Solved

Virus blocking antivirus websites

Posted on 2006-07-08
Last Modified: 2009-03-28
Hi all

I got a virus from a sent from while on msn. It disabled my AV (AVG) and closes msconfig, regedit and things like that. It also blocks ALL antivirus websites! It runs as csrss.exe (the illegit one). I managed to disable/delete it, but its damage is done. I can't get to any AV site yet. I have run avg, trendmicro, ewido and aware... all to no avail. I also ran the winsock fix. Any ideas guys?
0
Comment
Question by:Zorkinhimerlingling
7 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 120 total points
ID: 17064817
Please download HijackThis 1.99.1 and let us look at the log.
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: just paste the log to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.


The worm has blocked security sites, so check your hosts file.
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts


Edit your hosts file, delete any entries below this line --> 127.0.0.1 localhost

or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
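Added example, not part of the original thread and not the answer author's code: a small Python audit of a hosts file for the symptom described above, names pointed at the local machine so that security sites stop resolving. The sample file and its `.example` hostnames are constructed, and the `BENIGN` name set is an assumption about what a stock hosts file contains.

```python
import ipaddress

# Assumption: names a stock hosts file legitimately maps to loopback.
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample; on Windows XP the real file is
# C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts (path from the answer above).
SAMPLE = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example
127.0.0.1       update.av-vendor.example download.scanner.example
0.0.0.0         forum.cleanup.example   # added by malware
10.0.0.5        intranet.corp.example
"""

def audit_hosts(text):
    """Return (findings, cleaned_text).

    A finding is (line_no, address, hostname, verdict). Entries that send a
    non-local name to the local machine are dropped from cleaned_text; other
    extra entries are kept but reported for manual review.
    """
    findings, kept = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # ignore trailing comments
        if not tokens:                             # blank or comment-only line
            kept.append(raw)
            continue
        addr, names = tokens[0], tokens[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                         # keep, but report it
            findings.append((no, addr, " ".join(names), "malformed"))
            kept.append(raw)
            continue
        local = ip.is_loopback or ip.is_unspecified
        extra = [n for n in names if n.lower() not in BENIGN]
        for name in extra:
            findings.append((no, addr, name, "sinkholed" if local else "review"))
        if local and extra:
            benign = [n for n in names if n.lower() in BENIGN]
            if benign:                             # keep localhost on a mixed line
                kept.append(addr + "\t" + " ".join(benign))
        else:
            kept.append(raw)
    return findings, "\n".join(kept) + "\n"

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE)[0]:
        print(finding)
```

The function only returns the cleaned text; compare it with the original before overwriting the hosts file, since entries marked "review" may be legitimate.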
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17064850
Hijackthis log can tell us the exact virus in your pc,
but without looking at your log I'm 90% positive that what you have is the chod.d worm, and here is the fix. (I could be wrong of course, but it doesn't hurt to run the tool.)

Please Download MsnVirRem.exe to your desktop from one of the following mirrors:

http://downloads.malwareremoval.com/MsnVirRem.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item9
http://www.greyknight17.com/spy/MsnVirRem.exe

* First close any other programs you have running as this will require a reboot
* Double click MsnVirRem.exe to run it
* Once open, click the button labelled "Search and Destroy"
      <<Your computer will now be scanned for Infected Files>>
* When scanning is finished you will be prompted to reboot only if infected, Click OK
* Now click the "REBOOT" Button.
* After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
* A message should pop up from MsnVirRem; if not, double click the program again and it will finish

Please Post the contents of C:\msnvirrem.log
0
 
LVL 1

Author Comment

by:Zorkinhimerlingling
ID: 17065157
Ah, you guys are great, will try that tonight. Yes, I heard something about chod in my research of this problem...
0
 
LVL 1

Author Comment

by:Zorkinhimerlingling
ID: 17066586
Fixing the host file fixed my problem, thank you very much.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17066622
No problem, thanks!

The virus added those entries in your hosts file but the virus would still be there I guess unless it has been removed.
If problem comes back just run the tool I've mentioned.
Anyhow, we'll be here to help anytime, :)

Good luck!
0
 
LVL 1

Author Comment

by:Zorkinhimerlingling
ID: 17066721
Wish I had more points to give out. Anyway, yes I deleted the virus from my java cache, and had previously run hijack this. This was just the final damage it had caused. It was interesting to see that exact list of websites it was blockin'. What a bugger!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17066741
>>Wish i had more points to give out. <<

Don't worry, we would still help even if you only have 20 pts to give, :)
Glad you got rid of the virus, that's the main thing.

One day when you become a premium member you'll have unlimited points to give, :)
0
