Number 265 - June 2005

A Computer Problem Mission
by Carl Tenning, Tacoma Open Group For Microcomputers
   I have a retired friend who had some computer problems and asked if I could help. It is a fairly new Dell computer running XP Home. He had automatic update turned on and Windows XP appeared to be up to date. However, he could not get his antivirus to update (Problem #1). In the process of troubleshooting this problem, several others were also found. We ran his antivirus application, but with an out-of-date signature file, it found nothing.

   The first thing I look for when access to certain internet sites is denied (like antivirus updates) is whether someone or something has altered the HOSTS file. The HOSTS file contains shortcuts to various internet sites, intended to speed up your internet access. However, entries in the HOSTS file can be used to redirect access to some unintended site or even your own computer. When the access to a certain site is redirected to your own computer, of course it won't find it there and you get a screen saying it can't find that particular site. The HOSTS file (there is no extension) is a pure text file, so it can be read by NOTEPAD. The best way to find the file is to use START > Search.

   This is where I found Problem #2. The search window would open, but the dialog box did not appear, so no search criteria could be entered. The little dog would appear and wag his tail, but there was no Dialog Box. Using GOOGLE to search the internet for something related to this problem I found that Microsoft had posted the solution at:
      http://support.microsoft.com/?kbid=831430

   The solution was to reregister two files, "jscript.dll" and "vbscript.dll". Apparently something had removed the registration of these files from the registry. A mere coincidence or malware at work? I found that a DLL file can be reregistered by using Start > Run and typing "regsvr32 jscript.dll" (without the quotes). Next I wanted to have a look at the Registry, but I found that neither Regedit.exe nor Msconfig.exe would run (Problem #3). At this point I strongly suspected that some malware got into his computer. Fixing this problem would take further research.

   However, by this time I was able to locate the HOSTS file and I found that it had indeed been altered to block access to any antivirus updating site. This strongly sounds like some malware has got into his computer. I removed the offending HOSTS file and replaced it with the original Windows XP installation version. Then I installed Symantec Antivirus 8.1. It installed and would run, but would still not install or run LiveUpdate. Then I discovered two more problems. Neither Regedit.com nor Msconfig.com would run. Now I really suspected some malware at work.
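   The HOSTS check described above can be automated. The following is an added example, not part of the original article: it parses HOSTS-format text and reports any entry that blocks or redirects a watched security-update domain. The watchlist and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watchlist of vendor domain suffixes (not from the article); adjust to your products.
WATCHED = ("symantec.com", "symantecliveupdate.com", "windowsupdate.com")

# Constructed sample HOSTS content, not taken from the machine in the article.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1   localhost
127.0.0.1   liveupdate.symantecliveupdate.com
0.0.0.0     update.symantec.com www.symantec.com  # two names on one line
192.0.2.10  WindowsUpdate.com.
10.0.0.5    fileserver
bogus       symantec.com
"""

def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def classify(address):
    """'blocked' for loopback/0.0.0.0, 'redirected' for other IPs, None if not an IP."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    return "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"

def suspicious_entries(text, watched=WATCHED):
    """Return (line_no, hostname, address, kind) for each override of a watched domain."""
    hits = []
    for line_no, address, names in parse_hosts(text):
        kind = classify(address)
        if kind is None:
            continue  # not a usable IP address, so the line maps nothing
        for name in names:
            if any(name == s or name.endswith("." + s) for s in watched):
                hits.append((line_no, name, address, kind))
    return hits

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % hit)
```

   To check a real machine, pass the contents of the HOSTS file (on Windows XP it is under %SystemRoot%\System32\drivers\etc) to suspicious_entries() instead of the sample text.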

   In the meantime, my friend's son ran a scan using some other virus detection application and it found and removed five malicious applications.

   When I got back to my friend's computer, Regedit was working again (but I forgot to try Msconfig). I had found from researching this problem that there is a virus (possibly Win32.Darby.J) that disables the registry editing tools by placing a key in the registry called "DisableRegistryTools". It is located at:

   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System].

   (all one line -Ed)

   I suspect that this was fixed by his son's running of another antivirus scan.

   By this time, fortunately, my friend, seeing the benefits of a computer club, joined our club. Next, to get Symantec AntiVirus updated, I copied the virus protection signatures from my computer to his ("Program Files\Common Files\Symantec Shared\VirusDefs"). I also copied the Licenses from my computer to his ("Program Files\Common Files\Symantec Shared\Licenses"). After that, Live Update would install and work (previously it wouldn't even install). I think the problem may have been that his old version of Norton AntiVirus did not completely uninstall. There were still traces of it in the registry. We were able to run Symantec Live Update and do a complete up-to-date antivirus scan. His computer was now clean.

   Finally, everything is back to normal. That was a tough one. Mission accomplished!