
NASTY 10_03_07 Virus

MDRuiz

Technical User
Apr 27, 2003
26
US
Well, you guys have helped me before when I'm all out of ideas, so once again I have to throw myself before your mercy...

I downloaded this bogus .rar file sharing today's date and it wasn't long before my whole system was thrown into chaos. I immediately realized this thing was bogus and tried to delete it - no go. After a couple of sweeps on it with another program, KillBox managed to do the job, but apparently it was too late. Explorer crashed and on reboot I was left where I still am right now:

-Start button / task bar are disabled (can't pull it up to be visible)
-Can't drag or drop files.
-Sound is disabled
-Windows Defender / Firewall are being blocked from running
-This thing activates before I can get into Safe Mode
-Nothing yet from scans of AdAware and Spybot.

This is by far the nastiest thing to hit my computer in all my days and it couldn't have happened at a worse time. Anyone ever deal with something like this? Google searches pull up malware situations that are nowhere near as nasty...

 
What antivirus are you using? Have you tried Safe Mode?

For now, download these 3 things.

CCleaner
(if you have Nero, uncheck it from the Applications section of the program)

AVG Anti-Spyware
(delete anything it finds)

Eusing Registry Cleaner

Once done running those, run HijackThis from Normal Mode, choose "Do a system scan and save a logfile", and post the logfile on here. Do not attempt to fix anything on it unless you know what you are doing, as not everything it shows is bad.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Just reread that, sorry, missed your part about Safe Mode. If you can, when you get loaded into Safe Mode, see if you can get a list of all running processes by using Ctrl+Alt+Delete.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
electronicsfreak -

First, thank you for answering!

I was actually running a corporate edition of Norton that I had been running at my University...it was last updated a month ago or so. I was actually about to scan the said file, when it started getting laggy and I realized I couldn't delete the thing. It was downhill from there. So much for the auto-protect features of that Norton...

I had also tried cleaning my registry / junk files with Ace Utilities, but I'm going to try yours as well, and also give AVG a try.

I did go back into Safe Mode and get a process list. It reads:

taskmgr.exe
explorer.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
System
System Idle Process

Not much to go on right? I do have a HijackThis Log - and I ran it through an analyzer, but that didn't come up with anything glaring. If you're willing to take a look though I can post it, because I'm sure people on here would be able to catch something I wouldn't...

 
Yes, please do post it. As for Norton, my personal opinion is it is not very good. I dislike Norton for home systems. I can not comment for corporate business use, but for home, from my experience, it is one of the worst. Keep in mind this is only my opinion; others disagree. Either way it's up to you on whatever you want to use.

I recommend AntiVir, but you must have Norton uninstalled first in order to install AntiVir or it will lock up.


If you do decide to use AntiVir, I have instructions on how to configure it for best results. Remember Norton MUST be removed first or they will conflict with each other.

This is to set up AntiVir after it has been installed.

Right click on the logo in the taskbar (a red square with a white umbrella), then left click Configure. Towards the top left, you will see a box beside Expert Mode. Check this box. Now click the + beside Scanner, and now the + beside Scan. This will expand them.

Now click on Scan itself so that it is highlighted. Now to the right under Files, select the circle beside All Files. Now click on Action for Concerning Files. To the right, click the circle beside Automatic. Now to the right of that, set Primary Action to Repair and Secondary Action to Delete. DO NOT check the box that says "Copy file to quarantine before action".

Now click on Archives so that it is highlighted. Make sure all boxes on this page are checked; if not, check them. Now click on Heuristic. To the right under Win32 File Heuristic, check the box beside "Win32 file heuristic", then click the circle beside Medium Detection Level.

Now click the + beside Guard and the + beside Scan to expand them. Now click on Scan so that it is highlighted. To the right under Scan Mode, check "Scan when reading and writing". To the right of that under Files, click the circle beside "All files".

Now click on Heuristic so that it is highlighted. Check the box beside Win32 File Heuristic, and then click the circle beside Medium Detection Level. Now click OK and AntiVir is now set up for scanning. I highly recommend doing a scan now.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Just a small preface to this: for some reason, Notepad and these web boxes are the ONLY places that "cut" and "paste" work for me...luckily. Word, the URL bar, files in windows - "paste" has been disabled in every other context.

Also, as to this logfile, something that inevitably comes up is SPECTRE aka Perfect Key Logger. Just want to note that I run this program on myself - safely for over 2 years - in order to take screenshots of myself while gaming and also as a backup device in terms of my writing. Other than that, brace yourself, here's the whole shebang:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:23 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\CTHELPER.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\BPK\Spectre.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\PROGRA~1\BPK\SPECTR~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Systran50premi.IEPlugIn - {9A0844DB-84CF-4440-BDB1-1F4F7C4F7FB0} - C:\Program Files\SYSTRAN\5.0\Premium\IEPlugIn.dll
O4 - HKLM\..\Run: [FolderSecurity] C:\PROGRAM FILES\Y0YS SOFTWARE\FOLDER SECURITY PERSONAL 3.0\SECFLD.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Spectre] C:\Program Files\BPK\Spectre.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1793796417-2267269566-2376590940-500\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1793796417-2267269566-2376590940-500\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User '?')
O4 - HKUS\S-1-5-21-1793796417-2267269566-2376590940-500\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-1793796417-2267269566-2376590940-500\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-1793796417-2267269566-2376590940-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &1CPG Grab pictures on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEPICS.HTM
O8 - Extra context menu item: &Select for PasteCards - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/PASTECARDS.HTM
O8 - Extra context menu item: 1C&PG Grab Target File - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABLINK.HTM
O8 - Extra context menu item: 1C&PG Grab This Picture - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPIC.HTM
O8 - Extra context menu item: 1CPG Grab &movies on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEMOVIES.HTM
O8 - Extra context menu item: 1CPG Grab pict&ures this page links to - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGELINKS.HTM
O8 - Extra context menu item: Download Flash with Flash Capture - C:\Program Files\Flash Capture\dl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) -
O20 - AppInit_DLLs: C:\WINNT\system32\smss.dll
O22 - SharedTaskScheduler: Windows Updater - {259BA022-2005-45E9-A965-10EDB9C00605} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
Check these and click fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O20 - AppInit_DLLs: C:\WINNT\system32\smss.dll

O22 - SharedTaskScheduler: Windows Updater - {259BA022-2005-45E9-A965-10EDB9C00605} - (no file)

Now restart your computer, bring up the menu like you're going to go into Safe Mode, and choose Safe Mode with Command Prompt. Put in your Windows disc and type sfc /scannow

Post back with the results

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
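The five entries picked out above share a few tells that can be scored mechanically: an AppInit_DLLs hook, a DLL that borrows the name of a core Windows process, registrations whose target file is gone, and blanked IE search values. The Python below is an added example, not code from this thread or from HijackThis. It runs a small rule set over lines copied from the posted log, with three known-good entries (the Java BHO, the VPTray Run key, the NVIDIA service) kept in as controls. The severities and rule names are my own choices; the one Windows fact the rules lean on is that a DLL listed in AppInit_DLLs is loaded by user32.dll into every process that maps user32.dll, which is why that single line explains symptoms in Explorer, Defender and the firewall at once.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, plus three known-good lines (O2 ssv.dll, O4 vptray, O23 NVSvc)
# that the rules must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O20 - AppInit_DLLs: C:\WINNT\system32\smss.dll
O22 - SharedTaskScheduler: Windows Updater - {259BA022-2005-45E9-A965-10EDB9C00605} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# HijackThis lines look like "O20 - <body>"; the body usually ends in a path.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)

# Core XP process names that malware likes to reuse. None of these is
# shipped as a .dll in a stock system32, so "smss.dll" deserves a look.
CORE_PROCESSES = {"smss", "csrss", "winlogon", "lsass"}


def extract_path(body):
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage_line(line):
    """Return a list of (severity, reason) for one log line; empty if it looks routine."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    path = extract_path(body)
    findings = []

    # O20: anything in AppInit_DLLs gets mapped into every user32 process.
    if section == "O20" and body.startswith("AppInit_DLLs:") and path:
        findings.append(("HIGH", "AppInit_DLLs: user32.dll loads this DLL into every process that maps it"))

    # A core process name with the wrong extension is name-squatting.
    if path:
        stem, ext = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)
        if stem in CORE_PROCESSES and ext != "exe":
            findings.append(("HIGH", f"'{stem}.{ext}' borrows a core process name but is not the .exe"))

    # BHO / toolbar / SharedTaskScheduler entries whose file has vanished.
    if section in {"O2", "O3", "O22"} and ("(no file)" in body or "(file missing)" in body):
        findings.append(("MEDIUM", "registration points at a file that is gone; orphaned or hidden"))

    # IE start/search values that were blanked or set to about:blank.
    if section in {"R0", "R1"}:
        value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
        if value in {"", "about:blank"}:
            findings.append(("LOW", "IE start/search value blanked; reset it after cleanup"))
    return findings


def triage_log(text):
    """Run triage_line over a whole log; returns (severity, section, reason, line) tuples."""
    results = []
    for line in text.splitlines():
        for severity, reason in triage_line(line):
            results.append((severity, line.split(" - ", 1)[0], reason, line.strip()))
    return results


def worst_severity(results):
    order = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((r[0] for r in results), key=order.get, default=None)


if __name__ == "__main__":
    for severity, section, reason, line in triage_log(SAMPLE_LOG):
        print(f"{severity:6} {section:4} {reason}\n       {line}")
    print("worst:", worst_severity(triage_log(SAMPLE_LOG)))
```

The point of keeping the three clean lines in the sample is that a rule set which fires on them is worse than no rule set; HijackThis logs are mostly legitimate software, and the helper's warning not to fix everything the tool shows applies just as much to a script.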
 
Okay, I fixed 3 of the 5. The first two, (R1 & R0) don't go away even after I tell HijackThis to fix them.

When I rebooted into Safe Mode with the command prompt I got this:

"Windows File Protection could not initiate a scan of protected system files.

The specified error code is 0x000006ba (The RPC server is unavailable)"
 
Ok, in Normal Mode, hit Ctrl+Alt+Delete, then click File, then click New Task (Run...), then type cmd in it. In that, try sfc /scannow

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Thanks so much man for going through all this with me, you're really my lifeline here.

I ran the sfc /scannow in normal mode and the "checking system files" progress bar appeared, ran through to 100% and then closed. No report afterwards. I assume that's normal?

And yet my system remains barely usable. I did notice one more thing however. Occasionally, with this virus, I'll get the message "Ordinal 6880 could not be located in the DLL MFC42.DLL" Clicking OK on that message crashes explorer and just leaves me with desktop wallpaper and Task Manager. I can't even run explorer again from there.
 
What I think happened was you got rid of most of the virus, but in the process you hit some needed Windows files.

Do a search for that file. If it will not show up, you can replace it here

Also bring up a command prompt in Normal Mode, type chkdsk /r, tell it yes, then restart the computer. Post back with results.

Also, n/p man, I love helping, as does everyone on this forum. We all do what we can when we can lol.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Alright, so I replaced mfc42.dll. The one I had in there was a slightly different size, so I figure, why not. Maybe it's infected or something.

No changes in my overall problems. No better no worse. I gave the chkdsk /r command and restarted. Here's what I got:

Stage 1
5796-5799 and 37628-37631 = unreadable

Stage 2
Correcting error in index $I30 for file 116201 (This came up 3 times)
Sorting index $I30 in file 116201
Deleting index entry winzm.mb - file 5579
Deleting index entry spuninst.inf - file 377613
Removing a bunch of orphaned files into 116201

Stage 3 - 100%

Stage 4
Windows replaced bad clusters 107697

Stage 5 - 100%

Meanwhile, back in windows, nothing has changed. Before I can get back into windows, I stare at my blank wallpaper for longer than I should - it seems like the virus is loading before anything else gets a chance. Then I'm greeted with Windows Defender error:

"Application has failed to initialize 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually."

At this point I'm back to my crippled desktop - no start button or taskbar and I can't drag/drop or cut/paste...after about another 2 minutes of waiting my internet access opens up and here I am...
 
My advice, get your Windows CD and do an installation on top of this one. I do not know what else can be done. Either that or a Last Known Good Configuration.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Well, electronicsfreak, it did come to that. After adding a 2nd installation of Windows (XP Pro) on top of my infected one, I was able to troubleshoot the virus more effectively.

I'm posting my results in hopes that anyone with a similar experience might be saved the trouble.

The virus I got was a fake .rar executable identified only as 10_03_07.rar. Whoever is spreading this could easily change the name of course, but I would think that the tell-tale symptoms would remain threefold:

1. An inability to paste text or files (except on basic forms)
2. A taskbar stuck so that you can't access it
3. An awkward 1-5 min pause before explorer loads when booting up Windows

As of this writing Spybot, Ad-Aware, and Norton all fail at detecting this virus, but beyond using killbox or a similar program to eradicate the original infectious file (don't forget to delete the backup that killbox will make) you're going to look for two files.

The first will be in C:\WINNT\system32, it will be an unceremoniously named file called "a". It may or may not be identified as an executable by your system, but it will look unmistakably out of place. It should be about 1.5MB. Delete it and then delete its prefetch file in C:\WINNT\Prefetch - mine was A.EXE-1A5E1CDB.pf. This should be around 21 KB.

I didn't have to struggle with deleting those files on the infected OS, so you may have to bring out KillBox again to get the job done. Good luck! And thank you again electronicsfreak for your help!
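The prefetch file named in the post above is the record that the dropped binary actually executed, and its header also says when and how often, which is worth reading before you delete it. The Python below is an added example, not from the thread: it parses the fixed header of a Windows XP (format version 17) prefetch file to recover the executable name, the path hash that forms the file name, the last run time and the run count, and checks that the on-disk name agrees with the header. The offsets follow the documented version-17 layout but are an assumption to confirm against a real .pf before relying on the numbers; the header bytes parsed here are constructed in the block (only the name A.EXE and the hash 1A5E1CDB come from the post; the timestamp, run count and size are made up).

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x98          # fixed header length for format version 17 (XP)
XP_VERSION = 17

# Version-17 header offsets (assumed from the documented layout; verify
# against a real .pf before trusting the numbers in an investigation).
OFF_VERSION, OFF_SIGNATURE, OFF_FILE_SIZE = 0x00, 0x04, 0x0C
OFF_EXE_NAME, EXE_NAME_LEN = 0x10, 60      # UTF-16LE, NUL padded
OFF_HASH, OFF_LAST_RUN, OFF_RUN_COUNT = 0x4C, 0x78, 0x90


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def is_xp_prefetch(data):
    return (len(data) >= HEADER_SIZE
            and data[OFF_SIGNATURE:OFF_SIGNATURE + 4] == b"SCCA"
            and struct.unpack_from("<I", data, OFF_VERSION)[0] == XP_VERSION)


def parse_xp_prefetch_header(data):
    """Return the fields an analyst wants from a version-17 prefetch header."""
    if not is_xp_prefetch(data):
        raise ValueError("not a version-17 (XP) prefetch file")
    raw_name = data[OFF_EXE_NAME:OFF_EXE_NAME + EXE_NAME_LEN]
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, OFF_HASH)[0]
    last_run = struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]
    run_count = struct.unpack_from("<I", data, OFF_RUN_COUNT)[0]
    return {
        "executable": exe_name,
        "hash": f"{path_hash:08X}",
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "file_size": struct.unpack_from("<I", data, OFF_FILE_SIZE)[0],
    }


def filename_matches_header(filename, info):
    """NAME-HASH.pf on disk must agree with the header; a mismatch means a rename or tampering."""
    return filename.upper() == info["expected_filename"].upper()


def build_sample_header(exe_name, path_hash, last_run, run_count, file_size):
    """Constructed test bytes laid out at the version-17 offsets (not a real capture)."""
    buf = bytearray(HEADER_SIZE)
    struct.pack_into("<I", buf, OFF_VERSION, XP_VERSION)
    buf[OFF_SIGNATURE:OFF_SIGNATURE + 4] = b"SCCA"
    struct.pack_into("<I", buf, OFF_FILE_SIZE, file_size)
    name = exe_name.encode("utf-16-le")[:EXE_NAME_LEN - 2]   # leave room for the NUL
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<I", buf, OFF_HASH, path_hash)
    struct.pack_into("<Q", buf, OFF_LAST_RUN, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


# Name and hash are the ones the post reports; time, count and size are invented.
SAMPLE_PF = build_sample_header(
    "A.EXE", 0x1A5E1CDB,
    datetime(2007, 10, 3, 18, 42, 7, tzinfo=timezone.utc), 3, 21_504)

if __name__ == "__main__":
    info = parse_xp_prefetch_header(SAMPLE_PF)
    for key, value in info.items():
        print(f"{key:18} {value}")
    print("name agrees with header:", filename_matches_header("A.EXE-1A5E1CDB.pf", info))
```

On a real case you would read C:\WINNT\Prefetch\A.EXE-1A5E1CDB.pf from the clean second installation (so the infected OS's hooks are not in play), feed the bytes to parse_xp_prefetch_header, and note the last run time and run count before removing it; a run count above one tells you the dropper executed again after the first cleanup attempt.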
 
n/p, sorry you had to go to reinstalling, but sometimes it has to be done. It is always a LAST resort for me to say that though. Either way, glad you're back up and running.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Yeah, it's a pain with all that has to be reset / reinstalled / imported, but it's the first clean install I've done in a LONG time, so I'll take the good with the bad...things are running much, much smoother now in general.
 