Spyware, Viruses, & Security forum

Most Nasty Freaking Virus I've encountered

by rhonrod38 / October 21, 2006 8:31 PM PDT

Windows XP.

OK, bear with me, folks, and prepare for a ******* wall of text. Where to start? It's hard. Well, I've got a nasty virus. Upon boot this morning, Windows just went absolutely spastic; I checked the Task Manager. LOTS AND LOTS of foreign processes I didn't recognise nor trust. Then it froze. Now I tried a few things, but I came to the conclusion that Windows was absolutely fked.

Now, if all else fails, I says, boot up Windows Safe Mode. I did so successfully, and voila, it worked. With several malware-removing programs (Ad-Aware, Spybot) I was able to locate and destroy these offending viral files.

However, chaps, upon rebooting into normal Windows, this virus had recreated all the files I had purged. It's a lot more vicious and deeply entrenched than I realised.

I gave up after a while, for it seemed every time I cleared all the files in Safe Mode they were just replaced. Then a wave of brilliance hit me, and I've got a half-way solution in place.

I rebooted into Safe Mode. I opened ALL the offending files in Notepad. I cleared ALL the code, saved it, and ticked the 'Read-Only' box. Then under the Security tab of every file (I think it's a Safe Mode-only option) I denied access, writing, modifying, deleting etc. etc. to Administrator, Users, SYSTEM, EVERYTHING etc. etc.

My thinking was that the virus would recognise the files were there, but couldn't overwrite, re-modify, delete or recreate them. So now when I reboot Windows, the malicious offending files still load up in Task Manager; however, they do not have their freezing and other lame viral effects.

I've temporarily disabled, or perhaps disarmed, it. Now, before you start recommending me programs to delete the files (I'll compile a list of files down below to help you identify the virus/trojan/worm), I'm hesitant. You see, before, I kept deleting the trojans, worms etc. and they kept coming back.

Meaning I must find the source of the virus, the source file, if that makes any sense. I must also find out how to enable the Windows Firewall again (I will use another firewall, but clearly this is an effect of the virus).

The firewall error: "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

Now, I hope this list helps you; these are some of the files I kept removing before, but they kept being recreated. Many are identified by Ad-Aware/Spybot as malware, and many are in the 'Processes' tab of the Task Manager:

drsmartload.exe, nckige.exe, avoxqu.exe, update.exe, goll.exe, install.exe, two.exe, service.exe, loadadv455.exe, uniq (no file extension), vcncr.exe, rorjxk.exe, eywblbby.exe, cgqrvrva.exe, ToolBar888 (registry key, $_2341233.TMP, Firefox(default):.doubleclick.net/(id)

I do not want to format. It's a last resort, my tactical nuclear strike. Additionally, my cousin told me of a similar problem, where formatting did not completely solve the problem.

Please, I need your help. I think I've nullified most of the virus's deadliness, but it is STILL DEFINITELY THERE. Just partially disabled. Please consider everything I've said carefully; a simple deletion of the files listed is not going to suffice.

bump
by rhonrod38 / October 22, 2006 12:00 AM PDT

bump.

sorry
by Nataliya33 / October 22, 2006 1:12 AM PDT
In reply to: bump

Sorry, I only recognise one process, goll.exe. I know that's trojan.gobrena, because that's the trojan I got on my computer, and it added a file called goll to my desktop.

Name of the TROJAN? please.
by drgovinddas / October 29, 2006 9:32 PM PST
In reply to: bump

I had a similar experience about a month ago and ended up doing a 4x government wipe of my hard drive and then formatting and reinstalling. It was the only way I could get rid of Trojan PSW.Generic2.IGX and all his bad buddies. Exactly the same MO as yours. Could not remove the files.

I got the same Trojan exactly one week later and immediately did a repeat... 4x government wipe of the hard drive... etc.

I would like to know the name of the Trojan that you encountered.
Windows XP Professional SP2.

Thank you

Re: Most Nasty Freaking Virus I've encountered
by Tufenuf / October 22, 2006 1:21 AM PDT

Howard's Beast, have you tried running a virus scan and Ad-Aware scans in SAFE mode? You should also turn off System Restore first, then run those scans in SAFE mode, which may get rid of the virus/trojan/malware. If it comes up clean after doing this, then turn on System Restore again.

Tufenuf

Read my post
by rhonrod38 / October 22, 2006 1:36 AM PDT

Look at my post... Yes, I did specifically use all my anti-spyware software IN Safe Mode. Again, I explicitly stated multiple times that I had no problem locating and destroying much of the malware in Safe Mode... but upon reboot into Windows the files were recreated.

System Restore on my machine has ALWAYS been off.

Please, people, if you are going to post a response, read my original post thoroughly so as to avoid pointless suggestions.

Howard's Beast, read your post but no antivirus listed??
by DarCLew2 / October 22, 2006 2:57 AM PDT
In reply to: Read my post

We are ONLY volunteers trying to help!
by Marianna Schmudlach / October 22, 2006 3:05 AM PDT
In reply to: Read my post

Attitude
by shpielr / October 29, 2006 9:28 PM PST
In reply to: Read my post

What an ugly attitude; and you expect people to spend time helping you??

really issues here.
by rbodnieks / October 29, 2006 10:28 PM PST
In reply to: Read my post

People are only trying to help you, and you start hissing at them. That will NOT promote willingness to help. Check your attitude and mellow!! If you want help for a very serious problem, then don't turn on people with your attitude. Either that or format!!

Try This
by cannen00 / November 1, 2006 7:30 AM PST
In reply to: Read my post

First, turn off System Restore. Empty out your Recycle Bin. Download and install Avast Antivirus from Download.com. Acquire the newest updates to Avast, Ad-Aware, and Spybot. Unplug your network cable.

There is a mode in Avast that will allow you to reboot and run a boot-time scan. This scan happens before the GUI is even loaded. The scan will look through every single file on your computer. So set it to do a boot-time scan.

Start Spybot and click on "Mode" at the top of the screen, then click on "Advanced Mode". Now, on the bottom left you should see a button named "Tools". Click that. On the left side towards the top you will see where you can click on "Resident". Click that. Put a check in the box that says "Resident TeaTimer". The TeaTimer will help you block changes to your registry.

On the left, click on "System Startup". This will bring up a list, similar to msconfig, where you can stop things from starting. Take the check out of the boxes next to anything you don't recognize.

Close Spybot. Click Start -> Run -> and type msconfig. Select the radio button that says "Diagnostic Startup". Click "Apply", "OK".

If you don't already have one, set a password for your account on your PC. Clear your cookies, temporary internet files and offline content. Click on the Advanced tab in Internet Options and scroll to the bottom. About in the middle of the box, you will see an option to empty the browser cache when closed. Check that box if it isn't already. Clear your private data in Firefox too.

Start IE. Right-click in a blank area at the top around the address bar and remove the checks from any toolbars or things you don't need/recognize. Click Tools, Manage Add-ons. Disable any add-ons whose source, name, or manufacturer you don't recognize. Basically, you are disabling things that look fishy.

Shut down your computer. Pull the power plug and wait about 30 sec or so. Plug the computer back in and restart. The scan should soon start. You will need to answer some questions, so don't go too far and check back often.

When the scan completes and you come to the welcome screen, where you have to type your password to log in, click the shutdown button and select Restart. Restart in Safe Mode.

When you log in to Safe Mode, run Ad-Aware and Spybot scans. When you run the Ad-Aware scan, make sure you make it do a full scan.

When you finish all of this, log back in normally and see if you can find the problem. If it worked, congratulations. If not, I can't help you any more from here.

Don't forget to reverse the steps above to turn on things that were turned off and turn off things that were turned on. Unless, of course, you like what they did. Hope that helps.

The firewall error: "Due to an unidentified problem, Windows
by Marianna Schmudlach / October 22, 2006 2:12 AM PDT

Cause

Case 1: This happens due to a missing or corrupt SharedAccess registry key, which represents the Windows Firewall service. This usually occurs if the system is infested with a virus or other malware, or in the aftermath of virus removal. In conjunction with the solution provided in the article, it's advisable to run a thorough cleanup of the system.

http://windowsxp.mvps.org/sharedaccess.htm

Thorough cleanup instructions:

http://aumha.org/a/quickfix.php
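
An added check for this thread, written here and not part of Marianna Schmudlach's post or the linked article: in PowerShell 2.0 or later, run as an administrator, it verifies that the SharedAccess service key the post describes is present, compares a few of its values against what the example assumes a clean Windows XP SP2 installation carries, and asks the service control manager whether the service is still listed and running. The key path, the expected values and the function name are the example's own assumptions; confirm the values against a known-good machine before acting on a mismatch.

```powershell
# Added example for this thread (not from the post or the linked article):
# check whether the SharedAccess service the post blames is still registered
# and whether its registry definition looks intact. Assumes PowerShell 2.0 or
# later run as an administrator. The expected values below are what this
# example assumes a clean Windows XP SP2 installation carries; confirm them
# against a known-good machine before trusting a reported mismatch.

$sharedAccessKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'

function Test-SharedAccessService {
    $result = @{ KeyPresent = $false; ServiceListed = $false; Status = 'unknown'; Problems = @() }

    if (-not (Test-Path $sharedAccessKey)) {
        $result.Problems += 'service key missing: the Windows Firewall settings page cannot load'
        return $result
    }
    $result.KeyPresent = $true
    $props = Get-ItemProperty -Path $sharedAccessKey

    # Expected (assumption for this example): hosted by svchost in the netsvcs
    # group, Type 0x20 (shares a process), Start 2 (automatic). Get-ItemProperty
    # returns REG_EXPAND_SZ values already expanded, so expand the expected
    # ImagePath the same way before comparing (the -ne below ignores case).
    $expected = @{
        ImagePath = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\system32\svchost.exe -k netsvcs')
        Type      = 32
        Start     = 2
    }
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($actual -eq $null) {
            $result.Problems += "$name value missing"
        } elseif ("$actual" -ne "$($expected[$name])") {
            $result.Problems += "$name is '$actual', expected '$($expected[$name])'"
        }
    }

    # The key can exist while the service control manager no longer lists the
    # service, or the service can be listed but stopped; report both cases.
    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceListed = $true
        $result.Status = $svc.Status.ToString()
        if ($svc.Status -ne 'Running') { $result.Problems += "service is $($svc.Status), not Running" }
    } else {
        $result.Problems += 'service control manager does not list SharedAccess'
    }
    return $result
}

Test-SharedAccessService
```

A missing key reproduces the error quoted in the thread. A Start value of 4 means the service has been set to disabled, and an ImagePath that no longer points at svchost means the service definition has been replaced rather than merely damaged; in either case the wholesale key restore in the linked article, followed by a reboot, is the repair, and the cleanup should come first or the change will not hold.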

Status Report: Situation has worsened
by rhonrod38 / October 22, 2006 3:26 AM PDT

Upon trying some of your methods listed, I rebooted. I now cannot log into any accounts through Safe Mode, Last Known Good Configuration, etc.

"A problem is preventing Windows from accurately checking the license for this computer. Error Code: 0x8004005"

How can I proceed from here? How can I log on??

Just chiming in. Pests are known to do such damage.
by R. Proffitt Forum moderator / October 22, 2006 3:37 AM PDT

Repair is sometimes iffy to impossible. I sometimes have to use the XP PARALLEL INSTALL METHOD and migrate to the new undamaged OS.

Here's something I'd try from the command line boot option if you can get to that.

"Start the computer in Safe Mode by hitting F8 at bootup. Log on as administrator.

Start/run regsvr32 regwizc.dll
Then start/run regsvr32 licdll.dll

If this doesn't help try these steps:

Start/run regedit. Delete the following keys:

HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\Providers
HKEY_USERS\S-1-5-20\Software\Microsoft\Cryptography\Providers

Exit the registry editor, restart normally.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/"

Alter the steps to do what we do from the command line to get the same steps done. If you can't do that then let's pass on this and head to the XP PARALLEL INSTALL.

Sorry to read System Restore was off and about you hitting a real nasty. Better luck next time.

Bob

What is the XP PARALLEL INSTALL METHOD?
by rhonrod38 / October 22, 2006 12:13 PM PDT

Note I can't start the computer in Safe Mode anymore; it won't let me log onto any user at all.

System Restore was off because I've got nothing but grief in the past utilising it.

Thanks for the help.

Your friend called the... Search engines.
by R. Proffitt Forum moderator / October 22, 2006 12:25 PM PDT

If we type XP PARALLEL INSTALL into google.com we discover this method widely documented. I don't duplicate ready or easy to find web content.

Best of luck,

Bob

I was going to do a parallel install but
by rhonrod38 / October 22, 2006 12:50 PM PDT

It won't boot from my CD-ROM drive. I've set all priority to that device in the BIOS, and it still goes straight to the HDD.

THANK YOU REALLY
by NascB / June 20, 2007 11:25 PM PDT

For the first time in my Windows history I saw one piece of good advice, which I applied from day one: having 2 parallel XP installations.

Folks, having two parallel XP installations means:

Having 2 times the safety
SAVES a gazillion reinstall attempts
Increases data security and transfers
Separate software setups, aka (Multimedia / Gaming) vs (Networking / DTP Desktop Publishing... / Office)

THE MOST IMPORTANT > ONCE YOU HAVE 2 XP OSes running:

ALL THE TASKS you HAVE to DO get DONE in HALF
the time instead of TWICE the PAIN.
Optimized for specialized tasks means steady HIGH performance.

Hyper Threading live. Happy

Greetings From SERBIA

Try this
by terrickisaiah555 / October 22, 2006 12:00 PM PDT

It is possible you have a Master Boot Record (MBR) virus. The only way to remove these is to boot from a clean disk. You might try booting from a sterile, updated antivirus boot disk. It sounds as though your system files or configuration have been corrupted. After you have scanned and removed the malware(s) you may need to run chkdsk /f to repair this as well. If this does not work you might try running a Windows repair by reinstalling Windows over the top of your existing installation (without removing the partitions, of course!)
Hope this helps,

Viper

I'm new to this...
by Mailman / October 25, 2006 11:19 AM PDT

...discussion, and did not read every post, but could you boot into safe mode and try System Restore to before the problem began?

~Dave

I Fixed Mine
by clanbain / October 25, 2006 4:57 AM PDT

Well, everything except the Firewall problem. It did take 3 days' work and I don't know where it came from, but I suspect my 13-year-old daughter of downloading the problem.

I ran every anti-virus/spyware program I could find and something seems to have worked.

My story:

My PC's firewall and virus protection (PC-cillin) was disabled and would not re-enable. I had the files _muzu_stonedrv9.exe and avoxqu.exe, which is how I found your post in a search. After having run Avast, which I had managed to reload, and run PC-cillin, I at least got back on the internet. Next I ran Ad-Aware, Spybot S&D and NOD32 (30-day sample AV); this would not read the boot drive and, after reading some of the posts, indicated a damaged boot sector. I searched on the web and found F-Secure's F-PROT (a free AV program for the MBR). This did not find anything wrong with the boot sector. After this I installed AVG's Anti-Virus and its (30-day sample) Anti-Spyware program. This found a lot more than anything else (and I think I will buy this). Finally I went to the McAfee site and ran a web scan for my system. This found another 5 unidentified programs, which I manually deleted.

So far so good. I have downloaded HijackThis and I cannot see anything left that is suspect.

I don't have a solution to Windows Firewall, but I don't use it anyway.

I hope this may be helpful to someone.

Best of luck.

Thanks for the advice, but
by rhonrod38 / October 25, 2006 10:19 AM PDT
In reply to: I Fixed Mine

I cannot log into any users in any way, shape or form.
Additionally, when I go into my BIOS and change it so it will boot from my CD-ROM drive, that doesn't work either. So I can't reinstall Windows on top, nor can I use an antiviral disk to scan the machine before loading the OS.

Unfortunately I don't have the time nor the energy to fix this atm; I have exams. I really don't want to worry about it.

Repair Install
by micker377 / October 30, 2006 3:29 AM PST

I've found that occasionally, when the computer won't boot from CD, changing ALL the BIOS boot choices to "Boot from CD" works. You will have to change it back when you are done reinstalling.

start of bug fix
by clakowicz / October 28, 2006 2:49 PM PDT

Download Ewido software (free) and run it. Delete your Prefetch file. This is similar to the SpySheriff malware I ran into some time ago. The bug is hiding in an executable form. Has the bug prevented you from using System Restore to go back to an earlier time when things worked?

My solution
by rhonrod38 / October 28, 2006 8:15 PM PDT
In reply to: start of bug fix

I have partially fixed my login problem: one of my DVD drive cables was loose, so that's why it wouldn't boot from disk.

Anyway, I think this virus was just simply too deeply entrenched, very much embedded in the system. I could never trust myself to do internet banking or log into other important accounts without being sure it was all gone.

So I formatted.

Thanks for the help, but in a serious case like this, I honestly believe no antiviral solution was feasible.

formatting
by clakowicz / October 28, 2006 11:56 PM PDT
In reply to: My solution

When all else fails, a format will let you sleep at night. I suspect many coffees or stronger drinks will be lined up as you reinstall your software.

Good luck

CL

Nasty virus
by alfcrane / October 29, 2006 7:07 PM PST

Sorry to hear you had to go through all that trouble, and still not be in the clear.

For all you others, simply having Symantec's GoBack (comes free with Norton SystemWorks) installed would have solved the problem in about 5 minutes: with only a couple of mouse clicks you could "go back" in time to a moment prior to getting the virus, without even losing any work or files in between.

A. Crane

Some more steps
by PromptCritical / October 29, 2006 9:06 PM PST

Whenever I have encountered a virus like this, I look for two additional things.

One: You are not finding the file that keeps downloading and reinstalling the virus. When in Safe Mode, look for out-of-place and unidentified folders within all subdirectories of your hard drive, particularly in Program Files. Don't forget the root.

Two: This may help identify the location of the reinstaller. Look for registry entries in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce. Look for anything unusual. Clues to these entries can also be seen in MSConfig.

If you don't want to jump feet first into the registry, then use MSConfig to disable everything that loads at startup. Take the time to restart, re-enabling one startup item in MSConfig each time. This should also identify the offending reloader. After you kill that key file, kill the rest.
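
Following the two steps above, an added example, written for this page and not a tool from the thread or from PromptCritical: in PowerShell 2.0 or later, run as an administrator, it lists the Run and RunOnce values, resolves each to the program it starts, and flags the ones that deserve the "reloader" suspicion: unsigned or hash-mismatched binaries, files living in a temp or profile directory, dangling entries whose file no longer exists, and names that look machine-generated. It also covers HKEY_CURRENT_USER, which the post does not mention; the suspect-directory list, the name heuristic and the function names are the example's own assumptions.

```powershell
# Added example written for this thread; it is not a tool anyone in the thread
# posted. It walks the Run/RunOnce keys the post above points to, resolves each
# value to the program it launches, and flags entries worth a closer look.
# Assumptions: PowerShell 2.0 or later, run as an administrator on the suspect
# machine; the HKCU keys, the suspect-directory list and the random-name
# heuristic are additions for this example, not from the original post.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Bookkeeping properties the registry provider adds to every item; not values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Directories where a legitimate autostart rarely lives but a dropper usually does.
$suspectDirs = @($env:TEMP, $env:TMP, $env:USERPROFILE, "$env:windir\Temp") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLower() }

function Resolve-CommandPath {
    # Pull the program out of a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent    or    C:\WINDOWS\update.exe -q
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted: add tokens until one ends in an executable extension, so a
    # path with spaces is still recovered. Falls back to the whole string.
    $acc = ''
    foreach ($tok in $cl.Split(' ')) {
        if ($acc -eq '') { $acc = $tok } else { $acc = "$acc $tok" }
        if ($acc -match '\.(exe|com|scr|bat|cmd|pif)$') { return $acc }
    }
    return $cl
}

function Test-RandomLookingName {
    # Coarse tiebreaker for generated names such as rorjxk, cgqrvrva, vcncr:
    # letters only, and either no vowel at all or four consonants in a row.
    # It misses some (nckige) and legitimate names can still trip it, so it
    # only adds a flag; it never decides on its own.
    param([string]$Name)
    $n = $Name.ToLower()
    if ($n -notmatch '^[a-z]{5,}$') { return $false }
    return (($n -notmatch '[aeiou]') -or ($n -match '[bcdfghjklmnpqrstvwxyz]{4}'))
}

function Get-AutostartReport {
    $report = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $exe = Resolve-CommandPath ([string]$p.Value)
            $flags = @()
            if ($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)) {
                $status = (Get-AuthenticodeSignature -FilePath $exe).Status
                if ($status -ne 'Valid') { $flags += "signature:$status" }
                # Directory part via regex rather than System.IO.Path, so an odd
                # character in a malicious command line cannot throw here.
                if ($exe -match '^(.*)[\\/][^\\/]*$') {
                    $dir = $matches[1].ToLower()
                    foreach ($s in $suspectDirs) {
                        if ($dir.StartsWith($s)) { $flags += 'in-suspect-dir'; break }
                    }
                }
            } else {
                # Still registered after the file was deleted (a dangling
                # reloader entry), an unqualified name Windows finds via PATH,
                # or a command line the resolver could not parse: look at it.
                $flags += 'file-missing'
            }
            $base = ($exe -replace '.*[\\/]', '') -replace '\.[^.]*$', ''
            if (Test-RandomLookingName $base) { $flags += 'random-looking-name' }
            $report += New-Object PSObject -Property @{
                Key     = $key
                Value   = $p.Name
                Command = [string]$p.Value
                Flags   = ($flags -join ',')
            }
        }
    }
    return $report
}

# Flagged entries first; a clean, signed vendor entry shows an empty Flags column.
Get-AutostartReport | Sort-Object Flags -Descending | Format-Table -Property Flags, Value, Command -AutoSize
```

Run it before and after each MSConfig round described above. An entry that reads file-missing right after you delete the file, and whose file is back on the next boot, is the reloader's footprint, and whatever recreates it (a service, a Winlogon Shell or Userinit value, or another Run entry) is what to chase next. Unsigned is not proof of malware on an XP machine, since plenty of legitimate software of that era shipped unsigned, so treat the flags as a sort order, not a verdict.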

In the future...
by Dr. Zoltar / October 29, 2006 10:37 PM PST
In reply to: Some more steps

I know this post will fall under the "too little, too late" category, but if this happens again, run a program called "HijackThis!". Then search the web for a forum (there are many) that will analyze your HijackThis! log and give you steps on how to fix your infestation. Not only has this worked on my home PC, but also for family friends whose computers were infected with all sorts of nasty stuff.

windows xp
by grandam121 / October 29, 2006 10:48 PM PST
In reply to: In the future...

A virus will live in the System Restore in XP; you must shut down System Restore to successfully delete any virus.
