Pesky Host Virus! (AnswerPool.com, Security Issues forum)

Moderators: Dwight
JerseyTomater (Diamond Enthusiast) posted:
My computer has picked up a host virus. My AVG has caught a bunch of viruses the last few days, but the host stealer keeps coming back every time I reboot after yet another scan. This all started when AVG caught some kind of back door trojan. How do I get rid of this host changer?!

Also there's a pesky WinAntivirus spam message that keeps popping up.

I've got Windows 2000 with Verizon DSL, and I am trying to keep my host/homepage as AOL . . .

The scan I'm running now is coming up with:

a virus JS/Psyme,
two Tibs downloaders,
and the host change thing.

Help!
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
Dwight (Diamond Enthusiast, Enthusiast of the Year) posted:
Update and run Ad-Aware, Spybot, and SpywareBlaster. If you don't have them, you can get them here: http://dwightblackburn.com#spyware

When you run them, remove anything they find. Once that is complete, update your AVG. Do this by opening the product and then clicking the update button.

When that is done, run the antivirus (AVG) in Safe Mode.

Windows 2000

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
Press Enter. The computer then begins to start in Safe mode.

Run the AVG and allow it to remove all infected files.

When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

I hope this will help. If you still have problems after that, you may need some advanced help. Let us know.

Dwight
 
Posts: 4321 | Location: Anchorage, AK | Registered: 06-05-02
JerseyTomater (Diamond Enthusiast) posted:
Hi Dwight! I did the Ad-Aware and SpywareBlaster scans and the AVG again (it listed one threat found: Host change & Virus JS/Psyme)... and the WinAntivirus message still pops up and my home page still gets changed over to Google.

What's next?
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
JerseyTomater (Diamond Enthusiast) posted:
And another thing... The Control Panel has disappeared.
At Start/Settings there is no Control Panel listed, just Network & Dial-up Connections, Printers, and Taskbar & Start Menu.
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
bedstor (Diamond Enthusiast) posted:
Control Panel back?

Right-click on the Start menu and select Properties.

Click the Customize button against the Start menu, OK?
Ignore the next screen; click the Advanced tab.

A new window opens, and the very first item of the menu in the window is the Control Panel display setting. Click on the "Display as a link" option, then press the OK button, then close the page with the Apply button.
Have a peek now? Has it returned?

As to your other issues, that may need a HijackThis! log to be made to determine where the root of this issue lies.
 
Posts: 13170 | Location: 6 miles west of Wigan, UK | Registered: 06-05-02
Dwight (Diamond Enthusiast, Enthusiast of the Year) posted:
Please verify that you ran the AVG scan in Safe Mode after you had updated it.
 
Posts: 4321 | Location: Anchorage, AK | Registered: 06-05-02
JerseyTomater (Diamond Enthusiast) posted:
Dwight, I did another safe mode updated AVG scan today.

Scan results status change: (back to Google)

C:\Windows\system32\drivers\etc\hosts

The WinAntivirus spam message still keeps popping up too.
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
JerseyTomater (Diamond Enthusiast) posted:
I did another scan since I had so much trouble getting to and posting at AnswerPool.

The scan still finds the host problem,
and 3 Trojan downloader viruses (healed now).

And a (red!) at C:\Documents and Settings\Administrator\Local Settings: Virus found JS/Psyme - Infected
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
Dwight (Diamond Enthusiast, Enthusiast of the Year) posted:
Did you put the hosts file in as recommended on my site? http://www.dwightblackburn.com (look under "Blocking Unwanted Parasites").

If so, you can ignore the hosts file change, as this would be normal. If not, then I suggest you follow the directions from the link in that paragraph and put in the modified hosts file in an effort to prevent this type of problem.

If you can't figure out how to put this in, contact me via the email link on my page and I can provide one-on-one assistance.

In Safe Mode, open the Windows Explorer window (right-click on "My Computer" and choose "Explore"). Then open C:\Documents and Settings\Administrator\Local Settings and select and delete the JS/Psyme folder/file. (Empty the Recycle Bin to remove it from there, too.)

You may need to select the Tools menu in Windows Explorer and choose Folder Options. In the View tab, select "Show hidden files and folders" to see the "Local Settings" folder.

Once this is done, restart the computer in the Normal mode and run another scan to see if the infected file is cleared.

I hope this helps!

Dwight
 
Posts: 4321 | Location: Anchorage, AK | Registered: 06-05-02
JerseyTomater (Diamond Enthusiast) posted:
Dwight, when I get to the Local Settings folder it is empty!
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
JerseyTomater (Diamond Enthusiast) posted:
After going through those steps again (had to show hidden files), when I get to the Local Settings folder, in there are 4 folders: Application, History, Temp, and Temporary Internet Files.
I still can't find that JS/Psyme folder. Where to next?
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
Dwight (Diamond Enthusiast, Enthusiast of the Year) posted:
If you cannot locate the JS/Psyme file/folder, then AVG must have removed it. It may be located in the Virus Vault, which you can open from the AVG program folder in the Start/Programs menu. If you see it there, you can empty the Virus Vault to remove it.

Note: These are the same instructions about installing the hosts file as those I emailed to you.

You can use a HOSTS file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the connection(s) that supplies these little gems.

Follow these steps for Windows 2000:
(For other operating systems, see this page: http://www.mvps.org/winhelp2002/hosts.htm)

Create a new folder in your C:\ drive named "hosts". Right click on your "My Computer" icon and choose "Explore". Then click the + sign to left of My Computer to expand the folder. Select the C:\ drive and click File/New/Folder. Type in the name "hosts" (without the quote marks).

Save the hosts.zip file that is *attached to this message to the C:\hosts folder.
Do this by right-clicking on the *attached hosts.zip file and choosing "Save As", and save it to the C:\hosts folder. Create the hosts folder first.

*Re: the comment about the "attached hosts.zip" file, which can be downloaded here: http://www.mvps.org/winhelp2002/hosts.zip

Extract the hosts.zip file to the C:\hosts\hosts folder. Do this by opening the hosts.zip file. In WinZip choose the Wizard mode.

Using the WinZip Utility program

1. Double-click the hosts.zip file; WinZip will open. If you have not paid for the program yet, you will have to click "Agree" to the shareware agreement.
2. If it isn't in the Wizard mode, select that.
3. By default the first option will be selected, "Unzip or install from an existing zip file".
4. Click Next.
5. The next window will show the file you're extracting, and below that a text box named "selected folder". The default setting is C:\unzipped\filename.
6. Use the "Select different folder" button to change the unzipped file location to read:
C:\hosts
7. Then click "Unzip Now".
8. Once the files are unzipped, click "close" on the Wizard.

When the hosts.zip file is extracted, you will see a file named hosts (note: you will see that this file does not have a file extension; it is just "hosts").

Copy/paste the hosts file to the
C:\WINNT\SYSTEM32\DRIVERS\ETC
Folder. Do this by right-clicking on the hosts file and choosing "Copy". Navigate to the Winnt folder, then to the System32 folder, then to the Drivers folder, then to the ETC folder. In each case, select the + sign to left of the folder you wish to expand. At the ETC folder, just select it and then right-click/Paste the hosts file into the ETC folder. Once done, your system will be protected from ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers.

The result will look like this:
http://aycu39.webshots.com/image/27678/2003523620277103396_rs.jpg
See image by clicking link.

See this image to see an example of what this protection will look like:

http://www.dwightblackburn.com/image/ad-hosts.jpg

If you still have trouble doing this, you can install Windows Live Messenger or the "Go To My PC" program and then allow me to connect to your computer and install this file. See details about this procedure here: http://www.dwightblackburn.com/#gotomypc

Dwight
 
Posts: 4321 | Location: Anchorage, AK | Registered: 06-05-02
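Dwight's post above installs the MVPS hosts file and says that AVG's "hosts change" warning is then normal, while JerseyTomater's earlier scan reported the same file as the thing that keeps changing. What separates the two cases is what the entries in the file actually do: a blocklist only maps names to 0.0.0.0 or 127.0.0.1, whereas a hijacker redirects names to a real address or sinks the vendor and update sites the victim needs. The script below is an added example for this thread, not code from AnswerPool, AVG or the MVPS project; it parses a hosts file and labels each mapping. The protected-domain list and the sample file are constructed assumptions.

```python
"""Audit a Windows hosts file and separate blocklist entries from hijacks.

Added example for this thread; not code from AnswerPool, AVG or the MVPS
project. The protected-domain list and the sample file below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Sink addresses used by blocklists such as the MVPS hosts file: a name mapped
# to one of these resolves nowhere, which is the intended blocking effect.
BLOCKING_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains a hijacker would block or redirect to cut the victim off from vendor
# updates or from the homepage they chose. Hypothetical list; adjust as needed.
PROTECTED_SUFFIXES = ("grisoft.com", "avg.com", "mvps.org",
                      "windowsupdate.com", "aol.com")

Entry = Tuple[int, str, List[str]]


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_no, address, [names]) for every active mapping.

    Blank lines and '#' comments (whole-line or trailing) are skipped; CRLF
    endings and tab separators, as found in Windows hosts files, are accepted.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name maps nothing
        entries.append((line_no, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def classify(address: str, names: List[str]) -> str:
    """Label one mapping.

    localhost : loopback entry every hosts file has
    blocking  : name sunk to 0.0.0.0/127.0.0.1 (what a blocklist does)
    redirect  : name pointed at a real address (a hosts file on a home PC
                should not do this; it is how a hijacker fakes a site)
    hijack    : a protected vendor/homepage domain blocked or redirected
    invalid   : first field is not an IP address
    """
    protected = any(n == s or n.endswith("." + s)
                    for n in names for s in PROTECTED_SUFFIXES)
    if address in BLOCKING_SINKS:
        if all(n in LOCAL_NAMES for n in names):
            return "localhost"
        return "hijack" if protected else "blocking"
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    return "hijack" if protected else "redirect"


def audit(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Group every mapping by label; value tuples are (line, address, names)."""
    report: Dict[str, List[Tuple[int, str, str]]] = {
        k: [] for k in ("localhost", "blocking", "redirect", "hijack", "invalid")}
    for line_no, address, names in parse_hosts(text):
        report[classify(address, names)].append((line_no, address, " ".join(names)))
    return report


def is_plain_blocklist(text: str) -> bool:
    """True when the file only sinks names, i.e. an AV 'hosts change' warning
    on it is the expected side effect of a blocklist and not a hijack."""
    report = audit(text)
    return not (report["redirect"] or report["hijack"] or report["invalid"])


# Constructed sample: an MVPS-style blocklist with hijack lines mixed in.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
0.0.0.0\tad.doubleclick.net      # ordinary blocklist entry
0.0.0.0\twww.winantivirus.com    # blocking the rogue's own site
203.0.113.7\twww.google.com      # redirected to a TEST-NET address
127.0.0.1\tfree.grisoft.com      # AVG update site sunk: hijack
0.0.0.0\twww.aol.com             # the user's homepage sunk: hijack
not-an-ip\texample.net
"""

if __name__ == "__main__":
    for label, rows in audit(SAMPLE_HOSTS).items():
        for line_no, address, names in rows:
            print(f"{label:9} line {line_no}: {address} {names}")
    print("plain blocklist:", is_plain_blocklist(SAMPLE_HOSTS))
```

Feed it the contents of C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts (the path Dwight gives for Windows 2000). If every row lands under localhost or blocking, the AVG "hosts change" report is the blocklist at work; any redirect or hijack row means something else has written the file, and the MVPS copy should be put back after the machine is cleaned, since whatever rewrites it on every reboot will keep doing so.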
chris (Silver Enthusiast) posted:
Dwight,
This is the same infection that I called you about the other day! Win Antivirus 2006, and it did the same thing to the laptop I'm working on, which I'll be doing a total re-format on this Saturday.

Even after disabling System Restore, it's very hard to get rid of, and I cannot find any traces in the registry to remove either, which is prompting me to reformat the laptop. Good luck, Jersey!

chris
 
Posts: 819 | Location: Wytheville, VA, USA | Registered: 09-03-02
bedstor (Diamond Enthusiast) posted:
Chris,
Check the Prefetch folder.

Have you got CCleaner? www.ccleaner.com. That is pretty tough, and as you are possibly formatting anyway, tick all the tick boxes to clear the cookies and History files too. It often latches onto the cached file to keep it "live".

Trying to cover as many bases as I can (yes, the saying is said in the UK as well).
There is a small chance this may be a rootkit, which are like viruses yet cannot be deleted/detected by A/V programs; you have to run a rootkit detector program.

Big article and review:
quote:
While many security suites have a basic level of detection, these standalone tools will do a search-and-destroy on the rootkits that may be hiding in your system.

quote:
For the most part, these programs are for advanced- to expert-level users. They're not intended to be used as general-purpose solutions; they don't always distinguish between false positives (i.e., files hidden by the operating system deliberately) and real rootkits; they come with no warranty — they're provided "as-is" — and some of them (such as Trend Micro's product) have their core technologies available in a far more user-friendly version in a commercial product. In short, if you're not a professional, your best bet, at least for now, is to either hire a guru or use a mainstream product that has some kind of rootkit detection

www.informationweek.com/news/showArticle.jhtml?articleID=196901062
So they aren't for a normal user... say, HijackThis! reader experience level.

Another selection here goes to the McAfee website Security Threat section:
http://vil.nai.com/vil/stinger/default.aspx

It may have removal instructions on the home page for this pest?
 
Posts: 13170 | Location: 6 miles west of Wigan, UK | Registered: 06-05-02
bedstor (Diamond Enthusiast) posted:
There must be something in this Google search I made, everybody?
About 700 hits.
 
Posts: 13170 | Location: 6 miles west of Wigan, UK | Registered: 06-05-02
JerseyTomater (Diamond Enthusiast) posted:
Thanks, Van, I need some luck!

Dwight, I accomplished the hosts file, but the home page still switches back and the antivirus spam message still pops up...

I did finally find and vault that JS/Psyme.

And I found the Control Panel (via the up folder from the Printers folder). But in the
Control Panel we can only access 6 folders (Admin. Tools, Fonts, Network Dial Up Communications, Printers, Scheduled Tasks & User Passwords). For all the other folders, up comes the restriction message: "This operation has been canceled due to restrictions in effect on this computer. Contact your system administrator." How do I get this restriction lifted?
 
Posts: 3009 | Location: NJ, USA | Registered: 06-03-02
Dwight (Diamond Enthusiast, Enthusiast of the Year) posted:
I sent an email to Vansrme with some Webpages that may be helpful. Once he sees them, perhaps he will report back if that helped at all. The removal instructions are rather complex so I wish to see what he finds before trying to go into them.
Dwight
 
Posts: 4321 | Location: Anchorage, AK | Registered: 06-05-02
chris (Silver Enthusiast) posted:
Thanks, Dwight! I'll check into those links. I can rarely get into the Control Panel to do anything, so getting to do anything in it is problematic at best! I'll check into the Prefetch and see if it will let me empty it.

chris
 
Posts: 819 | Location: Wytheville, VA, USA | Registered: 09-03-02
© 2002-2008 AnswerPool.com