Super Virus



NeoDreamer
May 22nd, 2004, 05:28 PM
I have this crazy virus. There's a program called WScript.exe that runs at startup and uses 90% of the CPU. It keeps on recreating in C:/WINNT/system32. It causes my computer to beep and click like none other. Luckily, I can "end task" it with my Windows 2000 task manager.

So, I was considering to buy Norton Anti-virus. I go to the official website. Seconds later, my browser closes automatically. Then I go to Amazon to try to buy it; browser closes again! Then my cousin suggests that I go to Microsoft.com and learn how to set up a firewall. You guessed it; the browser shuts down. I think that this virus scans the websites I go to and shuts it down if it finds anything that can be used to stop it.

I'm not kidding. Does anyone know what this is all about? I already ran Ad-aware and Spybot, but the virus still remains.

mlkedave
May 22nd, 2004, 05:57 PM
Have you tried using a different browser?

Coppertop
May 22nd, 2004, 06:18 PM
Funny, I was just about to post this.

What my computer does is a very similar thing, and I've finally narrowed it down to "new virus". At first (and porpus2 will remember this, I was talking to him at the time) I thought it was Photoshop, then XP, then spyware, but now I think it's a new virus.

This is the first time I've been infected. I've just updated AVG and I'm going at it now. My problems fit the same description, except according to task manager for winXP, IE keeps opening up (but I don't see it) and then my computer will slow to a halt, the menus will stop working, etc, and I have to restart my computer as it tries to beep me to death.

I also ran Spybot and Ad-Aware, nothing significant came up.

www.grisoft.de (http://www.grisoft.de/) for the greatest AV program out there

EDIT: I don't think it has anything to do with the browser.

McGiver
May 22nd, 2004, 06:44 PM
errr...what's the difference between a "normal" and a supervirus?

ContinuumXLS
May 22nd, 2004, 06:56 PM
I think they call it a "super virus" because they have never seen anything like it before (that does all of these things) Then again, neither have I...

FknBlazed
May 22nd, 2004, 07:07 PM
Sounds like a variant of either the Sasser worm or the other one that is more or less like the Sasser worm; I just cannot remember the name of it...

UNFLUX
May 22nd, 2004, 07:24 PM
Navigate to your hosts file and open it in Notepad.

The hosts file will be in %System%\drivers\etc\hosts where %System% is System32 in Winnt (Win2k) or Windows (XP).

The file has no extension, so you'll have to browse for "all files" instead of .txt.

Chances are the virus has overwritten this file to prevent you from accessing a variety of sites. For example, one current virus adds something like this:


127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com

That essentially prevents your computer from accessing any of those sites.

Remove anything like that that you see. Unless you've modified the hosts file in the past, the only thing that should be in there is


127.0.0.1 localhost

Remove everything except that one. Then click File, Save.

Don't do Save As, because that will add an extension to the file and we don't want that.

In theory, this should allow you to regain access to all of those sites. If nothing else, you are verifying your browser's ability to get to the sites.
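A small checker for the hosts-file hijack described in this post, as an added example rather than anything posted in the thread. It parses hosts-file text the way the Windows resolver reads it (one address followed by one or more names per line, `#` comments ignored), reports every non-local name that has been pointed at loopback or 0.0.0.0, and produces a cleaned copy that keeps only comments and legitimate mappings. The sample file embedded in it is constructed for the example (a stock Microsoft header plus a few of the vendor names from the list above); the only assumption is Python 3 with its standard `ipaddress` module.

```python
import ipaddress
import sys

# Constructed sample input, not a real file from the thread: Microsoft's stock
# header comment, the one legitimate localhost line, and sinkhole entries for
# security-vendor names like those listed in the post above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.sophos.com     # trailing comment, ignored by the resolver
127.0.0.1 liveupdate.symantec.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
0.0.0.0 www.mcafee.com
"""

# Names that legitimately map to a loopback address on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (address, [names], raw_line) for every data line.

    Comments ('#' to end of line) and blank lines are skipped, as the
    Windows resolver skips them; names are lower-cased for comparison.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name maps nothing; ignore it
        entries.append((parts[0], [p.lower() for p in parts[1:]], raw))
    return entries


def is_sinkhole_address(address):
    """True for addresses that make a name unreachable: loopback or 0.0.0.0 / ::."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # garbage in the address column never resolves anyway
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_names(text):
    """Return, in file order and without duplicates, every non-local name
    that the hosts file sends to a sinkhole address."""
    hijacked = []
    for address, names, _ in parse_hosts(text):
        if not is_sinkhole_address(address):
            continue
        for name in names:
            if name not in LOCAL_NAMES and name not in hijacked:
                hijacked.append(name)
    return hijacked


def clean_hosts(text):
    """Return the file text with every hijacking line removed.

    Comments, blank lines and legitimate mappings (localhost, or a real LAN
    address the owner added) are kept, so an untouched machine ends up with
    just the localhost line the post describes.
    """
    keep = []
    for raw in text.splitlines():
        parsed = parse_hosts(raw)
        if parsed:
            address, names, _ = parsed[0]
            if is_sinkhole_address(address) and any(n not in LOCAL_NAMES for n in names):
                continue  # drop the hijacking line
        keep.append(raw)
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    # Pass the real path (C:\WINNT\system32\drivers\etc\hosts on Windows 2000)
    # as the first argument to inspect a live file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for name in find_hijacked_names(content):
        print("blocked by hosts file:", name)
    print("--- cleaned file ---")
    print(clean_hosts(content), end="")
```

Two caveats that the rest of the thread bears out: if the malware is still running it can rewrite the file as soon as it is cleaned (thoriphes saw the entries "come right back"), so the cleanup belongs in safe mode as Jubba suggests; and a browser that closes rather than failing to connect points to a process-killer, which a clean hosts file does not remove, so the check above tells you the file is clean, not that the machine is.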

thoriphes
May 22nd, 2004, 10:44 PM
Just the other day, I was cleaning a system from a flurry of virii and spy/adware (what I get for leaving the family computer for months unprotected) and I came on a certain virus that really threw me off: This virus would actually close certain programs like regedit, msconfig, and especially Norton Antivirus. I'm not sure if it was the Gaobot worm or something else, but it was winning my system over, I was mostly powerless. I then noticed how those AV sites were 127.0.0.1ed in my HOSTS file. When I cleared them, they came right back. This in my opinion was the most aggravating fight I've ever had with a virus.

So how did I get through this? Pay attention:

http://housecall.trendmicro.com/

Even if your HOSTS file was modified, they seemed to have forgotten about this site (www.trendmicro.com was 127ed anyway). So for those of you who don't know what this site is, they offer a free online virus scan of your computer. It seems to take a bit longer than most conventional offline scanners, but it gets the job done. Run this free service before purchasing Norton Antivirus. And with that said, I think it's time for a sticky on virii/spy/adware protection in Computers/Games.

MTsoul
May 22nd, 2004, 10:57 PM
I just got this virus... forgot what it's called. It shuts down ALL of the windows/programs with the words/objects containing "antivirus", "safe", and stuff like that.

Found a way to remove it on norton's site:

Click start>run>regedit>HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>currentversion>run
Click start>run>regedit>HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>currentversion>run services

In these 2 folders, delete all values with crss.exe (or something like that) and anything that's weird to you. Usually, Run Services shouldn't have anything in it unless you are using LAN/other things.

porpous2
May 22nd, 2004, 11:22 PM
Yeah Coppertop, I remember, it happened like yesterday... you were able to talk to me over AIM, so why don't you (supree) talk to someone over AIM and let them send you the downloaded file...

Mik3
May 23rd, 2004, 01:52 AM
If you have a virus, DON'T BUY SOMETHING ONLINE. It may have a data or key logger.

minimalistik
May 23rd, 2004, 02:12 AM
Didn't you have antivirus software in the first place supree?

btw is the virus the w32.korgoA by any chance?

McGiver
May 23rd, 2004, 06:23 AM
@Unflux: since it closes (and not redirects) the sites I guess it isn't the hosts file.

signifer123
May 23rd, 2004, 06:38 AM
What if someone made a virus that made its own hosts file somewhere and changed the code so that Windows didn't use the original hosts file?

Jamie Barton
May 23rd, 2004, 06:47 AM
I hate viruses :-/ :red:

signifer123
May 23rd, 2004, 06:51 AM
I had 8,223 on this CPU. It did nothing but slow down the admins on it because I kept

minimalistik
May 23rd, 2004, 07:10 AM
i had 8,223

**** :/

signifer123
May 23rd, 2004, 09:16 AM
What, I left AVG off for a little while.

Coppertop
May 23rd, 2004, 02:02 PM
Alright - I think I've got rid of it. After going through and updating and running every piece of AV software I have, and running the housecall thing last mentioned. I used Ad-Aware, Spybot - Search&destroy, AVG, and housecall.

By the way, norton blows for AV purposes, but some of his other tools are pretty good.

First thing, (winXP) ctrl+alt+delete, and then go into processes. Order them by CPU usage, and stop the process called "System" that occasionally blips. Next, run all the av software above.

andr.in
May 23rd, 2004, 03:22 PM
viruses can be a pain...

I once had a virus whose mission was to download&install Windows updates and remove the Blaster worm ... :P

NeoDreamer
May 23rd, 2004, 04:16 PM
All

It took me a while to respond because my browser kept on shutting down whenever I tried entering this thread. I had to quickly hit reply to stop this. For some reason the reply page doesn't shut down.

Unflux

I did not find any file with no extension, but I did find the virus that started it all. It was a zip file with some weird file inside. Once I clicked the weird file, a picture of Avril Lavigne filled my screen. That was the exact moment that my CPU started smoking. For some reason the zip and the pic got stored in my system 32 folder, even though I originally had downloaded the file onto my desktop. I hope deleting those could solve the problem some way...

MTSoul

I have Windows 2000, so I don't have a folder called regedit. Instead, I have a file called regedit.exe. When I click it, it says something like "Administrator does not allow you to edit register." I have to find out how to change this lock (I am the administrator and only user by the way).

radioxromance
May 23rd, 2004, 05:37 PM
So how did I get through this? Pay attention:
http://housecall.trendmicro.com/
I went to that site to use it, but it said I needed some software. I dloaded it, but can't install it (I'm using FF). It says it can't find where Netscape is installed; I pointed it to mozilla firefox folder. It said it can't find where plugins go; I pointed it to the plugins folder in the FF folder, and then the searchplugins folder, each with no luck. What do I do to install this?

d100763
May 23rd, 2004, 10:25 PM
If you are gonna "fix" problems with the REGEDIT option, be careful; you can potentially cause more harm than good. I should know, it's like playing brain surgeon on the computer without the PhD.

thoriphes
May 24th, 2004, 12:16 AM
I went to that site to use it, but it said I needed some software. I dloaded it, but can't install it (I'm using FF). It says it can't find where Netscape is installed; I pointed it to mozilla firefox folder. It said it can't find where plugins go; I pointed it to the plugins folder in the FF folder, and then the searchplugins folder, each with no luck. What do I do to install this?
Yeah I believe you need IE because of ActiveX.

Coppertop
May 24th, 2004, 11:36 AM
No, it didn't work. The virus came back.

How do you open winxp in safe mode?

radioxromance
May 24th, 2004, 04:17 PM
Yeah I believe you need IE because of ActiveX.
Dang FF and all its security :P I was afraid of that. Okay... *busts out IE*

signifer123
May 24th, 2004, 04:23 PM
IE is one of the easier ways to get into a CPU.

Just saying so to let ya know.

Coppertop
May 24th, 2004, 10:41 PM
I figured out how to open up Windows XP in safe mode - except it freezes when I try and do that! (My virus senses are tingling) Anyway, I've discovered some suspicious entries in my startup thingy. They are:

HKEY_LOCAL_MACHINE\Software\MicroSoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
HKEY_LOCAL_MACHINE\Software\MicroSoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
HKEY_LOCAL_MACHINE\Software\MicroSoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
HKEY_LOCAL_MACHINE\Software\MicroSoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI

Yes, I know MAPI appeared twice. Now, I call them suspicious only because EasyCleaner 2.0 says that it is suspicious/too difficult to pinpoint.

Jubba
May 24th, 2004, 11:13 PM
Just in case you don't know (some people don't realize and this helps with a lot of 'impossible' to find viruses):

If you're having trouble spotting, finding, or deleting a virus/adware, try restarting your computer in safe mode and running your anti-virus/ad-ware remover while in safe mode. Since safe mode only uses the core files, many viruses and spyware don't ever load and can't defend/mask themselves.

We had one once that would shut the computer down if you clicked on the icon for the virus (thus making it 'impossible' to delete). Safe mode fixed this because the virus wasn't able to initiate itself.

Coppertop
May 25th, 2004, 05:22 PM
I've discovered the source of the problems on my computer. A file called netdc. What a bastard that was.