Talkstocks.net - Downloader.MSCache virus

November 14, 2003

Many users at Virginia Tech have noticed a problem with a certain website (talkstocks dot net). This virus is very similar to the earlier Trojan.Sinkin (Realphx) virus in that it spreads itself through AIM profiles. This method is also used to install another virus recognized by Symantec AntiVirus as Downloader.MSCache. The code can infect all versions of Windows, including Windows 98, ME, 2000, and XP (Pro and Home).

Infection Methods

This virus is activated when a user visits a malicious website (talkstocks dot net). The site prompts the user to install a browser plugin and run an executable program. This program installs the Downloader.MSCache virus on the user's computer.

Symptoms and Effects

This virus will:

  • Install multiple adware and spyware packages.
  • Add registry keys.
  • Create numerous offensive Favorites in Internet Explorer.
  • Try to download code from a website (currently unavailable).

There may be other symptoms that are unknown at this time.

Removal

There are two steps to removing this virus from your computer.

Step 1 - Removing the Talkstocks dot net portion

Windows 2000 and Windows XP
  1. Press 'Ctrl-Shift-Esc'.
  2. Choose the 'Processes' tab.
  3. Select 'b.exe' from the list.
  4. Click 'End Process'.
  5. Go to 'Start/Search/For Files or Folders'.
  6. Search all files and folders for 'b.exe'.
  7. Delete files that have the exact name 'b.exe' or 'b'.
  8. Click on 'Start/Run...'
  9. Type 'regedit' and press 'Enter'.
  10. Navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.
  11. Delete the 'Antivirus' key with a value of 'b.exe'.
  12. Close regedit.
  13. Empty the recycle bin.
  14. Restart the computer.
  15. Reset your AIM profile by removing the link for the virus.

Windows 98 and Windows ME
  1. Turn on the computer (or if the computer is already on, restart).
  2. While the computer is coming up and before the Windows screen appears, hold down 'F8' until a Windows start-up option screen appears.
  3. Use the up/down arrows to select the 'Safe mode' option.
  4. Press the 'Enter' key.
  5. When the computer has finished loading, go to 'Start/Find/Files or Folders'.
  6. Search all files and folders for 'b.exe'.
  7. Delete files that have the exact name 'b.exe' or 'b'.
  8. Click on 'Start/Run...'
  9. Type 'regedit' and press 'Enter'.
  10. Navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.
  11. Delete the 'Antivirus' key with a value of 'b.exe'.
  12. Close regedit.
  13. Empty the recycle bin.
  14. Restart the computer.
  15. Reset your AIM profile by removing the link for the virus.
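
To check many machines for the registry entry from steps 10 and 11, the Run key can be exported to a .reg file and scanned. The script below is an added example, not part of the original advisory; the sample export, the 'ExampleTray' entry and the C:\WINDOWS location are constructed for illustration.

```python
import re
from ntpath import basename  # splits Windows paths on any host OS

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "antivirus"      # entry name from step 11, compared case-insensitively
BAD_NAMES = {"b.exe", "b"}    # file names from step 7
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; RunOnce is present only to show it is not matched.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /min"
"Antivirus"="C:\\WINDOWS\\b.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Antivirus"="b.exe"
'''

def program_name(command):
    """Lower-cased file name of the program a Run entry starts."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, arguments follow the quote
        path = command[1:].split('"', 1)[0]
    else:                                  # unquoted: drop arguments after ".exe"
        m = re.match(r"(.*?\.exe)(\s|$)", command, re.I)
        path = m.group(1) if m else command
    return basename(path).lower()

def find_indicator(reg_text):
    """Return (name, command) pairs under the Run key that match the advisory."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]               # entering a new registry key section
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or key.lower() != RUN_KEY.lower():
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # unescape
        if name.lower() == VALUE_NAME and program_name(data) in BAD_NAMES:
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    print(find_indicator(SAMPLE_EXPORT))
```

Exports made by regedit on Windows 2000 and XP are UTF-16 text, so read those files with encoding="utf-16" before passing the text to find_indicator.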

Step 2 - Removing the Downloader.MSCache portion

You can find removal information for the Downloader.MSCache virus at: http://www.sarc.com/avcenter/venc/data/downloader.mscache.html


This will not remove all traces of the virus from your computer. This will only stop the spread of the virus, and clean up damage from the Downloader.MSCache virus. Several adware/spyware packages are installed with these viruses as well. Many people have had luck in minimizing damage from the worm by running a third-party adware cleanup program such as Ad-Aware or Spybot. You can find these programs on many websites by searching the internet.