
March 20th, 2005 23:00

errors PLEASE HELP

Every time I start my computer for the last 2 days I am asked either to run or cancel a file that has no verification: sysup.exe and svosm.exe. I click run sometimes, or cancel. Well, despite that, every time I attempt to run an antivirus program or antispyware or certain other programs, or type the word antivirus into Google, the program or browser automatically closes. I was wondering what I should do to resolve this problem?


March 21st, 2005 00:00

You're almost certainly infected with something. Try scanning in Safe Mode (update your antivirus first).


March 22nd, 2005 05:00

You may have the Fatso.B worm, which is a real pain. Fatso.B gets rid of your System Restore tab (Start--My Computer--System Restore), and also closes down software that could help remove it. I've read the worm is transmitted through online messengers.

The problem is that to do a complete removal you have to be able to turn off system restore, restart, and turn system restore back on.

Rather than saying this again, here's info from another board:
-------------------------------------------------------------
Symantec has a removal program for Serflog.A (which I believe is the same thing as the Fatso.A worm, the name for it used by Trendmicro). I've got XP Pro SP2 and I've just had trouble with the Fatso.B virus which inserted a couple of entries in the Registry Editor to turn off my System Restore Tab and if I tried to use the Wizard in the Help & Support Centre I got the same message as you about it being turned off by Group Policy. I used Trendmicro's free Sysclean Package and Housecall to detect and get rid of the worm but I had to do their Manual Removal Instructions as well (see www.trendmicro.com/vinfo/virusencyclo). My worm wouldn't let me visit Trendmicro's website, so a friend copied the relevant programs onto a CD for me and printed out the instructions, or I guess you could get someone without the worm to email the programs to you.

Here's what I had to do to get my System Restore Tab back:

(Courtesy of a guy called Bert Kinney, by the way...)

Look in your Registry Editor:

Click Start, click Run, type REGEDIT, click OK. You should now be in Registry Editor.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

Do you see two entries on the right hand panel:

DisableSR
DisableConfig

Trendmicro's Manual Removal Instructions for Fatso.A (Serflog.A) say that you should right-click on both entry values, choose Modify, and change them from "0" to "1", but this definitely didn't work for me with my worm.

Instead I had to delete both entries completely by selecting them, clicking Edit, then clicking Delete. Close the Registry Editor. Click Start, right-click on My Computer and click Properties. Hopefully your System Restore tab will have reappeared and you will be able to access the Wizard now.

If yours doesn't, Bert suggests a registry edit at Kelly's Korner (but I haven't tried this because I didn't need to):

Look on line 278 left side.
http://www.kellys-korner-xp.com/xp_tweaks.htm

This is important because you need to be able to disable the System Restore in order not to be reinfected by the worm.

I really hope this solves the problem for you too.
----------------------------------------------------------------

Here's the info from Trend Micro, in case you can't get to these pages:

---------------------------------------------------------------------
WORM_FATSO.B

Overview
Malware type: Worm
Aliases: W32.Serflog.B, W32/Crog.worm, W32/Sumom-B, Win32.Sumom.B
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Propagates via Instant Messengers

Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: High

Description:

This memory-resident worm spreads copies of itself to all online MSN messenger contacts of an affected system by sending copies of itself using several attractive file names to all contacts found in the said instant messaging application.

It terminates processes that contain certain strings in the window title, which may be related to antivirus and security-related applications. It also modifies the HOSTS file to redirect the browser whenever a user attempts to access a list of Web sites. This worm disables the System Restore feature.

Description created: Mar 8, 2005
Description updated: Mar 17, 2005

Solution
Minimum scan engine version needed: 6.810
Pattern file needed: 2.483.01
Pattern release date: Mar 8, 2005

Solution:


AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Template / Engine.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as WORM_FATSO.B.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro’s free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.
» On Windows 95, 98, and ME, press
CTRL+ALT+DELETE
» On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
5. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
6. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
7. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
8. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer>Run
9. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
10. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer>Run
11. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
12. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Policies>Microsoft>Windows NT>SystemRestore
13. In the right panel, locate and delete these entries:
DisableSR = "0"
DisableConfig = "0"
14. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Enabling Show All Files

This procedure allows you to access hidden malware files using Windows Explorer.

» On Windows 95, 98, and NT

1. Open Windows Explorer. Right-click Start then click Explore.
2. On the View menu, click Options or Folders Options.
3. Click the View tab.
4. Select Show all files, then click OK.

» On Windows ME, 2000, and XP

1. Open Windows Explorer. Right-click Start then click Explore.
2. On the Tools menu, click Folder Options.
3. Click the View tab.
4. Select Show hidden files and folders, then click OK.

Removing Malware Entries from the HOSTS File

Deleting malware entries from the HOSTS file removes all malware-made changes on host name association.

1. Open the following file using a text editor (such as NOTEPAD):
%System%\drivers\etc\HOSTS
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
2. Delete the following entries:
* avp.com
* ca.com
* customer.symantec.com
* dispatch.mcafee.com
* download.mcafee.com
* f-secure.com
* grisoft.com
* kaspersky-labs.com
* kaspersky.com
* liveupdate.symantec.com
* liveupdate.symantecliveupdate.com
* mast.mcafee.com
* mcafee.com
* my-etrust.com
* nai.com
* networkassociates.com
* rads.mcafee.com
* sandbox.norman.no
* secure.nai.com
* securityresponse.symantec.com
* sophos.com
* symantec.com
* trendmicro.com
* uk.trendmicro-europe.com
* update.symantec.com
* updates.symantec.com
* us.mcafee.com
* viruslist.com
* www.avp.com
* www.ca.com
* www.f-secure.com
* www.grisoft.com
* www.kaspersky.com
* www.mcafee.com
* www.my-etrust.com
* www.nai.com
* www.networkassociates.com
* www.pandasoftware.com
* www.sophos.com
* www.symantec.com
* www.trendmicro.com
* www.viruslist.com
3. Save the file and close the text editor.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_FATSO.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.



Technical Details
File type: EXE
Memory resident: Yes
Size of malware: 36,352 Bytes
Initial samples received on: Mar 8, 2005
Compression type: PESpin
Variant of: WORM_FATSO.A

Details:

Arrival and Installation

This worm arrives via MSN messenger. Upon execution, it drops the following copies of itself in the root directory:

* Crazy Japanese man kicks crazy frog!.pif
* Crazy.Html
* dsm.exe
* Dumb Looking Goth Chick.pif
* Funny Hitler parody!.pif
* HillBilly Chick lol.pif
* Hot Blonde!.pif
* Me drunk at The Sea!.pif
* Me Love You Long Time.pif
* Me pic.pif
* Modelling Her New Bikini.pif
* My birthday pic!.pif
* One Eye Granny pic!.pif
* Punk Lives! lol.pif

It also drops a copy of itself in the Windows folder and the Windows systems folder using any of the following file names:

* dsm.exe
* msmpatch.exe
* svosm.exe
* sysup.exe

The attributes of the said file is set to hidden so that it is not visible to users.

Autostart Technique

So that it runs at Windows startup, this worm creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%Value% = "%Data%"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
%Value% = "%Data%"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
%Value% = "%Data%"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%Value% = "%Data%"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
%Value% = "%Data%"

%Value% refers to any of the following:

* AvSer
* DsmSer
* rollbk

%Data% refers to any of the following dropped files:

* dsm.exe
* msmpatch.exe
* svosm.exe
* sysup.exe

Process Termination

This worm terminates processes that contain the following strings in the window title:

* ADWARE
* ALERTS
* AUTOSTARTED
* BENIGN
* BLOCKER
* BULLGUARD
* BUSTER
* CENTER
* -CILLIN
* CLEANER
* Command
* DESTROY
* DETECTION
* DOCTOR
* EARTHLINK
* EDITOR
* ELIMINATE
* FIGHT
* Filter
* FIREWALL
* FIXING
* HUNTER
* KERIO
* LIVEUPDATE
* MALWARE
* MALWHERE
* MCAFEE
* NETCOP
* NOD32
* NORTON
* PANDA
* PROCESS!A
* PROMPT
* PROTECTOR
* REGISTRY
* REMOVAL
* RESTORE
* SANDBOX
* SECURE
* SECURITY
* SOPHOS
* SPYBOT
* SPYWARE
* STOPPER
* SWEEPER
* TREND
* Update
* VCATCH
* VIRUS
* WATCH

The processes may be related to antivirus and security-related applications.

It also terminates the following running processes:

* apvxdwin.exe
* atupdater.exe
* aupdate.exe
* autodown.exe
* autotrace.exe
* autoupdate.exe
* avconsol.exe
* avengine.exe
* avsynmgr.exe
* avwupd32.exe
* avxquar.exe
* bawindo.exe
* blackd.exe
* ccapp.exe
* ccevtmgr.exe
* ccproxy.exe
* ccpxysvc.exe
* cfiaudit.exe
* cmd.exe
* defwatch.exe
* drwebupw.exe
* escanh95.exe
* escanhnt.exe
* firewall.exe
* frameworkservice.exe
* icssuppnt.exe
* icsupp95.exe
* luall.exe
* lucoms~1.exe
* mcagent.exe
* mcshield.exe
* mcupdate.exe
* mcvsescn.exe
* mcvsrte.exe
* mcvsshld.exe
* msconfig.exe
* msdev.exe
* navapsvc.exe
* navapw32.exe
* nisum.exe
* nopdb.exe
* nprotect.exe
* nupgrade.exe
* ollydbg.exe
* outpost.exe
* pavfires.exe
* pavproxy.exe
* pavsrv50.exe
* peid.exe
* petools.exe
* regedit.exe
* reshacker.exe
* rtvscan.exe
* rulaunch.exe
* savscan.exe
* shstat.exe
* sndsrvc.exe
* symlcsvc.exe
* taskmgr.exe
* Update.exe
* updaterui.exe
* vpupd.exe
* vshwin32.exe
* vsstat.exe
* vstskmgr.exe
* w32dasm.exe
* winhex.exe
* wscript.exe

Propagation via Instant Messenger

This worm is able to propagate via MSN Messenger by sending copies of itself using the following file names to all contacts found in the said instant messaging application:

* CRAZY JAPANESE MAN KICKS CRAZY FROG!.PIF
* DUMB LOOKING GOTH CHICK.PIF
* FUNNY HITLER PARODY!.PIF
* FUNNY HITLER PARODY.PIF
* HILLBILLY CHICK LOL.PIF
* HOT BLONDE!.PIF
* ME DRUNK AT THE SEA!.PIF
* ME LOVE YOU LONG TIME.PIF
* ME PIC.PIF
* MODELLING HER NEW BIKINI.PIF
* MY BIRTHDAY PIC!.PIF
* ONE EYE GRANNY PIC!.PIF
* PUNK LIVES! LOL.PIF

HOSTS File Modification

This worm also modifies the HOSTS file to redirect the browser whenever a user attempts to access any of the following Web sites:

* avp.com
* ca.com
* customer.symantec.com
* dispatch.mcafee.com
* download.mcafee.com
* f-secure.com
* grisoft.com
* kaspersky-labs.com
* kaspersky.com
* liveupdate.symantec.com
* liveupdate.symantecliveupdate.com
* mast.mcafee.com
* mcafee.com
* my-etrust.com
* nai.com
* networkassociates.com
* rads.mcafee.com
* sandbox.norman.no
* secure.nai.com
* securityresponse.symantec.com
* sophos.com
* symantec.com
* trendmicro.com
* uk.trendmicro-europe.com
* update.symantec.com
* updates.symantec.com
* us.mcafee.com
* viruslist.com
* www.avp.com
* www.ca.com
* www.f-secure.com
* www.grisoft.com
* www.kaspersky.com
* www.mcafee.com
* www.my-etrust.com
* www.nai.com
* www.networkassociates.com
* www.pandasoftware.com
* www.sophos.com
* www.symantec.com
* www.trendmicro.com
* www.viruslist.com

The browser is redirected to 213..154.54.

Other Details

This worm also creates the following registry entries to disable the System Restore feature:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableSR = "0"

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = "0"

It also drops the file, CRAZY.HTML, in the root directory. Running this file displays a picture from the following Web site:

http://www.turorce3d.com/bilder/annoying/annoying_desktop_2_1024x768.jpg

----------------------------------------------

GOOD LUCK!

Message Edited by tdx on 03-23-2005 01:42 AM
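The process-killing rule in the writeup quoted above also explains the symptom in the original question: the browser closes when "antivirus" is typed into Google because the window title then contains VIRUS. The Python below is an added example written for this page, not code from the thread or from Trend Micro. It replays the kill rule over a constructed process list. Case-insensitive substring matching on titles, and the subset of image names used, are assumptions; the writeup gives the strings but not how the comparison is made.

```python
"""Which windows would WORM_FATSO.B close on an infected machine?"""

# Window-title substrings from the Trend Micro writeup quoted in the post.
TITLE_STRINGS = [
    "ADWARE", "ALERTS", "AUTOSTARTED", "BENIGN", "BLOCKER", "BULLGUARD",
    "BUSTER", "CENTER", "-CILLIN", "CLEANER", "COMMAND", "DESTROY",
    "DETECTION", "DOCTOR", "EARTHLINK", "EDITOR", "ELIMINATE", "FIGHT",
    "FILTER", "FIREWALL", "FIXING", "HUNTER", "KERIO", "LIVEUPDATE",
    "MALWARE", "MALWHERE", "MCAFEE", "NETCOP", "NOD32", "NORTON", "PANDA",
    "PROCESS!A", "PROMPT", "PROTECTOR", "REGISTRY", "REMOVAL", "RESTORE",
    "SANDBOX", "SECURE", "SECURITY", "SOPHOS", "SPYBOT", "SPYWARE",
    "STOPPER", "SWEEPER", "TREND", "UPDATE", "VCATCH", "VIRUS", "WATCH",
]

# Part of the image-name kill list from the same writeup: the tools a
# person doing manual cleanup reaches for first (subset is an assumption).
IMAGE_NAMES = {
    "regedit.exe", "taskmgr.exe", "msconfig.exe", "cmd.exe", "wscript.exe",
    "ccapp.exe", "navapw32.exe", "mcshield.exe", "luall.exe", "ollydbg.exe",
}


def kill_reason(image_name, window_title):
    """Return why the worm would terminate this process, or None if it
    would be left alone. Image name is checked first, then the title.
    Case-insensitive substring matching is an ASSUMPTION; the writeup
    does not say how the comparison is made."""
    if image_name.lower() in IMAGE_NAMES:
        return "image name " + image_name.lower()
    title = window_title.upper()
    for needle in TITLE_STRINGS:
        if needle in title:
            return "title contains " + needle
    return None


def triage_processes(processes):
    """Map every (image, title) pair to its kill reason (None = survives)."""
    return {(img, title): kill_reason(img, title) for img, title in processes}


# Constructed process list for the demo; not taken from the thread.
SAMPLE_PROCESSES = [
    ("firefox.exe", "antivirus - Google Search - Mozilla Firefox"),
    ("firefox.exe", "Dell Community - Mozilla Firefox"),
    ("regedit.exe", "Registry Editor"),
    ("rgdt.exe", "Registry Editor"),   # renamed copy of regedit: title still matches
    ("notepad.exe", "hosts - Notepad"),
    ("cmd.exe", "C:\\WINDOWS\\system32\\cmd.exe"),
    ("explorer.exe", "My Computer"),
]

if __name__ == "__main__":
    for (img, title), reason in triage_processes(SAMPLE_PROCESSES).items():
        print(f"{img:14} {title!r:50} -> {reason or 'survives'}")
```

Worth noticing in the output: taskmgr.exe, regedit.exe and cmd.exe are all on the image-name list, and a renamed copy of regedit still carries a matching title, while Notepad editing the HOSTS file is left alone. That is why the writeup's fallback (restart if the process could not be ended) and the first reply's Safe Mode advice usually have to come before the manual steps will stick.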
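Sitting in regedit on an infected box is awkward because the worm kills it, so a practical alternative is to export the keys named in the removal steps above and triage the .reg file somewhere else. The Python below is an added example written for this page, not the thread's or Trend Micro's code: it parses a constructed Regedit 5.00 export, flags autostart values whose name (AvSer, DsmSer, rollbk) or data (dsm.exe, msmpatch.exe, svosm.exe, sysup.exe) matches the indicators quoted above, reports the System Restore policy key, and emits reg.exe commands that remove the hits. One caveat a practitioner should know: in the Windows policy itself a DWORD of 1 is what turns System Restore off (DisableSR) or hides the tab (DisableConfig), so the "0" printed in the quoted writeup is best read as "the value is present"; the poster's approach of deleting both values removes the policy whichever way it was set. The sample export therefore uses 1.

```python
"""Offline triage of a Regedit export for WORM_FATSO.B autostart entries
and the System Restore policy key."""
import re

# Indicators from the Trend Micro writeup quoted in the post.
WORM_VALUE_NAMES = {"avser", "dsmser", "rollbk"}
WORM_FILE_NAMES = {"dsm.exe", "msmpatch.exe", "svosm.exe", "sysup.exe"}
AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
}
SR_POLICY_KEY = r"hkey_local_machine\software\policies\microsoft\windows nt\systemrestore"

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. String and dword data are decoded;
    other types (hex:, hex(2): ...) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def triage_autostart(keys):
    """Flag autostart values whose name or data matches the worm's indicators."""
    hits = []
    for key, values in keys.items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            reasons = ["value name " + name] if name.lower() in WORM_VALUE_NAMES else []
            if isinstance(data, str):
                reasons += ["data names " + f for f in sorted(WORM_FILE_NAMES) if f in data.lower()]
            if reasons:
                hits.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return hits


def system_restore_policy(keys):
    """Report the policy values if the key exists. In the Windows policy a
    DWORD of 1 turns System Restore off (DisableSR) or hides its tab
    (DisableConfig); if the key is absent, no policy is applied at all."""
    for key, values in keys.items():
        if key.lower() == SR_POLICY_KEY:
            return {"present": True, "DisableSR": values.get("DisableSR"),
                    "DisableConfig": values.get("DisableConfig")}
    return {"present": False, "DisableSR": None, "DisableConfig": None}


def reg_delete_commands(hits):
    """reg.exe (XP) commands that remove each flagged value."""
    return ['reg delete "%s" /v "%s" /f' % (h["key"], h["value"]) for h in hits]


# Constructed export for the demo, not taken from an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"AvSer"="C:\\WINDOWS\\system32\\svosm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"rollbk"="C:\\WINDOWS\\sysup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001
'''

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    hits = triage_autostart(parsed)
    for h in hits:
        print(h["key"], h["value"], "=", h["data"], "->", ", ".join(h["reasons"]))
    print(system_restore_policy(parsed))
    print("\n".join(reg_delete_commands(hits)))
```

To produce the input on the machine itself, run `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the other keys listed in the removal steps) from a command prompt; since cmd.exe is on the worm's kill list, do that and the generated `reg delete` commands from Safe Mode or after the worm process has been ended. Removing the two SystemRestore values with `reg delete ... /v DisableSR /f` is the same thing the poster did by hand in regedit.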
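The HOSTS changes listed twice above (once in the removal steps, once in the technical details) are easier to check on a copy of the file than by eye. The Python below is an added example written for this page, not code from the thread or from Trend Micro. It parses a constructed HOSTS file, reports every line that maps one of the listed names or, going one step beyond the writeup's list, any sub-domain of the bare vendor domains, says whether the mapping is a redirect to a remote address or a loopback black-hole, and returns a cleaned copy that keeps comments and unrelated entries. The 203.0.113.5 address in the sample is documentation space, not the worm's redirect target, which the page only shows garbled.

```python
"""Find and strip the HOSTS entries WORM_FATSO.B plants to cut off
security-vendor sites, working on a copy of the file offline."""
import ipaddress

# Host names from the Trend Micro writeup quoted in the post.
WORM_HOSTS = set("""
avp.com ca.com customer.symantec.com dispatch.mcafee.com download.mcafee.com
f-secure.com grisoft.com kaspersky-labs.com kaspersky.com liveupdate.symantec.com
liveupdate.symantecliveupdate.com mast.mcafee.com mcafee.com my-etrust.com nai.com
networkassociates.com rads.mcafee.com sandbox.norman.no secure.nai.com
securityresponse.symantec.com sophos.com symantec.com trendmicro.com
uk.trendmicro-europe.com update.symantec.com updates.symantec.com us.mcafee.com
viruslist.com www.avp.com www.ca.com www.f-secure.com www.grisoft.com
www.kaspersky.com www.mcafee.com www.my-etrust.com www.nai.com
www.networkassociates.com www.pandasoftware.com www.sophos.com www.symantec.com
www.trendmicro.com www.viruslist.com
""".split())

# Bare vendor domains, so sub-domains the writeup does not list (e.g.
# support.symantec.com) are caught as well. This goes beyond the page's
# list; it is this example's choice, not part of Trend Micro's text.
VENDOR_DOMAINS = {h for h in WORM_HOSTS if h.count(".") == 1 and not h.startswith("www.")}


def suspicious(hostname):
    """Why a HOSTS mapping for this name is suspect, or None if it is not."""
    h = hostname.lower()
    if h in WORM_HOSTS:
        return "listed in writeup"
    for d in sorted(VENDOR_DOMAINS):
        if h.endswith("." + d):
            return "sub-domain of " + d
    return None


def triage_hosts(text):
    """Return (findings, cleaned_text). A line is dropped only when at least
    one of its host names is suspect; comments and other mappings stay."""
    findings, kept = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:            # blank, comment-only or malformed line
            kept.append(raw)
            continue
        ip, names = fields[0], fields[1:]
        reasons = {n: suspicious(n) for n in names}
        if not any(reasons.values()):
            kept.append(raw)
            continue
        try:   # a mapping to loopback black-holes the site; anything else redirects it
            target = "loopback" if ipaddress.ip_address(ip).is_loopback else "redirect to " + ip
        except ValueError:
            target = "unparseable address " + ip
        findings.append({"line": lineno, "target": target,
                         "names": [n for n, r in reasons.items() if r],
                         "reasons": sorted({r for r in reasons.values() if r})})
    return findings, "\n".join(kept) + "\n"


# Constructed sample; 203.0.113.5 is documentation address space, not the
# worm's real redirect target (which the writeup above shows garbled).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
203.0.113.5     www.symantec.com
203.0.113.5     symantec.com securityresponse.symantec.com
203.0.113.5\twww.trendmicro.com
127.0.0.1       liveupdate.symantec.com
203.0.113.5     support.symantec.com
192.168.1.10    fileserver
"""

if __name__ == "__main__":
    found, cleaned = triage_hosts(SAMPLE_HOSTS)
    for f in found:
        print("line %d: %s -> %s (%s)" % (f["line"], ", ".join(f["names"]),
                                          f["target"], "; ".join(f["reasons"])))
    print(cleaned)
```

On the machine the file lives at %System%\drivers\etc\HOSTS as the writeup says, and it has no extension; after confirming the findings, writing the cleaned text back over it (with "Show hidden files and folders" on, per the steps above) is the whole fix for the browser redirects, though the worm will rewrite it while it is still running.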
