Guest Deeks

Please help a fellow flight simmer, if you can.


I wonder if anyone can help me. A friend of mine called me with a computer problem and I am currently at my wits' end trying to solve it all. First thing that happened was that his homepage was changed to an invalid page; the address is just a bunch of numbers, slashes and percent signs, and in the registry all of the default pages were changed to this "address". Also, System Restore and the Help and Support Center do not start, some web pages do not load and no online virus scanners work; the page will load but then stops while it is either downloading the required data or starting to scan. At one point his virus scanner picked up an MHTML exploit and deleted it. I have run various spyware utilities, stopped some suspect programs and processes from loading and changed the registry entries to their correct values, as well as cleaning out the history, cookies, and temp internet folders, but the problem persists. Has anyone seen anything like this before? I have found other people that have this problem (very recently) but no resolutions anywhere. He very much wants to get back to flight simming but needs this problem fixed first. Anybody here want to take a stab?

Thanks,
Philip Olson


You're REALLY not going to like my answer, I'm afraid. What your friend has picked up is a self-repairing Trojan. Somewhere on his computer is a small program that is re-changing the relevant entries after you fix them. If none of the spyware finding programs have been able to track down that program, it's unlikely you'll be able to do so manually.

It is possible that you can fix it with many hours of trial and error, but I think his best bet is going to be to cut the losses and start from scratch. Back up all documents and data that he needs to CDs, boot the computer from a rescue disk - safest bet is a boot CD from McAfee or Norton - and do a full reformat on the hard drive. Then do a clean install of Windows and all his other programs. Sorry, but that's my best advice. Probably going to be a full day's work, but you could put that much time into trying to fix it, with no guarantee of success.

Then be sure and run a good anti-virus and spyware checker on the backup CDs before restoring any of the data and documents.

Richard


I was afraid that might be my only option. All I can say is thank God that it is not my computer!!!! I am going to go back over there tonight and have another go at it, so if anyone else has any ideas before then I would appreciate it.

Thanks,
Philip Olson


Hi Philip,

A clean sweep is the best option, but if you really don't want to wipe out the HD, you could try a repair install of Windows. Some viruses 'disguise' themselves as Windows system files and a reinstall would overwrite them. However, in all likelihood there will be some files left over, so all this option really does is buy your friend some time - the computer will probably be running OK, giving your friend time to back up all his stuff before doing the reformat.

Cheers,
Gosta.


Most likely Win32.HLLW.Agobot worm or a variation. It will load a program into your /system32 folder named scvhost.exe (not to be confused with svchost.exe, a normal windows tcp srv) and run it as a service. It will alter your HOSTS file and add all the known anti-virus sites and update URLs to point to 127.0.0.1 (local host) so you will not be able to connect to them via iExplorer or thru your AV software. It will later delete the TCP stack settings in your registry so you will have no i-net access. You need a program called WinsockXPFix.exe to fix the stack values, and MS has a security patch to stop the scvhost.exe from creating a service and defend against this worm exploit. If you're not good at fixing these worm problems then best to wipe and reload Win.

Deeks
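A defensive check for the two symptoms described in the post above (an added example, not part of the original thread): it flags HOSTS entries that force a hostname to a loopback or unspecified address, and file names that are one adjacent-letter swap away from a known system binary. The sample HOSTS content, its hostnames and the short list of system binary names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (hostnames are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example
127.0.0.1       liveupdate.av-vendor.example  download.av-vendor.example  # inline comment
0.0.0.0         update.scanner.example
192.0.2.10      intranet.example
::1             localhost
not-an-ip       broken.example
"""

# Names that legitimately map to loopback.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Short illustrative list of real Windows binaries; extend it for actual use.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

def sinkholed_hosts(text):
    """Return (line_no, address, hostname) for names forced to loopback/unspecified."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                           # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                           # first field is not an IP address
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in entry[1:]:                 # one line may carry several hostnames
            if name.lower() not in BENIGN_NAMES:
                findings.append((line_no, entry[0], name.lower()))
    return findings

def is_lookalike(name, known=SYSTEM_NAMES):
    """True if name is not a known binary but becomes one by swapping two adjacent letters."""
    name = name.lower()
    if name in known:
        return False
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        if swapped in known:
            return True
    return False
```

On a live Windows system the text passed to `sinkholed_hosts` would come from `%SystemRoot%\System32\drivers\etc\hosts`, and any hit on a security vendor's site is a reason to investigate further.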
