 

Symantec.com forwarded to my home server

Started by CrAz3D, June 12, 2005, 03:35 PM


EpicOfTimeWasted

If you're able to, you could download the Ultimate Boot CD.  Throw it on a CD and boot from that CD, and run the virus scanner it has.  The virus definitions are from January though, so there's a pretty decent gap in detections, but it could be worth a shot.

Spybot S&D can supposedly run from a PE boot CD now too, but I have no idea how to set that up.

CrAz3D

wow, such wisdom...I don't have the money to spend to move out :(  I do, but I'd rather save it for later
rebundance - having or being in excess of sheer stupidity
(ré-bun-dance)
Quote from: Spht on June 22, 2004, 07:32 PM
Slap.
Quote from: Adron on January 28, 2005, 09:17 AM
In a way, I believe that religion is inherently evil, which includes Christianity. I'd also say Christianity is eviller than Buddhism (has more potential for evil).
Quote from: iago on April 19, 2005, 01:06 PM
CrAz3D's ... is too big vertically, at least, too big with ... iago ...

CrAz3D

Finally.  Someone from f150online.com told me to do this & it worked.

Quote
Start Windows In Safe mode.

Open Regedit and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Look for an entry called RunServices

If you find it, that is your culprit. Delete it and you should be good to go.

I fixed a PC last month with those exact same symptoms. Took me awhile to find it though.

BTW - this was on a XP machine...

Also, look in the Run, RunOnce and RunOnceEx keys for suspicious entries, etc. Rookie virus pr!cks put stuff here sometimes too.

Good luck !!

It was an External.exe in C:\Windows\system32\  that was doing this.  I thought it looked suspicious when Googling External.exe came up with nothing

Kp

Deleting the whole RunServices key was probably a bad idea.  Lots of non-malware uses that too, like some continuous-protection AV products. :)
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

dxoigmn

Also, you can see all things that start up via registry by running msconfig (Start->Run).

CrAz3D

The only thing I saw related to RunServices was the External.exe so I deleted it.

I couldn't use msconfig

dxoigmn


CrAz3D

Ok, it doesn't matter now, I've fixed it

dxoigmn

#23
Quote from: CrAz3D on June 13, 2005, 08:29 PM
Ok, it doesn't matter now, I've fixed it

Always good to have that kind of utility. When I feel something is astray (almost never on my comp but other people's :P) I usually run that to see what is starting up.

Something odd though. I tried putting a RunServices key on my XP machine, added an appropriate entry and rebooted to see if this worked. And it didn't. So I loaded up AutoRuns and it didn't even report my entry as starting up. So I thought that was kind of weird. So I first looked through AutoRuns to see if it even detected that key and it had a string in there to do it. But when I started looking at what it was actually doing it made a call to first GetVersion and compared the result to 0x80000000 (as in the code sample provided in the documentation) meaning if the value returned was greater it is a Win9x/ME system and skipped over this key and some others. So I was like oh, RunServices only works on those particular OSes, yet it works on your XP machine? Am I mistaken somehow?

TehUser

#24
For anyone interested in the inner workings of this particular virus, I also received it in an E-Mail and infected myself with it (purposely).  It's protected with PESpin, so the code is obfuscated.  I also took the following notes:

Quote
File: External.exe
IRC Server:      aue-clan.com
EXEServer:   (?)
Port:      8900
Channel:   #pwnz
Operator:   whoopie
Channel Key:   elite
Login:      (?)
Comments:   IRC server is set up for bots.
      SMTP remailer virus.
      Kills protective EXEs.

Basically, if you've been infected, it used you to send off thousands more spam emails.

Edit: I saved a copy of the infecting executable if anyone else wants to have a look.  Lastly, with regards to the RunServices key, it also puts itself in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which does load with Windows XP.

dxoigmn

Quote from: TehUser on June 13, 2005, 09:18 PM
Edit: I saved a copy of the infecting executable if anyone else wants to have a look.  Lastly, with regards to the RunServices key, it also puts itself in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which does load with Windows XP.

Link? Always fun to analyze viruses.
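
The per-value review that the posts above argue for, as an added PowerShell example that is not from the thread or from any tool mentioned in it: it lists each value under the Run, RunOnce, RunOnceEx and RunServices keys with its target file and signature status, and deletes nothing. The column names and the note attached to RunServices entries on NT-family systems (following the Win9x/ME observation made in the thread) are choices made for this example.

```powershell
# Added example: report autostart values one at a time; nothing is deleted.
$base = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$keys = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices'   # the keys named in the thread

# Assumption taken from the thread: RunServices is only processed on Win9x/ME,
# so on an NT-family system an entry there is noted as such, not treated as active.
$isNT = [Environment]::OSVersion.Platform -eq [System.PlatformID]::Win32NT

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($k in $keys) {
        $path = "$hive\$base\$k"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # RunOnceEx keeps its commands in numbered subkeys, so walk those too.
        $nodes = @(Get-Item -LiteralPath $path) +
                 @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)

        foreach ($node in $nodes) {
            foreach ($name in $node.GetValueNames()) {
                $cmd = [Environment]::ExpandEnvironmentVariables([string]$node.GetValue($name))

                # Take the quoted path, or else the first whitespace-delimited token.
                # Bare names that rely on PATH lookup are reported as not found.
                $exe = $null
                if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
                elseif ($cmd -match '^\s*(\S+)') { $exe = $Matches[1] }

                $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
                $sig = 'n/a'
                if ($exists) {
                    $sig = [string](Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue).Status
                }

                $note = ''
                if ($isNT -and $k -eq 'RunServices') { $note = 'Win9x/ME-only key' }

                [pscustomobject]@{
                    Key       = $node.Name
                    Value     = $name
                    Command   = $cmd
                    FileFound = $exists
                    Signature = $sig
                    Note      = $note
                }
            }
        }
    }
}
$report | Sort-Object Signature, Key | Format-Table -AutoSize -Wrap
```

Rows with an unsigned or missing target are the ones to look up before removing that single value; legitimate software that uses the same key stays untouched.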