
Strange unknown virus

Status
Not open for further replies.

Guest_imported

Hi all

I had to reinstall my whole system 5x over this weekend because some virus is bugging me. I'm hoping someone knows this thing, because I tried scanning the disk with F-Secure and Norton Antivirus (all with the newest updates), but they don't find anything.

The virus tends to:

- delete system files such as emm386.exe and vmm32.vxd

- encrypt file names into weird ASCII characters, making them undeletable

- start sorting all my files into folders named folder00001, folder0002 etc.

Does anyone know such a Virus?
 
done that, they only gave me stupid advice, not much more useful than the stuff they write in their help files. Things like:

- scan your disk with the latest LiveUpdate
(proves they didn't read my thread)

- scan your disk using a rescue disk
(LiveUpdate's rescue disk never worked from the beginning on)

Not really helpful at all
 
Here are some questions that might help us track this down:
What OS and version are you running?
Are you connected to a network?
When do you notice the "virus" attacking, is it after installing a program or after restoring some data?
Do you have VBS or scripting enabled?
Are you using MS Word or Excel and if so do you have macros enabled?

Anything that you can remember that can help us track down where this is coming from.
James P. Cottingham

I am the Unknown led by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
1. Run an online scan here and see if it finds anything:

2. Download The Cleaner, which is free to try, and run a scan with it. The Cleaner is a trojan-specific scanner that can find trojans that normal AV scanners may miss.

3. Download Startup Log and run it. Then copy and paste the contents of the text file it creates into your reply here. Maybe it'll show something.

4. Do you have a firewall? If not, install the free version of Zone Alarm and see if it stops any programs or trojans from trying to access the net. If so, let us know which ones. It's possible you may have been hacked. If so, ZA should keep the hacker out.

 
Wow, people with brains, thank god for that ;)

Honest, I'll see that I can try all of Kento's solutions as soon as I get home.

However, while I'm doing that I'll also provide you the information about my system:

OS: Win98

Network: Yes, LAN with 4 PCs (one infected) Broadband internet connection behind a router.

Noticed since: After installing and using Morpheus and Kmeleon. The first problem was Explorer crashing, then Windows didn't start due to missing system files (emm386, vmm32). After that I found files with encrypted names (ASCII characters, in DOS), then suddenly new folders.

VBS Scripting: not sure, never played much with that

Office: haven't been using Word or Excel recently



Hope you can make something out of all this. Right now I'm preparing for the worst:

- backing up all picture, video, webpage, document and sound files on my disk
- getting ready to flash the motherboard ROM
- getting ready to repartition and format everything.

Guess you're the only one that can stop me now...

David A. Lee
WebDesigner
 
Depending on what version of IE you install, VBS and WSH are turned on by default. If the "virus" is a script program, you might want to turn these off along with macros. To turn these off, you will need to go to Explorer (not IE), then to View, Folder Options, and File Types. If these scriptings are on, you can find them here and change the default from Run to Edit. NOTE: some programs may need scripts to run, so you may have to do some testing. See if this helps, hurts, or whatever.

It may be possible that someone installed a timebomb on your system that is specific to your business or apps. Have you laid off any employees that may have been upset/disgruntled with your company?

The reason that I mention this is that it seems the "virus" hasn't spread to the other PCs on your LAN. Are Morpheus and Kmeleon installed on those machines, too?

What happens if you reinstall everything but these two programs? Can you run the PC for a while or does the PC go down eventually anyway? I'm trying to track down where this virus comes from.
James P. Cottingham

I am the Unknown led by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
Hi.

Since the major damage is already done, you will need to re-install Windows in any case.

If you don't want to reformat, you can try this:
1) Backup important files in any case!
2) Boot with a WIN98 boot disk and run:
REN WINDOWS WIN-BAD
REN PROGRA~1 PROG-BAD
3) Now install a new copy of Windows to the Windows folder.
Recommended method - boot from the CDROM.
4) After installation, first install, update and scan with your antivirus program, to catch leftovers of the virus.

However, backup - format - reinstall is recommended in your case.

Bye
Yizhar Hurwitz
 
VBS scripts were active, using IE 6.0

The timebomb thing cannot be, the problem is on my home PC

Morpheus and Kmeleon were only on that system; the first act of the virus was while I was testing Morpheus. Explorer crashed and gone was emm386.exe, preventing Win98 from booting again. After the first reinstall I tried Morpheus again, same thing: after a short while Explorer crashed, this time with vmm32.vxd missing.

Another odd thing is the virus seemed to also function in DOS mode, especially when using Scandisk. Actually Scandisk was about the only program that found traces of the virus. It just claimed some 100 files (those with ASCII-symbol names) are corrupted. Upon fixing it, the .chk files of Scandisk got corrupted.

Are normal viruses usually active in DOS mode?
 
It may be an actual DOS virus. I'll do some more looking.
James P. Cottingham

I am the Unknown led by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
Or it could be the obvious hard disk error; bad sectors can do exactly this in a drive that is dying.
I've seen it 3 times now, twice on the same drive (formatted between occurrences) and loaded only with windoze.

To cure it I installed a 2nd copy of Windows to c:\win98 and the drive has been mostly OK since, apart from odd file renaming into ASCII in the c:\windows folder as more sectors die off. (Gotta remember that the first thing installed on a drive is normally the OS, and if you reinstall the same OS it's likely to be in exactly the same place on the drive every time, if you format the drive and use the same install options.)

A thorough scan should highlight these and mark them as unusable, but the number will slowly grow. This is a warning of imminent HDD failure.

Damaged files that are "rescued" are put into fol.0001, fol.002 and fil.001, fil.002 etc. etc.
Buy a new HDD and you won't see this happen for some considerable time.

Hope this will save you from worrying about Viruses that don't exist and save you the trouble of reinstalling every 3 days ;) I can't have sent that email, it says from Superuser.
 
I know of such a virus. It's called by dozens of names (some of them quite impolite) but its best description is "General Entropy".

Yes. All hard disks fail. The reasons for failure are many. Viral activity is one of the rarer reasons for failure.

Aside from a presumption that the problems have been caused by a virus, sak_Leed has had only the usual clues... all of which point to a somewhat obvious culprit.

My advice would be for sak_Leed to obtain a few tools. (Perhaps Spin-Rite, Lost & Found and a new hard disk with at least the capacity of his current disk.) Until these items are obtained, sak_Leed should power down his computer and refrain from using it.

That's right... turn it off. Don't fiddle with it. Don't scan it for viruses. Don't run Scandisk.

Use Spin-Rite to check (and-or repair) the drive. If many files have been lost, use Lost & Found to restore them to the new drive. In this case, scanning for viruses should wait until the more obvious problems have been corrected.
 
I have to agree with Alt255 and karver on this. It is unlikely these problems are caused by malware; much more likely to be either a failing hard disk or marginal memory chips. Either way it looks like stuff is being written to the wrong sectors of the HDD and overwriting system files and the like.

When Scandisk attempts to rescue stuff it will put it into sequentially numbered folders, which is what is happening. When files are partially overwritten, they end up with seemingly random characters in them. When the file directories are overwritten, the files look to have been given new, random character names.
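A small triage heuristic, added here and not from any poster in the thread, that encodes the symptoms discussed above (Scandisk rescue folders, garbled file names, vanished system files) and reports whether a file listing looks like the disk corruption karver and Alt255 describe rather than malware. The rescue-name patterns, the Win98 locations of emm386.exe and vmm32.vxd, and the sample listing are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Rescue names the thread mentions (folder0001, fol.0001, fil.001) plus
# Scandisk's FILE0001.CHK; exact spellings are assumed for this example.
RESCUE_DIR_RE = re.compile(r"^(folder|fol\.?)\d{3,}$", re.IGNORECASE)
RESCUE_FILE_RE = re.compile(r"^(fil\.?\d{3,}|file\d{4}\.chk)$", re.IGNORECASE)

# System files the poster saw vanish, at their usual Win98 paths (assumed).
EXPECTED_SYSTEM_FILES = ("C:/WINDOWS/EMM386.EXE", "C:/WINDOWS/SYSTEM/VMM32.VXD")


def basename(path):
    """Last component of a DOS- or POSIX-style path."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def is_garbled(name):
    """Control or non-ASCII characters in a name: the 'weird ASCII' seen in DOS."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


def classify(paths):
    """Count each symptom category over a list of paths."""
    counts = Counter()
    for p in paths:
        name = basename(p)
        if RESCUE_DIR_RE.match(name):
            counts["rescue_dirs"] += 1
        elif RESCUE_FILE_RE.match(name):
            counts["rescue_files"] += 1
        elif is_garbled(name):
            counts["garbled_names"] += 1
        else:
            counts["normal"] += 1
    return counts


def missing_system_files(paths):
    """Expected system files absent from the listing (case-insensitive)."""
    present = {p.replace("\\", "/").upper() for p in paths}
    return [f for f in EXPECTED_SYSTEM_FILES if f.upper() not in present]


def verdict(paths, min_corruption_signs=3):
    """'disk_corruption' when rescue artefacts and garbled names dominate;
    a lone missing system file is 'inconclusive' (could be anything)."""
    c = classify(paths)
    signs = c["rescue_dirs"] + c["rescue_files"] + c["garbled_names"]
    if signs >= min_corruption_signs:
        return "disk_corruption"
    return "inconclusive" if missing_system_files(paths) else "no_symptoms"


# Constructed sample listing modelled on the thread's description.
SAMPLE = [r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\SYSTEM\VMM32.VXD",
          r"C:\folder00001", r"C:\folder0002", r"C:\FILE0001.CHK",
          "C:/WINDOWS/\x01\x7f\xe9.TXT", r"C:\MYDOCS\report.doc"]
```

Run on a real listing (e.g. from `dir /s /b` piped to a file), a "disk_corruption" verdict is the cue to check the drive's health before spending more time on AV scans.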
 