Virus help!

[kregrs]

Early on Saturday morning I managed to bag myself a virus whilst downloading a file, the virus being Fakespypro, or so it called itself. 1st I knew of it was when I was unable to connect to the net via explorer, games such as reversi, and messenger still connect, but cannot open pages, when running the diagnostic tool it comes back with "Windows cannot connect to the internet using http, https or ftp. This is probably caused by firewall settings on this computer.

Check the firewall settings for the http port (80), https port (443) and ftp port (21). You might need to contact your isp or the manufacturer of your firewall software". Now, I've run various programs such as Smitfraudfix and Malaware, and seem to have got rid of the virus, but still cant get explorer to let me on net. I've tried turning Windows firewall off, made no difference, so what can I do? I've also tried a System restore, but it wont let me restore to a point before the virus downloaded. Is there a way round this firewall problem, settings etc, and if so, how do I find them? I'm not brilliant with pc's but can find my way round them, so any advice in easy to understand directions please lol. I also dont have any discs due to it being a 2nd hand pc. Is the firewall a problem I can deal with myself, or will I have to leave it to the experts, as its due to go in for a clean in the new year when I can afford it. I'm hoping there's something I can do as dont want to be unable to surf til after christmas. We have access to a laptop if anything needs to be downloaded to aid in sorting this. Oh, before I forget, it running Windows XP.

Thanks in advance, hoping someone on here can help.

[Alphageek]

It is most likely that the virus changed the proxy server setting in Internet Explorer.

 

Go to the Tools menu and pick Internet Options. When the dialog opens, click on the Connections Tab.

 

Click on LAN Settings and make sure there are no entries in the Proxy Server settings area.

[locutus]

Also check your "hosts" file

 

navigate to C:\Windows\System32\drivers\etc

You will find a file called "hosts" (no extention to it) Open this with notepad.

 

it should only say something along these lines:-

 

# Notes: the browser does not read this "#" symbol #

# You can create your own notes, after the # symbol #

# This *must* be the first line: 127.0.0.1 localhost #

# *********************************************************#

127.0.0.1 localhost

 

Any other website URL's will link to the IP address they're given, 127.0.0.1 basicly don't display at all. (you can use this to block any websites you DON'T want!)

[dx100uk]

you could also ty resetting your ie back to the defaults.

 

just google reset ie* [your version]

 

dx

[kiptower]

usefull add on

 

Blocking Unwanted Parasites with a Hosts File

google mvps.org

it has a hosts file you can download and will update your original

it has a hosts file download which has a lot of web address's and [problem] site's it sets to the 127.0.0.1, inc a lot of the PORN redirect rubbish also

you can also edit to add your own site blocking

and it has a regular update

[kregrs]

Thanks people, will try the suggestions as soon as I get in.

[pelvicthrust]

Not had time to read all the responses but have you tried a different (more reliable- more secure) Web Browser. i.e. Firefox

regards

PT

[Conniff]

Why is there a misguided misconception that Firefox is a secure browser.

 

At the moment it tops the list of apps with 40 know vunerabilities so far this year and is ahead of Microsofts internet explorer.

 

Bit9 research reports 40 known severe vulnerabilities this year for the popular browser

 

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerability, Microsoft's Internet Explorer was third at 15 percent and Opera had just six percent share.

 

It's no good just reading and believing what others who have read it somewhere say. Have a look at the security firms reports yourself.

 

If you want reliable free security, you should be running Microsoft Security Essentials. http://www.microsoft.com/Security_Essentials/

Edited December 11, 2009 by Conniff

[dx100uk]

If you want reliable free security, you should be running Microsoft Security Essentials. http://www.microsoft.com/Security_Essentials/

 

tell you what coniff i cant recommend that higher

been using it now on my penstick for virus diags and it just about deals with everything

 

no need for hijack this, smtfraud comobofix etc etc.

 

another good tip is use a windows 7 disc and the repair option

 

its magic at getting os's going again

 

just put it n 2 very old HDD's and it recovered the lost info that even filescavenger couldn't

 

dx

[pin1onu]

I'm quite surprised reading this thread that your Antivirus package didn't pick this up. As a minimum there should be active scanning of all files being opened and downloaded.

 

As a general rule I would recommend downloading every file to disk first, then doing a manual scan with your AV software.

 

Found this on the Microsuck website entry dated July 2009 so most reputable AV/Antimalware programs should detect this. (See below for details - it has definitely modified your hosts file. )

 

If,like me, you don't like Microsoft products then here is the cocktail I use to keep Virus and Malware free.

 

Firewall - ZoneAlarm Free

Avira - Antivirus

Malware Bytes - Anti Malware software

Spybot - Anti-Malware.

 

They're all free and very reliable, but they need to be updated regularly. Running scans every few days help ensure you don't get hit.

 

Hijackthis and Smitfraudfix are useful tools if anything gets through.

Summary

 

Win32/FakeSpypro is a rogue security program that falsely claims that the affected machine is infected with malware and encourages the user to buy a promoted product for cleaning the alleged malware from the computer.

 

Special Note:

Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.

 

 

Moderates Internet use

The DLL, "\iehelper.dll", installed by Win32/FakeSpypro is used to moderate the affected user's Internet use. For example, it may modify search results for the following search engines, by appearing to direct users to browser-security.microsoft.com:

 

• yahoo.com
  
• google
  
• msn.com
  
• live.com
  

 

Modifies Hosts File

Win32/FakeSpypro modifies the Windows Hosts file. The local Hosts file overrides the DNS resolution of a web site URL to a particular IP address. Malicious software may make modifications to the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus for example).

 

Win32/FakeSpypro modifies the Hosts file under

\drivers\etc\hosts, to ensure that users visiting 'browser-security.microsoft.com' are directed to the listed IP address:

It adds the following entry to the Hosts file:

'195.245.119.131 browser-security.microsoft.com'

 

The Fix

 

Use any reliable scanner (such as the ones named above).

 

Analysis by Wei Li

[locutus]

This is an OK online antivirus scanner

 

HouseCall - Free Virus Scan

 

That is good for fixing virus problems

[kregrs]

I was using Microsoft Security Essentials...

Anyway, pc will be going in to have a bit of a clean up and be looked at soon. But, I managed to get myself back online, after trying a few system restores and the advice detailed above. Things aren't quite how they're supposed to be tho, it wont allow me to install updates, explorer doesn't seem to be too happy either, and Security Essentials will no longer run. Now, I seem to have picked up another problem. Tried burning a disc earlier and the machine shut itself down. Came up with a blue screen and the message that windows had shut itself down, and some more stuff that went right over my head. The message ended with 'stop 0x0000008e' and a few other codes like that but in brackets. So what does it mean? Can I do anything or is it best to leave it to the experts?

Anyone offer any words of wisdom?

[kurvaface]

I have found Avira to be pretty good. Never had any probs with it and you can download a free version.

[kiptower]

for the error message go here

 

its an auto update problem

 

You receive a random "0x0000008E" error message on a blue screen in Windows XP

[dx100uk]

I was using Microsoft Security Essentials...

Anyway, pc will be going in to have a bit of a clean up and be looked at soon. But, I managed to get myself back online, after trying a few system restores and the advice detailed above. Things aren't quite how they're supposed to be tho, it wont allow me to install updates, explorer doesn't seem to be too happy either, and Security Essentials will no longer run. Now, I seem to have picked up another problem. Tried burning a disc earlier and the machine shut itself down. Came up with a blue screen and the message that windows had shut itself down, and some more stuff that went right over my head. The message ended with 'stop 0x0000008e' and a few other codes like that but in brackets. So what does it mean? Can I do anything or is it best to leave it to the experts?

Anyone offer any words of wisdom?

that puzzles me

i've been using mse to cure these issues for a few weeks now

typically i'd use the others mentioned in my post

but mse has been dealing with these rouge AV stuff brilliantly and quickly, just a one hit wonder.

 

cant explain why it didn't cure it or let it get infected whilst mse was there?

setting beem played with as mse is auto realtime unless turned off?

 

dx

[locutus]

that puzzles me

i've been using mse to cure these issues for a few weeks now

typically i'd use the others mentioned in my post

but mse has been dealing with these rouge AV stuff brilliantly and quickly, just a one hit wonder.

 

cant explain why it didn't cure it or let it get infected whilst mse was there?

setting beem played with as mse is auto realtime unless turned off?

 

dx

Puzzles me aswell... MSE was released 29 September 2009, long after that virus so even the basic definitions should catch that one! Along side the 'stop 0x0000008e' I think there are some serious updates need to be downloaded!

 

go to Microsoft Updates and download all the recomended updates!

[kregrs]

I attempted to download updates earlier, only to get error messages and being unable to download. So, I think its time I called it a day and give it to the experts to sort. Thanks to everyone for all the suggestions and advice, but I'm giving up before I fubar it completely lol. The advice you all gave at the beginning of the thread sorted that problem.

[Tezcatlipoca]

Why is there a misguided misconception that Firefox is a secure browser.

 

The problem here is interpetation of the staistics. On the one hand, you have X many issues that get reported, Y number of Firefox users and Z number of IE users. The vast majority of these issues affect all broswers, regardless of type. As Firefox becomes the dominant browser, naturally the number of people encountering issues when they happen to be surfing with FF increases. They'd encounter those issues just the same with IE, or any other browser, but because Y is now increasing over Z, it gives the impression that Y is more susceptile to X.

 

The second issue here is that where browser-specific issues are concerned, Firefox has and will continue to be subject to an increasing number of malicious programs being written to try and exploit it, purely because it's a more popular browser, so the coder's target audience is getting larger. If I want to write some malicious Javascript code I'm not going to waste my time writing it to hijack Chrome. If Chrome accounted for a vast part of the browser market, however, I would.

 

Overall, Firefox is a more secure browser for three chief reasons:

 

1) Firefox doesn't use ActiveX controls, which have traditionally provided potential hackers / vriuses are direct line into your PC, since IE's ActiveX support allows code from the web to directly affect Windows.

 

2) Firefox is open source, which doesn't protect against problems in itself, but does mean that problems / bugs that do get discovered are shared by the community and fixed far quicker than those reported to Microsoft.

 

3) Firefox is hugely configurable, part of which allows it to respond fluidly to threats, unlike IE which is static from a code perspective. Firefox already has a vast range of plugins that seemlessly combat website issues (such as popups, ads, scripts, etc.). I've run some browser tests specifically designed to take advantage of common exploits and hacks but without containing a malicious payload, I find that my copy of FireFox blocks them flawlessly. The same tests with IE6, IE7 and IE8 all allow through some exploits, most of which are later picked up by my other defenses (AV, FireWall, Registry guard, etc.) but they do get progressively better at defending themselves. The point here isn't to jump up and down and say "Look how insecure IE is", rather to point out that many of those vulnerabilities might have also affected FireFox, if it hadn't been so easy to simply and quickly add free plugins to the browser to take care of them. Something you can't do with IE.

 

That said, conniff is spot on about Security Essentials. It's free, and is excellent at intercepting a wide range of threats.

 

I attempted to download updates earlier, only to get error messages and being unable to download. So, I think its time I called it a day and give it to the experts to sort. Thanks to everyone for all the suggestions and advice, but I'm giving up before I fubar it completely lol. The advice you all gave at the beginning of the thread sorted that problem.

 

It's far from FUBARed, Kregrs. If you're willing, could you please try the following diagnostic tests and let us know the results (these tests are utterly safe, and won't change anything on your PC; they'll simply allow us to diagnose where the problem is):

 

1) Go to Start, then click Run. Enter cmd in the box, and hit Ok.

2) In the black prompt window, please type the following:

a) ipconfig /all (hit enter). Please make a note of the two lines that says DNS Servers.

b) ping bbc.co.uk (hit enter). You should get 4 lines returned that say something like Reply from 212.58.224.138. If you number is different, please make a note of it.

c) ping 212.58.224.138 (hit enter). As above, you should get 4 reply lines. Please let us know if you don't.

d) nslookup bbc.co.uk (hit enter). You'll get 2 main bits of data back. The top is the referring server, or the place your computer is going to get the location of the BBC. This number should match one of the DNS Server numbers from from step a). Please make a note of it.

The lower set of data is the IP of the site you're asking about (in this case, the BBC). It should match the number you got back from step b).

In this tep, pelase also make a note of the two Server: names that appear above the IPs.

 

If you could kindly post these numbers (the DNS servers from step A, the IP from step B, the IP from step C, and the two sets of IP's and names from step D) I or others will be able to confirm if the issue is with your network card, its settings, or the DNS settings.

Edited December 14, 2009 by Tezcatlipoca

[kregrs]

The problem here is interpetation of the staistics. On the one hand, you have X many issues that get reported, Y number of Firefox users and Z number of IE users. The vast majority of these issues affect all broswers, regardless of type. As Firefox becomes the dominant browser, naturally the number of people encountering issues when they happen to be surfing with FF increases. They'd encounter those issues just the same with IE, or any other browser, but because Y is now increasing over Z, it gives the impression that Y is more susceptile to X.

 

The second issue here is that where browser-specific issues are concerned, Firefox has and will continue to be subject to an increasing number of malicious programs being written to try and exploit it, purely because it's a more popular browser, so the coder's target audience is getting larger. If I want to write some malicious Javascript code I'm not going to waste my time writing it to hijack Chrome. If Chrome accounted for a vast part of the browser market, however, I would.

 

Overall, Firefox is a more secure browser for three chief reasons:

 

1) Firefox doesn't use ActiveX controls, which have traditionally provided potential hackers / vriuses are direct line into your PC, since IE's ActiveX support allows code from the web to directly affect Windows.

 

2) Firefox is open source, which doesn't protect against problems in itself, but does mean that problems / bugs that do get discovered are shared by the community and fixed far quicker than those reported to Microsoft.

 

3) Firefox is hugely configurable, part of which allows it to respond fluidly to threats, unlike IE which is static from a code perspective. Firefox already has a vast range of plugins that seemlessly combat website issues (such as popups, ads, scripts, etc.). I've run some browser tests specifically designed to take advantage of common exploits and hacks but without containing a malicious payload, I find that my copy of FireFox blocks them flawlessly. The same tests with IE6, IE7 and IE8 all allow through some exploits, most of which are later picked up by my other defenses (AV, FireWall, Registry guard, etc.) but they do get progressively better at defending themselves. The point here isn't to jump up and down and say "Look how insecure IE is", rather to point out that many of those vulnerabilities might have also affected FireFox, if it hadn't been so easy to simply and quickly add free plugins to the browser to take care of them. Something you can't do with IE.

 

That said, conniff is spot on about Security Essentials. It's free, and is excellent at intercepting a wide range of threats.

 

 

 

It's far from FUBARed, Kregrs. If you're willing, could you please try the following diagnostic tests and let us know the results (these tests are utterly safe, and won't change anything on your PC; they'll simply allow us to diagnose where the problem is):

 

1) Go to Start, then click Run. Enter cmd in the box, and hit Ok.

2) In the black prompt window, please type the following:

a) ipconfig /all (hit enter). Please make a note of the two lines that says DNS Servers. Could only see 1 DNS server. It was 192.168.0.1

b) ping bbc.co.uk (hit enter). You should get 4 lines returned that say something like Reply from 212.58.224.138. If you number is different, please make a note of it. Number was the same.

c) ping 212.58.224.138 (hit enter). As above, you should get 4 reply lines. Please let us know if you don't. Got the 4 reply lines,

d) nslookup bbc.co.uk (hit enter). You'll get 2 main bits of data back. The top is the referring server, or the place your computer is going to get the location of the BBC. This number should match one of the DNS Server numbers from from step a). Please make a note of it. 192.168.0.1

The lower set of data is the IP of the site you're asking about (in this case, the BBC). It should match the number you got back from step b).

In this tep, pelase also make a note of the two Server: names that appear above the IPs. DIR-615 192.168.0.1 and bbc.co.uk 212.58.224.138

 

If you could kindly post these numbers (the DNS servers from step A, the IP from step B, the IP from step C, and the two sets of IP's and names from step D) I or others will be able to confirm if the issue is with your network card, its settings, or the DNS settings.

 

Answers above, 1st step could only find 1 dns server, although there was also Default Gateway and DHCP server with the same number. And IP address of 192.168.0.101

 

Anyway, whats the verdict?

 

Thanks for your help, as usual with this forum the help and advice is awesome and always someone willing to help.

[Tezcatlipoca]

Answers above, 1st step could only find 1 dns server, although there was also Default Gateway and DHCP server with the same number. And IP address of 192.168.0.101

 

Anyway, whats the verdict?

 

Thanks for your help, as usual with this forum the help and advice is awesome and always someone willing to help.

 

Right, the good news is that there's nothing wrong with your network card, its drivers, your connecting router cable (if cable it be), the router itself, or its connection to the outside world. In short, your hardware is just fine.

 

By way of explaination, the internet runs - in part - on a system known as DNS, or Directed Name Servers. This turns memorable information, such as the name BBC.co.uk into computer IP address information, such as 212.58.224.138. Think of it like a giant phone book. You know the name of the person you want to call, look it up, and the book tells you the number. Pretty much the same thing with websites.

 

Now the DNS is served up from a number of sources, but principally it comes from your router, which gets it from your ISP (Internet Service Provider).

 

What I've got you to test here is firstly to see the DNS server responsible in your case for looking up website data (which was the test we did under A). In this case, the result was 192.168.0.1, which is your router.

 

We then tried to get the router to serve us up an external website address. We could have used any, but I wanted one that I could be sure was up and contactable, so I got you to try the BBC. We told the computer to fire a ping request at the website to see both if the server responded, and, if so, which server it was.

In this case, you confirmed that you got a reply, and that the IP address matched the one I quoted. This confirms firstly that your hardware can contact websites, and secondly that the website replying was geuine, so you haven't been hijacked when trying to connect to the BBC.

 

In test C, we double checked our connection by firing a ping at the BBC's IP address, rather than it's name. Again, the fact it came back fine shows your PC shuld be able to surf to the BBC either by name or number absolutely fine.

 

Finally, I got you to do an nslookup request. This is basically a DNS check, and determines not only the IP of the site you're trying to get to, but also where the DNS record is coming from. In your case, your D-Link router served up the DNS record 212.58.224.138 for bbc.co.uk, which we confirmed as being correct earlier.

 

As far as the bbc.co.uk website (which we're using as our control group here) goes, your issue isn't the HOSTS file that locutus mentions. He's quite correct in what he says; HOSTS is a local override that allows you to redirect, or block altogether, website DNS requests. However, if the file had been hijacked to prevent bbc.co.uk, then the tests we ran would have shown it.

 

Soooo...where does all this leave us? Well, it confirms that there is no hardware issue that will prevent you from opening up a browser and surfing to the bbc.co.uk website, and that your HOSTS file isn't preventing access to the bbc.co.uk site.

 

Now the next test. Please try to surf to BBC - Homepage with your usual browser. One of two situations will result:

 

1) You can't surf to the bbc.co.uk website. The problem is therefore your browser, or something hijacking it. You can further confirm this by installing a copy of another browser, such as FireFox, and trying to surf to the same site. If it works, the problem is most definitely your copy of IE. There are a number of things that may be able to help here, but Spybot is one of the best in sniffing out, and removing, common junk that hijacks your internet connections. I'd advise you isntalla nd run this program anyway as part of your standard cleaning routine.

 

2) You can get to bbc.co.uk. Great, your PC is still capable of website navigation from a hardware and software perspective. If there are other websites still causing you a problem, please repeat steps B and D from my previous post, instead using the name of the site you can't get to instead of bbc.co.uk. Let us know the results.

Edited December 14, 2009 by Tezcatlipoca

[kregrs]

The main problem I'm having is it wont let me download or install updates, say, for instance, I go the MIcrosoft site, it'll say its checking what updates are needed ( or words to that effect ), then it comes up with an error, says it cant check, and thats as far as I get.

[Tezcatlipoca]

The main problem I'm having is it wont let me download or install updates, say, for instance, I go the MIcrosoft site, it'll say its checking what updates are needed ( or words to that effect ), then it comes up with an error, says it cant check, and thats as far as I get.

 

Ah, sorry I was under the impression that you were unable to surf to certain websites at all, hence my asking you to perform those initial checks.

Still, it's not done any harm to perform those checks and confirm that things should be running fine.

 

Regarding the updates, you could just turn on the automatic updates service built in to windows (under Control Panel), which will grab the updates. If you don't want to switch this on, and have a copy of any non-IE browser installed, you can use the WindizUpdate website to get updates directly from Microsoft without having to use their website. This site is completely safe, and all the updates are genuine M$ updates.

This site was started and is maintained by a group of people who were upset that M$ updates via the web are only accessible to those surfing in IE and those who are willing to install WGA software on their PC.

 

Personally, I'd try installing FireFox (it's free and won't touch your existing IE installation at all), and try updating with the above site.

 

If you prefer to stick with IE, then I would guess that something, either IE itself or another program you have running, is blocking certain scripts that M$ likes to run on its update website. If these scripts aren't allowed to run, it will cause the kind of issue you mention, with systems just timing out. You could try reinstalling IE, or upgrading to the latest version (assuming you haven't already done so).

Edited December 14, 2009 by Tezcatlipoca

[pin1onu]

From the description you've given it sounds as if you are connected to the internet via a broadband router. A typical home network router possesses two IP addresses, one for the internal home (LAN) and one for the external Internet (WAN) connection.

 

The address you've given is the default address that a number of devices use as their default address. (e.g. 192.168.0.1 is the admin address used for some older model Netgear routers and also for D-Link routers).

 

The address range 192.168.x.x is reserved for class C private networks and is usually the IP addressing scheme for home networks

 

I would do the following to start with:

 

1. Open a cmd window. start -> run -> cmd

2. Type ipconfig /release

3. Type ipconfig /renew

4. Restart your browser and see how you go.

 

This should request a new IP address from your broadband router.

 

Can you also check the hosts file which is located at:

 

%SystemRoot%\system32\drivers\etc\ (cut and past the whole text into an explorer/my computer window) [/font]

 

In this directory you should see a number of files including hosts, lmhosts.sam, networks, protocls.

 

Do the following

 

The hosts file is actually a text file so you can use notepad to open it. (right click open with)

 

You should see a number of lines which commence with a #. The # indicates that the line is a comment and will be ignored.

 

Below that will be any entries in the host file. The only one that is normally in there should be

 

 

127.0.0.1 localhost

 

As this virus/malware modifies the host file you will likely have other entries in there. If you do then do the following

 

Use save as to create a backup of the file. Call it something like myhosts.old.

Remove the unwanted lines (use delete or backspace key)

Use save as and name the file hosts (use the all files (*.*) as the filetype

Reply yes if you are prompted to overwrite

 

Close down your machine and reboot to force the ip files to reload. (there are other ways to do this but this guarantees everything reloads cleanly and from the defaults.

 

Try accessing all the sites you can't get to.

 

I would also download Malware bytes and run a scan. You should also download and run Spybot - SD and run a scan. This should pick up any problems and quarantine or delete any suspect files.

[locutus]

easy way to reset hosts file here

How do I reset the hosts file back to the default?

[Tezcatlipoca]

Both pin1onu and locutus give good advice, but I'm not altogether convinced that this is a HOSTS file/DNS hijacking issue.

 

Of course, it might be quicker, kregrs, if you could just open the HOSTS file (located in the C:\Windows\system32\drivers\etc\ folder) in Notepad, then copy and paste the entire contents to this thread. We can tell you instantly if the file has been hijacked then.

 

Could you also kindly confirm if you actually have trouble surfing to any websites, or is the issue solely that the M$ update site times out for you when you try to start it up?