Help with possible virus

Discussion in 'Archived Threads 2001-2004' started by Kevin Eckhardt, Feb 10, 2002.

  1. Kevin Eckhardt

    Kevin Eckhardt Stunt Coordinator

    Joined:
    Jun 16, 1999
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    0
    Hi,
    My mom's computer has contracted what appears to be some sort of virus, but I'm having a hard time trying to figure out what it is. In IE her start page and search page have both been replaced with links to some sex sites. I believe it is www.sexhound.com if that makes any difference. McAfee VirusScan 4.5.1 with the latest DAT files didn't detect anything. (Yes I scanned on all files) The info library on McAfee's site isn't too helpful because it only allows you to search for viruses by by name, not symptoms. Web searches have also turned up fruitless. I searched through the registry and replaced all references to the website, but they reappeared upon a reboot. I didn't see any rogue programs in the startup list under system info. Has anyone 'contracted' this themselves? Any ideas on how to find it and remove it? I'd like to be able to fix this for her the next time I'm over there.
    Kevin
     
  2. Rob Speicher

    Rob Speicher Supporting Actor

    Joined:
    Nov 24, 2000
    Messages:
    935
    Likes Received:
    0
    Trophy Points:
    0
    Download a trial version of Norton Antivirus 2002 from a site like hotfiles.
    Keep in mind it may not be a virus at all. If a site installed an ActiveX program it can change start pages, add links to the start menu, etc. Of course she'd have to actually go to those sites, so if that's the case I think you've got some other questions to ask [​IMG]
     
  3. Andre F

    Andre F Screenwriter

    Joined:
    Dec 9, 2000
    Messages:
    1,486
    Likes Received:
    2
    Trophy Points:
    0
     
  4. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Trophy Points:
    0
    If your homepage gets changed everytime you reboot the PC, check the following places for "unwanted" (trojan) programs being launched:

    Startup folder(s)

    Registry - HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run and /RunServices

    Win.ini (Run= line, Load= line) - Win 95, 98, or ME only

    Autoexec.bat - Win 95, 98, or ME only

    If the homepage is getting changed only after visiting a certain website (usually the site the page is being changed to), then there is some javascript on the page doing the dasterdly deed. Put the site into the Restricted Sites zone to prevent this from happening in the future.

    If you still suspect a virus, try Norton AntiVirus 2002. You can download a trial version from Symantec.com. Make sure to update it to the latest virus definitions.

    KJP
     
  5. Kevin Eckhardt

    Kevin Eckhardt Stunt Coordinator

    Joined:
    Jun 16, 1999
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    0
    SUCCESS!!!
    Thanks for the suggestions. I ended up finding the entries in the registry under HKEY_CURRENT_USER and HKEY_USERS.DEFAULT instead of HKEY_LOCAL_MACHINE It was making a call to regedit with a strangely named .tmp file. This explains why I couldn't find anything when I searched for .reg files. I checked the file and sure enough it contained the registry changes. I deleted the file and removed the offending registry entries and everything is back to normal.
    Thanks again,
    Kevin
     

Share This Page