Author Topic: PLEASE HELP VIRUS W32.WALLZ  (Read 5728 times)

kopenhagen

  • Guest
PLEASE HELP VIRUS W32.WALLZ
« on: June 25, 2005, 06:24:24 PM »
Every time I format, as soon as I connect to the internet, the virus is attached to my PC.

I use NAV with upgrade but it can't remove it.

I tried Trend Micro HouseCall;

still it can't remove it.

I still have the virus alert from Norton:

C:\WIN/SYSTEM32\MOUSEHS.EXE
VIRUS NAME: W32.WALLZ

I tried to remove it from safe mode, no luck.

My screen keeps freezing and sometimes I can't turn off or restart.

Has this happened to anyone? I've checked with Microsoft support and have modified the registry according to them,
but no luck.

Thanks





jtaylor20

  • Guest
Re: PLEASE HELP VIRUS W32.WALLZ
« Reply #1 on: June 25, 2005, 06:26:25 PM »
Try reformatting again; this time, before you connect to the internet, you should install Norton. Also, you should put the virus fix or patch onto a CD or something and load it on before you plug into the internet. I had a similar problem last year, just a different virus. It must have been attached to my IP or something. But the above worked for me, so try it out.

kopenhagen

  • Guest
Re: PLEASE HELP VIRUS W32.WALLZ
« Reply #2 on: June 25, 2005, 06:35:16 PM »
Quote
Try reformatting again; this time, before you connect to the internet, you should install Norton. Also, you should put the virus fix or patch onto a CD or something and load it on before you plug into the internet. I had a similar problem last year, just a different virus. It must have been attached to my IP or something. But the above worked for me, so try it out.


I have formatted twice, reinstalled Norton and then scanned, also with Ad-Aware and Spybot.

You're right, the virus is attached to random IP.
Now how do you put the virus fix or patch onto a CD???

merlin_2

  • Guest
Re: PLEASE HELP VIRUS W32.WALLZ
« Reply #3 on: June 25, 2005, 06:44:32 PM »
May I suggest you disconnect from the net.....and scan again in safe mode......and quarantine the virus in NAV.....reformatting a PC does not kill all the bugs!

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: PLEASE HELP VIRUS W32.WALLZ
    « Reply #4 on: June 25, 2005, 07:09:03 PM »
    kopenhagen.....  Several questions ......

    1.....Do you have the system restore feature turned off ?

    2.....Which version of Norton are you using and is it up to date re subscription and updates ?

    3.....Does Norton find the virus and indicate where it is residing ?

    4......Have you made the deletions and modifications to the registry as detailed by symantec ........ http://securityresponse.symantec.com/avcenter/venc/data/w32.wallz.html

    Let us know

    dl65  ::)

    If you don't know the answer, it isn't a dumb question.

    kopenhagen

    • Guest
    Re: PLEASE HELP VIRUS W32.WALLZ
    « Reply #5 on: June 25, 2005, 08:45:49 PM »
    Quote
    kopenhagen.....  Several questions ......

    1.....Do you have the system restore feature turned off ?
    it is ON
    2.....Which version of Norton are you using and is it up to date re subscription and updates ?
    I have NAV 2002, updates and subscription till 6/2006
    3.....Does Norton find the virus and indicate where it is residing ?
    c:\MSDIRECTX.SYS
    C:\WIN\SYST32\MOUSEHS.EXE

    4......Have you made the deletions and modifications to the registry as detailed by symantec ........ http://securityresponse.symantec.com/avcenter/venc/data/w32.wallz.html

    Let us know

    dl65  ::)



    1/SYS RESTORE IS ON

    2/NAV 2002, UPDATES AND SUBSCRIPTION TILL 6/06
    3/ C:\MSDIRECTX.SYS
    C:\WIN\SYS32\MOUSEHS.EXE

    4/ This is the tricky part, I have a few questions

    "EnableDCOM" = "Y"
    I DID BUT WHEN I RESTART THE PC, IT BECOMES "N" UNLESS I HAVE TO SAVE IT AND HOW?

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

    to enable DCOM.


    Adds the value:

    "restrictanonymous" = "dword:00000001"
    I RIGHT CLICK, MODIFY, BUT CAN'T PUT DWORD: 00000..

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    to restrict anonymous access to network shares.


    Creates the following file, which is not malicious:

    %Windir%\Debug\dcpromo.log

    I DID

    Anyway, I scanned live with Trend Micro HouseCall, Symantec, and McAfee.
    None of them can remove this virus?

    Thanks

    Fed

    • Moderator


    • Sage
    • Thanked: 35
      • Experience: Experienced
      • OS: Windows XP
      Re: PLEASE HELP VIRUS W32.WALLZ
      « Reply #6 on: June 25, 2005, 09:01:26 PM »
      Removal Instructions
      1) Disable System Restore (Windows Me/XP).
      2) Update the virus definitions.
      3) Run a full system scan and delete all the files detected as W32.Wallz.
      4) Delete the value that was added to the registry.

      Have you done the first 3 things yet?
      You may need KillBox to delete the file.
      http://spywareinfo.com/~merijn/files/


      kopenhagen

      • Guest
      Re: PLEASE HELP VIRUS W32.WALLZ
      « Reply #7 on: June 25, 2005, 10:27:56 PM »
      Quote
      Removal Instructions
      1) Disable System Restore (Windows Me/XP).
      2) Update the virus definitions.
      3) Run a full system scan and delete all the files detected as W32.Wallz.
      4) Delete the value that was added to the registry.

      Have you done the first 3 things yet?
      You may need KillBox to delete the file.
      http://spywareinfo.com/~merijn/files/



      1/CAN'T DISABLE IT, IT'S FROZEN
      2/I DID ALREADY
      3/ IF I COULD DELETE IT, I WOULDN'T NEED TO POST THIS THREAD
      I DELETE MSDIRECTX.SYS IN SAFE MODE, WHEN PC REBOOTS IT'S STILL THERE.

      NORTON ALERT

      C:\MSDIRECTX.SYS VIRUS NAME: Hacktool.Rootkit
      C:\WIN\SYS32\MOUSEHS.EXE VIRUS NAME: W32.WALLZ

      Thanks for your help


      Fed

      • Moderator


      • Sage
      • Thanked: 35
        • Experience: Experienced
        • OS: Windows XP
        Re: PLEASE HELP VIRUS W32.WALLZ
        « Reply #8 on: June 25, 2005, 10:44:29 PM »
        Make a directory called C:\Hijack then go to
        http://www.hijackthis.de/index.php?langselect=english
        and download Hijackthis into the directory you made.
        Bookmark the above site for later.  ;)
        Start Hijack, run a scan, save the scan, go back to the bookmarked site and get your saved scan analysed.
        Take appropriate actions or post your scan in here (you will need a few posts to do it because of its length)

        Raptor

        • Guest
        Re: PLEASE HELP VIRUS W32.WALLZ
        « Reply #9 on: June 26, 2005, 06:28:58 AM »
        Obviously, you are installing software that brings the virus along.

        kopenhagen

        • Guest
        Re: PLEASE HELP VIRUS W32.WALLZ
        « Reply #10 on: June 26, 2005, 04:51:39 PM »
        Quote
        Obviously, you are installing software that brings the virus along.


        You obviously don't know about viruses attacking random IPs.
        Good luck

        kopenhagen

        • Guest
        Re: PLEASE HELP VIRUS W32.WALLZ
        « Reply #11 on: June 26, 2005, 04:55:42 PM »
        Quote
        Make a directory called C:\Hijack then go to
        http://www.hijackthis.de/index.php?langselect=english
        and download Hijackthis into the directory you made.
        Bookmark the above site for later.  ;)
        Start Hijack, run a scan, save the scan, go back to the bookmarked site and get your saved scan analysed.
        Take appropriate actions or post your scan in here (you will need a few posts to do it because of its length)


        Thanks, I have scanned it. I have located the malicious file, MOUSEHS.EXE, but still can't remove it.

        Logfile of HijackThis v1.99.1
        Scan saved at 3:31:07 PM, on 6/26/2005
        Platform: Windows XP  (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\NORTON~1\navapw32.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Norton AntiVirus\navapsvc.exe
        C:\Documents and Settings\A\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe
        C:\WINDOWS\system32\1.tmp
        C:\WINDOWS\System32\wmplayer.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/
        F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
        O2 - BHO: (no name) - {54EE0AE1-2951-AF60-CB4B-465A304E316E} - C:\WINDOWS\System32\FYI\xteivderqx.dll
        O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
        O4 - HKLM\..\Run: [System hoster] longwin32.exe
        O4 - HKLM\..\Run: [Explorer] explorer.exe
        O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\1.tmp
        O4 - HKLM\..\Run: [SECRETSERVICE] C:\WINDOWS\System32\n0m0r3\v1rg.exe
        O4 - HKLM\..\Run: [udtgrr] c:\windows\system32\pxhiwt.exe r
        O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\system32\1.tmp
        O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
        O4 - HKLM\..\Run: [Windows Media Player] wmplayer.exe
        O4 - HKLM\..\RunServices: [System hoster] longwin32.exe
        O4 - HKLM\..\RunServices: [Explorer] explorer.exe
        O4 - HKLM\..\RunServices: [Windows Media Player] wmplayer.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
        O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119422031463
        O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
        O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4519/mcfscan.cab
        O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - Unknown owner - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE (file missing)
        O23 - Service: fsbwsys - Unknown owner - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe (file missing)
        O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
        O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
        O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
        O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
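
        A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of any post in this thread. The sample lines are copied from that log; the three flagging rules (autorun with no full path or pointing at a .tmp file, service with "Unknown owner", extra program in UserInit) are assumed heuristics for deciding what to inspect by hand, not verdicts.

```python
import re

# Lines copied from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [System hoster] longwin32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - Unknown owner - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE (file missing)
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

O4 = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$", re.I)
O23_PREFIX = "O23 - Service: "

def triage(log_text):
    """Return (log line, reason) pairs that deserve a manual look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if m := O4.match(line):
            command = m.group(3).strip('"')
            if "\\" not in command:
                findings.append((line, "autorun without a full path"))
            elif re.search(r"\.tmp\b", command, re.I):
                findings.append((line, "autorun launches a .tmp file"))
        elif line.startswith(O23_PREFIX):
            # Split from the right: display names may themselves contain " - ".
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner" and "(file missing)" not in parts[2]:
                findings.append((line, "service owner reported as unknown"))
        elif m := F2.match(line):
            extra = [p for p in m.group(1).split(",") if p.lower() != "userinit.exe"]
            if extra:
                findings.append((line, "extra UserInit program: " + ",".join(extra)))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```
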



        merlin_2

        • Guest
        Re: PLEASE HELP VIRUS W32.WALLZ
        « Reply #12 on: June 26, 2005, 05:12:31 PM »
        Delete this in HijackThis......O2 - BHO: (no name) - {54EE0AE1-2951-AF60-CB4B-465A304E316E} - C:\WINDOWS\System32\FYI\xteivderqx.dll
        Delete what you think should not be there.....don't worry as HijackThis backs up files.

        Fed

        • Moderator


        • Sage
        • Thanked: 35
          • Experience: Experienced
          • OS: Windows XP
          Re: PLEASE HELP VIRUS W32.WALLZ
          « Reply #13 on: June 26, 2005, 07:06:45 PM »
          Did you get your log file analysed at the hijackthis site as I suggested?
          You have got a couple of nasties there.

          Anyway, this is just crazy, why don't you re-format, then install OS, antivirus, antispyware & a firewall before you connect to the internet and it's fixed?

          kopenhagen

          • Guest
          Re: PLEASE HELP VIRUS W32.WALLZ
          « Reply #14 on: June 26, 2005, 11:08:00 PM »
          Quote
          Did you get your log file analysed at the hijackthis site as I suggested?
          You have got a couple of nasties there.

          Anyway, this is just crazy, why don't you re-format, then install OS, antivirus, antispyware & a firewall before you connect to the internet and it's fixed?


          I did scan and analyse etc.

          However, I just reformatted for the 3rd time this week.

          Now I understand 2 things:

          1/ my IP was attacked by a virus as soon as I connected to the internet
          2/ before I connect I should ENABLE my firewall! I'm just wondering, is it offered by SP2?

          Anyway, I just enabled my firewall through network connection; so far this famous virus is not back there yet  ;D

          Thanks for all your help guys!

          keep up the work