I think IVE got a virus

Status
Not open for further replies.

swashbuckler

i downloaded a program and then I opened it (ya im an idiot) and I got this message
picture is here

this PELOCK program had nothing to do with what i downloaded..but anyways...oh ya im in safe mode right now and my keyboard is all screwed up from this virus i have, whenever i type the letter y it comes out as z

everything was going fine until i knew something had got me, so i tried to use the task manager and it says TASK MANAGER HAS BEEN DISABLED by your ADMINISTRATOR, but i am the admin...


i restarted into safe mode to try to get rid of this thing, so I saw that in MSCONFIG there was something running under startup that was never there before
its c.windows.system32.winmgr.exe

sorry i cant type back slashes because it messed up my keyboard so i used periods...anyways

i took it off and restarted, but things were the same, it was right back in msconfig...so i went into the system32 folder and moved the winmgr.exe program out..then i restarted again...as soon as the desktop loaded i got tons of those PELOCK errors and then I got this error
pic is here

now NOTHING started up, my virus scanner didnt start up neither did my firewall...so whenever i try to open any program it says that program cannot be found, i couldnt even open my browser..

so i restarted into safe mode, and the same things happened..ughh.. so then i realized i basically couldnt do anything. so i put the winmgr.exe back in the system32 folder and restarted..now when i open EXE files i get both those messages above, but the files still open

im totally clueless
 
The PElock message is because the virus writer has encoded his code using the PELock message. Because Windows XP has a built in debugger the virus sees this as an attempt to view the code behind it and displays this message.

Take a look at "What are Good Virus/Spyware?Update/Firewall Practices?" faq779-5240 for some online scanners.

Greg Palmer
Free Software for Adminstrators
 
ok here's an update
i scanned my computer with adaware 6 prof
and look what came up
3 objs..

Vendor:Windows
Category:Vulnerability
Object Type:RegData
Size:-
Location:exefile\shell\open\command "" ()
Last Activity:25.07.2004
Risk Level:Low
Comment:possible virus infection, executable file extension compromised
Description:No Detail Information Available.

ah ah there is an explanation to the exe file program
another one...

Vendor:Windows
Category:Vulnerability
Object Type:RegData
Size:-
Location:Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" ()
Last Activity:25.07.2004
Risk Level:Low
Comment:possible unintended lockout from Task Manager (Task manager access disabled)
Description:No Detail Information Available.

Vendor:Windows
Category:Vulnerability
Object Type:RegData
Size:-
Location:Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" ()
Last Activity:25.07.2004
Risk Level:Low
Comment:possible unintended lockout from Registry Editor (Regedit access disabled)
Description:No Detail Information Available.

oh ya i forgot to mention regedit wasnt working either...

this one is self explanatory
 
Start > Run > Copy and paste the following (without quotes) "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD" > Click Ok

This will re-enable task manager

Then go to for a fix on the exe files not running.

Then do 2 of the online scans in the FAQ I provided above.

Greg Palmer
Free Software for Adminstrators
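
A read-only PowerShell check for the three registry findings in the Ad-aware report above and the startup entry named in the thread; it is an added example, not part of any poster's reply. Checking HKLM alongside HKCU, looking in the two `Run` keys, and matching on the file name `winmgr.exe` are assumptions made for illustration.

```powershell
# Added example: read-only audit, nothing in the registry is modified.
$policyKeys   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'  # HKLM: assumption
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'
$runKeys      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$exeKey       = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$expectedExe  = '"%1" %*'      # stock default value of the exefile open command
$suspectFile  = 'winmgr.exe'   # startup entry reported in the thread

function New-Finding($Check, $RegKey, $Name, $Data) {
    [pscustomobject]@{ Check = $Check; RegKey = $RegKey; Name = $Name; Data = $Data }
}

$findings = @()

# 1. Tool lockouts: a non-zero value disables Task Manager or Regedit.
foreach ($regPath in $policyKeys) {
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    foreach ($name in $policyValues) {
        if ($props -and $props.$name) {
            $findings += New-Finding 'ToolLockout' $regPath $name $props.$name
        }
    }
}

# 2. .exe open handler: anything other than the stock value means every
#    program launch is being routed through another command first.
$exeCmd = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -ne $expectedExe) {
    $findings += New-Finding 'ExeHandler' $exeKey '(default)' $exeCmd
}

# 3. Startup entries that launch the file seen in MSCONFIG.
foreach ($regPath in $runKeys) {
    $item = Get-Item -Path $regPath -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match [regex]::Escape($suspectFile)) {
            $findings += New-Finding 'RunEntry' $regPath $name $data
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty table means none of the three conditions is present for the current user; rerunning it after a reboot shows whether something is rewriting the values, as happened in the thread.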
 
ok after i ran adaware i restarted, then those 3 vulnerabilities came back, so I ran trend micro virus scanner, and nothing was found, and I ran my NORTON ANTI VIRUS and nothing was found. so i ran adaware again and it found those 3 vulnerabilities again and deleted them..THEN I took winmgr.exe off MSCONFIG startup..then I restarted...now everything SEEMS to be back to normal..however winmgr.exe still remains in system32 folder...is this a malicious file or what?
 
winmgr.exe is part of WMI
Part of its functionality is Remote Administration.

Can you give us a link to the file you downloaded? We may be able to more accurately detect what the problem is.

It would be a good idea to run Spybot from the FAQ I gave you in my first post.

Greg Palmer
Free Software for Adminstrators
 
im still trying to get the file again...

however i downloaded spybot and it found tons of stuff adaware didn't (GO FIGURE!)

but they werent the main problem (i dont think) but it's still good to have em gone!
 
Unfortunately this is quite often the case - Why a product that costs a reasonable amount of money cannot find such viruses I don't know. Norton is good for many things, however it is always worth running something else. Such as the McAfee online scanner.

Is your problem sorted now?

Greg Palmer
Free Software for Adminstrators
 
i think its sorted. i got mcafee virus scan 8 and it got rid of winmgr.exe..so far so good. thx Greg
 
Virus Scanners are not equipped to catch Trojans or Worms, they are mainly interested in Viruses, as the name implies.

Often they include detection for the more common types of Worms or Trojans, but the detection of these other pests is better handled by an appropriate type of scanner.

This may explain why some virus scanners catch what others miss.
 