open in Notepad) and go Edit - Select All, Edit-Copy then return to the reply window in this thread and put the cursor in the reply box, right click the mouse and select Paste.

That will paste the entire log in as plain text, as if you had typed it.

Its not difficult to insert copied text, as you will see.

Jen C
11-08-2004, 07:35 AM
>The main virus reported was the w32/Pate. a virus and the infected files were repaired
>I'll have another go at uninstalling AVPersonal after I've sent this, but I'm not hopeful.

This worm infects executables. When you ran the stinger it would of cleaned these files and removed them. This is why your AV program no longer runs, plus you will find some other programs also will no longer launch. The entries under Add/Remove for these programs will also need to be removed. I know in XP it just says that this program has already been uninstalled, so would you like to remove the entry from Add/Remove - I'm not sure how Win2000 deals with old entries like this.

You will need to reinstall your AV program, plus all the other executables that were infected and removed.

I just cleaned a machine with the W32/Pate (W32/Parite) worm, and they lost their AVG, MS Office, Mailwasher plus a few other applications - all which had to be reinstalled once the machine was clean.

Susan B
11-08-2004, 10:12 AM
> Just as an aside, I just got a pop-up box saying "Message to Windows Infecte" ... I think these may have started about the same time I started having problems and I was wondering if the two things were related?

They are probably not related unless your firewall has been disabled somehow (you do have a firewall, don't you?). The messages are coming in through Windows Messenger and you can disable WM by downloading and running Shoot the Messenger (http://www.grc.com/stm/shootthemessenger.htm).

For your other problems post your HijackThis logfile here as Godfather has advised so that we can sort through it.