Problems in I.E.7 and FireFox2 after changing DN
Total Views: 217 - Total Replies: 4
Mar 15 2008, 10:49 am - By LadyArtemis


Request for information as received by email.

Hi Mel,

Good Day!


Wish to inform that myself came across Owenzx's article on how to speed up the website on desktop and just followed the instructions and made changes to the DNS settings, though did note down the original ones on paper. After having made those changes using Mozilla's Firefox 2 browser and then disabling external cookies did not notice any changes that day, but the next day to my surprise found that Firefox 2 browser has been removed and on accessing I.E.7 (genuine validated on genuine Windows XP Prof SP2) noticed the page loading a site named = www.thecoolpics.net which also contains a url on dns site that claims to make online websurfing faster.


Myself tried to remove the homepage setting, but just simply could not do it, even though being the sole owner of this desktop PC, the Microsoft showed this inability to change assuming it to be controlled by some group that myself have joined and the changes being made by system administrator? The following is their help guide on this =

Why won't Windows allow me to change a system setting?
If your computer is part of a network at an organization such as a school or a business, your organization's system administrator might have disabled or even removed certain settings by using Group Policy. Group Policy is a feature of Windows that lets system administrators manage users' access to Windows features. If you suspect that Group Policy is preventing you from changing a setting that you need to access, contact your system administrator.

For more information about Group Policy settings, visit the Microsoft TechNet (http://technet.microsoft.com) website.


But Mel, since 3 months of my having upgraded with the Windows software, this is the first time such a problem has arisen, which myself probably think due to having made the changes in the DNS setting, so tried to put the original numbers and still the same problem is persisting, could it be there is some hacking done? If so how to rectify and detect and remove it without any harm to my system?

Please do come up with some solution to let me put the system to what it was prior to having experimented with the dns changes.


Thanking you in anticipation of your most positive revert,


We live but to learn
Mar 15 2008, 10:50 am - Replied by: LadyArtemis


Hi Mel

Good Day!

Thanks for your positive revert and also do check out with Owenzx as he advised me to download antivirus, but honestly I am using the genuine Win XP Pro SP2 with Windows Live OneCare and Live Care, Windows Defender all working fine. It is only when myself did this stupidity to change the DNS that some authorized invasion has been made and up till now in spite of making essential security and administrative service changes and making separate Windows for users, could not get this site [http://*thecoolpics.net] to release my I.E. homepage and whenever download the Firefox 2 of Mozilla it is being immediately removed. So in order to be able to keep using the Firefox this time myself downloaded and saved it in different name and now it is not being removed? So hope you can understand what a mental torture it has been when the Microsoft indicates to me while not being able to access the IE homepage that "some changes are being controlled by system administrator" who is this one? Is it the NTController that myself discovered in the administrative service from Control Panel, do I disable this account? As while trying to disable there is warning that I might lose my settings? Whom does this thecoolpics dot net site belong to? I have even put this site under restricted sites of the security. But really wish to have the access to modify my homepage back and for this your help will surely educate all a lot, do feel free to cut and paste my problem in the forum, highly obliged and it shall be much appreciated.

As for the Anti Trojan, myself do have licenced Golden Version 7.05 of Trojan Guarder installed some two months back, except for the Isass.exe error it is stating that no Trojan is found.


We live but to learn
Mar 15 2008, 10:50 am - Replied by: LadyArtemis


Hello Mel,

Do look forward to getting the puzzle of all this solved with your expertise, thanking you in anticipation for the same.

FYI only,

Please note my last mail to Owenzx and his reply:-

Hi Owenzx

At least this issue has given me an opportunity to fast converse with you :) Well you are right again when you assume that it is not due to DNS and yes have done exactly as per Step 6, it still has not solved the issue, which means this is kind of some hacking done.

Now the issue is how to detect this hacker though I have Trojan Guarder (licenced Golden version 7.05 and is working good) as in the *STARTUP there is also an error in [ Isass ] exe file bearing id 432, next is [PDVDServ] exe file ID 1004 is showing = CL RC Engine2 Dummy Winidow (exactly this spelling) and further in the 1) [MSASCui] exe ID 1308 & in the 2) [ObjectDock] exe ID 2232, 3) [YzToolBar] exe ID 2292, 4) [iexplore] exe ID 2980 all are showing GDI + Window. Now in [firefox] exe ID 3352 it is showing = Members Area Friends For Cash. It is the only Social Network That Matters in this World - Mozilla Firefox - so this is what Trojan Guarder is showing to me in the start up files and while shutting down the Isass shows error in closing down and not responding.


Hope you can get a clearer picture and help. Can I terminate from startup [Firefox] exe and reinstall again?

Owenzx replied:

Maybe you might wish to check this site for help = www.freedrweb.com - I do have the experience of using Dr. Web, it makes the PC slow and also the free version is not helpful unless one goes for the paid one, and this myself do not wish to if the matter could be resolved by understanding how this happened and is it not possible to re-correct the modified registry entry made secretively by this unknown intruder if any?

Also while typing to you, noticed sometimes the keys getting difficult to press and kind of slowed down as if someone stopping me from typing? :) lol really an online intimation kind of feeling creeps in oneself, hope you do understand. Please do assist me in understanding the issue and solving it permanently.


Thank you once again for agreeing to rescue me out of this mess, my own stupidity of having played with changing DNS when there was only one Window with all administrative privileges that myself was using, now have created a separate window with less privileges to be used when not downloading any prog or needing to have access to administrative privileges exercised.

We live but to learn
Mar 15 2008, 11:03 am - Replied by: LadyArtemis


ISSUE IS A WORM. HERE IS A DESCRIPTION AND WAY TO REMOVE THE PROBLEM AS DESCRIBED ON THE TREND MICRO WEBSITE. I ALSO RECOMMEND USING HIJACKTHIS AND POSTING THE LOG FILE HERE FOR A FURTHER ANALYSIS.

Malware type: Worm
Aliases: Worm.Win32.VB.ck (Kaspersky), W32/YahLover.worm (McAfee), W32.Imaut.AA (Symantec), Worm/VB.CK.24 (Avira), W32/Sohana-G (Sophos)
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No

Overall risk rating: Low
Reported infections: Low
Damage potential: Medium
Distribution potential: High

Infection Channel 1: Propagates via removable drives
Infection Channel 2: Copies itself in all available physical drives

Description:

This worm may be downloaded unknowingly by a user when visiting malicious Web sites.

It drops copies of itself.

It creates registry entries to enable its automatic execution at every system startup. It also drops copies of itself in the Windows Common Startup folder to enable its automatic execution at every system startup.

It creates and modifies registry entries as part of its installation routine.

It drops copies of itself in all physical drives and in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

It accesses Web sites to download files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Solution:

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as WORM_VB.GAX.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use HouseCall, the Trend Micro online threat scanner.

Terminating the Malware Program

Since this malware uses a file name that is also the file name of a legitimate process, it is necessary to use third-party process viewers such as Process Explorer to isolate the malware process itself.

If the process you are looking for is not in the list displayed by Process Explorer, proceed to the succeeding solution set.

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by double-clicking procexp.exe.
  4. In the Process Explorer window, locate the process:

    %Windows%\lsass.exe

    (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

  5. Right-click the malware process, and choose Properties.
  6. Check if the value for the Current Directory is the following:

  7. If yes, then right-click on the malware process, and click Kill Process Tree.
  8. Close Process Explorer.

*NOTE: On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Enabling The Registry Editor

This malware disables the Registry Editor. To restore the said system tool, perform the following instructions:

• On Windows 98, ME, NT, and 2000:
  1. Open Notepad. Click Start > Run, type Notepad, then press Enter.
  2. Copy and paste the following:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

  3. Save this file as C:\RESTORE.REG.
  4. Click Start > Run, type C:\RESTORE.REG, then press Enter.
  5. Click Yes at the prompt of the message box.

• On Windows XP and Server 2003:
  1. Open the Run dialog box. Click Start > Run, type Notepad, then press Enter.
  2. Copy and paste the following:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

  3. Save this file as C:\RESTORE.REG.
  4. Click Start > Run, type C:\RESTORE.REG, then press Enter.
  5. Click Yes at the prompt of the message box.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. In the right panel, locate the entry:

    shell = "explorer.exe %Windows%\system\lsass.exe"
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:

    "Explorer.exe"
  5. Still in the right panel, locate the entry:

    Userinit = "userinit.exe,%Windows%\system\lsass.exe"
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:

    %System%\userinit.exe

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Restoring Registry Entries

  1. Still in the Registry Editor, in the left panel, double-click the following:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  2. In the right panel, locate the entry:

    Start Page = http://thecoolpics.net/
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:

    "User defined"
  4. In the left panel, double-click the following:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  5. In the right panel, locate the entry:

    Hidden = "2"
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:

    "0"
  7. In the right panel, locate the entry:

    HideFileExt = "1"
  8. Right-click on the value name and choose Modify. Change the value data of this entry to:

    "0"
  9. In the left panel, double-click the following:

    HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
  10. In the right panel, locate the entry:

    content url = http://thecoolpics.net/
  11. Right-click on the value name and choose Modify. Change the value data of this entry to:

    http://tools.search.yahoo.com/ym/buzz
  12. In the left panel, double-click the following:

    HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast
  13. In the right panel, locate the entry:

    content url = http://thecoolpics.net/
  14. Right-click on the value name and choose Modify. Change the value data of this entry to:

    http://radio.launch.yahoo.com/radio/play/playmessenger.as

Removing Other Malware Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  2. In the right panel, locate and delete the entry:

    NoFolderOptions = "1"
  3. Still in the right panel, locate and delete the entry:

    NoRun = "1"
  4. In the left panel, double-click the following:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\SYSTEM
  5. In the right panel, locate and delete the entry:

    DisableRegistryTools = "1"
  6. Still in the right panel, locate and delete the entry:

    DisableTaskMgr = "1"
  7. In the left panel, double-click the following:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
  8. In the right panel, locate and delete the entry:

    Homepage = "1"
  9. In the left panel, double-click the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  10. In the right panel, locate and delete the entry:

    NoFolderOptions = "1"
  11. In the left panel, double-click the following:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
  12. In the right panel, locate and delete the entry:

    DisableConfig = "1"
  13. Close the registry editor.
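As an added example (not Trend Micro's or the forum's code), the following Python script parses a Registry Editor export (.reg) and reports the Winlogon Shell/Userinit hijack and the policy lockouts named in the three registry sections above, so an export taken from the affected machine can be checked before anything is edited by hand. The registry paths come from the write-up; the Homepage policy is the value that produces the "controlled by system administrator" message the original poster describes. SAMPLE_REG is a constructed export, not a real capture.

```python
"""Audit a Windows .reg export for the WORM_VB.GAX persistence and lockout
entries listed in the write-up above. Added example, not Trend Micro's or the
forum's code; SAMPLE_REG is a constructed export, not a real capture."""
import re
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Policy DWORDs the worm sets to 1 (absent or 0 on an unmanaged home PC); Homepage is the IE home-page lock.
LOCKOUTS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("DisableRegistryTools", "DisableTaskMgr"),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ("NoRun", "NoFolderOptions"),
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel":
        ("Homepage",),
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data; @= default skipped

def parse_reg(text):
    """REGEDIT4 / 'Version 5.00' text -> {key: {name: data}}, keys and names lowercased;
    dword: data becomes int, quoted strings are unescaped (no hex continuation lines)."""
    unesc = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
    reg, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = reg.setdefault(line[1:-1].lower(), {})
        elif key is not None and (m := VALUE_RE.match(line)):
            data = m.group(2).strip()
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = unesc(data[1:-1])
            key[unesc(m.group(1)).lower()] = data
    return reg

def audit(reg):
    get = lambda k, n: reg.get(k.lower(), {}).get(n.lower())
    found = []
    shell = get(WINLOGON, "Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        found.append(f"Winlogon Shell hijacked: {shell}")
    userinit = get(WINLOGON, "Userinit")
    if isinstance(userinit, str):  # clean: one userinit.exe path, trailing comma allowed
        parts = [p for p in (x.strip() for x in userinit.split(",")) if p]
        if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
            found.append(f"Winlogon Userinit hijacked: {userinit}")
    for k, names in LOCKOUTS.items():
        found += [f"{n} lockout set under {k}" for n in names if get(k, n) not in (None, 0)]
    return found
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system\\lsass.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system\\lsass.exe"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Homepage"=dword:00000001
'''
print("\n".join(audit(parse_reg(SAMPLE_REG))) or "no indicators found")
```

Run it against a real export (regedit, File > Export, whole registry) to get one line per indicator that is still present after the steps above; an empty report means the listed entries are clean.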







Deleting Malware-created AUTORUN.INF/s

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:

    AUTORUN.INF
  3. In the Look In drop-down list, select a drive, then press Enter.
  4. Select the file, then open using Notepad.
  5. Check if the following lines are present in the file:

    [AutoRun]
    Open=boot.exe
    Shellexecute=boot.exe
    Shell\Auto\command=boot.exe
  6. If the lines are present, delete the file.
  7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
  8. Close Search Results.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_VB.GAX. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

We live but to learn
Mar 15 2008, 10:51 pm - Replied by: LadyArtemis


This can be downloaded from the following site:


http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html


Before running a scan, make sure the little box that says "fix now" is unticked, as it may remove items which are needed.


Please post the log file in here once you have run the scan.


Thanks,


Mel

We live but to learn