dirdisc.exe and crypt.exe
Posted by Turan Fettahoglu on November 5th, 2005


A friend's computer has strange problems: no programme can be started by
double-clicking (the pointer becomes an hourglass for a moment, then an
arrow again, then nothing). Every minute or so a Winsock error comes up and
refers to a logfile in c:\. The logfile says that dirdisc.exe and crypt.exe
were blocked by an unknown firewall. Both files are in c:\windows\system32,
dated 17 November, 2004 and are not standard Windows files.

An outdated Norton virus scanner did not find anything. AdAware finds some
40 suspicious files and crashes after a while. Google does not find anything
usable about dirdisc.exe. I tried to install a new McAfee instead, but could
not get the setup programme to work.

Does anyone here have an idea what this is and how to get rid of it?

Turan Fettahoglu

Posted by David H. Lipman on November 5th, 2005


From: "Turan Fettahoglu" <turan.fe@invalid>

| A friend's computer has strange problems: no programme can be started by
| double-clicking (the pointer becomes an hourglass for a moment, then an
| arrow again, then nothing). Every minute or so a Winsock error comes up and
| refers to a logfile in c:\. The logfile says that dirdisc.exe and crypt.exe
| were blocked by an unknown firewall. Both files are in c:\windows\system32,
| dated 17 November, 2004 and are not standard Windows files.
|
| An outdated Norton virus scanner did not find anything. AdAware finds some
| 40 suspicious files and crashes after a while. Google does not find anything
| usable about dirdisc.exe. I tried to install a new McAfee instead, but could
| not get the setup programme to work.
|
| Does anyone here have an idea what this is and how to get rid of it?
|
| Turan Fettahoglu

Please submit samples of dirdisc.exe and crypt.exe to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submissions will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Posted by Gabriele Neukam on November 6th, 2005


On that special day, David H. Lipman, (DLipman~nospam~@Verizon.Net)
said...

I second David's advice. Also, I'd like to ask whether said friend
opened a mail that had "You've received a greeting from a family
member!" as subject, and whether (s)he clicked on the link.

I could wget the file (it was stored on a Yahoo! domain), and sent it
to virustotal.

My AVG finds *three* files in the 900kb "postcard.exe" archive, two
IRC\Backdoor.Flood and one Parite. Virustotal called the IRC bot
"Zapchast". Someone wanted to make sure, that the computer WILL be
infested.

And e-Trust failed miserably with both scanners, btw. (definitions from
November 4th)


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Posted by Turan Fettahoglu on November 6th, 2005


That was not necessary. After the umpteenth attempt to install McAfee I
managed to install a Kaspersky demo version. It found a Sober version on the
mentioned files, plus lots of other Sobers and NetSkys on other .exe files
that were not active.

homily from me about safe hex.

Good news: the computer seems to be clean now, better (or worse?) news: it
will not get any new malware, because it cannot access the Internet now, bad
news: I am supposed to get it online again.

Thanks a lot for your advice

Turan


Posted by David H. Lipman on November 6th, 2005


From: "Turan Fettahoglu" <turan.fe@invalid>

| That was not necessary. After the umpteenth attempt to install McAfee I
| managed to install a Kaspersky demo version. It found a Sober version on the
| mentioned files, plus lots of other Sobers and NetSkys on other .exe files
| that were not active.
|
| homily from me about safe hex.
|
| Good news: the computer seems to be clean now, better (or worse?) news: it
| will not get any new malware, because it cannot access the Internet now, bad
| news: I am supposed to get it online again.
|
| Thanks a lot for your advice
|
| Turan

Why can't it access the Internet now ?

Was there adware removed such as New Dot Net ? Malware such as New Dot Net inserts a Layered
Service Provider (LSP) into Winsock and if not removed when the malware is removed it will
break the TCP/IP stack.

If it is a WinXP SP2 PC then you can execute in a command prompt...

netsh winsock reset catalog
netsh winsock reset

If it is not then download LSPfix

http://www.cexx.org/LSPFix.exe
http://www.cexx.org/lspfix.htm


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
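
Added example, not part of the original thread: a Python check that audits a saved `netsh winsock show catalog` listing for the situation described in the post above, flagging layered or non-stock providers and chain IDs that no longer exist in the catalog. The sample listing, the `example_lsp.dll` path and the `TRUSTED_DLLS` baseline are constructed assumptions.

```python
# Constructed sample in the layout printed by `netsh winsock show catalog`,
# trimmed to the fields used here; the LSP name and path are placeholders.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\ExampleLSP\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain:                     1014 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
"""

# Assumption: only the stock Microsoft provider is trusted; extend from a clean baseline.
TRUSTED_DLLS = {"mswsock.dll"}

def parse_catalog(text):
    """Return one dict of 'Field: value' pairs per Winsock provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if line.strip() == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
        elif not sep and line.strip().endswith("Entry"):
            current = None  # header of some other section; ignore its fields
        elif current is not None and sep and value.strip():
            current[key.strip()] = value.strip()
    return entries

def audit(entries, trusted=TRUSTED_DLLS):
    """Return (findings, missing): suspect (entry ID, DLL) pairs and dangling chain IDs."""
    ids = {e.get("Catalog Entry ID") for e in entries}
    findings, missing = [], set()
    for e in entries:
        dll = e.get("Provider Path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        chain = [c.strip() for c in e.get("Protocol Chain", "").split(":") if c.strip()]
        if dll not in trusted or len(chain) > 1:
            findings.append((e.get("Catalog Entry ID"), dll))
        missing.update(c for c in chain if c not in ids)
    return findings, sorted(missing)
```

Run it on the saved listing before resetting the catalog, and check whether each flagged DLL still exists on disk; a flagged entry with a missing file or a dangling chain ID matches the broken-stack case described above.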



Posted by Turan Fettahoglu on November 6th, 2005


Might well be. The owner ran SpyBot before I arrived. AdAware got stuck
after finding 38 critical objects. Some suspicious cookies were manually
removed. On top of that, I tried JV 16 Power Tools (formerly RegCleaner),
which found lots and lots of rubbish.

I'll try next weekend and post the result.

Thank you again
Turan


Posted by David H. Lipman on November 6th, 2005


From: "Turan Fettahoglu" <turan.fe@invalid>


|
| Might well be. The owner ran SpyBot before I arrived. AdAware got stuck
| after finding 38 critical objects. Some suspicious cookies were manually
| removed. On top of that, I tried JV 16 Power Tools (formerly RegCleaner),
| which found lots and lots of rubbish.
|
| I'll try next weekend and post the result.
|
| Thank you again
| Turan

Make sure that he is using SpyBot S&D v1.4 and Ad-aware SE v1.06. If they are older
versions, remove them and install the latest version and then re-scan the system. First
update them and I suggest performing the scans in Safe Mode.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Turan Fettahoglu on November 7th, 2005


You bet I did.

One more problem: I was looking for a file in Windows Explorer, <right
mouse> <Find>, <Find what>, clicked on <Files and folders> and nothing
happened. Any idea how to fix this, or is this off-topic?

Turan


Posted by Turan Fettahoglu on November 14th, 2005


Both did not make any difference. We want to be on the safe side, so I'll
reformat C: and reinstall Windows from scratch.

Thanks everybody
Turan


