A New Virus !! Please help People!

Hello Friends,

I think I have come across a new virus.

I am using Windows XP Service Pack 2, with Avast Home installed and fully updated,
Ad-Aware SE installed, and a broadband ADSL connection to the Internet.

For the past 3 days, I have noticed the following…

After starting Firefox or even IE, after about 15 minutes there is suddenly some disk activity, the taskbar changes colour to cream for about 10 seconds, turns blue again, and then my internet stops functioning. I can use all other programs like Office, accounts programs etc., but nothing related to the internet.

I cannot even disconnect from the internet, because as soon as I click on the connection icon, it just flashes on the screen for a microsecond and goes away.

I have to reboot my machine, to be able to reconnect again.

I solved this problem by restoring my registry to a month back.

I have one more computer same configuration, which developed the same problem, which is NOT connected by lan, it is independent. I still have not tried to repair that computer as it is not a priority for me.

BUT

I have just received a call (I do a lot of work for friends :) ) about exactly this same problem, and unfortunately his System Restore was turned off.

We tried to restore an Acronis image from 10 days ago, but the problem remains.

3 infected computers in 2 days? Is it something new and big?

Can you people help?
P.S. Windows 98 SE is not affected, as both machines are dual boot, and Win 98 SE functions properly. Only WinXP is targeted?

Thanks for reading such a long post.

Don’t worry about the length of the post.
It is a clear description of the things that are happening and we like that.

Let’s start with checking if the system is clean.
Visit my website and follow the instructions there.
Click on one of the flags to select your preferred language.

Report back here with the results when you are finished.
Perhaps it is a good idea to have your friends do the same.

Hello Eddy,

Thanks for your quick reply

I ran Ad-Aware, found nothing.
Then ran Spybot and found just one small adware infection.

Still the problem remains.

What do I do?

Please help!

But did you do ALL as stated on my website?

Yes, everything…

HijackThis showed 23 items.
Do you want me to post a log?

Also, I restored an 8-month-old image, but the problem is still there. The WinXP dir is on the D: drive. Maybe the virus is on E: or F:, or maybe even C:, but not targeting Win98?

:) Eddy: Is your website in German?

"Super": For the XP portion of your computer, I recommend you use "Ewido" from www.ewido.net/en . This good & FREE program "specializes" in detecting & removing trojans, worms, keyloggers, etc. that the antivirus & antispyware programs are not that good at doing. Either run its Online Scanner or install the program.

The malware removal instructions are in German, English, French and Dutch.
You can select the language by clicking on the desired flag.

WoW! Thanks for your replies people!

I think I MAY have found the problem.
There were 3 entries in the RootkitRevealer. I don't know how to fix them, but they sounded safe.

Also, with the help of HijackThis, I have deleted almost everything that showed up on the scan, BUT one entry keeps coming back after a reboot. It is

O17 - HKLM\System\CCS\Services\Tcpip..{6E899066-A58C-4DD4-91FB-6DF2956FC6B0}: NameServer = 218.248.255.145 61.1.96.71

It looks suspicious to me… Can anyone guide me about it? Please?
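The `O17` line quoted above is HijackThis's report of the `NameServer` value under the TCP/IP registry keys, i.e. which DNS resolvers Windows will use. A resolver address that is not the one your ISP or router hands out, and that reappears after every reboot, means name lookups are being directed elsewhere, which is why the advisors in this thread want to see the whole log before deciding. The following is an added example (not code from the thread or from HijackThis) that parses `O17` lines from a saved HJT log and flags every resolver that is not on an allowlist you supply; the allowlist value `192.168.1.1` and all sample lines other than the poster's own `O17` line are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample log. The first O17 line is the one quoted in the thread;
# the remaining lines are made up to exercise the parser (a benign per-config
# entry, an entry with a malformed value, and a non-O17 line that is skipped).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip..{6E899066-A58C-4DD4-91FB-6DF2956FC6B0}: NameServer = 218.248.255.145 61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.1.1,not.an.ip
O4 - HKLM\..\Run: [Example] C:\example.exe
"""

# Placeholder allowlist: the resolver(s) your router/ISP actually assigns.
# Replace with the addresses shown by `ipconfig /all` on a known-good machine.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# "O17 - <registry key>: NameServer = <ip> [<ip> ...]". The key path varies
# (CCS, CS1, Parameters, a per-interface {GUID}), so it is kept opaque.
O17_RE = re.compile(r"^O17 - (?P<key>.+?):\s*NameServer\s*=\s*(?P<servers>.+?)\s*$")


def parse_o17(line):
    """Return (registry_key, [nameserver strings]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HJT prints multiple servers separated by spaces or commas.
    servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
    return m.group("key"), servers


def classify_server(server, expected):
    """Label one NameServer value as expected, private, public or invalid."""
    if server in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    return "private" if ip.is_private else "public"


def audit_nameservers(log_text, expected):
    """Return (key, server, label) for every O17 resolver not in `expected`."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            label = classify_server(server, expected)
            if label != "expected":
                findings.append((key, server, label))
    return findings


if __name__ == "__main__":
    for key, server, label in audit_nameservers(SAMPLE_LOG, EXPECTED_NAMESERVERS):
        print(f"UNEXPECTED {label:8s} {server:16s} in {key}")
```

Run it against a saved HJT log (`audit_nameservers(open("hijackthis.log").read(), EXPECTED_NAMESERVERS)`): an `O17` resolver that is public and not on your allowlist is the entry to bring to the forum, together with the rest of the log, rather than deleting it in isolation, since a value that is re-created on reboot is being written by something else still on the machine.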

WoW! Thanks for your replies people!
No problem. Some of us are here to get help, others are here to try to help, others are here to try to learn ;)
I think I MAY have found the problem. There were 3 entries in the RootkitRevealer. I don't know how to fix them, but they sounded safe.
Be careful. You really must have certain knowledge to interpret the result from a rootkit scanner correctly. Not everything reported is bad. And yes, I admit... most of the time it requires a lot of knowledge before someone can really judge the result correctly.
Also, with the help of HijackThis, I have deleted almost everything that showed up on the scan, BUT one entry keeps coming back after a reboot. It is
I hope you still have the HJT log. Please post it here and let me (or others) have a look.

I will come back to you about the entry you mentioned after seeing the entire HJT log.

PS:
Have you checked the HJT log with my analyzer?
If so, what was the result?

I have deleted the log and had not saved the file, so sorry.

I was not able to connect to your HijackThis log analyser; maybe the link was down?

The error it now shows before closing internet connection is
Generic Host Process for Win32 services has encountered a problem and needs to close

This is the error that sometimes comes before the internet connection closes

This problem has come again after 45 minutes. I thought the problem had gone, but no…

I shall get back to you people after 7 hours now, as my parents are threatening to pull the plug from my computer… :} It's 2 am here.

Thanks for ALL your help and support.

I got through to the HijackThis log analyser. It's COOL! Thanks for the link, Eddy.

It also feels that the entry I found with the IP address is suspicious. Also, I am not able to delete it either with HijackThis or otherwise, as it comes back after every reboot.

Also, one more thing that I have discovered is that the message that comes on screen,

Generic Host Process for Win32 services has encountered a problem and needs to close
gives me 2 choices: to send an error report, or don't send. If I just drag the window to the bottom of the screen, the internet continues to work, but if I select Send or Don't Send, there is a lot of immediate disk activity, the toolbar changes colour, and the internet connection stops.

I know for sure, that with you people guiding me, I have learned a LOT.

Thanks people, and please help.

:) Hi "Super":

Looks like you have reached the point where you should ask Experts who are experienced & trained in the use of the HijackThis program AND know the "tools" that should be used to "correct" the "problems"; these Experts are on antiSPYWARE Forums and since you have Ad-Aware, I recommend the Ad-Aware oriented forums at: www.landzdown.com .

Concerning RootkitRevealer: all scans should only be run immediately AFTER all the temporary internet files have been deleted. There is a Support Forum at:

http://forum.sysinternals.com/forum_topics.asp?FID=17 .

Don’t know if this will help much. I tried “NameServer=218.248.255.145.61.1.96.71” on Google and found 31 links, you might want to give it a try.

http://www.google.com/search?client=opera&rls=en&q=NameServer+=+218.248.255.145+61.1.96.71&sourceid=opera&ie=utf-8&oe=utf-8