Virus??? How do I get rid of it?

I think it's a virus that's infected two of our computers here, but Norton Antivirus can't find anything wrong, and I've found no mention of anything like it on any of the virus encyclopedia websites online.

Here's the history:
Two months ago we bought a new computer and installed it on our LAN.  Our LAN is currently connected to the internet through one computer (not infected) running Wingate.  All our computers are Pentiums running Windows 98.

Shortly after we installed this computer, IE began behaving oddly:  nearly every time a site was slow to come up, or we typed in an incorrect address, it would bring up a pornographic site (www.justwild.com) instead of the error message.

About a month after this began happening with the new computer, the same thing began to happen with one of our older computers.  Neither computer is the wingate server.

We have tried the following, with no effect:
--deleting all cookies and temporary internet files
--installing netscape and using that instead (it happens with netscape just as readily as IE)
--attempted to remove both netscape and IE (netscape was easy but IE was not, I'm sure we missed pieces) and reinstall: came up immediately.
--deleted all java and .class files
--our ISP has no clue

We are at our wits end -- don't want to concede defeat and wipe the hard drive!!!

Help?

Thank you,
Cathy
cathylachapelleAsked:

ggilmanCommented:
Have you tried contacting Symantec? If there is a virus they don't handle, I'm sure they'd like to know about it and could probably help.

Sounds a little simple but have you done a search for "justwild"? Do start->find->files or folders. In "named", put *. In "containing text", put "justwild". If there is code somewhere on the machine forcing you to go this site, it should have the text of the site in it somewhere. Even if the file is binary, sometimes a search like this can find it.
0
ggilmanCommented:
Just a guess to what might be happening: Whenever an error occurs while loading a web page (can't find DNS server, page not available, etc...), your computer is presented with an error code. In turn, your web browser interprets this error code and displays a page with that information stating something like "Web site not found." Now, if these web pages for your browser were hacked, you might see something similar to what you are. From what I can tell, Internet Explorer "error pages" are located in a dll, namely c:\windows\system\shdoclc.dll. You might try replacing that file on the infected machines with one from a good machine.
0
cathylachapelleAuthor Commented:
We did contact Symantec last week, so far they've only asked if we've got up-to-date virus definitions (we do).

We did, actually, try the "containing text" search early on.  I tried it again, and still got nada.  Maybe the IP address would be in the offending file (instead of the name)?  How do I find out the IP address of the website we get bounced to?

I replaced all four shdoc files in the system folder.  It's still happening.

<sigh>
0

LizardKingCommented:
Just a note if you haven't checked already: do a registry search on each machine -- many newer viruses store info deep in the registry, making them harder to detect
0
cathylachapelleAuthor Commented:
How do I do a registry search?
0
iwinCommented:
run regedit and search...

as for the ip address of that site, at the dos prompt, type ping www.justwild.com and the reply comes back with 207.138.32.37
0
Davy070599Commented:
Hi,

I suggest you should try another virus scanner.  I propose Antivirus Toolkit Pro (www.AVP.com).  You can do a free trial download.
It finds more viruses than Norton Antivirus.

Byeee...
0
ggilmanCommented:
An easy way to get their IP address is to try to ping the server. Goto a DOS command prompt. Type "ping www.justwild.com". You should get a message saying "Pinging www.justwild.com [xxx.xxx.xxx.xxx]", where the x's are the IP address.
0
ggilmanCommented:
Oops... didn't see the post from iwin
0
cathylachapelleAuthor Commented:
Found nothing odd in the registry.

Searched for "containing text" with the IP address, and found it! In the file C:\windows\user.dat: It has the address iwin noted, as well as the specific address it goes to, 165.90.20.174 (www.justwild.com/bp_fetish.54%5bl%5d.html/) in the two lines:

(stuff) Connections (stuff)DefaultConnectionSettings (stuff)http://165.90.20.174/wpad.dat (stuff) SavedLegacySettings (stuff) http://165.90.20.174/wpad.dat 

and again at
(stuff) Doc Find Spec MRU (stuff)
MRUListabcghifjed (stuff) b207.138 (stuff)...
(next line)(h165.90.20.174) (stuff)

This file looks like it has all kinds of IE settings, including licensing codes, and the copy on my computer has very different numbers and addresses than this following both DefaultConnectionSettings and Doc Find Spec MRU.

Could this be the root of the problem?  If so, how do I fix this file?
0
ggilmanCommented:
User.dat is part of the registry. You probably need to run regedit to fix the problem. Running regedit, try to just delete the bad lines. You can do a search in regedit to find the text you found. The registry is very important though so be sure to back it up.

http://www.computel.net/info/regbackup.cfm

Problem that I see is that if the virus is still present, this may fix it but the problem may re-appear until the virus is fixed.
0
ggilmanCommented:
Actually you said nothing strange in the registry but the text is in USER.dat which is part of the registry. How can this be??
0
ggilmanCommented:
I have similar stuff to

(stuff) Connections (stuff)DefaultConnectionSettings (stuff)http://165.90.20.174/wpad.dat (stuff) SavedLegacySettings (stuff) http://165.90.20.174/wpad.dat 


(Of course not the http://165.90.20.174/wpad.dat  but the rest)

at this registry location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Current Versions
0
ggilmanCommented:
A better solution than deleting the key would be to goto a clean machine and export part of the registry. You can then import it into the bad machine. Do this by going to the good machine, running regEdit, get to the part that you need to replace and in the menu click Registry->Export Registry file. Save this to a filename. Now, goto the bad machine and perform a similar operation but this time do Registry->Import registry file & take the file you exported from the other machine.. Still don't forget to do a backup.
0
ggilmanCommented:
My registry has Doc Find Spec MRU at:

HKEY_Users\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\
0
ggilmanCommented:
Oh, by the way, I think I figured out what the Doc Spec MRU is. That is a list of the last finds you have done. Hence, when you did a search for the IP earlier, it put it in this list. Nothing to do with your problem but the first one probably does.
0
cathylachapelleAuthor Commented:
I don't know what happened with searching the registry.  I still don't find it in the registry of one of the computers.  Maybe this is a clue: I can only find the IP in the Doc Spec MRU section of the registry (of the first computer to be infected).  I poked about looking for the default connection section, and it's all in binary, at least on my computer (I can't commandeer the infected computer all day).

I tried importing a new registry, but this turned out to be big trouble.  The LAN does not like having one computer suddenly turn into a duplicate of mine.  Not only that, but suddenly it was very confused, not being able to find all of the parts it thought it should have.  I restored the original registry.

I also tried simply replacing the user.dat file with mine, but the registry detected that as an error on restart, and brought back the original.

I think any futzing with the registry will have to be either through a control panel or by changing the relevant key directly, but I won't have a chance to try either for a few more hours.  Any clues or suggestions?
0
ggilmanCommented:
I didn't mean for you to copy the entire registry. That's not normally a good thing. You can however export just a section. In regedit, goto a branch in the registry that you want to copy to another machine and click on the "folder" icon. In the menu now click registry->export and you will see a button saying "Selected branch". This should be on by default. This will only copy this branch. Since your branch is bad, this should work.
0
ggilmanCommented:
Of course you should probably go to as low of a branch level as possible while keeping the infected part. (Don't start at HKEY_USERS) I would guess you would probably just export this part:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Current Versions

since DefaultConnectionSettings  and SavedLegacySettings  are corrupted.

The registry has too many machine-specific things to be copied entirely from another machine but at this level you should be safe.
0
cathylachapelleAuthor Commented:
That makes sense -- excuse my cluelessness!  So I exported just that branch.  I don't know if it's worked yet.  The web site is still listed after "defaultconnectionsettings" in the c:\windows\user file, I don't know why.
0
ggilmanCommented:
I don't know what to say but if you exported the branch from a good copy and imported it into the bad registry, that setting should have changed. Maybe the virus itself is still lurking on your system and once in a while goes out and checks that setting and resets it?
You can try manually editing the registry entry. Those settings are normally binary and can be lengthy to input but if the export/import didn't work, you might try that. Actually since it has a text now, you may need to delete each entry (Here I'm talking about defaultconnectionsettings) and create a new binary Value in Connections (right mouse click on Connections->New->Binary value). Give it the same name "DefaultConnectionSettings", and enter the binary data you get from another machine.
0
ggilmanCommented:
Actually you may also try just deleting DefaultConnectionSettings and SavedLegacySettings. It's quite possible that the application will re-create them for you and this would be easier than a manual edit. Worst case your web browser will crash when trying to find a page and you will have to re-import the branch you saved off. Best case, problem solved.
0
cathylachapelleAuthor Commented:
I tried deleting those keys. It did recreate the savedlegacy key on restart. (not the other one) in both hkey_current_user and hkey_user.

However, the user.dat file is *still* unchanged.  Shouldn't it be changing when regedit is changed?  And the porn site just came up again when I was trying out netscape.

I'm remembering that I did not find the IP when I searched the registry, only when I searched files in the C drive.  I don't think that IP was ever see-able in the registry.  Am I mistaken to think this is weird?

0
ggilmanCommented:
Very weird. System.dat and User.dat basically combine to make the registry itself, which you edit with regedit. Any changes in regedit should modify at least one of these files. Apparently a smart little virus there. I don't know of any other way to edit the registry other than regedit. The virus may have corrupted regedit itself or found someway of hiding from regedit. Might try replacing regedit with one from another machine but I doubt this will help. I wonder if regedit32 (from Winnt) would work under 98?
I'm not really sure what else you could do. Do you happen to have a backup of the system from some time before it was infected? If so, you may have backed up the registry.
I guess you could try to edit that bad entry with a text editor. Kind of risky since you shouldn't be doing that with the registry but as long as you have a backup of the registry, you might give it a try. You could at least change that ip address to a non-offending site. Actually you'd probably have much better luck if you tried it with a binary editor so that when you saved it you wouldn't have to worry about the file format messing up. You can find binary editors on the web if you don't have one. Visual Studio (C++) can open binary files too if you have that on any of the machines.
Other than these, which are more last ditch efforts than solutions (other than the backup restore), I don't really know what you should do.
0

DbaertCommented:
Go to www.mcafee.com. Here you can have your computer checked for viruses online. I did it and it works fine. You can also download their demo version.
0
ggilmanCommented:
Dbaert, I know you're a little new here but I don't think you should have posted your text as an answer. Previously Davy already posted a comment telling cathy to try other virus software. It is considered rude and hoggish to rephrase someone's comment and post it as an answer. Granted, you chose a different virus software than Davy but in effect, the solution is the same. You should have posted your phrase as a comment, rather than an answer. If it happened that McAfee solved the problem, you could have still won the points since they can be awarded for comments.
0
cathylachapelleAuthor Commented:
McAfee could not find any problems on this machine.  Nor could any other virus detection software.
0
cathylachapelleAuthor Commented:
I have submitted the file user.dat to symantec's virus analysis lab, with an explanation of the problem.  Thanks for helping me to track it down this far.

Cathy
0
HooNoseCommented:
As someone above mentioned: the values SavedLegacySettings and DefaultConnectionSettings are binary values! That is why a registry search doesn't find the text strings you search for. However a part of these binary data contains the text, i.e. the ASCII values for the IP address. Hence, doing a text search (find in files) in this binary file, the IP is found. All that is perfectly okay. I don't think RegEdit was corrupt here.
0
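HooNose's point above is the crux of the thread: a proxy auto-config URL stored inside a binary registry value is invisible to regedit's text search but shows up in a byte-level "containing text" search of user.dat. The following Python script is an added example, not code from the thread or from any of the tools mentioned in it. It builds a constructed binary blob whose layout is an assumption made for illustration (it is not the real DefaultConnectionSettings or user.dat format), then runs a `strings`-style scan over the raw bytes to pull out ASCII runs and flag anything that looks like a URL or IP address, which is the check a defender would run over a suspect hive file or exported value.

```python
import re
import struct


def build_sample_blob(autoconfig_url: str) -> bytes:
    """Construct a fake hive fragment for demonstration.

    The byte layout here is an assumption for this example only: some
    arbitrary binary header bytes, a NUL-terminated value name, then the
    auto-config URL as a 32-bit-length-prefixed ASCII string, padding and
    a couple of non-printable trailer bytes.
    """
    header = b"\x46\x00\x00\x00\x01\x00\x00\x00\x09\x00\x00\x00"  # constructed
    name = b"DefaultConnectionSettings\x00"
    url = autoconfig_url.encode("ascii")
    return header + name + struct.pack("<I", len(url)) + url + b"\x00" * 8 + b"\xff\xfe"


# Matches http(s) URLs, or dotted-quad IPv4 addresses, inside an extracted string.
URL_OR_IP = re.compile(r"(?:https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b)")


def extract_strings(blob: bytes, min_len: int = 4):
    """Return printable-ASCII runs of at least min_len bytes, like the `strings` tool.

    This is why a file-content search finds the IP even though a registry
    editor, which searches value names and string-typed data, does not: the
    ASCII characters are simply embedded among non-printable bytes.
    Assumption: the text is plain ASCII, not UTF-16, as in the thread's hits.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_network_indicators(blob: bytes):
    """Scan a binary blob and list every URL or IPv4 address found in its ASCII runs."""
    hits = []
    for text in extract_strings(blob):
        hits.extend(m.group() for m in URL_OR_IP.finditer(text))
    return hits


def is_autoconfig_url(url: str) -> bool:
    """Flag URLs that point at a proxy auto-config script (.pac, or WPAD's wpad.dat)."""
    path = url.lower().split("?", 1)[0]
    return path.endswith(".pac") or path.endswith("wpad.dat")


if __name__ == "__main__":
    # Sample input uses the auto-config URL quoted in the thread.
    sample = build_sample_blob("http://165.90.20.174/wpad.dat")
    for hit in find_network_indicators(sample):
        tag = "proxy auto-config" if is_autoconfig_url(hit) else "other"
        print(f"{hit}  [{tag}]")
```

Run against a real file, the only change is replacing `sample` with `open(path, "rb").read()`; any hit tagged as proxy auto-config that points at a host you do not administer is the setting to inspect, since whatever script it serves decides where the browser sends every request.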