Win XP Virus - Need Help 2

[johngiggs]

I have a PC running Win XP and I have a virus that I cannot seem to track down. I cannot run regedit (I managed to copy the executable and launch it from another location), I can't press CTRL-ALT-DEL to view the currently running tasks, and I cannot run msconfig. The value for the registry key "MSConfig" is "DQZCBRMSYW.EXE" I tried downloading and installing McAfee Virus Scan Pro and it did not detect anything. Any help would be greatly appreciated.

Thanks,

John

 

[SESaskDFC]

Howdy:

Go to

http://www.antivirus.com

and run their online scanner and see if anything shows up.. Most of the newer virii have the ability to disable av scan engines so they won't be found.. That's the problem with putting the cart before the horse (getting infected BEFORE you decide to get an anti-virus program - stupid, just plain ole stupid)..

Murray

 

[johngiggs]

It's definitely the executable "dqzcbrmsyw" that's causing the problem. I wrote a simple batch file which does the trick and allows me to run Task Manager, Regedit, and msconfig.

start C:\WINDOWS\system32\tskill.exe dqzcbrmsyw
@echo The Virus has been killed.
@echo off
pause

If/When I figure out what virus it is, I'll post it.

John

 

[SESaskDFC]

John:

Disab;e System Restore.. now run an av scan.. Reboot into Safe Mode and run another.. Boot back into normal mode and re-enable System Restore..

You can scan again if you want, but it will be clean..

Murray

 

[johngiggs]

I ran the virus scanner at antivirus.com and it found 19 viruses, most of which were the same (I cannot remember the exact name, but it was WORM.SPYBOT or something to that effect). Most of those had obscure names and were in the Windows\System32 directory. If I merely delete those files, will that be sufficient, or are more serious measures needed as Murray has proposed?

Thanks,

John

 

[SESaskDFC]

You have to disable System Restore... that is where the virii are being found..

Murray

 

[johngiggs]

Murray,

Thank you for your help. I'll go ahead and give that a try when I get a chance. Unfortunately, it's my fiance's parents' PC, so I do not have immediate access to it. I'll definitely let you know how I make out. No one else is even aware that a problem exists, however it has irked me for a while. The virus scanner at antivirus.com said that it could not remove any of the viruses that were found, so if I disable system restore and delete all of the files detected by the virus scan (they are not any necessary system files, just obscurely named executables), should that do the trick?

Thanks,

John

 

[SESaskDFC]

You won't even have to search to delete them.. simply disabling and then re-enabling System Restore will clear them.. in this case !!

Murray

 

[johngiggs]

Thanks, SESaskDFC. I took your advise (Disabled System Restore. ran a virus scan, rebooted into Safe Mode and ran another, booted back into normal mode, and re-enabled System Restore. No more virii!!

John

 

[SESaskDFC]

Glad I was able to help John.

Murray

 

[Xemus]

Assuming that the Virus name is W32.spybot.worm,
here's what Symantec knows about it (including what it does to your system and what you need to verify is cleaned up.)

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

http://www.closedsocket.com

 

[johngiggs]

Thanks, Xemus!! I thought I was all set, but I certainly will take Symantec's reccommendations into account and double check to make sure the registry entries are removed and verify that there are not any zero byte files in the startup folder. Below is the list of steps listed on Symantec's website for removal of W32.spybot.worm.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode.
4. Run a full system scan and delete all the files detected as W32.Spybot.Worm.
5. Delete the value that was added to the registry.
6. Delete any zero-byte files in the startup folder.

Thanks,

John